File name: formulario_agendamiento_citas.msi
Full analysis: https://app.any.run/tasks/243055d5-bd97-40bd-8913-325f7a08c878
Verdict: Malicious activity
Analysis date: January 28, 2026, 19:28:24
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Bygone, Author: Squat Bridle, Keywords: Installer, Comments: This installer database contains the logic and data required to install Bygone., Template: Intel;1033, Revision Number: {3A47B94A-BE36-4B1B-945A-D7A84532A132}, Create Time/Date: Mon Jan 26 15:38:26 2026, Last Saved Time/Date: Mon Jan 26 15:38:26 2026, Number of Pages: 500, Number of Words: 10, Name of Creating Application: WiX Toolset (4.0.0.0), Security: 2
MD5: 7B14BCCC717898DE81F2D7E3BE608BE4
SHA1: 43BEEFEFA68767D68BFF9CC98309729981A6B321
SHA256: 73B42E30D037A3EE1072712CCB8096919CD6EF7CD66682CC23EF92DF3A0F4D1A
SSDEEP: 98304:cCewVxrmRXmGdzTo5ZE3I4CielM3l3/2iHXIg/3HZCEgoKtUiA5gdq0ROpubU+Re:hlZlMc9qX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Co-Neuro.exe (PID: 6544)
      • Co-Neuro.exe (PID: 3276)
      • DefenderManager_v1_0.exe (PID: 7740)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 7204)
    • Executable content was dropped or overwritten

      • Co-Neuro.exe (PID: 6544)
      • Co-Neuro.exe (PID: 3276)
    • Starts itself from another location

      • Co-Neuro.exe (PID: 6544)
    • Process drops legitimate windows executable

      • Co-Neuro.exe (PID: 3276)
    • Starts a Microsoft application from unusual location

      • DefenderManager_v1_0.exe (PID: 7740)
  • INFO

    • Reads the computer name

      • Co-Neuro.exe (PID: 3276)
      • Co-Neuro.exe (PID: 6544)
      • msiexec.exe (PID: 8692)
      • DefenderManager_v1_0.exe (PID: 7740)
    • The sample compiled with english language support

      • Co-Neuro.exe (PID: 6544)
      • msiexec.exe (PID: 8692)
      • msiexec.exe (PID: 7236)
      • Co-Neuro.exe (PID: 3276)
    • Checks supported languages

      • Co-Neuro.exe (PID: 3276)
      • Co-Neuro.exe (PID: 6544)
      • msiexec.exe (PID: 8692)
      • DefenderManager_v1_0.exe (PID: 7740)
    • Creates files in the program directory

      • Co-Neuro.exe (PID: 6544)
    • Manages system restore points

      • SrTasks.exe (PID: 8716)
    • Reads CPU info

      • Co-Neuro.exe (PID: 6544)
      • Co-Neuro.exe (PID: 3276)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 8692)
    • Creates files or folders in the user directory

      • Co-Neuro.exe (PID: 3276)
    • Create files in a temporary directory

      • Co-Neuro.exe (PID: 3276)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: Bygone
Author: Squat Bridle
Keywords: Installer
Comments: This installer database contains the logic and data required to install Bygone.
Template: Intel;1033
RevisionNumber: {3A47B94A-BE36-4B1B-945A-D7A84532A132}
CreateDate: 2026:01:26 15:38:26
ModifyDate: 2026:01:26 15:38:26
Pages: 500
Words: 10
Software: WiX Toolset (4.0.0.0)
Security: Read-only recommended
No data.
All screenshots are available in the full report
Total processes: 163
Monitored processes: 9
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Graph nodes: start, msiexec.exe (no specs), msiexec.exe, vssvc.exe (no specs), srtasks.exe (no specs), conhost.exe (no specs), co-neuro.exe, co-neuro.exe, defendermanager_v1_0.exe (no specs), slui.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1176
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1860
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3276
CMD: C:\ProgramData\scheduler_v2_0\Co-Neuro.exe
Path: C:\ProgramData\scheduler_v2_0\Co-Neuro.exe
Parent process: Co-Neuro.exe
User: admin
Company: decontev
Integrity Level: MEDIUM
Version: 5.8.5.2174
Modules
Images
c:\programdata\scheduler_v2_0\co-neuro.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6544
CMD: "C:\Users\admin\AppData\Local\Pollan\Co-Neuro.exe"
Path: C:\Users\admin\AppData\Local\Pollan\Co-Neuro.exe
Parent process: msiexec.exe
User: admin
Company: decontev
Integrity Level: MEDIUM
Exit code: 0
Version: 5.8.5.2174
Modules
Images
c:\users\admin\appdata\local\pollan\co-neuro.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7204
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7236
CMD: "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\formulario_agendamiento_citas.msi
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 7740
CMD: C:\Users\admin\AppData\Local\Temp\DefenderManager_v1_0.exe
Path: C:\Users\admin\AppData\Local\Temp\DefenderManager_v1_0.exe
Parent process: Co-Neuro.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Format Message traces to text
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\users\admin\appdata\local\temp\863e721.tmp
c:\users\admin\appdata\local\temp\defendermanager_v1_0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 8692
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 8716
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:15
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Windows System Protection background tasks.
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 1 921
Read events: 1 764
Write events: 148
Delete events: 9

