File name: Setup.exe
Full analysis: https://app.any.run/tasks/103c1386-aa60-42fa-8a6c-0cb2e8587c40
Verdict: Malicious activity
Analysis date: July 23, 2024, 19:01:15
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 4A3468CD21C3DD03FAB5000F3D3D06C4
SHA1: F6E763FE3073285B34AC415179F42AE70C427CF7
SHA256: A785BB5943AE900656AEC2CFCA17124CE7292EB6D14BE835C0F6461D90AEE689
SSDEEP: 98304:erq3BdwY00EofjCVa4kLYeW2VXLgsoG1QvhhD7k+53DgMUShhxZn5olG675z8Q7P:GeLBQRGXEvd2Qm4QvZ9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Setup.exe (PID: 396)
      • Setup.tmp (PID: 4176)
      • Setup.exe (PID: 5528)
      • DuetUpdater.exe (PID: 1596)
      • Setup.tmp (PID: 4648)
      • IDRBackup.exe (PID: 4028)
      • IDRBackup.exe (PID: 6592)
      • Setup.exe (PID: 4140)
      • more.com (PID: 6700)
      • Setup.tmp (PID: 464)
      • Setup.exe (PID: 1756)
      • Setup.tmp (PID: 7072)
      • Setup.exe (PID: 6560)
      • Setup.tmp (PID: 2132)
      • Setup.exe (PID: 1252)
      • Setup.tmp (PID: 4580)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Setup.exe (PID: 396)
      • Setup.tmp (PID: 4176)
      • Setup.exe (PID: 5528)
      • Setup.tmp (PID: 4648)
      • DuetUpdater.exe (PID: 1596)
      • IDRBackup.exe (PID: 6592)
      • IDRBackup.exe (PID: 4028)
      • Setup.exe (PID: 4140)
      • more.com (PID: 6700)
      • Setup.tmp (PID: 464)
      • Setup.exe (PID: 1756)
      • Setup.exe (PID: 6560)
      • Setup.tmp (PID: 7072)
      • Setup.tmp (PID: 2132)
      • Setup.exe (PID: 1252)
      • Setup.tmp (PID: 4580)
    • Reads the Windows owner or organization settings

      • Setup.tmp (PID: 4176)
      • Setup.tmp (PID: 4648)
      • Setup.tmp (PID: 7072)
      • Setup.tmp (PID: 464)
      • Setup.tmp (PID: 2132)
      • Setup.tmp (PID: 4580)
    • Reads security settings of Internet Explorer

      • Setup.tmp (PID: 4176)
      • Setup.tmp (PID: 4648)
      • Setup.tmp (PID: 464)
      • Setup.tmp (PID: 2132)
    • Reads the date of Windows installation

      • Setup.tmp (PID: 4176)
      • Setup.tmp (PID: 4648)
      • Setup.tmp (PID: 464)
      • Setup.tmp (PID: 2132)
    • Process drops SQLite DLL files

      • DuetUpdater.exe (PID: 1596)
      • IDRBackup.exe (PID: 6592)
    • Starts itself from another location

      • IDRBackup.exe (PID: 6592)
    • Starts application with an unusual extension

      • IDRBackup.exe (PID: 4028)
      • more.com (PID: 6700)
    • Drops a file with a rarely used extension (PIF)

      • more.com (PID: 6700)
    • Creates file in the systems drive root

      • Setup.tmp (PID: 464)
      • Setup.tmp (PID: 2132)
  • INFO

    • Reads Environment values

      • Setup.exe (PID: 396)
      • Setup.tmp (PID: 4176)
      • Setup.exe (PID: 5528)
      • Setup.tmp (PID: 4648)
      • Setup.exe (PID: 4140)
      • Setup.tmp (PID: 464)
      • Setup.tmp (PID: 7072)
      • Setup.exe (PID: 1756)
      • Setup.exe (PID: 6560)
      • Setup.tmp (PID: 2132)
      • Setup.exe (PID: 1252)
      • Setup.tmp (PID: 4580)
    • Create files in a temporary directory

