File name: reboot_launcher-9.2.69.2.6-windows-setup.exe

Full analysis: https://app.any.run/tasks/7c6e6cb7-8fb3-4fe5-91e3-b74e3eddaac8
Verdict: Malicious activity
Analysis date: October 28, 2024, 22:33:40
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5: D9490DBA5F458BC4FB6A725DA7851080
SHA1: 21577B98AEA4CD9D921750EA7C58712BB38EF488
SHA256: 85D1D9B01F1940D8CCC68F2368E14FDA3F87B302BB3BE59DE201EC77B9A634E1
SSDEEP: 786432:hUaTT9bgiOKfji8dwtD+KsJ7zSoQ9LjD45:hUaTT98KfW6wtDhsJ7z09r+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • reboot_launcher-9.2.69.2.6-windows-setup.tmp (PID: 4376)
    • Changes powershell execution policy (Bypass)

      • reboot_launcher-9.2.69.2.6-windows-setup.tmp (PID: 4376)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2588)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • reboot_launcher-9.2.69.2.6-windows-setup.exe (PID: 6464)
      • reboot_launcher-9.2.69.2.6-windows-setup.exe (PID: 4792)
      • reboot_launcher-9.2.69.2.6-windows-setup.tmp (PID: 4376)
      • VC_redist.x64.exe (PID: 7016)
      • VC_redist.x64.exe (PID: 6228)
      • VC_redist.x64.exe (PID: 3788)
      • VC_redist.x64.exe (PID: 6472)
      • VC_redist.x64.exe (PID: 7068)
    • Reads security settings of Internet Explorer

      • reboot_launcher-9.2.69.2.6-windows-setup.tmp (PID: 4548)
      • ShellExperienceHost.exe (PID: 7052)
      • VC_redist.x64.exe (PID: 3788)
    • Reads the Windows owner or organization settings

      • reboot_launcher-9.2.69.2.6-windows-setup.tmp (PID: 4376)
    • Starts POWERSHELL.EXE for commands execution

      • reboot_launcher-9.2.69.2.6-windows-setup.tmp (PID: 4376)
    • Drops 7-zip archiver for unpacking

      • reboot_launcher-9.2.69.2.6-windows-setup.tmp (PID: 4376)
    • Script adds exclusion path to Windows Defender

      • reboot_launcher-9.2.69.2.6-windows-setup.tmp (PID: 4376)
    • Process drops legitimate windows executable

      • reboot_launcher-9.2.69.2.6-windows-setup.tmp (PID: 4376)
      • VC_redist.x64.exe (PID: 7016)
      • VC_redist.x64.exe (PID: 3788)
      • msiexec.exe (PID: 4568)
      • VC_redist.x64.exe (PID: 6228)
      • VC_redist.x64.exe (PID: 7068)
    • Starts a Microsoft application from unusual location

      • VC_redist.x64.exe (PID: 7016)
      • VC_redist.x64.exe (PID: 3788)
      • VC_redist.x64.exe (PID: 6228)
    • Searches for installed software

      • VC_redist.x64.exe (PID: 3788)
      • dllhost.exe (PID: 2420)
    • Starts itself from another location

      • VC_redist.x64.exe (PID: 3788)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3508)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 4568)
    • Application launched itself

      • VC_redist.x64.exe (PID: 6156)
      • VC_redist.x64.exe (PID: 6472)
  • INFO

    • Checks supported languages

      • reboot_launcher-9.2.69.2.6-windows-setup.exe (PID: 6464)
      • reboot_launcher-9.2.69.2.6-windows-setup.tmp (PID: 4548)
      • reboot_launcher-9.2.69.2.6-windows-setup.exe (PID: 4792)
      • reboot_launcher-9.2.69.2.6-windows-setup.tmp (PID: 4376)
      • ShellExperienceHost.exe (PID: 7052)
      • VC_redist.x64.exe (PID: 7016)
      • VC_redist.x64.exe (PID: 3788)
      • _setup64.tmp (PID: 7144)
      • VC_redist.x64.exe (PID: 6228)
    • Create files in a temporary directory

