File name:

ep_setup.exe

Full analysis: https://app.any.run/tasks/10a83632-0d6b-42b2-b9b2-617bffa3e083
Verdict: Malicious activity
Analysis date: December 31, 2024, 09:24:12
OS: Windows 11 Professional (build: 22000, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

F164888A6FBC646B093F6AF6663F4E63

SHA1:

3C0BB9F9A4AD9B1C521AD9FC30EC03668577C97C

SHA256:

8C5A3597666F418B5C857E68C9A13B7B6D037EA08A988204B572F053450ADD67

SSDEEP:

98304:R/TvjMleJaJ4kJQeSWSeWdzPSkAdsC5pqNP+/YTXjM/cIcSoIov1UXuykZyzZ2Cg:mriEcSB6mCsb5x

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • ep_setup.exe (PID: 5248)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • ep_setup.exe (PID: 252)
      • ep_setup.exe (PID: 5248)
      • StartMenuExperienceHost.exe (PID: 4112)

    • Reads the date of Windows installation

      • ep_setup.exe (PID: 252)
      • ep_setup.exe (PID: 5248)
      • StartMenuExperienceHost.exe (PID: 4112)

    • Application launched itself

      • ep_setup.exe (PID: 252)

    • Reads the Internet Settings

      • ep_setup.exe (PID: 252)
      • ep_setup.exe (PID: 5248)
      • StartMenuExperienceHost.exe (PID: 4112)

    • Uses TASKKILL.EXE to kill process

      • ep_setup.exe (PID: 5248)

    • Starts SC.EXE for service management

      • ep_setup.exe (PID: 5248)

    • Stops a currently running service

      • sc.exe (PID: 6016)

    • The process creates files with name similar to system file names

      • ep_setup.exe (PID: 5248)

    • Executable content was dropped or overwritten

      • ep_setup.exe (PID: 5248)

    • Process drops legitimate windows executable

      • ep_setup.exe (PID: 5248)

    • The process executes via Task Scheduler

      • explorer.exe (PID: 1232)

    • Creates a software uninstall entry

      • ep_setup.exe (PID: 5248)

    • Windows service management via SC.EXE

      • sc.exe (PID: 5360)

    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 6128)
      • regsvr32.exe (PID: 6884)

  • INFO

    • The sample compiled with english language support

      • ep_setup.exe (PID: 252)
      • ep_setup.exe (PID: 5248)

    • Checks supported languages

      • ep_setup.exe (PID: 252)
      • ep_setup.exe (PID: 5248)
      • StartMenuExperienceHost.exe (PID: 4112)
      • SearchHost.exe (PID: 3664)

    • Reads the computer name

      • ep_setup.exe (PID: 252)
      • ep_setup.exe (PID: 5248)
      • StartMenuExperienceHost.exe (PID: 4112)
      • SearchHost.exe (PID: 3664)

    • The process uses the downloaded file

      • ep_setup.exe (PID: 252)
      • ep_setup.exe (PID: 5248)

    • Creates files in the program directory

      • ep_setup.exe (PID: 5248)

    • Reads the Internet Settings

      • explorer.exe (PID: 1232)

    • Reads product name

      • SearchHost.exe (PID: 3664)

    • Checks proxy server information

      • SearchHost.exe (PID: 3664)
      • explorer.exe (PID: 1232)

    • Reads Environment values

      • SearchHost.exe (PID: 3664)

    • Reads the machine GUID from the registry

      • SearchHost.exe (PID: 3664)

    • Sends debugging messages

      • StartMenuExperienceHost.exe (PID: 4112)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 1232)

    • Reads the software policy settings

      • SearchHost.exe (PID: 3664)
      • explorer.exe (PID: 1232)

    • Creates files or folders in the user directory

      • explorer.exe (PID: 1232)
      • SearchHost.exe (PID: 3664)

