File name:

setup.msi

Full analysis: https://app.any.run/tasks/a24f7b16-5650-4a9c-bc56-ca629b26883f
Verdict: Malicious activity
Analysis date: December 02, 2024, 21:06:02
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
ateraagent
atera
tool
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5:

83F1AE63BE7D1BD93E1EAC2ADCD33298

SHA1:

730F2ACA867722E775F7177798CB7508F9F76A4D

SHA256:

A4A7E335B5F9590E38F44050CABFEBEE6F64A2C4B626027F3B7C750E14F5D7FA

SSDEEP:

98304:5IZTffzvns6eLKLdpRwznfsJb+7J7ERXndiWaKzPtSjXmbABY/lT8vjkZBvrePVv:W3XP9No

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts NET.EXE for service management

      • msiexec.exe (PID: 5680)
      • net.exe (PID: 848)

    • ATERAAGENT has been detected (YARA)

      • msiexec.exe (PID: 3224)
      • msiexec.exe (PID: 5320)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 3224)
      • msiexec.exe (PID: 5320)

    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 3836)
      • rundll32.exe (PID: 5460)
      • rundll32.exe (PID: 440)
      • rundll32.exe (PID: 6228)
      • AteraAgent.exe (PID: 6652)

    • Potential Corporate Privacy Violation

      • rundll32.exe (PID: 5460)
      • rundll32.exe (PID: 6228)
      • AteraAgent.exe (PID: 3640)
      • AteraAgent.exe (PID: 6652)
      • AgentPackageAgentInformation.exe (PID: 6920)

    • Uses TASKKILL.EXE to kill process

      • msiexec.exe (PID: 5680)

    • ATERAAGENT has been detected

      • AteraAgent.exe (PID: 5496)
      • AteraAgent.exe (PID: 3640)
      • AteraAgent.exe (PID: 6652)

    • Executes as Windows Service

      • VSSVC.exe (PID: 5544)
      • AteraAgent.exe (PID: 3640)
      • AteraAgent.exe (PID: 6652)

    • Starts SC.EXE for service management

      • AteraAgent.exe (PID: 3640)
      • AteraAgent.exe (PID: 6652)

  • INFO

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 3224)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5320)

    • Creates files or folders in the user directory

      • msiexec.exe (PID: 3224)

    • Reads the software policy settings

      • msiexec.exe (PID: 3224)

    • Reads the computer name

      • msiexec.exe (PID: 5320)

    • Manages system restore points

      • SrTasks.exe (PID: 6056)

    • Checks supported languages

      • msiexec.exe (PID: 5320)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: AteraAgent
Author: Atera networks
Keywords: Installer
Comments: This installer database contains the logic and data required to install AteraAgent.
Template: Intel;1033
RevisionNumber: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}
CreateDate: 2024:02:28 10:52:02
ModifyDate: 2024:02:28 10:52:02
Pages: 200
Words: 6
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
151
Monitored processes
27
Malicious processes
4
Suspicious processes
3

Behavior graph

Click at the process to see the details
start #ATERAAGENT msiexec.exe #ATERAAGENT msiexec.exe vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs rundll32.exe rundll32.exe rundll32.exe msiexec.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs taskkill.exe no specs conhost.exe no specs THREAT ateraagent.exe THREAT ateraagent.exe rundll32.exe sc.exe no specs conhost.exe no specs THREAT ateraagent.exe sc.exe no specs conhost.exe no specs agentpackageagentinformation.exe conhost.exe no specs agentpackageagentinformation.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
440rundll32.exe "C:\WINDOWS\Installer\MSIB55B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1291656 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallationC:\Windows\SysWOW64\rundll32.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
440\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetaskkill.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
848"NET" STOP AteraAgentC:\Windows\SysWOW64\net.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
1140C:\Windows\syswow64\MsiExec.exe -Embedding C1EC4E7BE948D6BB3AC133275AC213B1C:\Windows\SysWOW64\msiexec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
3224"C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\setup.msiC:\Windows\System32\msiexec.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
3640"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
services.exe
User:
SYSTEM
Company:
ATERA Networks Ltd.
Integrity Level:
SYSTEM
Description:
AteraAgent
Exit code:
4294967295
Version:
1.8.7.2
Modules
Images
c:\program files (x86)\atera networks\ateraagent\ateraagent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
3696"TaskKill.exe" /f /im AteraAgent.exeC:\Windows\SysWOW64\taskkill.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
3836rundll32.exe "C:\WINDOWS\Installer\MSIAAD9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1289046 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentIdC:\Windows\SysWOW64\rundll32.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
4652C:\WINDOWS\system32\net1 STOP AteraAgentC:\Windows\SysWOW64\net1.exenet.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
5076\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenet.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
34 165
Read events
33 839
Write events
308
Delete events
18

