File name:

!#setUp_2040_P@s$w0rd_!!.zip

Full analysis: https://app.any.run/tasks/ea65e9e4-7ccc-4791-8ddd-18764c525ccf
Verdict: Malicious activity
Threats:

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Analysis date: July 22, 2024, 16:57:05
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
hijackloader
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

646553B78767B1718025DD9238E99B42

SHA1:

99796146E4743878185194F1B563B689148F87F6

SHA256:

6DF0C27C9B7346FCFD227ACE641A6BBC9F1A2A86E19A1F8C82813C55094CDCD2

SSDEEP:

98304:u4CAthgN1U6x4isNzg0txdSY0FmLVSDRzCpYNOmkjf6iXvttvRsW27Ko+i7s7H0p:CZML8tVmRFAZCOD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Setup.exe (PID: 5576)
      • WinRAR.exe (PID: 3336)
      • more.com (PID: 4748)
      • PeLoadDrv.exe (PID: 7036)
      • cmd.exe (PID: 2872)
      • Bush.pif (PID: 6732)
    • Changes powershell execution policy (Bypass)

      • PeLoadDrv.exe (PID: 7036)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 836)
    • HIJACKLOADER has been detected (YARA)

      • more.com (PID: 4748)
    • Actions look like stealing of personal data

      • PeLoadDrv.exe (PID: 7036)
    • Antivirus name has been found in the command line (generic signature)

      • findstr.exe (PID: 6720)
      • findstr.exe (PID: 3840)
    • Adds path to the Windows Defender exclusion list

      • powershell.exe (PID: 836)
    • Creates files in the Startup directory

      • cmd.exe (PID: 5500)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 6524)
      • cmd.exe (PID: 6248)
      • cmd.exe (PID: 6468)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Setup.exe (PID: 5576)
      • more.com (PID: 4748)
      • PeLoadDrv.exe (PID: 7036)
      • cmd.exe (PID: 2872)
      • Bush.pif (PID: 6732)
    • Process drops a legitimate Windows executable

      • WinRAR.exe (PID: 3336)
    • Starts application with an unusual extension

      • Setup.exe (PID: 5576)
      • cmd.exe (PID: 2872)
      • wscript.exe (PID: 6168)
      • wscript.exe (PID: 6936)
      • wscript.exe (PID: 1244)
    • Searches for installed software

      • PeLoadDrv.exe (PID: 7036)
    • The process executes Powershell scripts

      • PeLoadDrv.exe (PID: 7036)
    • Starts POWERSHELL.EXE for command execution

      • PeLoadDrv.exe (PID: 7036)
      • powershell.exe (PID: 836)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 836)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 836)
    • Starts a new process with hidden mode (POWERSHELL)

      • powershell.exe (PID: 836)
    • Executes an application which crashes

      • PeLoadDrv.exe (PID: 7036)
    • Reads security settings of Internet Explorer

      • 3X0NVGTDLHYD72QGW.exe (PID: 5628)
    • Reads the date of Windows installation

      • 3X0NVGTDLHYD72QGW.exe (PID: 5628)
    • Executing commands from ".cmd" file

      • 3X0NVGTDLHYD72QGW.exe (PID: 5628)
    • Starts CMD.EXE for command execution

      • 3X0NVGTDLHYD72QGW.exe (PID: 5628)
      • cmd.exe (PID: 2872)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 2872)
    • Application launched itself

      • powershell.exe (PID: 836)
      • cmd.exe (PID: 2872)
    • Script adds exclusion path to Windows Defender

      • powershell.exe (PID: 836)
    • Gets information on the list of running processes

      • cmd.exe (PID: 2872)
    • Drops a file with a rarely used extension (PIF)

      • cmd.exe (PID: 2872)
      • Bush.pif (PID: 6732)
    • Suspicious file concatenation

      • cmd.exe (PID: 6320)
    • The executable file from the user directory is run by the CMD process

      • Bush.pif (PID: 6732)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 2872)
    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 4208)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6168)
      • wscript.exe (PID: 6936)
      • wscript.exe (PID: 1244)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3336)
    • Checks supported languages

      • Setup.exe (PID: 5576)
      • more.com (PID: 4748)
      • PeLoadDrv.exe (PID: 7036)
      • 3X0NVGTDLHYD72QGW.exe (PID: 5628)
      • Bush.pif (PID: 6732)
      • TextInputHost.exe (PID: 5532)
      • TradeTokenElite.pif (PID: 6220)
      • PLUGScheduler.exe (PID: 4208)
      • TradeTokenElite.pif (PID: 7004)
      • TradeTokenElite.pif (PID: 1360)
    • Manual execution by a user

      • Setup.exe (PID: 5576)
      • cmd.exe (PID: 6524)
      • cmd.exe (PID: 5500)
      • wscript.exe (PID: 6168)
      • cmd.exe (PID: 6248)
      • wscript.exe (PID: 6936)
      • cmd.exe (PID: 6468)
      • wscript.exe (PID: 1244)
    • Creates files or folders in the user directory