    • Reads settings of System Certificates

      • explorer.exe (PID: 1232)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:11:02 13:43:18+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 151552
InitializedDataSize: 10995712
UninitializedDataSize: -
EntryPoint: 0x8c18
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 22621.4317.67.1
ProductVersionNumber: 22621.4317.67.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: ExplorerPatcher Developers
FileDescription: ExplorerPatcher Setup Program
FileVersion: 22621.4317.67.1
InternalName: ep_setup.exe
LegalCopyright: (C) 2021-2024 ExplorerPatcher Developers. All rights reserved.
OriginalFileName: ep_setup.exe
ProductName: ExplorerPatcher
ProductVersion: 22621.4317.67.1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
15
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start ep_setup.exe no specs ep_setup.exe taskkill.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs regsvr32.exe no specs regsvr32.exe no specs explorer.exe no specs explorer.exe searchhost.exe startmenuexperiencehost.exe no specs mobsync.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
252"C:\Users\admin\AppData\Local\Temp\ep_setup.exe" C:\Users\admin\AppData\Local\Temp\ep_setup.exeexplorer.exe
User:
admin
Company:
ExplorerPatcher Developers
Integrity Level:
MEDIUM
Description:
ExplorerPatcher Setup Program
Exit code:
0
Version:
22621.4317.67.1
Modules
Images
c:\users\admin\appdata\local\temp\ep_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1232C:\Windows\explorer.exe /NoUACCheckC:\Windows\explorer.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.22000.184 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
2236\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetaskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
2992"C:\Windows\explorer.exe" C:\Windows\explorer.exeep_setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Explorer
Exit code:
2
Version:
10.0.22000.184 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
3324C:\Windows\System32\mobsync.exe -EmbeddingC:\Windows\System32\mobsync.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Sync Center
Exit code:
0
Version:
10.0.22000.653 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mobsync.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
3664"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mcaC:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Version:
421.22500.3595.0
Modules
Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\searchhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\program files\windowsapps\microsoft.vclibs.140.00_14.0.30704.0_x64__8wekyb3d8bbwe\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
4112"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mcaC:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\windows\systemapps\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\startmenuexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\wincorlib.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
4496\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
5248"C:\Users\admin\AppData\Local\Temp\ep_setup.exe" C:\Users\admin\AppData\Local\Temp\ep_setup.exe
ep_setup.exe
User:
admin
Company:
ExplorerPatcher Developers
Integrity Level:
HIGH
Description:
ExplorerPatcher Setup Program
Exit code:
0
Version:
22621.4317.67.1
Modules
Images
c:\users\admin\appdata\local\temp\ep_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
5360"C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EBC:\Windows\System32\sc.exeep_setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1060
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
Total events
39 760
Read events
39 318
Write events
403
Delete events
39

Modification events

(PID) Process:(252) ep_setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(252) ep_setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(252) ep_setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(252) ep_setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(5248) ep_setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(5248) ep_setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(5248) ep_setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(5248) ep_setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(5248) ep_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher
Operation:writeName:UninstallString
Value:
"C:\Program Files\ExplorerPatcher\ep_setup.exe" /uninstall
(PID) Process:(5248) ep_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher
Operation:writeName:DisplayName
Value:
ExplorerPatcher
Executable files
14
Suspicious files
149
Text files
68
Unknown types
1

