File name: RDPW_Installer.exe

Full analysis: https://app.any.run/tasks/1bc31274-f77e-4427-a83c-fca538c9c89a
Verdict: Malicious activity
Analysis date: July 19, 2024, 02:56:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: github
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5: 6EBEA4D46302623D47827CD82E0AA4B3
SHA1: 51C8D2AF8A8F00DA1EAB9CE34A9F9505115295DE
SHA256: 932BCF6C68E34FB99FFAFB5AE62A1473FE761D961034CB5630DC3A9BA9155CCB
SSDEEP: 98304:7qsLZ475+bairV071rc9Va1aCGxQtM0eerjgJikszsmjsV4dt3uOn2boyB3G1JS/:uTQki

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • RDPW_Installer.exe (PID: 7996)
      • RDPWInst.exe (PID: 2104)
    • Creates a writable file in the system directory

      • RDPWInst.exe (PID: 2104)
      • LGPO.exe (PID: 5464)
    • Changes the Windows auto-update feature

      • LGPO.exe (PID: 5464)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 3964)
    • Creates or modifies Windows services

      • RDPWInst.exe (PID: 2104)
    • Starts NET.EXE for service management

      • RDP_CnC.exe (PID: 4288)
      • net.exe (PID: 6032)
      • net.exe (PID: 3624)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • RDPW_Installer.exe (PID: 7996)
      • xcopy.exe (PID: 7452)
      • xcopy.exe (PID: 3776)
      • RDPWInst.exe (PID: 2104)
    • Process drops legitimate windows executable

      • RDPW_Installer.exe (PID: 7996)
      • RDPWInst.exe (PID: 2104)
    • Starts CMD.EXE for commands execution

      • RDPW_Installer.exe (PID: 7996)
      • cmd.exe (PID: 3964)
    • Process copies executable file

      • cmd.exe (PID: 3964)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 3964)
    • Executing commands from a ".bat" file

      • RDPW_Installer.exe (PID: 7996)
    • Reads security settings of Internet Explorer

      • RDPWInst.exe (PID: 2104)
      • RDPWInst.exe (PID: 7864)
      • RDP_CnC.exe (PID: 5748)
      • RDP_CnC.exe (PID: 4288)
    • Checks Windows Trust Settings

      • RDPWInst.exe (PID: 2104)
      • RDPWInst.exe (PID: 7864)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • RDPWInst.exe (PID: 2104)
    • Starts a Microsoft application from unusual location

      • LGPO.exe (PID: 5464)
    • Application launched itself

      • cmd.exe (PID: 3964)
      • RDP_CnC.exe (PID: 5748)
      • RDP_CnC.exe (PID: 4288)
    • Reads the date of Windows installation

      • RDP_CnC.exe (PID: 5748)
      • RDP_CnC.exe (PID: 4288)
  • INFO

    • Create files in a temporary directory

      • RDPW_Installer.exe (PID: 7996)
    • Checks supported languages

      • RDPW_Installer.exe (PID: 7996)
      • RDPWInst.exe (PID: 7868)
      • RDPWInst.exe (PID: 2104)
      • LGPO.exe (PID: 5464)
      • RDP_CnC.exe (PID: 5748)
      • RDPWInst.exe (PID: 7864)
      • RDP_CnC.exe (PID: 4288)
      • RDP_CnC.exe (PID: 7912)
      • RDP_CnC.exe (PID: 4808)
      • RDP_CnC.exe (PID: 5108)
    • Creates files in the program directory

      • xcopy.exe (PID: 3776)
      • xcopy.exe (PID: 7452)
      • xcopy.exe (PID: 7576)
      • RDPWInst.exe (PID: 2104)
    • Drops the executable file immediately after the start

      • xcopy.exe (PID: 3776)
      • xcopy.exe (PID: 7452)
    • Reads the computer name

      • RDPWInst.exe (PID: 2104)
      • LGPO.exe (PID: 5464)
      • RDP_CnC.exe (PID: 5748)
      • RDPWInst.exe (PID: 7864)
      • RDP_CnC.exe (PID: 4288)
      • RDP_CnC.exe (PID: 7912)
      • RDP_CnC.exe (PID: 4808)
      • RDP_CnC.exe (PID: 5108)
    • Checks proxy server information

      • RDPWInst.exe (PID: 2104)
      • RDPWInst.exe (PID: 7864)
    • Reads the software policy settings

      • RDPWInst.exe (PID: 2104)
      • RDPWInst.exe (PID: 7864)
    • Creates files or folders in the user directory

      • RDPWInst.exe (PID: 2104)
      • RDPWInst.exe (PID: 7864)
    • Reads the machine GUID from the registry

      • RDPWInst.exe (PID: 7864)
      • RDPWInst.exe (PID: 2104)
    • Process checks computer location settings

      • RDP_CnC.exe (PID: 5748)
      • RDP_CnC.exe (PID: 4288)
    • Manual execution by a user