      • Setup.exe (PID: 396)
      • Setup.tmp (PID: 4176)
      • Setup.exe (PID: 5528)
      • Setup.tmp (PID: 4648)
      • IDRBackup.exe (PID: 4028)
      • Setup.exe (PID: 4140)
      • more.com (PID: 6700)
      • Setup.tmp (PID: 464)
      • Setup.exe (PID: 1756)
      • Setup.tmp (PID: 7072)
      • Setup.exe (PID: 6560)
      • Setup.exe (PID: 1252)
      • Setup.tmp (PID: 2132)
      • Setup.tmp (PID: 4580)
    • Reads the computer name

      • Setup.tmp (PID: 4176)
      • Setup.tmp (PID: 4648)
      • IDRBackup.exe (PID: 4028)
      • Bt.exe (PID: 3548)
      • IDRBackup.exe (PID: 6592)
      • more.com (PID: 6700)
      • SputterPork.pif (PID: 1272)
      • TextInputHost.exe (PID: 7152)
      • Setup.tmp (PID: 464)
      • Setup.tmp (PID: 7072)
      • Setup.exe (PID: 6560)
      • Setup.tmp (PID: 2132)
      • Setup.exe (PID: 1252)
      • Setup.tmp (PID: 4580)
    • Checks supported languages

      • Setup.tmp (PID: 4176)
      • Setup.exe (PID: 396)
      • Setup.exe (PID: 5528)
      • Setup.tmp (PID: 4648)
      • DuetUpdater.exe (PID: 1596)
      • IDRBackup.exe (PID: 6592)
      • IDRBackup.exe (PID: 4028)
      • Bt.exe (PID: 3548)
      • more.com (PID: 6700)
      • SputterPork.pif (PID: 1272)
      • TextInputHost.exe (PID: 7152)
      • Setup.exe (PID: 4140)
      • Setup.tmp (PID: 464)
      • Setup.exe (PID: 1756)
      • Setup.tmp (PID: 7072)
      • Setup.exe (PID: 6560)
      • Setup.tmp (PID: 2132)
      • Setup.exe (PID: 1252)
      • Setup.tmp (PID: 4580)
      • DuetUpdater.exe (PID: 1044)
      • DuetUpdater.exe (PID: 2668)
    • Process checks computer location settings

      • Setup.tmp (PID: 4176)
      • Setup.tmp (PID: 4648)
      • Setup.tmp (PID: 464)
      • Setup.tmp (PID: 2132)
    • Creates files or folders in the user directory

      • DuetUpdater.exe (PID: 1596)
      • Setup.tmp (PID: 4648)
      • IDRBackup.exe (PID: 4028)
      • IDRBackup.exe (PID: 6592)
      • Setup.tmp (PID: 7072)
      • Setup.tmp (PID: 4580)
    • Manual execution by a user

      • Setup.exe (PID: 4140)
      • Setup.exe (PID: 6560)
    • Reads the software policy settings

      • SputterPork.pif (PID: 1272)
      • slui.exe (PID: 3404)
    • Checks proxy server information

      • slui.exe (PID: 3404)
No Malware configuration.

TRiD

.exe | Inno Setup installer (65.1)
.exe | Win32 EXE PECompact compressed (generic) (24.6)
.dll | Win32 Dynamic Link Library (generic) (3.9)
.exe | Win32 Executable (generic) (2.6)
.exe | Win16/32 Executable Delphi generic (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:06:10 14:47:11+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 685056
InitializedDataSize: 56832
UninitializedDataSize: -
EntryPoint: 0xa83bc
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 4.1334.78.9
ProductVersionNumber: 4.1334.78.9
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: quinquennialist Setup
FileVersion: 4.1334.78.9
LegalCopyright:
OriginalFileName:
ProductName: quinquennialist
ProductVersion: 4.1334.78.9
All screenshots are available in the full report
Total processes: 164
Monitored processes: 28
Malicious processes: 13
Suspicious processes: 3