Dropped files

PID
Process
Filename
Type
5248ep_setup.exeC:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dllexecutable
MD5:8BFCA71ADD96D3DE75173D464792E2B9
SHA256:5AAA6BAB20B7116B32BDDBA1DF216F7476557BB48397E1968A49EDE14E6C377D
5248ep_setup.exeC:\Program Files\ExplorerPatcher\ep_gui.dllexecutable
MD5:81CD6D96F81B1E54AA327A4AF6BCBE85
SHA256:B23BAB1F5DC85C9E10145EEB32214D6CFE02FB5ABCF956A37A3C9DD7E09FEE67
5248ep_setup.exeC:\Program Files\ExplorerPatcher\ep_setup.exeexecutable
MD5:F164888A6FBC646B093F6AF6663F4E63
SHA256:8C5A3597666F418B5C857E68C9A13B7B6D037EA08A988204B572F053450ADD67
5248ep_setup.exeC:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dllexecutable
MD5:E5BB14C2B9AF4D5BF6C38E0759F454DD
SHA256:A4FD75AC8F852EDC8BDB88A705EEEE2C93F6EC51EF9FA0739A11A690A067C66D
5248ep_setup.exeC:\Windows\dxgi.dllexecutable
MD5:047B192A9C703FC5A2C2764DB869FF5C
SHA256:1971C57F88849B4069BE06D3784E0968755C916FA1564A3F8F05610D3B02CDCC
5248ep_setup.exeC:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib.dllexecutable
MD5:B80816EE9FCDB1D9076B73FD929FC96B
SHA256:D63B9FC13C99000CF77D02EE6E5E84C825D02A92D87B728CB601681B5EB21671
5248ep_setup.exeC:\Program Files\ExplorerPatcher\ep_weather_host.dllexecutable
MD5:AAC2857727CFF3CD7B291F9500196F73
SHA256:78ED3E3676D97C337FEF071B522805F4CF742587A40F96AF4AA4D74FEE0AF88A
3664SearchHost.exeC:\Users\admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\ServiceWorkerFiles\6AAEB8D0-9CA2-434C-B459-EC4DE26A0D37\Zrtu2hQ08VU_1.jsbinary
MD5:D2FC976D3F4A29E57CF931A0D55B6809
SHA256:E42813CD44AA69FCC86F098AB6DFAF72EF34C0BC1B687DDA2BF01B8045F07ABF
5248ep_setup.exeC:\Program Files\ExplorerPatcher\WebView2Loader.dllexecutable
MD5:C5F0C46E91F354C58ECEC864614157D7
SHA256:465A7DDFB3A0DA4C3965DAF2AD6AC7548513F42329B58AEBC337311C10EA0A6F
5248ep_setup.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnkbinary
MD5:A4F39AC3C2DEE4094B28255970EEC100
SHA256:DBEB3DFA8970FD6A704594A611DE1079D347EE43BAD2E693A47BFB5118394457
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
65
DNS requests
44
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
200
95.101.54.131:80
http://r11.o.lencr.org/
unknown
whitelisted
POST
200
2.16.202.121:80
http://r10.o.lencr.org/
unknown
whitelisted
6196
MoUsoCoreWorker.exe
GET
200
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7e5846292e7366ea
unknown
whitelisted
POST
200
192.229.221.95:80
http://ocsp.digicert.com/
unknown
whitelisted
1592
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3664
SearchHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1232
explorer.exe
GET
200
104.18.38.233:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEFZnHQTqT5lMbxCBR1nSdZQ%3D
unknown
whitelisted
1232
explorer.exe
GET
200
104.18.38.233:80
http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSr83eyJy3njhjVpn5bEpfc6MXawQQUOuEJhtTPGcKWdnRJdtzgNcZjY5oCEQDzZE5rbgBQI34JRr174fUd
unknown
whitelisted
1232
explorer.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D
unknown
whitelisted
1232
explorer.exe
GET
302
204.79.197.219:80
http://msdl.microsoft.com/download/symbols/StartDocked.pdb/2277997BCA00A0B524B2AD3E27B0AD691/StartDocked.pdb
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
34.149.100.209:443
firefox.settings.services.mozilla.com
GOOGLE
US
whitelisted
4
System
192.168.100.255:137
whitelisted
34.120.208.123:443
incoming.telemetry.mozilla.org
GOOGLE-CLOUD-PLATFORM
US
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
95.101.54.131:80
r11.o.lencr.org
Akamai International B.V.
DE
whitelisted
5552
svchost.exe
239.255.255.250:1900
whitelisted
34.160.144.191:443
content-signature-2.cdn.mozilla.net
GOOGLE
US
whitelisted
2.16.202.121:80
r11.o.lencr.org
Akamai International B.V.
NL
whitelisted
6304
rundll32.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
832
OfficeC2RClient.exe
52.109.32.97:443
MICROSOFT-CORP-MSN-AS-BLOCK
GB
unknown

DNS requests

Domain
IP
Reputation
firefox.settings.services.mozilla.com
  • 34.149.100.209
whitelisted
incoming.telemetry.mozilla.org
  • 34.120.208.123
whitelisted
prod.remote-settings.prod.webservices.mozgcp.net
  • 34.149.100.209
whitelisted
telemetry-incoming.r53-2.services.mozilla.com
  • 34.120.208.123
whitelisted
r11.o.lencr.org
  • 95.101.54.131
  • 2.16.202.121
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
fp2e7a.wpc.phicdn.net
  • 192.229.221.95
  • 2606:2800:233:fa02:67b:9ff6:6107:833
whitelisted
a1887.dscq.akamai.net
  • 95.101.54.131
  • 2.16.202.121
  • 2a02:26f0:480:e::210:f108
  • 2a02:26f0:480:e::210:f10f
whitelisted
content-signature-2.cdn.mozilla.net
  • 34.160.144.191
whitelisted
google.com
  • 142.250.186.78
whitelisted

Threats

PID
Process
Class
Message
1656
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Azure Blob Storage (.blob .core .windows .net)
1296
svchost.exe
Misc activity
ET INFO Microsoft Connection Test
1656
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Azure Blob Storage (.blob .core .windows .net)
1656
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Azure Blob Storage (.blob .core .windows .net)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ep_setup.exe