File name:

Setup.exe

Full analysis: https://app.any.run/tasks/df2cc205-e523-4891-b06f-76b49997da3a
Verdict: Malicious activity
Analysis date: July 26, 2025, 08:43:36
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
anydesk
rmm-tool
auto-startup
arch-exec
arch-scr
pyinstaller
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

72C434AE868156CAD89A3C0446DD1C26

SHA1:

8D05118776719E1ABF5DE865EC4696E852F68DAB

SHA256:

73E75B9542520645FC474CB678297744A064ADC91DBAD2E18146C2CA63951846

SSDEEP:

98304:fC3CpAgJebngUnAGFJ+90pB1/B91QEZkdeHnUxn8MJlIMhpBIMoFqetcFNtImIT2:iKNFzm6aqBy2EabxUyVLkgGS55A/P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • AnyDesk.exe (PID: 5712)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1056)

  • SUSPICIOUS

    • Process drops python dynamic module

      • Setup.exe (PID: 3860)
      • Setup.exe (PID: 5780)

    • Reads the date of Windows installation

      • Setup.exe (PID: 768)

    • Application launched itself

      • Setup.exe (PID: 768)
      • Setup.exe (PID: 5780)
      • AnyDesk.exe (PID: 5712)
      • Setup.exe (PID: 3860)
      • cmd.exe (PID: 3840)
      • cmd.exe (PID: 6732)

    • Process drops legitimate windows executable

      • Setup.exe (PID: 5780)
      • Setup.exe (PID: 3860)

    • Reads security settings of Internet Explorer

      • Setup.exe (PID: 768)

    • The process drops C-runtime libraries

      • Setup.exe (PID: 5780)
      • Setup.exe (PID: 3860)

    • Executable content was dropped or overwritten

      • Setup.exe (PID: 5780)
      • Setup.exe (PID: 3556)
      • AnyDesk.exe (PID: 5712)
      • Setup.exe (PID: 3860)

    • Executing commands from a ".bat" file

      • Setup.exe (PID: 3556)

    • Starts CMD.EXE for commands execution

      • Setup.exe (PID: 3556)
      • cmd.exe (PID: 3840)
      • cmd.exe (PID: 6732)

    • The executable file from the user directory is run by the CMD process

      • AnyDesk.exe (PID: 5712)

    • ANYDESK has been found

      • cmd.exe (PID: 3840)
      • AnyDesk.exe (PID: 5712)
      • AnyDesk.exe (PID: 5712)
      • AnyDesk.exe (PID: 7104)
      • AnyDesk.exe (PID: 6780)
      • AnyDesk.exe (PID: 4044)
      • AnyDesk.exe (PID: 3100)
      • cmd.exe (PID: 6732)
      • cmd.exe (PID: 4540)
      • AnyDesk.exe (PID: 6760)

    • ANYDESK mutex has been found

      • AnyDesk.exe (PID: 6452)
      • AnyDesk.exe (PID: 1324)
      • AnyDesk.exe (PID: 5712)
      • AnyDesk.exe (PID: 4044)
      • AnyDesk.exe (PID: 7104)
      • AnyDesk.exe (PID: 3100)
      • AnyDesk.exe (PID: 2632)
      • AnyDesk.exe (PID: 6780)
      • AnyDesk.exe (PID: 6760)

    • Creates file in the systems drive root

      • AnyDesk.exe (PID: 5712)

    • Creates a software uninstall entry

      • AnyDesk.exe (PID: 5712)
      • AnyDesk.exe (PID: 7104)

    • Executes as Windows Service

      • AnyDesk.exe (PID: 7104)

    • Searches for installed software

      • AnyDesk.exe (PID: 4044)
      • AnyDesk.exe (PID: 6780)
      • AnyDesk.exe (PID: 7104)
      • AnyDesk.exe (PID: 3100)
      • AnyDesk.exe (PID: 6760)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 3840)

    • There is functionality for taking screenshot (YARA)

      • Setup.exe (PID: 5780)
      • Setup.exe (PID: 3556)

  • INFO

    • Reads the computer name

      • Setup.exe (PID: 3860)
      • Setup.exe (PID: 768)
      • Setup.exe (PID: 5780)
      • Setup.exe (PID: 3556)
      • AnyDesk.exe (PID: 6452)
      • AnyDesk.exe (PID: 1324)
      • AnyDesk.exe (PID: 5712)
      • AnyDesk.exe (PID: 7104)
      • AnyDesk.exe (PID: 6780)
      • AnyDesk.exe (PID: 4044)
      • AnyDesk.exe (PID: 2632)
      • AnyDesk.exe (PID: 3100)
      • AnyDesk.exe (PID: 6760)

    • Checks supported languages

      • Setup.exe (PID: 768)
      • Setup.exe (PID: 5780)
      • Setup.exe (PID: 3860)
      • Setup.exe (PID: 3556)
      • AnyDesk.exe (PID: 6452)
      • AnyDesk.exe (PID: 5712)
      • AnyDesk.exe (PID: 1324)
      • AnyDesk.exe (PID: 7104)
      • AnyDesk.exe (PID: 6780)
      • AnyDesk.exe (PID: 4044)
      • AnyDesk.exe (PID: 3100)
      • AnyDesk.exe (PID: 2632)
      • AnyDesk.exe (PID: 6760)