      • RDP_CnC.exe (PID: 4808)
      • RDP_CnC.exe (PID: 5164)
      • RDP_CnC.exe (PID: 3128)
      • RDP_CnC.exe (PID: 5108)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:02:01 20:18:05+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 70144
InitializedDataSize: 2472960
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 1.8.9.9
ProductVersionNumber: 1.8.9.9
FileFlagsMask: 0x003f
FileFlags: Debug, Pre-release, Private build
FileOS: Windows 16-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileVersion: 1.8.9.9
ProductVersion: 1.8.9.9
ProductName: RDPW_Installer
OriginalFileName: RDPW_Installer
InternalName: RDPW_Installer
CompanyName: sebaxakerhtc
No data.
Total processes: 169
Monitored processes: 32
Malicious processes: 6
Suspicious processes: 1

Behavior graph

Process nodes, in graph order: start, rdpw_installer.exe, conhost.exe (no specs), cmd.exe (no specs), rdpwinst.exe (no specs), ping.exe (no specs), xcopy.exe, xcopy.exe, xcopy.exe (no specs), xcopy.exe (no specs), rdpwinst.exe, netsh.exe (no specs), netsh.exe (no specs), lgpo.exe (no specs), schtasks.exe (no specs), cmd.exe (no specs), rdp_cnc.exe (no specs), slui.exe (no specs), rdpwinst.exe, conhost.exe (no specs), rdp_cnc.exe (no specs), net.exe (no specs), conhost.exe (no specs), net1.exe (no specs), net.exe (no specs), conhost.exe (no specs), net1.exe (no specs), rdp_cnc.exe (no specs), rdp_cnc.exe (no specs), rdp_cnc.exe, rdp_cnc.exe (no specs), rdp_cnc.exe, rdpw_installer.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process

PID: 1284
CMD: xcopy "RDP_CnC.lnk" "C:\Users\admin\Desktop\" /s /I /y
Path: C:\Windows\System32\xcopy.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Extended Copy Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll

PID: 2104
CMD: "C:\Program Files\RDP Wrapper\RDPWInst" -i -o
Path: C:\Program Files\RDP Wrapper\RDPWInst.exe
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\program files\rdp wrapper\rdpwinst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 2436
CMD: SCHTASKS /CREATE /SC ONSTART /DELAY 0002:00 /TN "RDPWUpdater" /TR "'C:\Program Files\RDP Wrapper\RDPWInst.exe' -w" /RL HIGHEST /RU SYSTEM /NP /F
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

PID: 3128
CMD: "C:\Program Files\RDP Wrapper\RDP_CnC.exe"
Path: C:\Program Files\RDP Wrapper\RDP_CnC.exe
Parent process: explorer.exe
User: admin
Company: Thanks to Stas'M Corp for this project
Integrity Level: MEDIUM
Description: RDP Wrapper Configuration and Check utility by sebaxakerhtc
Exit code: 3221226540
Version: 1.8.9.9
Modules
Images
c:\program files\rdp wrapper\rdp_cnc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 3152
CMD: C:\WINDOWS\system32\net1 start termservice /y
Path: C:\Windows\System32\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\samcli.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\ucrtbase.dll

PID: 3624
CMD: net start termservice /y
Path: C:\Windows\System32\net.exe
Parent process: RDP_CnC.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\mpr.dll
c:\windows\system32\rpcrt4.dll

PID: 3776
CMD: xcopy "RDP_CnC.exe" "C:\Program Files\RDP Wrapper\" /s /I /y
Path: C:\Windows\System32\xcopy.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Extended Copy Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll

PID: 3964
CMD: "C:\WINDOWS\sysnative\cmd" /c "C:\Users\admin\AppData\Local\Temp\9614.tmp\9615.tmp\9616.bat C:\Users\admin\AppData\Local\Temp\RDPW_Installer.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: RDPW_Installer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll

PID: 4288
CMD: "C:\Program Files\RDP Wrapper\RDP_CnC.exe"
Path: C:\Program Files\RDP Wrapper\RDP_CnC.exe
Parent process: RDP_CnC.exe
User: admin
Company: Thanks to Stas'M Corp for this project
Integrity Level: HIGH
Description: RDP Wrapper Configuration and Check utility by sebaxakerhtc
Exit code: 0
Version: 1.8.9.9
Modules
Images
c:\program files\rdp wrapper\rdp_cnc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll

PID: 4808
CMD: "C:\Program Files\RDP Wrapper\RDP_CnC.exe"
Path: C:\Program Files\RDP Wrapper\RDP_CnC.exe
Parent process: explorer.exe
User: admin
Company: Thanks to Stas'M Corp for this project
Integrity Level: HIGH
Description: RDP Wrapper Configuration and Check utility by sebaxakerhtc
Exit code: 0
Version: 1.8.9.9
Modules
Images
c:\program files\rdp wrapper\rdp_cnc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll

Total events: 8 329
Read events: 8 234
Write events: 68
Delete events: 27

Modification events

Process: RDPWInst.exe (PID: 2104)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: RDPWInst.exe (PID: 2104)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: RDPWInst.exe (PID: 2104)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: RDPWInst.exe (PID: 2104)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: RDPWInst.exe (PID: 2104)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: RDPWInst.exe (PID: 2104)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: RDPWInst.exe (PID: 2104)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: RDPWInst.exe (PID: 2104)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters
Operation: write
Name: ServiceDll
Value: %ProgramFiles%\RDP Wrapper\rdpwrap.dll

