File name: WNBOZYUN.msi

Full analysis: https://app.any.run/tasks/6cd561d2-b4bb-4306-882c-914df49fd585
Verdict: Malicious activity
Threats:

The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes.

Analysis date: February 28, 2025, 20:47:00
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: generated-doc, stealer, arechclient2, backdoor, xor-url, generic, rat
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Blank Project Template, Author: InstallShield, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2021 - Premier Edition with Virtualization Pack 27, Last Saved Time/Date: Wed Feb 26 20:50:31 2025, Create Time/Date: Wed Feb 26 20:50:31 2025, Last Printed: Wed Feb 26 20:50:31 2025, Revision Number: {8DF3EDD3-7F66-46FF-A993-5317D24CF40D}, Code page: 1252, Template: Intel;1033
MD5: FBAD39A4E69DA1CC3BF48541C7905D4C
SHA1: 747B277CD5BB37E719877E45864F3BEEDC949F06
SHA256: 923EFB46578F7F31A9734EC1D7E7E1B9EDF1560FEC54D7319179AA51CF3DD26A
SSDEEP: 98304:t2n5EQWHf8GS3m0/XzkvQflVJrcUsDhHTGH65OMh8HeKJgRAQhBIHMqREt3++tf+:xbEQm/4/iZ2v8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • ISBEW64.exe (PID: 1804)
      • ISBEW64.exe (PID: 4120)
      • ISBEW64.exe (PID: 4268)
      • ISBEW64.exe (PID: 5112)
      • ISBEW64.exe (PID: 5304)
      • ISBEW64.exe (PID: 3192)
      • ISBEW64.exe (PID: 5216)
      • ISBEW64.exe (PID: 6700)
      • ISBEW64.exe (PID: 5956)
    • Actions looks like stealing of personal data

      • MSBuild.exe (PID: 1388)
    • XORed URL has been found (YARA)

      • MSBuild.exe (PID: 1388)
    • ARECHCLIENT2 has been detected (SURICATA)

      • MSBuild.exe (PID: 1388)
    • ARECHCLIENT2 has been detected (YARA)

      • MSBuild.exe (PID: 1388)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • RoboTaskLite.exe (PID: 1328)
    • Starts itself from another location

      • RoboTaskLite.exe (PID: 1328)
    • Starts CMD.EXE for commands execution

      • RoboTaskLite.exe (PID: 4068)
    • Connects to unusual port

      • MSBuild.exe (PID: 1388)
  • INFO

    • The sample compiled with english language support

      • msiexec.exe (PID: 680)
      • msiexec.exe (PID: 6768)
      • RoboTaskLite.exe (PID: 1328)
    • Reads the computer name

      • msiexec.exe (PID: 6768)
      • msiexec.exe (PID: 5800)
      • ISBEW64.exe (PID: 1804)
      • ISBEW64.exe (PID: 4120)
      • ISBEW64.exe (PID: 4268)
      • ISBEW64.exe (PID: 3268)
      • ISBEW64.exe (PID: 5112)
      • ISBEW64.exe (PID: 5304)
      • ISBEW64.exe (PID: 3192)
      • ISBEW64.exe (PID: 5216)
      • ISBEW64.exe (PID: 6700)
      • RoboTaskLite.exe (PID: 4068)
      • MSBuild.exe (PID: 1388)
      • ISBEW64.exe (PID: 5956)
      • RoboTaskLite.exe (PID: 1328)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 680)
      • msiexec.exe (PID: 6768)
    • An automatically generated document

      • msiexec.exe (PID: 680)
    • Checks supported languages

      • msiexec.exe (PID: 5800)
      • ISBEW64.exe (PID: 1804)
      • msiexec.exe (PID: 6768)
      • ISBEW64.exe (PID: 4120)
      • ISBEW64.exe (PID: 4268)
      • ISBEW64.exe (PID: 5112)
      • ISBEW64.exe (PID: 3268)
      • ISBEW64.exe (PID: 5304)
      • ISBEW64.exe (PID: 3192)
      • ISBEW64.exe (PID: 5216)
      • ISBEW64.exe (PID: 6700)
      • RoboTaskLite.exe (PID: 4068)
      • MSBuild.exe (PID: 1388)
      • ISBEW64.exe (PID: 5956)
      • RoboTaskLite.exe (PID: 1328)
    • Create files in a temporary directory