Behavior graph

Processes shown in the behavior graph, in display order ("no specs" marks a process for which the report recorded no indicators): start, setup.exe, setup.tmp, setup.exe, setup.tmp, duetupdater.exe, conhost.exe (no specs), idrbackup.exe, idrbackup.exe, bt.exe (no specs), slui.exe (no specs), more.com, conhost.exe (no specs), sputterpork.pif, textinputhost.exe (no specs), rundll32.exe (no specs), setup.exe, setup.tmp, setup.exe, setup.tmp, setup.exe, setup.tmp, setup.exe, setup.tmp, duetupdater.exe (no specs), conhost.exe (no specs), slui.exe, duetupdater.exe (no specs), conhost.exe (no specs)

Process information

Each entry lists PID, parent process, command line (CMD), image path, the process details the report recorded (fields the report left empty are marked "(empty)", fields it did not record are omitted) and the loaded modules (images).

PID 396 (parent: explorer.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Setup.exe
User: admin | Company: (empty) | Integrity level: MEDIUM
Description: quinquennialist Setup | Exit code: 1 | Version: 4.1334.78.9
Modules: c:\users\admin\appdata\local\temp\setup.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\acgenral.dll

PID 464 (parent: Setup.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\is-164PE.tmp\Setup.tmp" /SL5="$402BE,4606294,742912,C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-164PE.tmp\Setup.tmp
User: admin | Company: (empty) | Integrity level: MEDIUM
Description: Setup/Uninstall | Exit code: 1 | Version: 51.1052.0.0
Modules: c:\users\admin\appdata\local\temp\is-164pe.tmp\setup.tmp, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\comdlg32.dll

PID 1044 (parent: Setup.tmp)
CMD: "C:\Users\admin\AppData\Local\Temp\is-9J5S2.tmp\DuetUpdater.exe" x -pAJGCrB&6s!FMASMm#Ud4 -o "C:\Users\admin\AppData\Local\quinquennialist\\D5TFYUOLMOIU.rar" "C:\Users\admin\AppData\Local\quinquennialist\"
Path: C:\Users\admin\AppData\Local\Temp\is-9J5S2.tmp\DuetUpdater.exe
User: admin | Company: 全球发行商 win.rar GmbH ("Global publisher win.rar GmbH") | Integrity level: MEDIUM
Description: 命令行 RAR ("Command line RAR") | Version: 7.1.0
Modules: c:\users\admin\appdata\local\temp\is-9j5s2.tmp\duetupdater.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\user32.dll

PID 1252 (parent: Setup.tmp)
CMD: "C:\Users\admin\Desktop\Setup.exe" /VERYSILENT
Path: C:\Users\admin\Desktop\Setup.exe
User: admin | Company: (empty) | Integrity level: HIGH
Description: quinquennialist Setup | Version: 4.1334.78.9
Modules: c:\users\admin\desktop\setup.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\acgenral.dll

PID 1272 (parent: more.com)
CMD: C:\Users\admin\AppData\Local\Temp\SputterPork.pif
Path: C:\Users\admin\AppData\Local\Temp\SputterPork.pif
User: admin | Integrity level: MEDIUM | Exit code: 0
Modules: c:\users\admin\appdata\local\temp\xuaxufgn, c:\windows\syswow64\version.dll, c:\users\admin\appdata\local\temp\sputterpork.pif, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll

PID 1408 (parent: DuetUpdater.exe)
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules: c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID 1596 (parent: Setup.tmp)
CMD: "C:\Users\admin\AppData\Local\Temp\is-TCV3V.tmp\DuetUpdater.exe" x -pAJGCrB&6s!FMASMm#Ud4 -o "C:\Users\admin\AppData\Local\quinquennialist\\D5TFYUOLMOIU.rar" "C:\Users\admin\AppData\Local\quinquennialist\"
Path: C:\Users\admin\AppData\Local\Temp\is-TCV3V.tmp\DuetUpdater.exe
User: admin | Company: 全球发行商 win.rar GmbH ("Global publisher win.rar GmbH") | Integrity level: MEDIUM
Description: 命令行 RAR ("Command line RAR") | Exit code: 0 | Version: 7.1.0
Modules: c:\users\admin\appdata\local\temp\is-tcv3v.tmp\duetupdater.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\user32.dll

PID 1756 (parent: Setup.tmp)
CMD: "C:\Users\admin\Desktop\Setup.exe" /VERYSILENT
Path: C:\Users\admin\Desktop\Setup.exe
User: admin | Company: (empty) | Integrity level: MEDIUM
Description: quinquennialist Setup | Version: 4.1334.78.9
Modules: c:\users\admin\desktop\setup.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\acgenral.dll

PID 2132 (parent: Setup.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\is-LK2HO.tmp\Setup.tmp" /SL5="$60322,4606294,742912,C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-LK2HO.tmp\Setup.tmp
User: admin | Company: (empty) | Integrity level: HIGH
Description: Setup/Uninstall | Exit code: 1 | Version: 51.1052.0.0
Modules: c:\users\admin\appdata\local\temp\is-lk2ho.tmp\setup.tmp, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\comdlg32.dll

PID 2668 (parent: Setup.tmp)
CMD: "C:\Users\admin\AppData\Local\Temp\is-8JB39.tmp\DuetUpdater.exe" x -pAJGCrB&6s!FMASMm#Ud4 -o "C:\Users\admin\AppData\Local\quinquennialist\\D5TFYUOLMOIU.rar" "C:\Users\admin\AppData\Local\quinquennialist\"
Path: C:\Users\admin\AppData\Local\Temp\is-8JB39.tmp\DuetUpdater.exe
User: admin | Company: 全球发行商 win.rar GmbH ("Global publisher win.rar GmbH") | Integrity level: HIGH
Description: 命令行 RAR ("Command line RAR") | Version: 7.1.0
Modules: c:\users\admin\appdata\local\temp\is-8jb39.tmp\duetupdater.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\user32.dll
Total events: 13 307
Read events: 13 233
Write events: 56
Delete events: 18

Modification events

All entries are registry operations by PID 4176 (Setup.tmp).

Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | Operation: write | Name: Owner | Value: 50100000C94F05BB32DDDA01
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | Operation: write | Name: SessionHash | Value: 7BD51FC2EE11B83323276EDBC447207B6F894D979C67456008A350AFDAD22D94
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | Operation: write | Name: Sequence | Value: 1
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | Operation: delete value | Name: Sequence | Value: (empty)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | Operation: delete value | Name: SessionHash | Value: (binary data, not rendered in the report)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | Operation: delete value | Name: Owner | Value: (empty)
Executable files: 42
Suspicious files: 13
Text files: 0
Unknown types: 0

Dropped files

PID 396, Setup.exe: C:\Users\admin\AppData\Local\Temp\is-V338B.tmp\Setup.tmp (executable)
MD5: 1D0EC3516586F0B77DA6372F3A82143D | SHA256: 1EBE2945F564AB2C0568C57592097E73C524FC3FA0F31C7C00AC9DB3A7EFD136

PID 4648, Setup.tmp: C:\Users\admin\AppData\Local\Temp\is-TCV3V.tmp\is-VIFUC.tmp (executable)
MD5: E84B92F608DB288AFCC12C5FE341B6C7 | SHA256: F6C80D7C6AB6BA91CC24E12AA71C5290CA095E0842AE59A460AD71522039DEB3

