File name:

setup.msi

Full analysis: https://app.any.run/tasks/a24f7b16-5650-4a9c-bc56-ca629b26883f
Verdict: Malicious activity
Analysis date: December 02, 2024, 21:06:02
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
ateraagent
atera
tool
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5:

83F1AE63BE7D1BD93E1EAC2ADCD33298

SHA1:

730F2ACA867722E775F7177798CB7508F9F76A4D

SHA256:

A4A7E335B5F9590E38F44050CABFEBEE6F64A2C4B626027F3B7C750E14F5D7FA

SSDEEP:

98304:5IZTffzvns6eLKLdpRwznfsJb+7J7ERXndiWaKzPtSjXmbABY/lT8vjkZBvrePVv:W3XP9No

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ATERAAGENT has been detected (YARA)

      • msiexec.exe (PID: 3224)
      • msiexec.exe (PID: 5320)

    • Starts NET.EXE for service management

      • msiexec.exe (PID: 5680)
      • net.exe (PID: 848)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 3224)
      • msiexec.exe (PID: 5320)

    • Executes as Windows Service

      • VSSVC.exe (PID: 5544)
      • AteraAgent.exe (PID: 3640)
      • AteraAgent.exe (PID: 6652)

    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 3836)
      • rundll32.exe (PID: 440)
      • rundll32.exe (PID: 5460)
      • rundll32.exe (PID: 6228)
      • AteraAgent.exe (PID: 6652)

    • Potential Corporate Privacy Violation

      • rundll32.exe (PID: 5460)
      • rundll32.exe (PID: 6228)
      • AteraAgent.exe (PID: 3640)
      • AteraAgent.exe (PID: 6652)
      • AgentPackageAgentInformation.exe (PID: 6920)

    • Uses TASKKILL.EXE to kill process

      • msiexec.exe (PID: 5680)

    • ATERAAGENT has been detected

      • AteraAgent.exe (PID: 5496)
      • AteraAgent.exe (PID: 3640)
      • AteraAgent.exe (PID: 6652)

    • Starts SC.EXE for service management

      • AteraAgent.exe (PID: 3640)
      • AteraAgent.exe (PID: 6652)

  • INFO

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 3224)

    • Creates files or folders in the user directory

      • msiexec.exe (PID: 3224)

    • Checks supported languages

      • msiexec.exe (PID: 5320)

    • Reads the software policy settings

      • msiexec.exe (PID: 3224)

    • Manages system restore points

      • SrTasks.exe (PID: 6056)

    • Reads the computer name

      • msiexec.exe (PID: 5320)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5320)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: AteraAgent
Author: Atera networks
Keywords: Installer
Comments: This installer database contains the logic and data required to install AteraAgent.
Template: Intel;1033
RevisionNumber: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}
CreateDate: 2024:02:28 10:52:02
ModifyDate: 2024:02:28 10:52:02
Pages: 200
Words: 6
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
151
Monitored processes
27
Malicious processes
4
Suspicious processes
3

Behavior graph

Click at the process to see the details
start #ATERAAGENT msiexec.exe #ATERAAGENT msiexec.exe vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs rundll32.exe rundll32.exe rundll32.exe msiexec.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs taskkill.exe no specs conhost.exe no specs THREAT ateraagent.exe THREAT ateraagent.exe rundll32.exe sc.exe no specs conhost.exe no specs THREAT ateraagent.exe sc.exe no specs conhost.exe no specs agentpackageagentinformation.exe conhost.exe no specs agentpackageagentinformation.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
440rundll32.exe "C:\WINDOWS\Installer\MSIB55B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1291656 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallationC:\Windows\SysWOW64\rundll32.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
440\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetaskkill.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
848"NET" STOP AteraAgentC:\Windows\SysWOW64\net.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
1140C:\Windows\syswow64\MsiExec.exe -Embedding C1EC4E7BE948D6BB3AC133275AC213B1C:\Windows\SysWOW64\msiexec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
3224"C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\setup.msiC:\Windows\System32\msiexec.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
3640"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
services.exe
User:
SYSTEM
Company:
ATERA Networks Ltd.
Integrity Level:
SYSTEM
Description:
AteraAgent
Exit code:
4294967295
Version:
1.8.7.2
Modules
Images
c:\program files (x86)\atera networks\ateraagent\ateraagent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
3696"TaskKill.exe" /f /im AteraAgent.exeC:\Windows\SysWOW64\taskkill.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
3836rundll32.exe "C:\WINDOWS\Installer\MSIAAD9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1289046 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentIdC:\Windows\SysWOW64\rundll32.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
4652C:\WINDOWS\system32\net1 STOP AteraAgentC:\Windows\SysWOW64\net1.exenet.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
5076\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenet.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
34 165
Read events
33 839
Write events
308
Delete events
18