      • msiexec.exe (PID: 6768)
      • RoboTaskLite.exe (PID: 4068)
      • MSBuild.exe (PID: 1388)
    • Creates files or folders in the user directory

      • RoboTaskLite.exe (PID: 1328)
    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 1388)
    • Disables trace logs

      • MSBuild.exe (PID: 1388)
    • Reads the software policy settings

      • slui.exe (PID: 4464)
    • Checks proxy server information

      • MSBuild.exe (PID: 1388)
      • slui.exe (PID: 4464)

xor-url

(PID) Process: (1388) MSBuild.exe
Decrypted URLs (3):
  • http://dl.google.com/chrome/install/375.126/chrome_installer.exe
  • https://github.com
  • https://pastebin.com/raw/UPxYyFp87

No Malware configuration.

TRiD

.mst | Windows SDK Setup Transform Script (60.2)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Characters: -
LastModifiedBy: InstallShield
Words: -
Title: Installation Database
Comments: Contact: Your local administrator
Keywords: Installer,MSI,Database
Subject: Blank Project Template
Author: InstallShield
Security: Password protected
Pages: 200
Software: InstallShield® 2021 - Premier Edition with Virtualization Pack 27
ModifyDate: 2025:02:26 20:50:31
CreateDate: 2025:02:26 20:50:31
LastPrinted: 2025:02:26 20:50:31
RevisionNumber: {8DF3EDD3-7F66-46FF-A993-5317D24CF40D}
CodePage: Windows Latin 1 (Western European)
Template: Intel;1033
No data.
Total processes: 140
Monitored processes: 19
Malicious processes: 6
Suspicious processes: 9

Behavior graph

Nodes, in graph order: start, msiexec.exe, msiexec.exe (no specs), msiexec.exe, isbew64.exe (no specs) ×10, robotasklite.exe, robotasklite.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), msbuild.exe (#XOR-URL), slui.exe

