URL: https://duet.nyc3.cdn.digitaloceanspaces.com/Windows/1_8/DuetSetup-1-8-6-7.exe

Full analysis: https://app.any.run/tasks/1b3a1afd-cc68-405a-8263-315ac424267e
Verdict: Malicious activity
Analysis date: March 24, 2020, 09:05:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators (of the submitted task object):
MD5: 74C203DE562D0D4CAC0CBB2FCB60BAD9
SHA1: 2B3D2516DFC1C7A11B2AF4DE82843CCC8922E2C9
SHA256: 73F90E42E8EA49F8830242CB1F0CC5B7AC1753E73E8ADE9814C123254533CB06
SSDEEP: 3:N8IY3JBDRv8AW2oDvKXRnRQQy0dA:2IY3zoDvKBn2QtC

Caveat: an SSDEEP block size of 3 (the minimum) means the hashed input was at most a few hundred bytes long, which is consistent with the hashes covering the submitted URL string rather than the multi-megabyte DuetSetup-1-8-6-7.exe that Internet Explorer downloaded during the run. Do not use them as file indicators for the installer; hash the dropped DuetSetup-1-8-6-7[1].exe from the full report instead.

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • DuetSetup-1-8-6-7.exe (PID: 4036)
      • AppleMobileDeviceService.exe (PID: 3548)
      • powershell.exe (PID: 2424)
      • DrvInst.exe (PID: 3148)
      • powershell.exe (PID: 2412)
    • Changes settings of System certificates

      • DuetSetup-1-8-6-7.exe (PID: 4036)
      • msiexec.exe (PID: 2840)
      • CertUtil.exe (PID: 440)
      • CertUtil.exe (PID: 3296)
      • idConfig.exe (PID: 3212)
    • Changes the autorun value in the registry

      • DuetSetup-1-8-6-7.exe (PID: 4036)
    • Loads the Task Scheduler DLL interface

      • DuetSetup-1-8-6-7.exe (PID: 4036)
      • MsiExec.exe (PID: 3700)
    • Application was dropped or rewritten from another process

      • AppleMobileDeviceService.exe (PID: 3548)
      • DuetUpdater.exe (PID: 3512)
      • MSI9B03.tmp (PID: 3972)
      • MSIC59E.tmp (PID: 2872)
      • CertUtil.exe (PID: 3296)
      • MSIC706.tmp (PID: 1028)
      • idConfig.exe (PID: 3212)
      • CertUtil.exe (PID: 440)
      • ddmgr.exe (PID: 3940)
    • Loads the Task Scheduler COM API

      • MsiExec.exe (PID: 304)
  • SUSPICIOUS

    • Adds / modifies Windows certificates

      • DuetSetup-1-8-6-7.exe (PID: 4036)
      • msiexec.exe (PID: 2840)
    • Creates files in the user directory

      • DuetSetup-1-8-6-7.exe (PID: 4004)
      • DuetSetup-1-8-6-7.exe (PID: 4036)
      • powershell.exe (PID: 2424)
      • powershell.exe (PID: 2412)
    • Reads Environment values

      • DuetSetup-1-8-6-7.exe (PID: 4036)
      • MsiExec.exe (PID: 3700)
      • MsiExec.exe (PID: 3164)
      • MSI9B03.tmp (PID: 3972)
      • MsiExec.exe (PID: 304)
      • MSIC59E.tmp (PID: 2872)
      • MSIC706.tmp (PID: 1028)
    • Executable content was dropped or overwritten

      • DuetSetup-1-8-6-7.exe (PID: 4036)
      • DrvInst.exe (PID: 580)
      • MsiExec.exe (PID: 256)
      • msiexec.exe (PID: 2840)
      • DuetSetup-1-8-6-7.exe (PID: 2940)
      • DrvInst.exe (PID: 2452)
      • DrvInst.exe (PID: 3484)
      • idConfig.exe (PID: 3212)
      • DrvInst.exe (PID: 3148)
      • DrvInst.exe (PID: 2848)
    • Removes files from Windows directory

      • DuetSetup-1-8-6-7.exe (PID: 4036)
      • msiexec.exe (PID: 2840)
      • DrvInst.exe (PID: 2240)
      • DrvInst.exe (PID: 580)
      • CertUtil.exe (PID: 440)
      • CertUtil.exe (PID: 3296)
      • DrvInst.exe (PID: 2452)
      • DrvInst.exe (PID: 3484)
      • DrvInst.exe (PID: 2848)
      • DrvInst.exe (PID: 3148)
    • Starts Microsoft Installer

      • DuetSetup-1-8-6-7.exe (PID: 4036)
    • Creates files in the Windows directory

      • msiexec.exe (PID: 2840)
      • DuetSetup-1-8-6-7.exe (PID: 4036)
      • DrvInst.exe (PID: 2240)
      • DrvInst.exe (PID: 580)
      • CertUtil.exe (PID: 440)
      • CertUtil.exe (PID: 3296)
      • DrvInst.exe (PID: 2452)
      • DrvInst.exe (PID: 3484)
      • DrvInst.exe (PID: 2848)
      • DrvInst.exe (PID: 3148)
      • idConfig.exe (PID: 3212)
    • Executed via COM

      • DrvInst.exe (PID: 2240)
      • DrvInst.exe (PID: 580)
      • DrvInst.exe (PID: 2452)
      • DrvInst.exe (PID: 3484)
      • DrvInst.exe (PID: 3480)
      • DrvInst.exe (PID: 2848)
      • DrvInst.exe (PID: 3148)
      • DrvInst.exe (PID: 2644)
    • Creates files in the driver directory

      • DrvInst.exe (PID: 2240)
      • DrvInst.exe (PID: 580)
      • msiexec.exe (PID: 2840)
      • DrvInst.exe (PID: 2452)
      • DrvInst.exe (PID: 3484)
      • DrvInst.exe (PID: 2848)
      • DrvInst.exe (PID: 3148)
    • Application launched itself

      • DuetSetup-1-8-6-7.exe (PID: 4036)
    • Executed as Windows Service

      • vssvc.exe (PID: 2428)
      • AppleMobileDeviceService.exe (PID: 3548)
      • ddmgr.exe (PID: 3940)
    • Creates COM task schedule object

      • msiexec.exe (PID: 2840)
    • Creates files in the program directory

      • DuetSetup-1-8-6-7.exe (PID: 2940)
    • Starts CMD.EXE for commands execution

      • MsiExec.exe (PID: 304)
    • Starts application with an unusual extension

      • cmd.exe (PID: 2708)
      • DuetSetup-1-8-6-7.exe (PID: 4036)
    • Changes the autorun value in the registry

      • msiexec.exe (PID: 2840)
    • Uses RUNDLL32.EXE to load library

      • DrvInst.exe (PID: 2452)
      • DrvInst.exe (PID: 2848)
    • Executes PowerShell scripts

      • MsiExec.exe (PID: 3700)
    • Reads Internet Cache Settings

      • DuetSetup-1-8-6-7.exe (PID: 4036)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3044)
      • msiexec.exe (PID: 2840)
    • Changes internet zones settings

      • iexplore.exe (PID: 3044)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3044)
      • iexplore.exe (PID: 3600)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3044)
    • Creates files in the user directory

      • iexplore.exe (PID: 3044)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 3700)
      • MsiExec.exe (PID: 3624)
      • MsiExec.exe (PID: 256)
      • MsiExec.exe (PID: 3164)
      • MsiExec.exe (PID: 304)
      • msiexec.exe (PID: 2840)
    • Reads settings of System Certificates

      • MsiExec.exe (PID: 3700)
      • iexplore.exe (PID: 3044)
      • iexplore.exe (PID: 3600)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 2840)
    • Changes settings of System certificates

      • DrvInst.exe (PID: 2240)
      • iexplore.exe (PID: 3044)
    • Adds / modifies Windows certificates

      • DrvInst.exe (PID: 2240)
      • iexplore.exe (PID: 3044)
    • Searches for installed software

      • msiexec.exe (PID: 2840)
      • DrvInst.exe (PID: 2452)
      • DrvInst.exe (PID: 2848)
    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 2428)
    • Dropped object may contain Bitcoin addresses

      • msiexec.exe (PID: 2840)
    • Creates files in the program directory

      • msiexec.exe (PID: 2840)
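The signatures above are driven by a handful of command lines that appear in the process list further down: a copy of CertUtil.exe dropped under Program Files running `-addstore "TrustedPublisher" package.cer`, a .tmp launcher in %TEMP% started with /RunAsAdmin, and msiexec installing an MSI from AppData with /qn. The following PowerShell is an added example, not code from ANY.RUN or from the Duet installer: it encodes those observations as triage rules over process-creation records (Sysmon Event ID 1 or an EDR export). The record field names (PID, Image, CommandLine, ParentImage, IntegrityLevel) are an assumption; the sample records are constructed for the example, with their command lines transcribed from this report.

```powershell
# Added example, not part of the ANY.RUN report: triage rules for process-creation
# telemetry, written against the command lines this report shows. Field names
# (PID, Image, CommandLine, ParentImage, IntegrityLevel) are an assumption; map them
# to whatever your Sysmon/EDR export uses.

function Get-SuspiciousInstallerActivity {
    param([Parameter(Mandatory)] [object[]] $Events)

    $systemDirs = @('c:\windows\system32\', 'c:\windows\syswow64\')
    $toolNames  = @('certutil.exe', 'rundll32.exe', 'msiexec.exe', 'powershell.exe', 'cmd.exe')

    foreach ($e in $Events) {
        $img     = $e.Image.ToLowerInvariant()
        $cmd     = [string]$e.CommandLine
        $name    = [System.IO.Path]::GetFileName($img)
        $reasons = [System.Collections.Generic.List[string]]::new()

        # Rule 1: certutil writing into a machine trust store. This is what produced
        # "Changes settings of System certificates" for PIDs 440 and 3296 in the report.
        if ($name -eq 'certutil.exe' -and $cmd -match '-addstore\s+"?(root|trustedpublisher|ca|authroot)"?') {
            $reasons.Add("certutil adds a certificate to the $($Matches[1]) store")
        }

        # Rule 2: a binary named like a Windows tool running from outside System32/SysWOW64.
        # The report's certutil.exe lives under Program Files and reports version 10.0.14393.0
        # on a Windows 7 (6.1) host, i.e. the installer shipped its own copy.
        $inSystemDir = $false
        foreach ($d in $systemDirs) { if ($img.StartsWith($d)) { $inSystemDir = $true } }
        if ($toolNames -contains $name -and -not $inSystemDir) {
            $reasons.Add("system tool name running from non-system path: $img")
        }

        # Rule 3: a .tmp file in %TEMP% executed with an elevation switch (MSIC706.tmp, PID 1028).
        if ($img -match '\\appdata\\local\\temp\\[^\\]+\.tmp$' -and $cmd -match '/RunAsAdmin') {
            $reasons.Add('.tmp launcher in Temp requesting elevation')
        }

        # Rule 4: silent (/qn) msiexec install of a package stored under the user profile (PID 1832).
        if ($name -eq 'msiexec.exe' -and $cmd -match '/qn' -and $cmd -match '\\appdata\\') {
            $reasons.Add('silent msiexec install of a package under AppData')
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                PID         = $e.PID
                Image       = $e.Image
                Parent      = $e.ParentImage
                Integrity   = $e.IntegrityLevel
                Reasons     = ($reasons -join '; ')
                CommandLine = $cmd
            }
        }
    }
}

# Constructed input: three records transcribed from the Process information section of this
# report, plus one benign control record (chcp.com) that must not be flagged.
$sample = @(
    [pscustomobject]@{ PID = 440;  Image = 'C:\Program Files\Kairos\Duet Display\Duet Pencil\CertUtil.exe'; ParentImage = 'MSI9B03.tmp'; IntegrityLevel = 'HIGH';
        CommandLine = '"C:\Program Files\Kairos\Duet Display\Duet Pencil\CertUtil.exe" -addstore "TrustedPublisher" package.cer' }
    [pscustomobject]@{ PID = 1028; Image = 'C:\Users\admin\AppData\Local\Temp\MSIC706.tmp'; ParentImage = 'DuetSetup-1-8-6-7.exe'; IntegrityLevel = 'HIGH';
        CommandLine = '"C:\Users\admin\AppData\Local\Temp\MSIC706.tmp" /EnforcedRunAsAdmin /RunAsAdmin /HideWindow /dir "C:\Windows\system32\" "C:\Windows\system32\idConfig.exe" i' }
    [pscustomobject]@{ PID = 1832; Image = 'C:\Windows\system32\msiexec.exe'; ParentImage = 'DuetSetup-1-8-6-7.exe'; IntegrityLevel = 'HIGH';
        CommandLine = '"C:\Windows\system32\msiexec.exe" /i "C:\Users\admin\AppData\Roaming\Kairos\Duet Display\prerequisites\AppleMobileDeviceSupport.msi" IAcceptLicense=Yes /qn' }
    [pscustomobject]@{ PID = 1256; Image = 'C:\Windows\system32\chcp.com'; ParentImage = 'cmd.exe'; IntegrityLevel = 'HIGH';
        CommandLine = 'chcp 65001' }
)

Get-SuspiciousInstallerActivity -Events $sample | Format-List
```

Against the sample, PID 440 trips rules 1 and 2, PID 1028 trips rule 3, PID 1832 trips rule 4, and PID 1256 produces nothing. None of these rules is a malware verdict on its own; commercial installers that bundle drivers legitimately do all four, which is exactly why the sandbox reports them as behavioural signatures and leaves the verdict to the analyst.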
No Malware configuration.
Total processes: 90
Monitored processes: 40
Malicious processes: 18
Suspicious processes: 2

Behavior graph

Interactive process-tree graph, available only in the full report. Nodes shown: iexplore.exe (2), duetsetup-1-8-6-7.exe (4), msiexec.exe (9), drvinst.exe (8), applemobiledeviceservice.exe, vssvc.exe, cmd.exe (2), chcp.com, duetupdater.exe, msi9b03.tmp, certutil.exe (2), msic59e.tmp, msic706.tmp, idconfig.exe, rundll32.exe (2), ddmgr.exe, powershell.exe (2).

Process information

PID 256
CMD: C:\Windows\system32\MsiExec.exe -Embedding 769A89A4A7DF99157DA196CEC2F1E5D9 M Global\MSI0000
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID 304
CMD: C:\Windows\system32\MsiExec.exe -Embedding E3D3028352DCDCAA20CF3A12532E3BC7 M Global\MSI0000
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID 440
CMD: "C:\Program Files\Kairos\Duet Display\Duet Pencil\CertUtil.exe" -addstore "TrustedPublisher" package.cer
Path: C:\Program Files\Kairos\Duet Display\Duet Pencil\CertUtil.exe
Parent process: MSI9B03.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: CertUtil.exe
Exit code: 0
Version: 10.0.14393.0 (rs1_release.160715-1616)
Modules (images):
c:\program files\kairos\duet display\duet pencil\certutil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\certcli.dll
c:\windows\system32\atl.dll

PID 580
CMD: DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{6c7d967e-67fb-022e-be1c-9545bf4ee051}\netaapl.inf" "0" "61971c80f" "000004B8" "WinSta0\Default" "00000324" "208" "C:\Program Files\Common Files\Apple\Mobile Device Support\NetDrivers"
Path: C:\Windows\system32\DrvInst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

PID 1028
CMD: "C:\Users\admin\AppData\Local\Temp\MSIC706.tmp" /EnforcedRunAsAdmin /RunAsAdmin /HideWindow /dir "C:\Windows\system32\" "C:\Windows\system32\idConfig.exe" i
Path: C:\Users\admin\AppData\Local\Temp\MSIC706.tmp
Parent process: DuetSetup-1-8-6-7.exe
User: admin
Company: Caphyon LTD
Integrity Level: HIGH
Description: File that launches another file
Exit code: 0
Version: 16.2.0.0
Modules (images):
c:\users\admin\appdata\local\temp\msic706.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID 1256
CMD: chcp 65001
Path: C:\Windows\system32\chcp.com
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Change CodePage Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\chcp.com
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID 1328
CMD: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{57a54088-755e-2cad-f1cd-0f741670ef6b} Global\{6faf07ca-b2da-06be-7e2c-934378643540} C:\Windows\System32\DriverStore\Temp\{646684fd-61ad-2125-4aef-3e7ca62f4e19}\idispext.inf C:\Windows\System32\DriverStore\Temp\{646684fd-61ad-2125-4aef-3e7ca62f4e19}\idispext.cat
Path: C:\Windows\system32\rundll32.exe
Parent process: DrvInst.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll

PID 1832
CMD: "C:\Windows\system32\msiexec.exe" /i "C:\Users\admin\AppData\Roaming\Kairos\Duet Display\prerequisites\AppleMobileDeviceSupport.msi" IAcceptLicense=Yes /qn
Path: C:\Windows\system32\msiexec.exe
Parent process: DuetSetup-1-8-6-7.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID 1860
CMD: C:\Windows\system32\MsiExec.exe -Embedding 0323171746C7380DDDB2895547C1DCA4
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID 2240
CMD: DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{3cc12ff8-6064-3328-7178-4d1028e7285c}\usbaapl.inf" "0" "64270aeef" "000005AC" "WinSta0\Default" "000004B8" "208" "C:\Program Files\Common Files\Apple\Mobile Device Support\Drivers"
Path: C:\Windows\system32\DrvInst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
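PID 440 above is the process behind the "Changes settings of System certificates" signature: CertUtil.exe, run elevated, adds package.cer to the machine TrustedPublisher store so that the driver packages DrvInst installs afterwards (netaapl.inf, usbaapl.inf, idispext.inf) go in without a publisher prompt. Once that entry exists, anything signed by the same key is silently trusted on the host, which is why it deserves a look after the fact. The following PowerShell is an added example, not code from ANY.RUN or the Duet installer, for auditing the machine trust stores on an affected host; it must run elevated on that host, and the path to package.cer is an assumption taken from the working directory of PID 440.

```powershell
# Added example, not part of the ANY.RUN report: list the machine TrustedPublisher and
# Root stores and flag the entries worth questioning after a suspect installer ran.
# Must be run elevated on the host under examination. The .cer path passed at the end
# is an assumption; the report only shows certutil being fed a file named package.cer
# from the Duet Pencil directory.

function Get-TrustStoreChanges {
    param(
        [string[]] $Stores = @('TrustedPublisher', 'Root'),
        [datetime] $Since = (Get-Date).AddDays(-1),
        [string]   $CompareCer   # optional: a .cer file dropped by the installer
    )

    $dropped = $null
    if ($CompareCer -and (Test-Path -LiteralPath $CompareCer)) {
        $dropped = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CompareCer
    }

    foreach ($store in $Stores) {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" | ForEach-Object {
            $c = $_
            # Self-signed entries in TrustedPublisher are the classic "trust my own key"
            # pattern: nothing outside this host vouches for that signer.
            [pscustomobject]@{
                Store          = $store
                Thumbprint     = $c.Thumbprint
                Subject        = $c.Subject
                Issuer         = $c.Issuer
                NotBefore      = $c.NotBefore
                NotAfter       = $c.NotAfter
                SelfSigned     = ($c.Subject -eq $c.Issuer)
                MatchesDropped = ($null -ne $dropped -and $dropped.Thumbprint -eq $c.Thumbprint)
                RecentlyIssued = ($c.NotBefore -ge $Since)
            }
        }
    }
}

# Usage on the affected host; review the output, then remove anything you did not
# deliberately trust (Remove-Item on the Cert: drive needs an elevated session):
Get-TrustStoreChanges -CompareCer 'C:\Program Files\Kairos\Duet Display\Duet Pencil\package.cer' |
    Where-Object { $_.MatchesDropped -or $_.SelfSigned -or $_.RecentlyIssued } |
    Format-Table Store, Thumbprint, Subject, NotBefore, SelfSigned, MatchesDropped -AutoSize
# Get-ChildItem Cert:\LocalMachine\TrustedPublisher\<Thumbprint> | Remove-Item
```

Note that NotBefore is the certificate's issuance date, not the time it was added to the store; for the latter, check the last-write time of the corresponding HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\<Thumbprint> registry key, or the file-system timestamp of the dropped .cer, against the installer's run time.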
Total events: 15 306
Read events: 4 485
Write events: 8 083
Delete events: 2 738

Modification events

PID 3600 iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Content
Operation: write
Name: CachePrefix
Value: (empty)

PID 3600 iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

PID 3600 iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\History
Operation: write
Name: CachePrefix
Value: Visited:

PID 3044 iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateLowDateTime
Value: 2079878302

PID 3044 iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 30802363

PID 3044 iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

PID 3044 iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

PID 3044 iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

PID 3044 iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

PID 3044 iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0
Executable files: 237
Suspicious files: 126
Text files: 934
Unknown types: 71

Dropped files (the Type, MD5 and SHA256 columns are empty in this excerpt)

PID   Process       Filename
3600  iexplore.exe  C:\Users\admin\AppData\Local\Temp\Low\Cab6F5C.tmp
3600  iexplore.exe  C:\Users\admin\AppData\Local\Temp\Low\Tar6F5D.tmp
3600  iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\DuetSetup-1-8-6-7[1].exe
3044  iexplore.exe  C:\Users\admin\AppData\Local\Temp\Cab9108.tmp
3044  iexplore.exe  C:\Users\admin\AppData\Local\Temp\Tar9109.tmp
3044  iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver9149.tmp
3044  iexplore.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Y8CV6E8L.txt
3044  iexplore.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\GINBQJJ3.txt
3600  iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\DuetSetup-1-8-6-7.exe.qcw5v5x.partial
3044  iexplore.exe  C:\Users\admin\AppData\Local\Temp\~DF41B10A153D7EEC64.TMP
HTTP(S) requests: 7
TCP/UDP connections: 15
DNS requests: 7
Threats: 0

HTTP requests

PID   Process       Method  HTTP Code  IP                  CN  Type        Size     Reputation   URL
3044  iexplore.exe  GET     200        93.184.220.29:80    US  der         1.47 Kb  whitelisted  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
3600  iexplore.exe  GET     200        93.184.220.29:80    US  der         471 b    whitelisted  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D
3044  iexplore.exe  GET     200        93.184.220.29:80    US  der         1.47 Kb  whitelisted  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
3044  iexplore.exe  GET     200        93.184.220.29:80    US  der         1.47 Kb  whitelisted  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
1052  svchost.exe   GET     200        93.184.221.240:80   US  compressed  55.7 Kb  whitelisted  http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
3044  iexplore.exe  GET     200        93.184.220.29:80    US  der         1.47 Kb  whitelisted  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
3044  iexplore.exe  GET     200        93.184.220.29:80    US  der         1.47 Kb  whitelisted  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D

Connections

PID   Process       IP                   Domain                                ASN                                                   CN  Reputation
3600  iexplore.exe  205.185.216.42:443   duet.nyc3.cdn.digitaloceanspaces.com  Highwinds Network Group, Inc.                         US  whitelisted
3600  iexplore.exe  93.184.220.29:80     ocsp.digicert.com                     MCI Communications Services, Inc. d/b/a Verizon Business  US  whitelisted
3044  iexplore.exe  152.199.19.161:443   iecvlist.microsoft.com                MCI Communications Services, Inc. d/b/a Verizon Business  US  whitelisted
3044  iexplore.exe  204.79.197.200:443   ieonline.microsoft.com                Microsoft Corporation                                 US  whitelisted
3044  iexplore.exe  93.184.220.29:80     ocsp.digicert.com                     MCI Communications Services, Inc. d/b/a Verizon Business  US  whitelisted
1052  svchost.exe   93.184.221.240:80    www.download.windowsupdate.com        MCI Communications Services, Inc. d/b/a Verizon Business  US  whitelisted

DNS requests

Domain                                IP(s)                            Reputation
duet.nyc3.cdn.digitaloceanspaces.com  205.185.216.42, 205.185.216.10   malicious
ocsp.digicert.com                     93.184.220.29                    whitelisted
iecvlist.microsoft.com                152.199.19.161                   whitelisted
r20swj13mr.microsoft.com              152.199.19.161                   whitelisted
ieonline.microsoft.com                204.79.197.200                   whitelisted
www.download.windowsupdate.com        93.184.221.240                   whitelisted

Threats

No threats detected
Debug output strings

Process                       Message
AppleMobileDeviceService.exe  ASL checking for logging parameters in environment variable "AppleMobileDeviceService.exe.log"
AppleMobileDeviceService.exe  ASL checking for logging parameters in environment variable "asl.log"
MsiExec.exe                   DBGHELP: msi.pdb - file not found
MsiExec.exe                   DBGHELP: ntdll - export symbols
MsiExec.exe                   DBGHELP: C:\Windows\system32\tmp\ResourceCleaner.pdb - file not found
MsiExec.exe                   DBGHELP: Symbol Search Path: .
MsiExec.exe                   DBGHELP: kernel32 - export symbols
MsiExec.exe                   DBGHELP: C:\JobRelease\win\Release\custact\x86\ResourceCleaner.pdb - file not found
MsiExec.exe                   DBGHELP: MSI856F - export symbols
MsiExec.exe                   DBGHELP: SymSrv load failure: symsrv.dll