Modification events

Process: (8692) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 48000000000000009B5BF8498C90DC01F421000048210000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (8692) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value: 48000000000000009B5BF8498C90DC01F421000048210000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (8692) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value: 48000000000000002493504A8C90DC01F421000048210000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000

Process: (8692) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value: 4800000000000000DAB8764A8C90DC01F42100006C150000E8030000010000000000000000000000483FA44C9A27E547B9A30A5FB4C2D5AD00000000000000000000000000000000

Process: (7204) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Leave)
Value: 4800000000000000052E8C4A8C90DC01241C0000C8210000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (7204) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Leave)
Value: 4800000000000000052E8C4A8C90DC01241C0000AC160000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (8692) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value: 480000000000000002304E4A8C90DC01F421000048210000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (8692) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value: 480000000000000002304E4A8C90DC01F421000048210000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (8692) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 48000000000000008057554A8C90DC01F421000048210000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (8692) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value: 15
Executable files: 10
Suspicious files: 24
Text files: 0
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID 8692 | msiexec.exe | C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
PID 8692 | msiexec.exe | C:\Windows\Installer\1b777e.msi
MD5:
SHA256:
PID 8692 | msiexec.exe | C:\Windows\Installer\1b7780.msi
MD5:
SHA256:
PID 8692 | msiexec.exe | C:\Users\admin\AppData\Local\Pollan\dynsimpleipc.dll | executable
MD5: B50DFE143BF85B9BC1B1CC69DC01B01D
SHA256: 3B29E583402BBBE31AE0149078EB4291C278CC0726C8DE1BE379C991E77AF36B
PID 8692 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary
MD5: 23FB0B7FB4194B93782A272AA0AD5B9B
SHA256: A9500DC574A984AED6D7DEDDAF50C51E87311A2E219FEB1B9431B19A92AA08C9
PID 8692 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{4ca43f48-279a-47e5-b9a3-0a5fb4c2d5ad}_OnDiskSnapshotProp | binary
MD5: 23FB0B7FB4194B93782A272AA0AD5B9B
SHA256: A9500DC574A984AED6D7DEDDAF50C51E87311A2E219FEB1B9431B19A92AA08C9
PID 8692 | msiexec.exe | C:\Windows\Installer\MSI7859.tmp | binary
MD5: 6BBE30C486370FF0839E5628AEEF5CF1
SHA256: 23B694125C6D956CB00289435F4DBEA18FCCF0C4244162E6E225DFE7B1E3C389
PID 8692 | msiexec.exe | C:\Users\admin\AppData\Local\Pollan\Co-Neuro.exe | executable
MD5: EEFBE090564C86A64E752943DD4B7140
SHA256: C80CD99B40D03DD30F68B9AB5BA9AA18D69A81C6F9E87CE32D541AD822165243
PID 8692 | msiexec.exe | C:\Windows\Temp\~DF7805163395D77BEA.TMP | binary
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
PID 8692 | msiexec.exe | C:\Users\admin\AppData\Local\Pollan\Bock.kj | binary
MD5: 4248FD9182155EE59E7BE4B40712B10E
SHA256: E06E5F81A5A87663400464E02924A1DA8B55B220565C92995B7A945BA223B5DB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 28
TCP/UDP connections: 38
DNS requests: 20
Threats: 3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
PID 6768 | MoUsoCoreWorker.exe | GET | 304 | 40.127.240.158:443 | CN: US | Reputation: whitelisted
URL: https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop

PID 7724 | svchost.exe | GET | 304 | 40.127.240.158:443 | CN: US | Reputation: whitelisted
URL: https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2

PID 6768 | MoUsoCoreWorker.exe | GET | 304 | 40.127.240.158:443 | CN: US | Reputation: whitelisted
URL: https://settings-win.data.microsoft.com/settings/v3.0/WaaS/FeatureManagement?IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&CurrentBranch=vb_release&AccountFirstChar=&ActivationChannel=Retail&OEMModel=DELL&FlightRing=Retail&AttrDataVer=186&InstallLanguage=en-US&OSUILocale=en-US&WebExperience=1&FlightingBranchName=&ChassisTypeId=1&OSSkuId=48&App=CDM&InstallDate=1661339444&AppVer=&OSArchitecture=AMD64&DefaultUserRegion=244&TelemetryLevel=1&OSVersion=10.0.19045.4046&DeviceFamily=Windows.Desktop

PID 3132 | SIHClient.exe | GET | 304 | 20.165.94.63:443 | CN: US | Reputation: whitelisted
URL: https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL

PID 3132 | SIHClient.exe | GET | 200 | 20.242.39.171:443 | CN: US | Reputation: whitelisted
URL: https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping

PID 3132 | SIHClient.exe | GET | 200 | 20.165.94.63:443 | CN: US | Reputation: whitelisted
URL: https://slscr.update.microsoft.com/sls/ping

PID 3132 | SIHClient.exe | GET | 304 | 20.165.94.63:443 | CN: US | Reputation: whitelisted
URL: https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL

PID 3412 | svchost.exe | PUT | (no HTTP code) | 4.145.79.80:443 | CN: US | Reputation: unknown
URL: 4.145.79.80:443

PID 7704 | svchost.exe | POST | 403 | 88.221.169.205:443 | CN: US | Type: html | Size: 386 b | Reputation: whitelisted
URL: https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409

PID 7704 | svchost.exe | POST | 403 | 88.221.169.205:443 | CN: US | Type: html | Size: 386 b | Reputation: whitelisted
URL: https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
PID 7724 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
PID 4 | System | 192.168.100.255:137 | Not routed | whitelisted
PID 2608 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
PID 6768 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
(no PID/process listed) | 2.16.241.225:443 | th.bing.com | AKAMAI-ASN1 | NL | whitelisted
(no PID/process listed) | 2.16.241.204:443 | th.bing.com | AKAMAI-ASN1 | NL | whitelisted
PID 4 | System | 192.168.100.255:138 | Not routed | whitelisted
PID 3412 | svchost.exe | 4.145.79.80:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
PID 4280 | svchost.exe | 20.190.160.3:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
PID 4280 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
  • 40.127.240.158
whitelisted
th.bing.com
  • 2.16.241.204
  • 2.16.241.201
  • 2.16.241.207
  • 2.16.241.222
  • 2.16.241.205
  • 2.16.241.206
  • 2.16.241.225
whitelisted
www.bing.com
  • 2.16.241.225
  • 2.16.241.205
  • 2.16.241.204
  • 2.16.241.222
  • 2.16.241.206
  • 2.16.241.201
  • 2.16.241.207
whitelisted
google.com
  • 142.251.141.78
whitelisted
client.wns.windows.com
  • 4.145.79.80
whitelisted
login.live.com
  • 20.190.160.3
  • 20.190.160.2
  • 20.190.160.132
  • 40.126.32.138
  • 40.126.32.76
  • 40.126.32.134
  • 20.190.160.64
  • 20.190.160.14
whitelisted
ocsp.digicert.com
  • 184.30.131.245
  • 172.66.2.5
  • 162.159.142.9
whitelisted
crl.microsoft.com
  • 184.24.77.12
  • 184.24.77.6
  • 184.24.77.38
  • 184.24.77.7
  • 184.24.77.11
  • 184.24.77.10
  • 184.24.77.37
  • 184.24.77.29
whitelisted
go.microsoft.com
  • 88.221.169.205
whitelisted
slscr.update.microsoft.com
  • 20.165.94.63
whitelisted

Threats

PID
Process
Class
Message
Class: Unknown Traffic | Message: ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
Class: A Network Trojan was detected | Message: REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
Class: Malware Command and Control Activity Detected | Message: ET JA3 Hash - Remcos 3.x/4.x TLS Connection
No debug info