      • reboot_launcher-9.2.69.2.6-windows-setup.exe (PID: 6464)
      • reboot_launcher-9.2.69.2.6-windows-setup.exe (PID: 4792)
      • reboot_launcher-9.2.69.2.6-windows-setup.tmp (PID: 4376)
      • VC_redist.x64.exe (PID: 3788)
    • Reads the computer name

      • reboot_launcher-9.2.69.2.6-windows-setup.tmp (PID: 4548)
      • reboot_launcher-9.2.69.2.6-windows-setup.tmp (PID: 4376)
      • ShellExperienceHost.exe (PID: 7052)
      • VC_redist.x64.exe (PID: 3788)
      • VC_redist.x64.exe (PID: 6228)
    • Process checks computer location settings

      • reboot_launcher-9.2.69.2.6-windows-setup.tmp (PID: 4548)
      • ShellExperienceHost.exe (PID: 7052)
      • VC_redist.x64.exe (PID: 3788)
    • Reads the machine GUID from the registry

      • ShellExperienceHost.exe (PID: 7052)
    • Creates files in the program directory

      • reboot_launcher-9.2.69.2.6-windows-setup.tmp (PID: 4376)
    • Creates a software uninstall entry

      • reboot_launcher-9.2.69.2.6-windows-setup.tmp (PID: 4376)
    • Sends debugging messages

      • ShellExperienceHost.exe (PID: 7052)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 2588)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2588)
    • The process uses the downloaded file

      • VC_redist.x64.exe (PID: 3788)
    • Manages system restore points

      • SrTasks.exe (PID: 4292)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4568)
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 14:54:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 89600
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Auties00
FileDescription: Reboot Launcher Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: Reboot Launcher
ProductVersion: 9.2.6
No data.
All screenshots are available in the full report
Total processes: 137
Monitored processes: 20
Malicious processes: 6
Suspicious processes: 3

Behavior graph

Process nodes shown in the graph, in order:
  • start
  • reboot_launcher-9.2.69.2.6-windows-setup.exe
  • reboot_launcher-9.2.69.2.6-windows-setup.tmp (no specs)
  • reboot_launcher-9.2.69.2.6-windows-setup.exe
  • reboot_launcher-9.2.69.2.6-windows-setup.tmp
  • shellexperiencehost.exe (no specs)
  • _setup64.tmp (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • vc_redist.x64.exe
  • vc_redist.x64.exe
  • vc_redist.x64.exe
  • SPPSurrogate (no specs)
  • vssvc.exe (no specs)
  • srtasks.exe (no specs)
  • conhost.exe (no specs)
  • msiexec.exe
  • vc_redist.x64.exe (no specs)
  • vc_redist.x64.exe
  • vc_redist.x64.exe

Process information

PID: 1176
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 1396
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2420
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 2588
CMD: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\Reboot Launcher'"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: reboot_launcher-9.2.69.2.6-windows-setup.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 3508
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3788
CMD: "C:\WINDOWS\Temp\{83CACC99-E605-48E3-9491-131AAA531168}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\admin\AppData\Local\Temp\is-B9IDO.tmp\VC_redist.x64.exe" -burn.filehandle.attached=780 -burn.filehandle.self=672 /quiet
Path: C:\Windows\Temp\{83CACC99-E605-48E3-9491-131AAA531168}\.cr\VC_redist.x64.exe
Parent process: VC_redist.x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.40.33810
Exit code:
3010
Version:
14.40.33810.0
Modules
Images
c:\windows\temp\{83cacc99-e605-48e3-9491-131aaa531168}\.cr\vc_redist.x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 4292
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: dllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
1073807364
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 4376
CMD: "C:\Users\admin\AppData\Local\Temp\is-3GAM8.tmp\reboot_launcher-9.2.69.2.6-windows-setup.tmp" /SL5="$1101FA,72039665,832512,C:\Users\admin\Desktop\reboot_launcher-9.2.69.2.6-windows-setup.exe" /SPAWNWND=$402D8 /NOTIFYWND=$403B4
Path: C:\Users\admin\AppData\Local\Temp\is-3GAM8.tmp\reboot_launcher-9.2.69.2.6-windows-setup.tmp
Parent process: reboot_launcher-9.2.69.2.6-windows-setup.exe
User:
admin
Company:
Auties00
Integrity Level:
HIGH
Description:
Setup/Uninstall
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-3gam8.tmp\reboot_launcher-9.2.69.2.6-windows-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 4548
CMD: "C:\Users\admin\AppData\Local\Temp\is-DV14G.tmp\reboot_launcher-9.2.69.2.6-windows-setup.tmp" /SL5="$403B4,72039665,832512,C:\Users\admin\Desktop\reboot_launcher-9.2.69.2.6-windows-setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-DV14G.tmp\reboot_launcher-9.2.69.2.6-windows-setup.tmp
Parent process: reboot_launcher-9.2.69.2.6-windows-setup.exe
User:
admin
Company:
Auties00
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
1073807364
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-dv14g.tmp\reboot_launcher-9.2.69.2.6-windows-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 4568
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Total events: 15 368
Read events: 15 207
Write events: 110
Delete events: 51