PID 4176, Setup.tmp: C:\Users\admin\AppData\Local\Temp\is-N7BOU.tmp\_isetup\_setup64.tmp (executable)
MD5: E4211D6D009757C078A9FAC7FF4F03D4 | SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID 4648, Setup.tmp: C:\Users\admin\AppData\Local\Temp\is-TCV3V.tmp\_isetup\_setup64.tmp (executable)
MD5: E4211D6D009757C078A9FAC7FF4F03D4 | SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID 4176, Setup.tmp: C:\Users\admin\AppData\Local\Temp\is-N7BOU.tmp\_isetup\_iscrypt.dll (executable)
MD5: 47CFD05FDE4BABE79530C7EA730F6DC0 | SHA256: 4BB34FE74F86AB389763863EE395A93D73E2D9548C224819EC9055D7C8C4B480

PID 4648, Setup.tmp: C:\Users\admin\AppData\Local\Temp\is-TCV3V.tmp\_isetup\_iscrypt.dll (executable)
MD5: 47CFD05FDE4BABE79530C7EA730F6DC0 | SHA256: 4BB34FE74F86AB389763863EE395A93D73E2D9548C224819EC9055D7C8C4B480

PID 4648, Setup.tmp: C:\Users\admin\AppData\Local\quinquennialist\is-G6CIG.tmp (compressed)
MD5: BB2D7CD71A57EF2CF331BFEFCD472416 | SHA256: FDC373CBFB365003C6B22C06E25D8C30E8E6629BCBA4D129FA10751D2A3896E9

PID 4648, Setup.tmp: C:\Users\admin\AppData\Local\Temp\is-TCV3V.tmp\DuetUpdater.exe (executable)
MD5: E84B92F608DB288AFCC12C5FE341B6C7 | SHA256: F6C80D7C6AB6BA91CC24E12AA71C5290CA095E0842AE59A460AD71522039DEB3

PID 1596, DuetUpdater.exe: C:\Users\admin\AppData\Local\quinquennialist\datastate.dll (executable)
MD5: 28F0CCF746F952F94FF434CA989B7814 | SHA256: 6010E2147A0F51A7BFA2F942A5A9EAAD9A294F463F717963B486ED3F53D305C2

PID 1596, DuetUpdater.exe: C:\Users\admin\AppData\Local\quinquennialist\IDRBackup.exe (executable)
MD5: 371C165E3E3C1A000051B78D7B0E7E79 | SHA256: 5AE3838D77C2102766538F783D0A4B4205E7D2CDBA4E0AD2AB332DC8AB32FEA9
HTTP(S) requests: 2
TCP/UDP connections: 58
DNS requests: 29
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
5368 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
3148 | OfficeClickToRun.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted

(The report's Type and Size columns carry no values for these rows.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | – | – | – | whitelisted
6012 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4220 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3500 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
– | – | 2.16.106.215:443 | – | Akamai International B.V. | DE | unknown
4204 | svchost.exe | 20.247.184.142:443 | – | MICROSOFT-CORP-MSN-AS-BLOCK | SG | unknown
3952 | svchost.exe | 239.255.255.250:1900 | – | – | – | whitelisted
4 | System | 192.168.100.255:137 | – | – | – | whitelisted
3500 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7124 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

(– = value not given in the report for that row.)

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.46
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
www.bing.com
  • 184.86.251.21
  • 184.86.251.19
  • 184.86.251.14
  • 184.86.251.28
  • 184.86.251.26
  • 184.86.251.17
  • 184.86.251.25
  • 184.86.251.29
  • 184.86.251.20
  • 2.23.209.135
  • 2.23.209.130
  • 2.23.209.150
  • 2.23.209.182
  • 2.23.209.187
  • 2.23.209.158
  • 2.23.209.189
  • 2.23.209.160
  • 2.23.209.141
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.71
  • 20.190.159.73
  • 20.190.159.2
  • 20.190.159.64
  • 20.190.159.75
  • 40.126.31.67
  • 20.190.159.0
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
arc.msn.com
  • 20.31.169.57
whitelisted
slscr.update.microsoft.com
  • 20.114.59.183
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.166.126.56
whitelisted

Threats

No threats detected
No debug info