File name:

Bloatware CleanUp.exe

Full analysis: https://app.any.run/tasks/06fd079f-5514-49ae-94e4-39062d1feaa0
Verdict: Malicious activity
Analysis date: December 21, 2024, 01:21:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

30BC3A4843995DB743E3CE3F43CB1CD2

SHA1:

DDDFCA415D3A7B0C1E3F44B70D72F38C8D7E47EB

SHA256:

8CA203F91FBDC5FD20F63FC8409CE52785852306DE1922F8C14F5D1CE0C01820

SSDEEP:

3072:i3pox1w8FCoFjKej0u/Dt1XWhlPhoutPFLtVBjnmATFUJgsL:i58u8PFjcurvXUlPhoSPvfTZpwgG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts NET.EXE for service management

      • net.exe (PID: 836)
      • cmd.exe (PID: 6896)
      • net.exe (PID: 6012)

    • Changes image file execution options

      • regedit.exe (PID: 4384)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Bloatware CleanUp.exe (PID: 6412)

    • Starts application with an unusual extension

      • cmd.exe (PID: 6896)
      • cmd.exe (PID: 6472)

    • Starts CMD.EXE for commands execution

      • Bloatware CleanUp.exe (PID: 6412)
      • cmd.exe (PID: 6896)
      • cmd.exe (PID: 6472)

    • Executing commands from a ".bat" file

      • Bloatware CleanUp.exe (PID: 6412)
      • cmd.exe (PID: 6472)

    • Hides command output

      • cmd.exe (PID: 6752)
      • cmd.exe (PID: 7032)
      • cmd.exe (PID: 6916)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6896)

    • Stops a currently running service

      • sc.exe (PID: 4188)
      • sc.exe (PID: 6740)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6896)

    • Executes script without checking the security policy

      • powershell.exe (PID: 5788)
      • powershell.exe (PID: 7072)
      • powershell.exe (PID: 6464)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 6896)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6896)
      • cmd.exe (PID: 6472)

    • Application launched itself

      • cmd.exe (PID: 6896)
      • cmd.exe (PID: 6472)

    • Windows service management via SC.EXE

      • sc.exe (PID: 4544)
      • sc.exe (PID: 2408)
      • sc.exe (PID: 4592)
      • sc.exe (PID: 5096)
      • sc.exe (PID: 6184)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 6896)

  • INFO

    • Create files in a temporary directory

      • Bloatware CleanUp.exe (PID: 6412)

    • The sample compiled with russian language support

      • Bloatware CleanUp.exe (PID: 6412)

    • Reads the computer name

      • Bloatware CleanUp.exe (PID: 6412)
      • msiexec.exe (PID: 4164)

    • Checks supported languages

      • Bloatware CleanUp.exe (PID: 6412)
      • chcp.com (PID: 6644)
      • mode.com (PID: 6664)
      • chcp.com (PID: 6976)
      • mode.com (PID: 6996)
      • msiexec.exe (PID: 4164)
      • mode.com (PID: 7060)
      • mode.com (PID: 1224)

    • Changes the display of characters in the console

      • cmd.exe (PID: 6472)
      • cmd.exe (PID: 6896)

    • The process uses the downloaded file

      • Bloatware CleanUp.exe (PID: 6412)
      • cmd.exe (PID: 6472)

    • Process checks computer location settings

      • Bloatware CleanUp.exe (PID: 6412)

    • Starts MODE.COM to configure console settings

      • mode.com (PID: 6664)
      • mode.com (PID: 6996)
      • mode.com (PID: 7060)
      • mode.com (PID: 1224)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:12:31 00:38:38+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 57344
InitializedDataSize: 176128
UninitializedDataSize: 258048
EntryPoint: 0x4cf60
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Russian
CharacterSet: Unicode
CompanyName: -
FileDescription: -
LegalCopyright: -
LegalTrademarks: -
InternalName: -
ProductName: -
OriginalFileName: -
FileVersion: -
ProductVersion: -
Comments: -
PrivateBuild: -
SpecialBuild: -
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
172
Monitored processes
46
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start bloatware cleanup.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs mode.com no specs reg.exe no specs fltmc.exe no specs cmd.exe conhost.exe no specs chcp.com no specs mode.com no specs reg.exe no specs fltmc.exe no specs mode.com no specs cmd.exe no specs where.exe no specs reg.exe no specs cmd.exe no specs where.exe no specs reg.exe no specs cmd.exe no specs where.exe no specs reg.exe no specs sc.exe no specs taskkill.exe no specs powershell.exe no specs msiexec.exe no specs taskkill.exe no specs powershell.exe no specs powershell.exe no specs taskkill.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs taskkill.exe no specs taskkill.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs sc.exe no specs sc.exe no specs regedit.exe sc.exe no specs mode.com no specs ping.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
836net stop AutodeskDesktopApp C:\Windows\SysWOW64\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1224mode con: cols=55 lines=3C:\Windows\SysWOW64\mode.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
DOS Device MODE Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mode.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
1904C:\WINDOWS\system32\net1 stop AdAppMgrSVC C:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
2408sc config "Autodesk Access Service Host" start= disabled C:\Windows\SysWOW64\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1060
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
4164C:\WINDOWS\system32\msiexec.exe /VC:\Windows\System32\msiexec.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
4188sc stop "AdskLicensingService" C:\Windows\SysWOW64\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1060
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
4384regedit.exe /s C:\Users\admin\AppData\Local\Temp\Bloatware\Bloatware.reg C:\Windows\SysWOW64\regedit.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Editor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
4544sc delete "Autodesk Access Service Host" C:\Windows\SysWOW64\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1060
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
4592sc delete AdAppMgrSVC C:\Windows\SysWOW64\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1060
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5096sc delete AutodeskDesktopApp C:\Windows\SysWOW64\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1060
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
14 272
Read events
14 221
Write events
21
Delete events
30