    • Process checks computer location settings

      • Setup.exe (PID: 768)

    • Create files in a temporary directory

      • Setup.exe (PID: 3860)
      • Setup.exe (PID: 5780)
      • Setup.exe (PID: 3556)

    • The sample compiled with english language support

      • Setup.exe (PID: 5780)
      • Setup.exe (PID: 3556)
      • AnyDesk.exe (PID: 5712)
      • Setup.exe (PID: 3860)

    • Creates files or folders in the user directory

      • AnyDesk.exe (PID: 5712)

    • Reads the machine GUID from the registry

      • AnyDesk.exe (PID: 1324)
      • AnyDesk.exe (PID: 7104)
      • AnyDesk.exe (PID: 4044)

    • Checks proxy server information

      • AnyDesk.exe (PID: 6452)
      • AnyDesk.exe (PID: 6780)
      • Setup.exe (PID: 3556)
      • slui.exe (PID: 3396)

    • Creates files in the program directory

      • AnyDesk.exe (PID: 5712)
      • AnyDesk.exe (PID: 7104)

    • Launching a file from the Startup directory

      • AnyDesk.exe (PID: 5712)

    • Manual execution by a user

      • AnyDesk.exe (PID: 6780)
      • cmd.exe (PID: 6732)
      • AnyDesk.exe (PID: 6760)
      • powershell.exe (PID: 1056)

    • PyInstaller has been detected (YARA)

      • Setup.exe (PID: 5780)
      • Setup.exe (PID: 3556)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1056)

    • Reads CPU info

      • AnyDesk.exe (PID: 6760)

    • UPX packer has been detected

      • Setup.exe (PID: 3556)

    • Reads the software policy settings

      • slui.exe (PID: 3396)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:07:26 08:40:12+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 174592
InitializedDataSize: 157184
UninitializedDataSize: -
EntryPoint: 0xd0d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
156
Monitored processes
24
Malicious processes
8
Suspicious processes
4

Behavior graph

Click at the process to see the details
start setup.exe setup.exe no specs setup.exe setup.exe cmd.exe no specs conhost.exe no specs anydesk.exe anydesk.exe anydesk.exe no specs anydesk.exe anydesk.exe no specs cmd.exe no specs anydesk.exe no specs timeout.exe no specs cmd.exe no specs anydesk.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs anydesk.exe no specs anydesk.exe no specs powershell.exe no specs conhost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
188timeout /t 1 /nobreak C:\Windows\System32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
768"C:\Users\admin\Desktop\Setup.exe" C:\Users\admin\Desktop\Setup.exeSetup.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1056"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\set.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
1324"C:\Users\admin\AppData\Local\Temp\tmpei8alrtt\AnyDesk.exe" --local-serviceC:\Users\admin\AppData\Local\Temp\tmpei8alrtt\AnyDesk.exe
AnyDesk.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
HIGH
Description:
AnyDesk
Exit code:
9099
Version:
8.0.8
Modules
Images
c:\users\admin\appdata\local\temp\tmpei8alrtt\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
2120C:\WINDOWS\system32\cmd.exe /S /D /c" echo LOCREMOTEPC "C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
2632"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --set-passwordC:\Program Files (x86)\AnyDesk\AnyDesk.execmd.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Version:
8.0.8
Modules
Images
c:\program files (x86)\anydesk\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\winmm.dll
c:\windows\syswow64\msvcrt.dll
3028\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3100"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --get-idC:\Program Files (x86)\AnyDesk\AnyDesk.execmd.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
HIGH
Description:
AnyDesk
Exit code:
0
Version:
8.0.8
Modules
Images
c:\program files (x86)\anydesk\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
3396C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3556"C:\Users\admin\Desktop\Setup.exe" "C:\Users\admin\Desktop\Setup.exe"C:\Users\admin\Desktop\Setup.exe
Setup.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
10 238
Read events
10 215
Write events
23
Delete events
0

Modification events

(PID) Process:(5712) AnyDesk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation:writeName:DisplayIcon
Value:
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"
(PID) Process:(5712) AnyDesk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation:writeName:DisplayName
Value:
AnyDesk
(PID) Process:(5712) AnyDesk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation:writeName:DisplayVersion
Value:
ad 8.0.8
(PID) Process:(5712) AnyDesk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation:writeName:EstimatedSize
Value:
2048
(PID) Process:(5712) AnyDesk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation:writeName:HelpLink
Value:
https://help.anydesk.com/
(PID) Process:(5712) AnyDesk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation:writeName:InstallLocation
Value:
"C:\Program Files (x86)\AnyDesk"
(PID) Process:(5712) AnyDesk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation:writeName:Publisher
Value:
AnyDesk Software GmbH
(PID) Process:(5712) AnyDesk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation:writeName:UninstallString
Value:
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --uninstall
(PID) Process:(5712) AnyDesk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation:writeName:VersionMajor
Value:
8
(PID) Process:(5712) AnyDesk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
Operation:writeName:VersionMinor
Value:
0
Executable files
44
Suspicious files
11
Text files
14
Unknown types
0

