File name:

Inst_D1_6_v1702.exe

Full analysis: https://app.any.run/tasks/25a658ab-c107-48fc-b4e6-58e7726c7fa7
Verdict: Malicious activity
Analysis date: February 11, 2025, 08:34:03
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

DE8D7110E5C532F6657493F47603CB54

SHA1:

F47851FD5CAD050D1BBAFB0A5087DFCF4DC1585E

SHA256:

8D07D3B25566B6B9F80CE735B93C52EE031A54C73F54DDC3D2629C9DD4BEB530

SSDEEP:

98304:1ed0fakKCF5Tf+S+PIC3RkSh04DNIyAjxL536l90fn/F5eZnrTQjAkuzTPhu2lB4:N8LE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Inst_D1_6_v1702.exe (PID: 5592)
      • Inst_D1_6_v1702.exe (PID: 5880)
      • DEKL1.exe (PID: 3960)
      • DEKL1.exe (PID: 5856)
      • DEKL1.exe (PID: 6284)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Inst_D1_6_v1702.exe (PID: 5880)
      • Inst_D1_6_v1702.exe (PID: 5592)
    • Starts itself from another location

      • Inst_D1_6_v1702.exe (PID: 5880)
    • There is functionality for taking screenshot (YARA)

      • Inst_D1_6_v1702.exe (PID: 5880)
      • Inst_D1_6_v1702.exe (PID: 5592)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 4204)
    • Uses RUNDLL32.EXE to load library

      • explorer.exe (PID: 7056)
    • Executes application which crashes

      • DEKL1.exe (PID: 3960)
      • DEKL1.exe (PID: 5856)
  • INFO

    • Checks supported languages

      • Inst_D1_6_v1702.exe (PID: 5880)
      • Inst_D1_6_v1702.exe (PID: 5592)
      • SearchApp.exe (PID: 5064)
      • msiexec.exe (PID: 4204)
      • DEKL1.exe (PID: 3960)
      • DEKL1.exe (PID: 5856)
    • Reads the computer name

      • Inst_D1_6_v1702.exe (PID: 5880)
      • Inst_D1_6_v1702.exe (PID: 5592)
      • msiexec.exe (PID: 4204)
      • DEKL1.exe (PID: 3960)
      • DEKL1.exe (PID: 5856)
    • The sample compiled with english language support

      • Inst_D1_6_v1702.exe (PID: 5880)
      • msiexec.exe (PID: 4204)
    • Create files in a temporary directory

      • Inst_D1_6_v1702.exe (PID: 5880)
      • Inst_D1_6_v1702.exe (PID: 5592)
    • Reads the machine GUID from the registry

      • SearchApp.exe (PID: 5064)
    • Process checks computer location settings

      • SearchApp.exe (PID: 5064)
    • Reads the software policy settings

      • SearchApp.exe (PID: 5064)
      • WerFault.exe (PID: 6796)
      • dllhost.exe (PID: 5240)
      • WerFault.exe (PID: 2408)
    • The sample compiled with bulgarian language support

      • msiexec.exe (PID: 4204)
    • Manual execution by a user

      • DEKL1.exe (PID: 3960)
      • DEKL1.exe (PID: 6284)
      • DEKL1.exe (PID: 5856)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 4204)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 7056)
      • dllhost.exe (PID: 5240)
    • Checks transactions between databases Windows and Oracle

      • rundll32.exe (PID: 6308)
      • rundll32.exe (PID: 6032)
    • Checks proxy server information

      • WerFault.exe (PID: 6796)
      • WerFault.exe (PID: 2408)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6796)
      • WerFault.exe (PID: 2408)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4204)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:09:20 13:06:54+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 476672
InitializedDataSize: 617984
UninitializedDataSize: -
EntryPoint: 0x4523a
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 17.2.0.0
ProductVersionNumber: 17.2.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: НАП (NAP, the Bulgarian National Revenue Agency)
FileDescription: Setup Launcher Unicode
FileVersion: 17.02
InternalName: Setup
LegalCopyright: Copyright (c) 2018 Flexera. All Rights Reserved.
OriginalFileName: InstallShield Setup.exe
ProductName: Декларация Обр.1 и 6 (Bulgarian: "Declaration, Forms 1 and 6")
ProductVersion: 17.02
InternalBuildNumber: 185990
ISInternalVersion: 24.0.573
ISInternalDescription: Setup Launcher Unicode
No data.
All screenshots are available in the full report
Total processes
159
Monitored processes
20
Malicious processes
2
Suspicious processes
4

Behavior graph

Process nodes in the graph, in the order shown ("no specs" marks a node with no signatures attached):
start, inst_d1_6_v1702.exe, inst_d1_6_v1702.exe, msiexec.exe (no specs), msiexec.exe, explorer.exe (no specs), COpenControlPanel (no specs), rundll32.exe (no specs), COpenControlPanel (no specs), rundll32.exe (no specs), %systemroot%\system32\intl.cpl (no specs), dekl1.exe, explorer.exe (no specs), werfault.exe, rundll32.exe (no specs), %systemroot%\system32\intl.cpl (no specs), rundll32.exe (no specs), dekl1.exe (no specs), dekl1.exe, werfault.exe, searchapp.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
940
CMD:
C:\WINDOWS\system32\explorer.exe
Path:
C:\Windows\SysWOW64\explorer.exe
Parent process:
Inst_D1_6_v1702.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcp_win.dll
PID:
2408
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5856 -s 652
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
DEKL1.exe
Note: -p 5856 names the crashed process, the DEKL1.exe instance (PID 5856) listed under "Executes application which crashes".
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
3732
CMD:
"C:\WINDOWS\system32\MSIEXEC.EXE" /i "C:\Users\admin\AppData\Local\Temp\{64EADA0C-25D4-4901-9F7A-DA935BC51EC7}\Декларация Обр.1 и 6.msi" SETUPEXEDIR="C:\Users\admin\AppData\Local\Temp" SETUPEXENAME="Inst_D1_6_v1702.exe"
Path:
C:\Windows\SysWOW64\msiexec.exe
Parent process:
Inst_D1_6_v1702.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
3960
CMD:
"C:\Program Files (x86)\НАП\Декларации\Обр1_6\DEKL1.exe"
Path:
C:\Program Files (x86)\НАП\Декларации\Обр1_6\DEKL1.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
DEKL1 MFC Application
Exit code:
3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION: the process crashed, which is why WerFault.exe was started for it)
Version:
17, 0, 2, 0
Modules
Images
c:\program files (x86)\нап\декларации\обр1_6\dekl1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
3988
CMD:
C:\WINDOWS\system32\DllHost.exe /Processid:{514B5E31-5596-422F-BE58-D804464683B5}
Path:
C:\Windows\System32\dllhost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID:
4204
CMD:
C:\WINDOWS\system32\msiexec.exe /V
Path:
C:\Windows\System32\msiexec.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
5064
CMD:
"C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Path:
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Search application
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
5240
CMD:
C:\WINDOWS\system32\DllHost.exe /Processid:{514B5E31-5596-422F-BE58-D804464683B5}
Path:
C:\Windows\System32\dllhost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID:
5588
CMD:
"C:\WINDOWS\System32\rundll32.exe" werconcpl.dll, LaunchErcApp -queuereporting
Path:
C:\Windows\System32\rundll32.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID:
5592
CMD:
C:\Users\admin\AppData\Local\Temp\{64EADA0C-25D4-4901-9F7A-DA935BC51EC7}\Inst_D1_6_v1702.exe /q"C:\Users\admin\AppData\Local\Temp\Inst_D1_6_v1702.exe" /tempdisk1folder"C:\Users\admin\AppData\Local\Temp\{64EADA0C-25D4-4901-9F7A-DA935BC51EC7}" /IS_temp
Path:
C:\Users\admin\AppData\Local\Temp\{64EADA0C-25D4-4901-9F7A-DA935BC51EC7}\Inst_D1_6_v1702.exe
Parent process:
Inst_D1_6_v1702.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\{64eada0c-25d4-4901-9f7a-da935bc51ec7}\inst_d1_6_v1702.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
36 099
Read events
34 909
Write events
1 093
Delete events
97

Modification events

(PID) Process: (5064) SearchApp.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\A1hdl50UVDh2ZbG324Nx-6fZgntcGnHOs5kHLdmaJYE\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\Recognizers
Operation: write
Name: DefaultTokenId
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN

(PID) Process: (5064) SearchApp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Flighting
Operation: delete value
Name: CachedFeatureString
Value: (empty)

(PID) Process: (5064) SearchApp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
Operation: write
Name: IsMSACloudSearchEnabled
Value: 0

(PID) Process: (5064) SearchApp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
Operation: write
Name: IsAADCloudSearchEnabled
Value: 0

(PID) Process: (5064) SearchApp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
Operation: write
Name: CortanaStateLastRun
Value: 850BAB6700000000

(PID) Process: (5064) SearchApp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
Operation: write
Name: SafeSearchMode
Value: 1

(PID) Process: (5064) SearchApp.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com
Operation: write
Name: Total
Value: 51223

(PID) Process: (5064) SearchApp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Flighting
Operation: write
Name: CachedFeatureString
Value: (empty)

(PID) Process: (5064) SearchApp.exe
Key: \REGISTRY\A\{ee080948-b2ea-145a-6870-f9164b908eb9}\LocalState
Operation: write
Name: BINGIDENTITY_PROP_USEREMAIL
Value: 00002EB4A4BA5F7CDB01

(PID) Process: (5064) SearchApp.exe
Key: \REGISTRY\A\{ee080948-b2ea-145a-6870-f9164b908eb9}\LocalState
Operation: write
Name: BINGIDENTITY_PROP_ACCOUNTTYPETEXT
Value: 00002EB4A4BA5F7CDB01
Executable files
13
Suspicious files
93
Text files
223
Unknown types
0

Dropped files

Columns: PID, Process, Filename, Type

PID: 5592  Process: Inst_D1_6_v1702.exe  Type: text
Filename: C:\Users\admin\AppData\Local\Temp\{64EADA0C-25D4-4901-9F7A-DA935BC51EC7}\Setup.INI
MD5:D07E0EB617F730CF7C40A00F12D41A6C
SHA256:ADCBB0B34754ACDFFC5D77CFBA72A6B115D3CB588000203AE565B093AC2A683B

PID: 5064  Process: SearchApp.exe  Type: binary
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\0SrfjVbd4BJYe5wzcCR3l-BPV6c[1].js
MD5:93C8EEB694177EFB7AFE347F5C67A9F9
SHA256:736C9B4487EDDD28E6D8695DF77EBC8BA760F3BA0709E9CA7C151856E76D4FBB

PID: 5592  Process: Inst_D1_6_v1702.exe  Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\{64EADA0C-25D4-4901-9F7A-DA935BC51EC7}\Декларация Обр.1 и 6.msi
MD5:4A1015847F36C05F643CB3D6363CF22F
SHA256:792D11496BA6C48D7A38AAB5D028136ED164CEDE61FE6FC51AFC4B20C072F4C9

PID: 5064  Process: SearchApp.exe  Type: binary
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D
MD5:7FA323D209EF732804F7C0AC58DF327B
SHA256:4EB11498828933ABF5CDD2098ADDCAA5F41249DC7C9CDC241D0FF173FE1B0ED7

PID: 5880  Process: Inst_D1_6_v1702.exe  Type: text
Filename: C:\Users\admin\AppData\Local\Temp\~648A.tmp
MD5:D07E0EB617F730CF7C40A00F12D41A6C
SHA256:ADCBB0B34754ACDFFC5D77CFBA72A6B115D3CB588000203AE565B093AC2A683B

PID: 5064  Process: SearchApp.exe  Type: binary
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
MD5:AF4D21502DEDDFB1B3F5A99078B542A7
SHA256:CB69ADC55BCC991C9726EB58C6AC70F305DCFD4F04C34F94A3EAC3A1E46C93C5

PID: 5064  Process: SearchApp.exe  Type: text
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZWUI0EBX\www.bing[1].xml
MD5:38933441DD01BBC7561215029695F858
SHA256:E9754EC97E81BD5887644F6F5B3CCD66428A2CD1E30A67DBDBC7A3603FDE9733

PID: 5592  Process: Inst_D1_6_v1702.exe  Type: text
Filename: C:\Users\admin\AppData\Local\Temp\~6584.tmp
MD5:D07E0EB617F730CF7C40A00F12D41A6C
SHA256:ADCBB0B34754ACDFFC5D77CFBA72A6B115D3CB588000203AE565B093AC2A683B

PID: 5880  Process: Inst_D1_6_v1702.exe  Type: text
Filename: C:\Users\admin\AppData\Local\Temp\{64EADA0C-25D4-4901-9F7A-DA935BC51EC7}\_ISMSIDEL.INI
MD5:B3145D1F24BB88AA62D17F704C38188F
SHA256:2035C2BF5F1423E8BBC03AE989E2F3745E16E2CEE4088C662BD2B195185E50AD

PID: 5064  Process: SearchApp.exe  Type: html
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\Init[1].htm
MD5:3A6C32381D8E3421C0C885006FF87995
SHA256:E2793951FD3033BA9D0E05CA5C53E675AB9F83EE2DAB9373710905C85478391F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
54
DNS requests
27
Threats
0

HTTP requests

Columns: PID, Process, Method, HTTP code, IP, URL, CN, Reputation (the Type and Size columns are empty in this extract)

PID/Process: (not shown)  GET 200  23.48.23.147:80  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  CN: unknown  Reputation: whitelisted
PID/Process: (not shown)  GET 200  23.35.229.160:80  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl  CN: unknown  Reputation: whitelisted
PID: 1356  Process: svchost.exe  GET 200  23.48.23.147:80  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  CN: unknown  Reputation: whitelisted
PID: 4712  Process: MoUsoCoreWorker.exe  GET 200  23.48.23.147:80  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  CN: unknown  Reputation: whitelisted
PID: 5064  Process: SearchApp.exe  GET 200  184.30.131.245:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D  CN: unknown  Reputation: whitelisted
PID: 5064  Process: SearchApp.exe  GET 200  184.30.131.245:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D  CN: unknown  Reputation: whitelisted
PID: 1176  Process: svchost.exe  GET 200  184.30.131.245:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D  CN: unknown  Reputation: whitelisted
PID: 6100  Process: SystemSettings.exe  GET 200  184.30.131.245:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D  CN: unknown  Reputation: whitelisted
PID: 6100  Process: SystemSettings.exe  GET 200  184.30.131.245:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D  CN: unknown  Reputation: whitelisted
PID: 5064  Process: SearchApp.exe  GET 200  184.30.131.245:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D  CN: unknown  Reputation: whitelisted
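Added example (not ANY.RUN tooling): the OCSP URLs above are base64 DER OCSPRequest structures (RFC 6960) carried in the GET path, so they tell you which certificate each process was validating without the PCAP. This is a minimal DER walker that pulls the hash algorithm, issuer name hash, issuer key hash and certificate serial out of three of the requests listed in the report; the URLs are copied from the table, everything else is the example's own code.

```python
"""Decode OCSP GET request URLs into the CertID fields they carry (RFC 6960 section A.1)."""
import base64
from urllib.parse import unquote, urlparse

# (requesting process as shown in the report, URL copied from the HTTP requests table)
OCSP_URLS = [
    ("SearchApp.exe (5064)", "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D"),
    ("SearchApp.exe (5064)", "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D"),
    ("svchost.exe (1176)", "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D"),
]

HASH_OIDS = {
    bytes.fromhex("2b0e03021a"): "sha1",            # 1.3.14.3.2.26
    bytes.fromhex("608648016503040201"): "sha256",  # 2.16.840.1.101.3.4.2.1
}


def der_tlv(buf: bytes, pos: int):
    """Read one DER element at pos; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: 0x8n followed by n length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end


def der_children(content: bytes):
    """Split the content of a constructed element into its (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = der_tlv(content, pos)
        out.append((tag, value))
    return out


def parse_ocsp_get(url: str):
    """Return one dict per CertID found in an OCSP GET request URL."""
    der = base64.b64decode(unquote(urlparse(url).path.lstrip("/")), validate=True)
    tag, ocsp_request, _ = der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("OCSPRequest must be a SEQUENCE")
    _, tbs = der_children(ocsp_request)[0]          # tbsRequest; optionalSignature is absent
    # tbsRequest: [0] version and [1] requestorName are optional context tags (A0/A1);
    # requestList is the SEQUENCE.
    request_list = next(v for t, v in der_children(tbs) if t == 0x30)
    cert_ids = []
    for _, request in der_children(request_list):
        _, cert_id = der_children(request)[0]        # reqCert; singleRequestExtensions ignored
        alg, name_hash, key_hash, serial = der_children(cert_id)
        oid = der_children(alg[1])[0][1]
        cert_ids.append({
            "hash_alg": HASH_OIDS.get(oid, "oid:" + oid.hex()),
            "issuer_name_hash": name_hash[1].hex(),
            "issuer_key_hash": key_hash[1].hex(),
            "serial": serial[1].hex(),   # raw INTEGER content; a leading 00 is DER sign padding
        })
    return cert_ids


if __name__ == "__main__":
    for process, url in OCSP_URLS:
        for cert_id in parse_ocsp_get(url):
            print(process, cert_id)
```

The issuer key hash is the SHA-1 of the issuer's public key, which for most CA certificates equals their SubjectKeyIdentifier, so the values this prints can be matched against candidate issuer certificates to see which chain each process walked; the serial identifies the exact leaf. The two SearchApp.exe requests carry different issuer hashes, so they concern certificates from two different issuing CAs.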

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation (fields absent from a row are not shown in this extract)

PID: 5064  Process: SearchApp.exe  IP: 92.123.104.22:443  ASN: Akamai International B.V.  CN: DE  Reputation: unknown
PID: 4  Process: System  IP: 192.168.100.255:138  Reputation: whitelisted
PID/Process: (not shown)  IP: 51.124.78.146:443  ASN: MICROSOFT-CORP-MSN-AS-BLOCK  CN: NL  Reputation: whitelisted
PID/Process: (not shown)  IP: 23.48.23.147:80  Domain: crl.microsoft.com  ASN: Akamai International B.V.  CN: DE  Reputation: whitelisted
PID/Process: (not shown)  IP: 23.35.229.160:80  Domain: www.microsoft.com  ASN: AKAMAI-AS  CN: DE  Reputation: whitelisted
PID: 1356  Process: svchost.exe  IP: 23.48.23.147:80  Domain: crl.microsoft.com  ASN: Akamai International B.V.  CN: DE  Reputation: whitelisted
PID: 4712  Process: MoUsoCoreWorker.exe  IP: 23.48.23.147:80  Domain: crl.microsoft.com  ASN: Akamai International B.V.  CN: DE  Reputation: whitelisted
PID: 5064  Process: SearchApp.exe  IP: 92.123.104.24:443  ASN: Akamai International B.V.  CN: DE  Reputation: unknown
PID: 5064  Process: SearchApp.exe  IP: 184.30.131.245:80  Domain: ocsp.digicert.com  ASN: AKAMAI-AS  CN: US  Reputation: whitelisted
PID: 5064  Process: SearchApp.exe  IP: 204.79.197.222:443  Domain: fp.msedge.net  ASN: MICROSOFT-CORP-MSN-AS-BLOCK  CN: US  Reputation: whitelisted

DNS requests

Domain
IP
Reputation
www.microsoft.com
  • 23.35.229.160
  • 2.23.246.101
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
fp.msedge.net
  • 204.79.197.222
whitelisted
www.bing.com
  • 2.19.122.26
  • 2.19.122.25
  • 2.19.122.30
  • 2.19.122.20
  • 2.19.122.21
  • 2.19.122.19
  • 2.19.122.27
  • 2.19.122.29
  • 2.19.122.28
whitelisted
cxcs.microsoft.net
  • 23.196.240.134
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
th.bing.com
  • 2.19.122.30
  • 2.19.122.33
  • 2.19.122.37
  • 2.19.122.38
  • 2.19.122.29
  • 2.19.122.39
  • 2.19.122.32
  • 2.19.122.31
  • 2.19.122.36
whitelisted
login.live.com
  • 20.190.160.131
  • 40.126.32.72
  • 40.126.32.136
  • 20.190.160.17
  • 20.190.160.5
  • 40.126.32.134
  • 40.126.32.76
  • 20.190.160.128
whitelisted
go.microsoft.com
  • 2.18.97.227
whitelisted
browser.pipe.aria.microsoft.com
  • 20.42.73.27
whitelisted

Threats

No threats detected
Triage note: the only MALICIOUS-class signature in this report is "Executing a file with an untrusted certificate"; every HTTP request listed is a Microsoft CRL or DigiCert OCSP fetch, all DNS lookups are whitelisted, and the only connections not marked whitelisted are the two SearchApp.exe connections to Akamai marked unknown. The sample itself is not recorded making any network connection in this report.
No debug info