Modification events

(PID) Process:(5320) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
4800000000000000193A0807FE44DB01C814000074130000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5320) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
4800000000000000193A0807FE44DB01C814000074130000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5320) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
480000000000000097004B07FE44DB01C814000074130000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5320) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
480000000000000097004B07FE44DB01C814000074130000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5320) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
4800000000000000EB654D07FE44DB01C814000074130000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5320) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
4800000000000000EC185207FE44DB01C814000074130000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5320) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
11
(PID) Process:(5320) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
480000000000000056D6BF07FE44DB01C814000074130000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5320) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:writeName:IDENTIFY (Enter)
Value:
48000000000000003E3AC207FE44DB01C814000084130000E80300000100000000000000000000007EF1EFEBAFD46448AB07169508A2AF3700000000000000000000000000000000
(PID) Process:(5544) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Enter)
Value:
480000000000000024B5CB07FE44DB01A815000084120000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
34
Suspicious files
29
Text files
11
Unknown types
2

Dropped files

PID
Process
Filename
Type
5320msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
3224msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBbinary
MD5:17D3D8C2FACAB87AE66F5BABB9352DEF
SHA256:76DC58047EF623B742F5F17398505151243E297DC8D78B568B941AA8F4C2B5E9
3224msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBder
MD5:B6102B47F3D2450F02C1167E5B337E9B
SHA256:E0C2D57C8661D444666AE009725EE84CD33A29AC48738277EA37BFD56B3CF8C4
5320msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:E705C56BBB1E0634FA991E23009F8A39
SHA256:87ACB3E74E93D648DB8D5BF7FAE0B5B300D907FB39E3284690ED5DF35BEF3AAB
3224msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141der
MD5:1DC1121E24814AB2E9102C631F6368E5
SHA256:8ED09687565336351EF88085DCF6CFC841AF12A63433ECC12C2F13A9557C3C59
3224msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944der
MD5:A433D0BD40AE75FBD372EFE3FD3E2BC6
SHA256:83599EE2C90C3EF5DA0F1D87BB6155BDCD2E70B97AD2163E4247F74F0925E1EC
5320msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{ebeff17e-d4af-4864-ab07-169508a2af37}_OnDiskSnapshotPropbinary
MD5:E705C56BBB1E0634FA991E23009F8A39
SHA256:87ACB3E74E93D648DB8D5BF7FAE0B5B300D907FB39E3284690ED5DF35BEF3AAB
5320msiexec.exeC:\Windows\Installer\MSIAAD9.tmpexecutable
MD5:88D29734F37BDCFFD202EAFCDD082F9D
SHA256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
5320msiexec.exeC:\Windows\Installer\13a7dc.msiexecutable
MD5:83F1AE63BE7D1BD93E1EAC2ADCD33298
SHA256:A4A7E335B5F9590E38F44050CABFEBEE6F64A2C4B626027F3B7C750E14F5D7FA
5460rundll32.exeC:\Users\admin\AppData\Local\Temp\MSIAE65.tmp-\AlphaControlAgentInstallation.dllexecutable
MD5:AA1B9C5C685173FAD2DABEBEB3171F01
SHA256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
32
DNS requests
13
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3224
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
4724
RUXIMICS.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3224
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAooSZl45YmN9AojjrilUug%3D
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
488
svchost.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3224
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
488
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4724
RUXIMICS.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
AteraAgent.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
488
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4724
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.23.209.140:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4
System
192.168.100.255:138
whitelisted
3224
msiexec.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
488
svchost.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4724
RUXIMICS.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
www.bing.com
  • 2.23.209.140
  • 2.23.209.135
  • 2.23.209.185
  • 2.23.209.133
  • 2.23.209.189
  • 2.23.209.130
  • 2.23.209.149
  • 2.23.209.141
  • 2.23.209.150
whitelisted
google.com
  • 216.58.206.46
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
agent-api.atera.com
  • 40.119.152.241
whitelisted
self.events.data.microsoft.com
  • 13.89.178.26
whitelisted
ps.pndsn.com
  • 35.157.63.228
  • 35.157.63.227
unknown

Threats

Found threats are available for the paid subscriptions
8 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
setup.msi