Dropped files

PID
Process
Filename
Type
3860Setup.exeC:\Users\admin\AppData\Local\Temp\_MEI38602\_asyncio.pydexecutable
MD5:407A5F96128B79261AC282BCA6A73E2D
SHA256:A16FB3D1389840C273B7D1738E81A67E3D67B2D76E83CDDADFC9BC88BA045E80
3860Setup.exeC:\Users\admin\AppData\Local\Temp\_MEI38602\_decimal.pydexecutable
MD5:A572AA95D2CE1E31F4CBFCAB8660327B
SHA256:A9C91599D96743A8D80BFFD8D6E50AE0FE9B3B29CD285BDEA8618FAFD4D5241B
3860Setup.exeC:\Users\admin\AppData\Local\Temp\_MEI38602\VCRUNTIME140.dllexecutable
MD5:32DA96115C9D783A0769312C0482A62D
SHA256:8B10C53241726B0ACC9F513157E67FCB01C166FEC69E5E38CA6AADA8F9A3619F
3860Setup.exeC:\Users\admin\AppData\Local\Temp\_MEI38602\_bz2.pydexecutable
MD5:FDB30BA7908353EA3FE2552EB4965F8D
SHA256:5989C853FF7BF5FEDA031A776EB0AA1585F6BF97C43049BE368BE4191CAD8FCD
3860Setup.exeC:\Users\admin\AppData\Local\Temp\_MEI38602\_lzma.pydexecutable
MD5:5A67E09FDDAC7F870FC85D0D1425FAC2
SHA256:D6B43F206910D421BFFCF2FBA39ACB6D1EBE1A66B1E286B0B54345A886ABFCD1
3860Setup.exeC:\Users\admin\AppData\Local\Temp\_MEI38602\_multiprocessing.pydexecutable
MD5:181CBC250909CBC7CBB9A36DDE570F69
SHA256:B51F8808C182CC21DD1C7DCB74B9F31D9602EDAC096BC8C79A99BA412D89D045
3860Setup.exeC:\Users\admin\AppData\Local\Temp\_MEI38602\_ctypes.pydexecutable
MD5:DE0B4AA088EE89BB15F8EB5C9DD20987
SHA256:E0B6B4CFCC59BBB8F84F31F337C74774C895EAC4CF47AD36474022A0C6D2B049
3860Setup.exeC:\Users\admin\AppData\Local\Temp\_MEI38602\certifi\cacert.pemtext
MD5:02570654379A8E42724EA83D72A8DFAA
SHA256:966DDC609C44BFD4A8031E00B5CDCD893D43F7677DEB9BDC203E87DFD7FFF77A
3860Setup.exeC:\Users\admin\AppData\Local\Temp\_MEI38602\base_library.zipcompressed
MD5:D6AE935A335CB46DA66C19B2EF94F06D
SHA256:980A4820A6A6171991DA22564D7C8BFF13D8EDFF76AE0EC9FD70D593B3347F9C
3860Setup.exeC:\Users\admin\AppData\Local\Temp\_MEI38602\_ssl.pydexecutable
MD5:689368FE253E7BD465D35C8B4016AD75
SHA256:7104EBB48FA102E25484AA914BE09853940A50FFC025013C2803163741F38C0B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
29
TCP/UDP connections
84
DNS requests
21
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
23.55.110.193:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.55.110.193:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.55.110.193:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.3.109.244:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.3.109.244:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
23.3.109.244:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
40.126.31.2:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
200
40.126.31.131:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
GET
304
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
POST
200
40.126.31.2:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
16.7 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
23.55.110.193:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.55.110.193:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.55.110.193:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.3.109.244:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1268
svchost.exe
23.3.109.244:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
23.3.109.244:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 23.55.110.193
  • 23.55.110.211
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.3.109.244
  • 95.101.149.131
whitelisted
login.live.com
  • 20.190.160.14
  • 20.190.160.66
  • 20.190.160.2
  • 20.190.160.128
  • 20.190.160.130
  • 20.190.160.67
  • 40.126.32.74
  • 20.190.160.20
whitelisted
boot.net.anydesk.com
  • 195.181.174.173
  • 195.181.174.174
  • 37.59.29.33
  • 141.95.145.210
  • 57.128.101.75
  • 57.128.101.74
whitelisted
relay-1461944f.net.anydesk.com
  • 208.115.231.150
whitelisted
data-center-9b03f-default-rtdb.asia-southeast1.firebasedatabase.app
  • 35.186.236.207
unknown
client.wns.windows.com
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
Misc activity
ET REMOTE_ACCESS Anydesk Relay Domain (net .anydesk .com) in DNS Lookup
2200
svchost.exe
Misc activity
ET REMOTE_ACCESS Anydesk Domain (boot .net .anydesk .com) in DNS Lookup
2200
svchost.exe
Misc activity
ET REMOTE_ACCESS Anydesk Relay Domain (net .anydesk .com) in DNS Lookup
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Setup.exe