File name:

PCProtect_Setup.exe

Full analysis: https://app.any.run/tasks/7a5d88cd-ae85-425b-bbc4-f23236031095
Verdict: Malicious activity
Threats:

Stealers are a class of malicious software designed to gain unauthorized access to users' information and transfer it to the attacker. The stealer malware category includes various types of programs, each focused on a particular kind of data, including files, passwords, and cryptocurrency. Stealers are also capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: August 03, 2024, 01:49:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

87CB9284AAC0AA4112C153A5BCD89E99

SHA1:

3B724CE214652B93D1A5FB5FD5DE29C24F69C3DF

SHA256:

99C2474F5BEA6E3955D1002AA98678C32E9C0E9F2FB6D0C35D3A428EC279D103

SSDEEP:

786432:sSHEaiqBJ7V7lO70LeOBmFFIi0gJZdnhit:sSHGKzJs0LeOBmFFIi0gJZlwt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Deletes shadow copies

      • PCProtect_Setup.exe (PID: 6920)
    • Drops the executable file immediately after the start

      • SecurityService.exe (PID: 6736)
      • PCProtect_Setup.exe (PID: 6920)
    • Steals credentials from Web Browsers

      • PCProtect.exe (PID: 4060)
      • SecurityService.exe (PID: 2136)
    • Actions looks like stealing of personal data

      • PCProtect.exe (PID: 4060)
      • SecurityService.exe (PID: 2136)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • PCProtect_Setup.exe (PID: 6920)
    • Executable content was dropped or overwritten

      • PCProtect_Setup.exe (PID: 6920)
      • SecurityService.exe (PID: 6736)
    • The process creates files with name similar to system file names

      • PCProtect_Setup.exe (PID: 6920)
    • Get information on the list of running processes

      • PCProtect_Setup.exe (PID: 6920)
    • Uses WMIC.EXE

      • PCProtect_Setup.exe (PID: 6920)
    • Uses TASKKILL.EXE to kill process

      • PCProtect_Setup.exe (PID: 6920)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3812)
      • SecurityService.exe (PID: 5484)
    • Searches for installed software

      • dllhost.exe (PID: 6164)
    • Process drops legitimate windows executable

      • PCProtect_Setup.exe (PID: 6920)
    • The process drops C-runtime libraries

      • PCProtect_Setup.exe (PID: 6920)
    • Drops a system driver (possible attempt to evade defenses)

      • PCProtect_Setup.exe (PID: 6920)
      • SecurityService.exe (PID: 6736)
    • Creates a software uninstall entry

      • PCProtect_Setup.exe (PID: 6920)
    • Creates files in the driver directory

      • SecurityService.exe (PID: 6736)
    • Starts SC.EXE for service management

      • SecurityService.exe (PID: 6736)
      • SecurityService.exe (PID: 2136)
    • Reads security settings of Internet Explorer

      • PCProtect_Setup.exe (PID: 6920)
      • PCProtect.exe (PID: 4060)
    • Reads the date of Windows installation

      • PCProtect_Setup.exe (PID: 6920)
    • Application launched itself

      • SecurityService.exe (PID: 5484)
  • INFO

    • Checks supported languages

      • PCProtect_Setup.exe (PID: 6920)
      • SecurityService.exe (PID: 6736)
      • subinacl.exe (PID: 6280)
      • PCProtect.exe (PID: 4060)
      • SecurityService.exe (PID: 2136)
      • SecurityService.exe (PID: 5484)
    • Create files in a temporary directory

      • PCProtect_Setup.exe (PID: 6920)
      • PCProtect.exe (PID: 4060)
    • Reads the computer name

      • PCProtect_Setup.exe (PID: 6920)
      • SecurityService.exe (PID: 6736)
      • subinacl.exe (PID: 6280)
      • PCProtect.exe (PID: 4060)
      • SecurityService.exe (PID: 5484)
      • SecurityService.exe (PID: 2136)
    • Creates files in the program directory

      • PCProtect_Setup.exe (PID: 6920)
      • SecurityService.exe (PID: 6736)
      • PCProtect.exe (PID: 4060)
      • SecurityService.exe (PID: 5484)
      • SecurityService.exe (PID: 2136)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7000)
    • Process checks computer location settings

      • PCProtect_Setup.exe (PID: 6920)
    • Creates files or folders in the user directory

      • PCProtect.exe (PID: 4060)
    • Disables trace logs

      • PCProtect.exe (PID: 4060)
    • Reads the software policy settings

      • PCProtect.exe (PID: 4060)
      • SecurityService.exe (PID: 2136)
      • SecurityService.exe (PID: 5484)
    • Checks proxy server information

      • PCProtect.exe (PID: 4060)
    • Reads the machine GUID from the registry

      • SecurityService.exe (PID: 2136)
      • PCProtect.exe (PID: 4060)
      • SecurityService.exe (PID: 5484)
    • Reads Environment values

      • PCProtect.exe (PID: 4060)
      • SecurityService.exe (PID: 5484)
      • SecurityService.exe (PID: 2136)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:08:01 02:43:48+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 25600
InitializedDataSize: 118784
UninitializedDataSize: 1024
EntryPoint: 0x3461
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.24.38.0
ProductVersionNumber: 5.24.38.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileDescription: PCProtect Ultimate Antivirus Installer
FileVersion: 5.24.38.0
LegalCopyright: (C) Protected Antivirus Limited
OriginalFileName: PCProtect.exe
ProductName: PCProtect
ProductVersion: 5.24.38.0
No data.
Total processes: 145
Monitored processes: 29
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Process nodes shown in the graph, in the order listed ("no specs" is the graph's own label):

  • pcprotect_setup.exe (start)
  • wmic.exe (no specs)
  • conhost.exe (no specs)
  • taskkill.exe (no specs)
  • conhost.exe (no specs)
  • taskkill.exe (no specs)
  • conhost.exe (no specs)
  • taskkill.exe (no specs)
  • conhost.exe (no specs)
  • SPPSurrogate (no specs)
  • vssvc.exe (no specs)
  • srtasks.exe (no specs)
  • conhost.exe (no specs)
  • SPPSurrogate (no specs)
  • securityservice.exe
  • conhost.exe (no specs)
  • sc.exe (no specs)
  • conhost.exe (no specs)
  • sc.exe (no specs)
  • conhost.exe (no specs)
  • subinacl.exe (no specs)
  • conhost.exe (no specs)
  • pcprotect.exe
  • securityservice.exe
  • securityservice.exe
  • conhost.exe (no specs)
  • sc.exe (no specs)
  • conhost.exe (no specs)
  • pcprotect_setup.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1360
CMD: "sc" create ProtectedELAM binpath= "C:\WINDOWS\system32\drivers\protected_elam.sys" type= kernel start= boot error= critical group= Early-Launch
Path: C:\Windows\System32\sc.exe
Parent process: SecurityService.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Service Control Manager Configuration Tool
Exit code: 1073
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

PID: 2136
CMD: "C:\Program Files (x86)\PCProtect\SecurityService.exe" --run-service --run-service-id=5484
Path: C:\Program Files (x86)\PCProtect\SecurityService.exe
Parent process: SecurityService.exe
User: SYSTEM
Company: PCProtect
Integrity Level: SYSTEM
Description: PCProtect Ultimate Antivirus Service
Version: 5.24.38.0
Modules
Images
c:\program files (x86)\pcprotect\securityservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

PID: 2728
CMD: "sc" create SecurityService start= auto binpath= "\"C:\Program Files (x86)\PCProtect\SecurityService.exe\"" displayname= "PC Security Management Service" obj= LocalSystem password= ""
Path: C:\Windows\SysWOW64\sc.exe
Parent process: SecurityService.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 3812
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 3992
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SecurityService.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 4016
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

PID: 4060
CMD: "C:\Program Files (x86)\PCProtect\PCProtect.exe" --installed --installer="C:\Users\admin\Desktop\PCProtect_Setup.exe"
Path: C:\Program Files (x86)\PCProtect\PCProtect.exe
Parent process: PCProtect_Setup.exe
User: admin
Company: PCProtect
Integrity Level: HIGH
Description: PCProtect Ultimate Antivirus User Interface
Version: 5.24.38.0
Modules
Images
c:\program files (x86)\pcprotect\pcprotect.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 5244
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 5484
CMD: "C:\Program Files (x86)\PCProtect\SecurityService.exe"
Path: C:\Program Files (x86)\PCProtect\SecurityService.exe
Parent process: services.exe
User: SYSTEM
Company: PCProtect
Integrity Level: SYSTEM
Description: PCProtect Ultimate Antivirus Service
Version: 5.24.38.0
Modules
Images
c:\program files (x86)\pcprotect\securityservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\user32.dll

PID: 6164
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
Total events: 27 627
Read events: 27 356
Write events: 251
Delete events: 20

Modification events

(PID) Process: (6920) PCProtect_Setup.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
40000000000000003D4CB97A47E5DA01081B0000541B0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6164) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
48000000000000003CB0BB7A47E5DA011418000068040000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6164) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
4800000000000000DA64FE7A47E5DA011418000068040000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6164) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
4800000000000000DA64FE7A47E5DA011418000068040000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6164) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
480000000000000014CA007B47E5DA011418000068040000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6164) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
48000000000000007692057B47E5DA011418000068040000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6164) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value:
11
(PID) Process: (6164) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value:
4800000000000000ED6A7A7B47E5DA011418000068040000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6164) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value:
480000000000000060CE7C7B47E5DA011418000068010000E80300000100000000000000000000002ADEDEC59A21784797A79C68490ECFF500000000000000000000000000000000
(PID) Process: (3812) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
480000000000000044AC887B47E5DA01E40E00009C180000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 499
Suspicious files: 137
Text files: 54
Unknown types: 3

Dropped files

PID
Process
Filename
Type
PID: 6164
Process: dllhost.exe
Filename: C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
PID: 6920
Process: PCProtect_Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsj923B.tmp\System.dll
Type: executable
MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
SHA256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
PID: 6920
Process: PCProtect_Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsj923B.tmp\modern-wizard.bmp
Type: image
MD5:3EB2FF327FB3FC2495C7B4333D4BEDE2
SHA256:B2C7196BC66D0BA39812AF671542664C2C8216B3334D1CBBD57241BF11653B0A
PID: 6920
Process: PCProtect_Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsj923B.tmp\nsExec.dll
Type: executable
MD5:09C2E27C626D6F33018B8A34D3D98CB6
SHA256:114C6941A8B489416C84563E94FD266EA5CAD2B518DB45CD977F1F9761E00CB1
PID: 6164
Process: dllhost.exe
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{c5dede2a-219a-4778-97a7-9c68490ecff5}_OnDiskSnapshotProp
Type: binary
MD5:EBB7810A64FDECD9B69E85E5AB24090C
SHA256:31A8BEAD162409C7D5DCA17BBB0AAF6FB3CF99EFBB0B1C1CD56A4B349F18E268
PID: 6920
Process: PCProtect_Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsj923B.tmp\nsRandom.dll
Type: executable
MD5:AB467B8DFAA660A0F0E5B26E28AF5735
SHA256:DB267D9920395B4BADC48DE04DF99DFD21D579480D103CAE0F48E6578197FF73
PID: 6920
Process: PCProtect_Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsj923B.tmp\SysRestore.dll
Type: executable
MD5:DA046184A8D7269A0E138B0B0B9B2EB5
SHA256:C5E335BD19FA798F120287FE3ED920296F899223942FD6B987585A765F0ADEC2
PID: 6164
Process: dllhost.exe
Filename: C:\System Volume Information\SPP\snapshot-2
Type: binary
MD5:EBB7810A64FDECD9B69E85E5AB24090C
SHA256:31A8BEAD162409C7D5DCA17BBB0AAF6FB3CF99EFBB0B1C1CD56A4B349F18E268
PID: 6920
Process: PCProtect_Setup.exe
Filename: C:\Program Files (x86)\PCProtect\API-MS-Win-core-xstate-l2-1-0.dll
Type: executable
MD5:5F11B9BB427753BDAE6D312A02C516F9
SHA256:4879FE3EA58D853F21658AEFC5E8B92B7E6333D77C0AF31A6BF9FF769475F6FD
PID: 6920
Process: PCProtect_Setup.exe
Filename: C:\Program Files (x86)\PCProtect\Accessibility.dll
Type: executable
MD5:1B4CC6782E295675217CD17DF70057F3
SHA256:F08BDBF797DFDBBDE37000FB29141CAEC4BEB4DC0F552AB2CFE0887E1E6C5F60
HTTP(S) requests: 38
TCP/UDP connections: 48
DNS requests: 10
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
34.128.164.30:443
https://api.pcprotect.com/v1/user/sso
unknown
GET
34.128.164.30:443
https://api.pcprotect.com/v1/vpnaccount/expiry
unknown
GET
34.128.164.30:443
https://api.pcprotect.com/v1/user/mobile-download/pcprotect?fresh=0
unknown
HEAD
200
185.172.148.128:443
https://definition.protected.net/vdf.zip
unknown
GET
185.172.148.128:443
https://definition.protected.net/vdf.zip
unknown
GET
34.128.164.30:443
https://api.pcprotect.com/v1/variable
unknown
GET
200
34.128.164.30:443
https://api.pcprotect.com/v1/user/challenge
unknown
binary
203 b
POST
200
4.152.45.235:443
https://in.appcenter.ms/logs?api-version=1.0.0
unknown
binary
138 b
POST
200
4.152.45.219:443
https://in.appcenter.ms/logs?api-version=1.0.0
unknown
binary
129 b
POST
200
20.57.103.21:443
https://in.appcenter.ms/logs?api-version=1.0.0
unknown
binary
129 b

Connections

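IP: 239.255.255.250:1900 | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
IP: 51.104.136.2:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
IP: 192.168.100.255:137 | Reputation: whitelisted
PID: 4060 | Process: PCProtect.exe | IP: 34.128.164.30:443 | Domain: api.pcprotect.com | ASN: GOOGLE | CN: US | Reputation: unknown
PID: 4060 | Process: PCProtect.exe | IP: 4.152.45.219:443 | Domain: in.appcenter.ms | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: unknown
PID: 2136 | Process: SecurityService.exe | IP: 185.172.148.128:443 | Domain: definition.protected.net | ASN: proinity GmbH | CN: CH | Reputation: unknown
PID: 5484 | Process: SecurityService.exe | IP: 20.57.103.21:443 | Domain: in.appcenter.ms | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: unknown
PID: 2136 | Process: SecurityService.exe | IP: 20.57.103.21:443 | Domain: in.appcenter.ms | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: unknown
PID: 5336 | Process: SearchApp.exe | IP: 2.23.209.187:443 | Domain: www.bing.com | ASN: Akamai International B.V. | CN: GB | Reputation: unknown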

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.174
whitelisted
api.pcprotect.com
  • 34.128.164.30
unknown
in.appcenter.ms
  • 4.152.45.219
  • 20.57.103.21
unknown
definition.protected.net
  • 185.172.148.128
unknown
www.bing.com
  • 2.23.209.187
  • 2.23.209.182
  • 2.23.209.133
whitelisted
api.phantom.avira-vpn.com
  • 3.123.255.36
  • 18.157.72.28
unknown

Threats

No threats detected
Process
Message
SecurityService.exe
SQLite error (1): duplicate column name: key in "ALTER TABLE sf_notify ADD COLUMN key TEXT PRIMARY KEY"
SecurityService.exe
SQLite error (1): duplicate column name: value in "ALTER TABLE sf_notify ADD COLUMN value TEXT"
SecurityService.exe
SQLite error (1): duplicate column name: key in "ALTER TABLE wwwcache ADD COLUMN key TEXT PRIMARY KEY"
SecurityService.exe
SQLite error (1): duplicate column name: value in "ALTER TABLE wwwcache ADD COLUMN value TEXT"