      • Setup.exe (PID: 5576)
      • WerFault.exe (PID: 3108)
      • Bush.pif (PID: 6732)
    • Reads the computer name

      • Setup.exe (PID: 5576)
      • more.com (PID: 4748)
      • PeLoadDrv.exe (PID: 7036)
      • 3X0NVGTDLHYD72QGW.exe (PID: 5628)
      • Bush.pif (PID: 6732)
      • PLUGScheduler.exe (PID: 4208)
      • TradeTokenElite.pif (PID: 7004)
      • TradeTokenElite.pif (PID: 6220)
      • TextInputHost.exe (PID: 5532)
    • Creates files in a temporary directory

      • Setup.exe (PID: 5576)
      • more.com (PID: 4748)
      • PeLoadDrv.exe (PID: 7036)
      • 3X0NVGTDLHYD72QGW.exe (PID: 5628)
    • Reads the software policy settings

      • PeLoadDrv.exe (PID: 7036)
      • slui.exe (PID: 7108)
      • WerFault.exe (PID: 3108)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 836)
    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 836)
    • Process checks computer location settings

      • 3X0NVGTDLHYD72QGW.exe (PID: 5628)
    • Checks proxy server information

      • slui.exe (PID: 7108)
      • WerFault.exe (PID: 3108)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 836)
      • powershell.exe (PID: 4388)
    • Reads mouse settings

      • Bush.pif (PID: 6732)
      • TradeTokenElite.pif (PID: 6220)
      • TradeTokenElite.pif (PID: 7004)
      • TradeTokenElite.pif (PID: 1360)
    • Creates files in the program directory

      • Bush.pif (PID: 6732)
      • PLUGScheduler.exe (PID: 4208)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:07:22 18:49:30
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: !#setUp_2040_P@s$w0rd_!!/
All screenshots are available in the full report
Total processes
318
Monitored processes
43
Malicious processes
6
Suspicious processes
4

Behavior graph

Processes shown in the behavior graph, in launch order from the start node ("no specs" marks nodes with no further details recorded; "#HIJACKLOADER" marks the node where the HijackLoader YARA rule matched):

winrar.exe, slui.exe, rundll32.exe (no specs), setup.exe, more.com (#HIJACKLOADER), conhost.exe (no specs), peloaddrv.exe, powershell.exe (no specs), conhost.exe (no specs), 3x0nvgtdlhyd72qgw.exe (no specs), werfault.exe, cmd.exe, conhost.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), tasklist.exe (no specs), findstr.exe (no specs), tasklist.exe (no specs), findstr.exe (no specs), cmd.exe (no specs), findstr.exe (no specs), cmd.exe (no specs), bush.pif, timeout.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), schtasks.exe (no specs), cmd.exe, conhost.exe (no specs), textinputhost.exe (no specs), plugscheduler.exe (no specs), wscript.exe (no specs), tradetokenelite.pif (no specs), cmd.exe (no specs), conhost.exe (no specs), schtasks.exe (no specs), wscript.exe (no specs), tradetokenelite.pif (no specs), cmd.exe (no specs), conhost.exe (no specs), schtasks.exe (no specs), wscript.exe (no specs), tradetokenelite.pif (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
836
CMD:
powershell -exec bypass -f "C:\Users\admin\AppData\Local\Temp\YV3YOLMONVK25RFALZ.ps1"
Path:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process:
PeLoadDrv.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID:
1048
CMD:
tasklist
Path:
C:\Windows\SysWOW64\tasklist.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
1084
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1148
CMD:
tasklist
Path:
C:\Windows\SysWOW64\tasklist.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
1244
CMD:
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\TradeToken Elite Innovations Inc\TradeTokenElite.js"
Path:
C:\Windows\System32\wscript.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1360
CMD:
"C:\Users\admin\AppData\Local\TradeToken Elite Innovations Inc\TradeTokenElite.pif" "C:\Users\admin\AppData\Local\TradeToken Elite Innovations Inc\r"
Path:
C:\Users\admin\AppData\Local\TradeToken Elite Innovations Inc\TradeTokenElite.pif
Parent process:
wscript.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script
Exit code:
0
Version:
3, 3, 14, 4
Modules
Images
c:\users\admin\appdata\local\tradetoken elite innovations inc\tradetokenelite.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\psapi.dll
c:\windows\syswow64\user32.dll
PID:
1836
CMD:
findstr /V "DEUTSCHCOMEDYCONDITIONSMINDS" Clips
Path:
C:\Windows\SysWOW64\findstr.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll
PID:
2348
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
more.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2368
CMD:
cmd /c md 484309
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
2476
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
30 423
Read events
30 348
Write events
72
Delete events
3

Modification events

(PID) Process:
(3336) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:
write
Name:
ShellExtBMP
Value:

(PID) Process:
(3336) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:
write
Name:
ShellExtIcon
Value:

(PID) Process:
(3336) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip

(PID) Process:
(3336) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
0
Value:
C:\Users\admin\AppData\Local\Temp\!#setUp_2040_P@s$w0rd_!!.zip

(PID) Process:
(3336) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
name
Value:
120

(PID) Process:
(3336) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
size
Value:
80

(PID) Process:
(3336) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
type
Value:
120

(PID) Process:
(3336) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
mtime
Value:
100

(PID) Process:
(3336) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:
write
Name:
Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000

(PID) Process:
(3336) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\General
Operation:
write
Name:
LastFolder
Value:
C:\Users\admin\AppData\Local\Temp
Executable files
14
Suspicious files
67
Text files
17
Unknown types
6

Dropped files

PID
Process
Filename
Type
PID: 4748
Process: more.com
Filename: C:\Users\admin\AppData\Local\Temp\titphou
Type:
MD5:
SHA256:

PID: 3336
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3336.25070\!#setUp_2040_P@s$w0rd_!!\plugins\StartupHelper
Type: executable
MD5: 14934CACA84D5FE0288F27EFB31DCBF8
SHA256: 7FA86147035627BAE39576BCBE619D045E94A48C4DB8CA131968C20BB4DE4A36

PID: 3336
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3336.25070\!#setUp_2040_P@s$w0rd_!!\libvlc.dll
Type: executable
MD5: 96214B94B796BFFC48D63289854AE5A2
SHA256: 528C416CFB4813EE5F1DA52743EF4ADB20043171230098B27E25D1DD90E3F288

PID: 3336
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3336.25070\!#setUp_2040_P@s$w0rd_!!\plugins\lang-1049.dll
Type: executable
MD5: 0AC98A4BFC717523E344010A42C2F4BA
SHA256: 68546336232AA2BE277711AFA7C1F08ECD5FCC92CC182F90459F0C61FB39507F

PID: 3336
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3336.25070\!#setUp_2040_P@s$w0rd_!!\libvlccore.dll
Type: executable
MD5: E25413BB41C2F239FFDD3569F76E74B0
SHA256: 9126D9ABF91585456000FFFD9336478E91B9EA07ED2A25806A4E2E0437F96D29

PID: 3336
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3336.25070\!#setUp_2040_P@s$w0rd_!!\cockboat.xml
Type: binary
MD5: F1EEE8B3E3991DC9B33488A34BCA9CDF
SHA256: BD10FC128EEBF9B730E6842D32B6D7FD2432F1A02045C69C202D845BDC8FD1DC

PID: 5576
Process: Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\c812c97f
Type: binary
MD5: ADE91E8299BAEC30CCDCDF565D0C8EC4
SHA256: D9DB4E18A12F6250716BD5B950E601F900E21620CD957C4FE13DBF6CF0D42D3A

PID: 3336
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3336.25070\!#setUp_2040_P@s$w0rd_!!\tak_deco_lib.dll
Type: executable
MD5: 402F61799F2C7C08DED975E09125A247
SHA256: 7D6C1029107DC81D9A96649908C546C55AFB3C9324F93E4271924FF2F8B0DB98

PID: 3336
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3336.25070\!#setUp_2040_P@s$w0rd_!!\plugins\Microsoft.VisualStudio.VsWebProtocol
Type: executable
MD5: 91ACF072FE60B3EF9867FAEC1A7A8CB0
SHA256: 1F49ADC807A564E7C1ECF32F58074A1230A6FE4764E8F54CE7FFA8C2E880DCCA

PID: 3336
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3336.25070\!#setUp_2040_P@s$w0rd_!!\plugins\lang-1058.dll
Type: executable
MD5: 41C75E831A5571C3F72287794391A0E6
SHA256: B3AD99AFDAEE3B9365E7A3FFCC44C2761E22A4F92DFF5E5EFDC52F6B08EA0105
Download PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests
3
TCP/UDP connections
90
DNS requests
45
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3148
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted

5440
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted

5440
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6012
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

4140
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

2.16.110.193:443
Akamai International B.V.
DE
unknown

3952
svchost.exe
239.255.255.250:1900
whitelisted

4.209.32.67:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

4
System
192.168.100.255:138
whitelisted

1992
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

4
System
192.168.100.255:137
whitelisted

5368
SearchApp.exe
2.16.110.193:443
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 216.58.206.46
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
login.live.com
  • 40.126.32.72
  • 20.190.160.14
  • 40.126.32.68
  • 40.126.32.136
  • 20.190.160.20
  • 40.126.32.134
  • 40.126.32.133
  • 40.126.32.140
  • 20.190.160.22
  • 20.190.160.17
whitelisted
client.wns.windows.com
  • 40.113.103.199
  • 40.113.110.67
  • 40.115.3.253
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
fd.api.iris.microsoft.com
  • 20.199.58.43
  • 20.31.169.57
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
slscr.update.microsoft.com
  • 52.165.165.26
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID
Process
Class
Message
Not Suspicious Traffic
INFO [ANY.RUN] Azure Front Door domain observed in TLS SNI ( .azurefd .net)
No debug info