Modification events

PID/Process: 7052 ShellExperienceHost.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\yYpHriFUdyS-r81lKl88jPGlZr-M05PzoCQ_A6O0gXA\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\Voices | Operation: write | Name: DefaultTokenId | Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_DavidM
PID/Process: 7052 ShellExperienceHost.exe | Key: \REGISTRY\A\{81358559-e501-9987-b73e-e6cfe92d1628}\LocalState\ClockFlyoutCache | Operation: delete value | Name: 20240722 | Value: (empty)
PID/Process: 7052 ShellExperienceHost.exe | Key: \REGISTRY\A\{81358559-e501-9987-b73e-e6cfe92d1628}\LocalState\ClockFlyoutCache | Operation: delete value | Name: 20240708 | Value: (empty)
PID/Process: 7052 ShellExperienceHost.exe | Key: \REGISTRY\A\{81358559-e501-9987-b73e-e6cfe92d1628}\LocalState\ClockFlyoutCache | Operation: delete value | Name: 20240729 | Value: (empty)
PID/Process: 7052 ShellExperienceHost.exe | Key: \REGISTRY\A\{81358559-e501-9987-b73e-e6cfe92d1628}\LocalState\ClockFlyoutCache | Operation: delete value | Name: 20240702 | Value: (empty)
PID/Process: 7052 ShellExperienceHost.exe | Key: \REGISTRY\A\{81358559-e501-9987-b73e-e6cfe92d1628}\LocalState\ClockFlyoutCache | Operation: delete value | Name: 20240801 | Value: (empty)
PID/Process: 7052 ShellExperienceHost.exe | Key: \REGISTRY\A\{81358559-e501-9987-b73e-e6cfe92d1628}\LocalState\ClockFlyoutCache | Operation: delete value | Name: 20240731 | Value: (empty)
PID/Process: 7052 ShellExperienceHost.exe | Key: \REGISTRY\A\{81358559-e501-9987-b73e-e6cfe92d1628}\LocalState\ClockFlyoutCache | Operation: delete value | Name: 20240727 | Value: (empty)
PID/Process: 7052 ShellExperienceHost.exe | Key: \REGISTRY\A\{81358559-e501-9987-b73e-e6cfe92d1628}\LocalState\ClockFlyoutCache | Operation: delete value | Name: 20240719 | Value: (empty)
PID/Process: 7052 ShellExperienceHost.exe | Key: \REGISTRY\A\{81358559-e501-9987-b73e-e6cfe92d1628}\LocalState\ClockFlyoutCache | Operation: delete value | Name: 20240712 | Value: (empty)
Executable files: 104
Suspicious files: 1 292
Text files: 115
Unknown types: 3