Modification events

(PID) Process:(6472) cmd.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\WINDOWS\system32\cmd.exe.FriendlyAppName
Value:
Windows Command Processor
(PID) Process:(6472) cmd.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\WINDOWS\system32\cmd.exe.ApplicationCompany
Value:
Microsoft Corporation
(PID) Process:(4384) regedit.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:delete valueName:C:\ProgramData\Autodesk\Genuine Autodesk Service\
Value:
(PID) Process:(4384) regedit.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:delete valueName:C:\ProgramData\Autodesk\Genuine Service\
Value:
(PID) Process:(4384) regedit.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:delete valueName:C:\ProgramData\Autodesk\Genuine Service\locales\
Value:
(PID) Process:(4384) regedit.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:delete valueName:C:\ProgramData\Autodesk\Genuine Service\UPI\
Value:
(PID) Process:(4384) regedit.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:delete valueName:C:\ProgramData\Autodesk\Genuine Service\x64\
Value:
(PID) Process:(4384) regedit.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:delete valueName:C:\ProgramData\Autodesk\Genuine Service\default_NC\SE\
Value:
(PID) Process:(4384) regedit.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:delete valueName:C:\ProgramData\Autodesk\Genuine Service\default_NC\
Value:
(PID) Process:(4384) regedit.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:delete valueName:C:\ProgramData\Autodesk\Genuine Service\default_NC\RU\
Value:
Executable files
0
Suspicious files
2
Text files
9
Unknown types
0

Dropped files

PID
Process
Filename
Type
5788powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yo11ihhv.vog.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5788powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCachebinary
MD5:8E7D26D71A1CAF822C338431F0651251
SHA256:495E7C4588626236C39124CCE568968E874BEDA950319BA391665B43DE111084
7072powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ooynswsy.mzn.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7072powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_s5g24sej.tbs.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5788powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:30C37204606E5DC511D534254150B1BA
SHA256:6D1DC4BA174A5A6D196791F28E6C7CC0408C7C0DAFD94396378C525B48DBA60C
6412Bloatware CleanUp.exeC:\Users\admin\AppData\Local\Temp\Bloatware\Bloatware.battext
MD5:277077C220E9A625D79EB0661B933A9C
SHA256:FC239F9C3F47F97C85EFDF7730161221C5487F833F5C4A4FCC04A768141749AD
5788powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4mvwktsu.xnp.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6412Bloatware CleanUp.exeC:\Users\admin\AppData\Local\Temp\Bloatware\Bloatware.regtext
MD5:697FA22F59C6C24CA9BA1FEEEF158D6B
SHA256:1EF616893165155B17B649277F7661B4A86909905F49ED6D318D4DF27EEDA68E
6412Bloatware CleanUp.exeC:\Users\admin\AppData\Local\Temp\Bloatware\Revert.regtext
MD5:72BDC09123165856D2ED4AD9DF667608
SHA256:64FF0B75F8EBDEE88BE800D0B4DF097EB15C0C11902E903D6BB5650DF76AB667
6464powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dwzek2co.bvg.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
41
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
628
WmiPrvSE.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
628
WmiPrvSE.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
whitelisted
628
WmiPrvSE.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
628
WmiPrvSE.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D
unknown
whitelisted
628
WmiPrvSE.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAkQWITrlZ07yLmU%2BRintu4%3D
unknown
whitelisted
628
WmiPrvSE.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl
unknown
whitelisted
628
WmiPrvSE.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
unknown
whitelisted
628
WmiPrvSE.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1380
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
104.126.37.145:443
www.bing.com
Akamai International B.V.
DE
unknown
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
unknown
4
System
192.168.100.255:138
whitelisted
1176
svchost.exe
20.190.159.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
  • 2.16.164.49
  • 2.16.164.51
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
google.com
  • 216.58.206.78
whitelisted
www.bing.com
  • 104.126.37.145
  • 104.126.37.123
  • 104.126.37.128
  • 104.126.37.130
  • 104.126.37.139
  • 104.126.37.163
  • 104.126.37.131
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.73
  • 40.126.31.71
  • 20.190.159.23
  • 20.190.159.71
  • 20.190.159.2
  • 20.190.159.68
  • 20.190.159.75
  • 20.190.159.4
whitelisted
go.microsoft.com
  • 184.30.17.189
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
fd.api.iris.microsoft.com
  • 20.31.169.57
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Bloatware CleanUp.exe