Modification events

(PID) Process:(5320) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
4800000000000000193A0807FE44DB01C814000074130000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5320) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
4800000000000000193A0807FE44DB01C814000074130000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5320) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
480000000000000097004B07FE44DB01C814000074130000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5320) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
480000000000000097004B07FE44DB01C814000074130000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5320) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
4800000000000000EB654D07FE44DB01C814000074130000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5320) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
4800000000000000EC185207FE44DB01C814000074130000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5320) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
11
(PID) Process:(5320) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
480000000000000056D6BF07FE44DB01C814000074130000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5320) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:writeName:IDENTIFY (Enter)
Value:
48000000000000003E3AC207FE44DB01C814000084130000E80300000100000000000000000000007EF1EFEBAFD46448AB07169508A2AF3700000000000000000000000000000000
(PID) Process:(5544) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Enter)
Value:
480000000000000024B5CB07FE44DB01A815000084120000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
34
Suspicious files
29
Text files
11
Unknown types
2

Dropped files

PID
Process
Filename
Type
5320msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
3224msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBder
MD5:B6102B47F3D2450F02C1167E5B337E9B
SHA256:E0C2D57C8661D444666AE009725EE84CD33A29AC48738277EA37BFD56B3CF8C4
5320msiexec.exeC:\Windows\Installer\MSIAAD9.tmpexecutable
MD5:88D29734F37BDCFFD202EAFCDD082F9D
SHA256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
3836rundll32.exeC:\Users\admin\AppData\Local\Temp\MSIAAD9.tmp-\AlphaControlAgentInstallation.dllexecutable
MD5:AA1B9C5C685173FAD2DABEBEB3171F01
SHA256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
3836rundll32.exeC:\Users\admin\AppData\Local\Temp\MSIAAD9.tmp-\Microsoft.Deployment.WindowsInstaller.dllexecutable
MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
SHA256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
3836rundll32.exeC:\Users\admin\AppData\Local\Temp\MSIAAD9.tmp-\System.Management.dllexecutable
MD5:878E361C41C05C0519BFC72C7D6E141C
SHA256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
5320msiexec.exeC:\Windows\Installer\13a7dc.msiexecutable
MD5:83F1AE63BE7D1BD93E1EAC2ADCD33298
SHA256:A4A7E335B5F9590E38F44050CABFEBEE6F64A2C4B626027F3B7C750E14F5D7FA
3836rundll32.exeC:\Users\admin\AppData\Local\Temp\MSIAAD9.tmp-\Newtonsoft.Json.dllexecutable
MD5:715A1FBEE4665E99E859EDA667FE8034
SHA256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
3836rundll32.exeC:\Users\admin\AppData\Local\Temp\MSIAAD9.tmp-\CustomAction.configxml
MD5:BC17E956CDE8DD5425F2B2A68ED919F8
SHA256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
5320msiexec.exeC:\Windows\Installer\MSIAE65.tmpexecutable
MD5:88D29734F37BDCFFD202EAFCDD082F9D
SHA256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
32
DNS requests
13
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3224
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
3224
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
3224
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAooSZl45YmN9AojjrilUug%3D
unknown
whitelisted
488
svchost.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4724
RUXIMICS.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
488
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
AteraAgent.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
5496
AteraAgent.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
488
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4724
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.23.209.140:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4
System
192.168.100.255:138
whitelisted
3224
msiexec.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
488
svchost.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4724
RUXIMICS.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
www.bing.com
  • 2.23.209.140
  • 2.23.209.135
  • 2.23.209.185
  • 2.23.209.133
  • 2.23.209.189
  • 2.23.209.130
  • 2.23.209.149
  • 2.23.209.141
  • 2.23.209.150
whitelisted
google.com
  • 216.58.206.46
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
agent-api.atera.com
  • 40.119.152.241
whitelisted
self.events.data.microsoft.com
  • 13.89.178.26
whitelisted
ps.pndsn.com
  • 35.157.63.228
  • 35.157.63.227
unknown

Threats

Found threats are available for the paid subscriptions
8 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
setup.msi