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 680
CMD: "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\WNBOZYUN.msi
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 1603
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1328
CMD: C:\Users\admin\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe
Path: C:\Users\admin\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe
Parent process: msiexec.exe
User: admin
Company: Neowise Software
Integrity Level: MEDIUM
Description: RoboTask Lite, automation software
Exit code: 0
Version: 9.8.1.960
Modules (images):
c:\users\admin\appdata\local\temp\{ee8a0717-c2ae-4188-8bec-631be53427b8}\robotasklite.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\msvcp_win.dll
PID: 1388
CMD: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: MSBuild.exe
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\users\admin\appdata\local\temp\atdjfykgvpwdr
c:\windows\syswow64\mshtml.dll
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
Indicators: xor-url
(PID) Process: (1388) MSBuild.exe
Decrypted URLs (3):
  • http://dl.google.com/chrome/install/375.126/chrome_installer.exe
  • https://github.com
  • https://pastebin.com/raw/UPxYyFp87
PID: 1804
CMD: C:\Users\admin\AppData\Local\Temp\{FF5D755E-59AF-4D84-930D-34525B9D506A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{273EDE7C-E01F-4C7E-8AE8-204EA617C02E}
Path: C:\Users\admin\AppData\Local\Temp\{FF5D755E-59AF-4D84-930D-34525B9D506A}\ISBEW64.exe
Parent process: msiexec.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\{ff5d755e-59af-4d84-930d-34525b9d506a}\isbew64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
PID: 3192
CMD: C:\Users\admin\AppData\Local\Temp\{FF5D755E-59AF-4D84-930D-34525B9D506A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{01892184-C098-41F4-870E-51EEDCCDECC1}
Path: C:\Users\admin\AppData\Local\Temp\{FF5D755E-59AF-4D84-930D-34525B9D506A}\ISBEW64.exe
Parent process: msiexec.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\{ff5d755e-59af-4d84-930d-34525b9d506a}\isbew64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 3268
CMD: C:\Users\admin\AppData\Local\Temp\{FF5D755E-59AF-4D84-930D-34525B9D506A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5C850F39-8106-4C83-8BC7-7EAA07549933}
Path: C:\Users\admin\AppData\Local\Temp\{FF5D755E-59AF-4D84-930D-34525B9D506A}\ISBEW64.exe
Parent process: msiexec.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\{ff5d755e-59af-4d84-930d-34525b9d506a}\isbew64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 4068
CMD: C:\Users\admin\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe
Path: C:\Users\admin\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe
Parent process: RoboTaskLite.exe
User: admin
Company: Neowise Software
Integrity Level: MEDIUM
Description: RoboTask Lite, automation software
Exit code: 1
Version: 9.8.1.960
Modules (images):
c:\users\admin\appdata\roaming\servicevalid_testv2\robotasklite.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\msvcp_win.dll
PID: 4120
CMD: C:\Users\admin\AppData\Local\Temp\{FF5D755E-59AF-4D84-930D-34525B9D506A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{77998CAC-DFAE-4071-BE80-AE89F6807CD7}
Path: C:\Users\admin\AppData\Local\Temp\{FF5D755E-59AF-4D84-930D-34525B9D506A}\ISBEW64.exe
Parent process: msiexec.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\{ff5d755e-59af-4d84-930d-34525b9d506a}\isbew64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 4268
CMD: C:\Users\admin\AppData\Local\Temp\{FF5D755E-59AF-4D84-930D-34525B9D506A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{30BF5DE1-2AA5-423E-AF1F-7BC344CFE016}
Path: C:\Users\admin\AppData\Local\Temp\{FF5D755E-59AF-4D84-930D-34525B9D506A}\ISBEW64.exe
Parent process: msiexec.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\{ff5d755e-59af-4d84-930d-34525b9d506a}\isbew64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 4464
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 5 336
Read events: 5 322
Write events: 14
Delete events: 0

Modification events

All entries: (PID) Process: (1388) MSBuild.exe, Operation: write

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32
  • EnableFileTracing = 0
  • EnableAutoFileTracing = 0
  • EnableConsoleTracing = 0
  • FileTracingMask (no value shown in the report)
  • ConsoleTracingMask (no value shown in the report)
  • MaxFileSize = 1048576
  • FileDirectory = %windir%\tracing

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS
  • EnableFileTracing = 0
  • EnableAutoFileTracing = 0
  • EnableConsoleTracing = 0
Executable files: 14
Suspicious files: 10
Text files: 0
Unknown types: 0

Dropped files

Columns: PID, Process, Filename, Type, MD5, SHA256

PID: 6768 | Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\fell.jpg
Type: binary
MD5: 78BA7EFB62CBF027C2A45D6DD73F7A08
SHA256: 6E072E22E76D32F12AAF1742B03256E9872D265A107A42000BCE5F6E40FF71A8

PID: 5400 | Process: cmd.exe
Filename: C:\Users\admin\AppData\Local\Temp\atdjfykgvpwdr
MD5:
SHA256:

PID: 6768 | Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\{FF5D755E-59AF-4D84-930D-34525B9D506A}\ISBEW64.exe
Type: executable
MD5: 40F3A092744E46F3531A40B917CCA81E
SHA256: 561F14CDECE85B38617403E1C525FF0B1B752303797894607A4615D0BD66F97F

PID: 6768 | Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\rtl280.bpl
Type: executable
MD5: FCDF410C77A83F042590C29280B39F52
SHA256: 08941C5FA519F9DFFBA137A2A4844E9063ED71BC0C881FB7643E67FB3E3DDB0A