Process: RDPWInst.exe (PID: 2104)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server
Operation: write
Name: fDenyTSConnections
Value: 0

Process: RDPWInst.exe (PID: 2104)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing Core
Operation: write
Name: EnableConcurrentSessions
Value: 1

Executable files: 7
Suspicious files: 10
Text files: 5
Unknown types: 0

Dropped files

PID: 7996
Process: RDPW_Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\9614.tmp\H264_ON.pol
Type: binary
MD5: 78952B476AA2E47BF0E27416ACF6FE1F
SHA256: 213DA1274863316DBF91AA4C725B86F23E37784912930ED951003608834A0B46

PID: 2104
Process: RDPWInst.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
Type: binary
MD5: 7D75ED3CD9736924946143AB968B5B63
SHA256: 0BD7D77BEA3917C008980EF175B95B04918222AD603D1ACADDB020F7B9CFBFE7

PID: 7996
Process: RDPW_Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\9614.tmp\RDPWInst.exe
Type: executable
MD5: 980D56AE0A529BA108D9194FB056F285
SHA256: D8B3001C86A1433524F1239C2A14A11D67009BBA44DC3C686F295BCC0FACC5A1

PID: 2104
Process: RDPWInst.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\rdpwrap[1].ini
Type: binary
MD5: 1E1B8C8EFE19C79C87F0915827F45600
SHA256: F076E8795486788FFBD13B42837E5A9AE2E6C3FAD70B0BE70855278F10A07F56

PID: 7996
Process: RDPW_Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\9614.tmp\RDP_CnC.lnk
Type: lnk
MD5: BF5E6E967E6DF74051E971D62EE9D282
SHA256: 83F134B45E9E28ABD1E4A773F48C0303BC5F8B8B22F7FC12EE4FCB4011A7733D

PID: 3776
Process: xcopy.exe
Filename: C:\Program Files\RDP Wrapper\RDP_CnC.exe
Type: executable
MD5: 08ED5177C4AA58AECB690243A7C60513
SHA256: 5552C5AB33A144F420F1F1855392BD216C31385B4470B807F65017B310490C0E

PID: 2104
Process: RDPWInst.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
Type: binary
MD5: 127D2B2CF1E56A224CDC0AEACBFF22A2
SHA256: 7ACBF9E424C3554C40A16B8CC72BCC13F2C683ACBFF064D2AED5E1B1936E28AF

PID: 5464
Process: LGPO.exe
Filename: C:\WINDOWS\System32\GroupPolicy\GPT.INI
Type: text
MD5: C4C4884CE6CED5037C417F94E5EF53F2
SHA256: 8925364ADD932EB879A4FF160077508611DF45205D22DB6E0529FD9B6EC0B8B7

PID: 7996
Process: RDPW_Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\9614.tmp\LGPO.exe
Type: executable
MD5: FDF6C1F114A0FD2A144A6A126206461C
SHA256: 0C97F29543418B30340C4FF5D930D31E6196DD59C2CC74B6B890FA7B90C910C7

PID: 7996
Process: RDPW_Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\9614.tmp\9615.tmp\9616.bat
Type: text
MD5: 1C04DB7C0404D977651E89247B449FB5
SHA256: BF7F1043F7D151E06440C07AA91BD2C7048657515C12A0AF8DEA2BECFE6802BD

HTTP(S) requests: 1
TCP/UDP connections: 32
DNS requests: 12
Threats: 2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
RDPWInst.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D
unknown
whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4032 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
7484 | backgroundTaskHost.exe | 20.103.156.88:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4716 | svchost.exe | 40.126.31.69:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
7856 | svchost.exe | 4.209.32.67:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
2760 | svchost.exe | 40.115.3.253:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7484 | backgroundTaskHost.exe | 20.223.36.55:443 | fd.api.iris.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2104 | RDPWInst.exe | 185.199.109.133:443 | raw.githubusercontent.com | FASTLY | US | unknown
2104 | RDPWInst.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
1032 | svchost.exe | 184.28.89.167:443 | go.microsoft.com | AKAMAI-AS | US | unknown

DNS requests

Domain
IP
Reputation
arc.msn.com
  • 20.103.156.88
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.71
  • 40.126.31.71
  • 20.190.159.4
  • 20.190.159.75
  • 20.190.159.2
  • 20.190.159.64
  • 20.190.159.73
whitelisted
google.com
  • 142.250.185.142
whitelisted
fd.api.iris.microsoft.com
  • 20.223.36.55
whitelisted
raw.githubusercontent.com
  • 185.199.109.133
  • 185.199.111.133
  • 185.199.110.133
  • 185.199.108.133
shared
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
www.bing.com
  • 2.23.209.130
  • 2.23.209.149
  • 2.23.209.182
  • 2.23.209.133
  • 2.23.209.187
whitelisted
licensing.mp.microsoft.com
  • 4.209.33.156
whitelisted

Threats

PID | Process | Class | Message
2168 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
2168 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info