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4792 | reboot_launcher-9.2.69.2.6-windows-setup.exe | C:\Users\admin\AppData\Local\Temp\is-3GAM8.tmp\reboot_launcher-9.2.69.2.6-windows-setup.tmp | executable | E5A314E23A8C97CAC275B6FA062D9085 | 129E0E443ABBF885C668D6D19B1C6F4813F646219E690F8E98EBA5018C3F6E86
4376 | reboot_launcher-9.2.69.2.6-windows-setup.tmp | C:\Program Files\Reboot Launcher\is-0EBCB.tmp | executable | C8A42571255C5EB2F6D559FEBB8CD47F | 9AFBB4A3CD4A9A78392308A80E556DD632C5D3A68247671E60B80ACA882B9211
4376 | reboot_launcher-9.2.69.2.6-windows-setup.tmp | C:\Users\admin\AppData\Local\Temp\is-B9IDO.tmp\_isetup\_setup64.tmp | executable | E4211D6D009757C078A9FAC7FF4F03D4 | 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
6464 | reboot_launcher-9.2.69.2.6-windows-setup.exe | C:\Users\admin\AppData\Local\Temp\is-DV14G.tmp\reboot_launcher-9.2.69.2.6-windows-setup.tmp | executable | E5A314E23A8C97CAC275B6FA062D9085 | 129E0E443ABBF885C668D6D19B1C6F4813F646219E690F8E98EBA5018C3F6E86
4376 | reboot_launcher-9.2.69.2.6-windows-setup.tmp | C:\Program Files\Reboot Launcher\is-PIK46.tmp | executable | 47E3F17607C4E2615AFD58CA2160E52C | D7BC21614C320A003119E22F93774D77CC14777E8F77D2CAFCDFE7E7854AB46C
4376 | reboot_launcher-9.2.69.2.6-windows-setup.tmp | C:\Program Files\Reboot Launcher\app_links_plugin.dll | executable | C8A42571255C5EB2F6D559FEBB8CD47F | 9AFBB4A3CD4A9A78392308A80E556DD632C5D3A68247671E60B80ACA882B9211
4376 | reboot_launcher-9.2.69.2.6-windows-setup.tmp | C:\Program Files\Reboot Launcher\unins000.exe | executable | E3DDF690CE249D7191E1B3E69175A379 | 41FB5D6DE848F289727AD5DEE73FC51F7F3A12C583D989C233DFA66F4C00E873
4376 | reboot_launcher-9.2.69.2.6-windows-setup.tmp | C:\Program Files\Reboot Launcher\bitsdojo_window_windows_plugin.lib | binary | 3FE047CB1341A27707E4AFBAF96AB209 | 873A93083C159A2C61A9B968DF74CA3B79C891ECDFA84E0FF24C7208E5D808A8
4376 | reboot_launcher-9.2.69.2.6-windows-setup.tmp | C:\Program Files\Reboot Launcher\is-2B8EE.tmp | binary | 3FE047CB1341A27707E4AFBAF96AB209 | 873A93083C159A2C61A9B968DF74CA3B79C891ECDFA84E0FF24C7208E5D808A8
4376 | reboot_launcher-9.2.69.2.6-windows-setup.tmp | C:\Program Files\Reboot Launcher\flutter_acrylic_plugin.dll | executable | 47E3F17607C4E2615AFD58CA2160E52C | D7BC21614C320A003119E22F93774D77CC14777E8F77D2CAFCDFE7E7854AB46C
HTTP(S) requests: 9
TCP/UDP connections: 25
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted
- | - | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 1.01 Kb | whitelisted
6944 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted
- | - | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 1.01 Kb | whitelisted
- | - | GET | 200 | 2.19.126.133:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 1.01 Kb | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | DE | binary | 1.05 Kb | whitelisted
6944 | svchost.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 1.01 Kb | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted
- | - | POST | 204 | 104.126.37.145:443 | https://www.bing.com/threshold/xls.aspx | US | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6944 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
  • 2.19.126.133
  • 2.19.126.146
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 20.189.173.1
whitelisted
www.bing.com
  • 104.126.37.144
  • 104.126.37.129
  • 104.126.37.130
  • 104.126.37.137
  • 104.126.37.145
  • 104.126.37.123
  • 104.126.37.131
  • 104.126.37.136
  • 104.126.37.139
whitelisted

Threats

No threats detected
No debug info