PID: 1328 | Process: RoboTaskLite.exe
Filename: C:\Users\admin\AppData\Roaming\ServiceValid_testv2\residentiary.php
Type: text
MD5: 56DDFC14E3334BDEAB08C68C00D2C002
SHA256: 27F49A1346A11A3FC53CF9F190C519BA9262BC4BA3D6A9B4C464D6D533B8F40F

PID: 6768 | Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\vcl280.bpl
Type: executable
MD5: C6BAC35FCA828124E75535A4BD4C563C
SHA256: 76793F3FC4515628ACAFC68441850BD4F36EACB3AB568D30A3076D7E19CC3C8E

PID: 1328 | Process: RoboTaskLite.exe
Filename: C:\Users\admin\AppData\Roaming\ServiceValid_testv2\fell.jpg
Type: binary
MD5: 78BA7EFB62CBF027C2A45D6DD73F7A08
SHA256: 6E072E22E76D32F12AAF1742B03256E9872D265A107A42000BCE5F6E40FF71A8

PID: 1328 | Process: RoboTaskLite.exe
Filename: C:\Users\admin\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe
Type: executable
MD5: 6EE5F7F9F0016B5CC4F93A949A08F0DC
SHA256: DCC88BF0CFE7AA2C059D0F92F351627E8B38B6FDB2C85CB5A31A444BB0A6FBA3

PID: 6768 | Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\{FF5D755E-59AF-4D84-930D-34525B9D506A}\_isres_0x0409.dll
Type: executable
MD5: 7DE024BC275F9CDEAF66A865E6FD8E58
SHA256: BD32468EE7E8885323F22EABBFF9763A0F6FFEF3CC151E0BD0481DF5888F4152

PID: 1328 | Process: RoboTaskLite.exe
Filename: C:\Users\admin\AppData\Roaming\ServiceValid_testv2\vcl280.bpl
Type: executable
MD5: C6BAC35FCA828124E75535A4BD4C563C
SHA256: 76793F3FC4515628ACAFC68441850BD4F36EACB3AB568D30A3076D7E19CC3C8E
HTTP(S) requests: 3
TCP/UDP connections: 22
DNS requests: 4
Threats: 1

HTTP requests

Columns: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation

PID: 1388 | Process: MSBuild.exe
Method: GET | HTTP Code: 200
IP: 92.255.85.23:9000
URL: http://92.255.85.23:9000/wbinjget?q=EF680CC9EFE0A8BCEC05D07897760CE8
CN: unknown
Reputation: malicious

Method: POST | HTTP Code: 500
IP: 20.83.72.98:443
URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
CN: unknown
Type: xml | Size: 512 b
Reputation: whitelisted

Method: POST | HTTP Code: 500
IP: 20.83.72.98:443
URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
CN: unknown
Type: xml | Size: 512 b
Reputation: whitelisted

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation

IP: 51.124.78.146:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: NL | Reputation: whitelisted
IP: 192.168.100.255:137 | Reputation: whitelisted
IP: 40.127.240.158:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
IP: 192.168.100.255:138 | Reputation: whitelisted
PID: 3812 | Process: svchost.exe | IP: 239.255.255.250:1900 | Reputation: whitelisted
PID: 1388 | Process: MSBuild.exe | IP: 92.255.85.23:15847 | ASN: Chang Way Technologies Co. Limited | CN: HK | Reputation: malicious
PID: 1388 | Process: MSBuild.exe | IP: 92.255.85.23:9000 | ASN: Chang Way Technologies Co. Limited | CN: HK | Reputation: malicious
PID: 5408 | Process: slui.exe | IP: 20.83.72.98:443 | Domain: activation-v2.sls.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
PID: 4464 | Process: slui.exe | IP: 20.83.72.98:443 | Domain: activation-v2.sls.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted

DNS requests

Columns: Domain, IP, Reputation

settings-win.data.microsoft.com | 51.124.78.146, 40.127.240.158 | whitelisted
google.com | 216.58.206.46 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

Columns: PID, Process, Class, Message

PID: 1388 | Process: MSBuild.exe
Class: A Network Trojan was detected
Message: ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)
No debug info