File name: Clash.Verge_2.4.2_x64-6715.msi

Full analysis: https://app.any.run/tasks/285b26b8-e31d-455f-ad3e-048961d76a80
Verdict: Malicious activity
Threats:

DonutLoader is a versatile, open-source-based in-memory loader that turns .NET assemblies, executables, DLLs, and scripts into position-independent shellcode for execution entirely in RAM. Originally derived from the popular Donut tool, it enables threat actors to bypass traditional antivirus and EDR solutions by avoiding disk writes and injecting payloads directly into legitimate Windows processes.

Analysis date: April 28, 2026, 21:23:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: qrcode, donutloader, loader
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 14:06:51 2020, Security: 0, Code page: 936, Revision Number: {7F49D5E1-53C4-4A2F-B02D-F3E7A4350983}, Number of Words: 10, Subject: Clash.Verge_2.4.2_x64, Author: Clash.Verge, Name of Creating Application: Clash.Verge_2.4.2_x64, Template: ;2052, Comments: Installer Clash.Verge_2.4.2_x64 , Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Apr 28 10:04:38 2026, Number of Pages: 200
MD5: 37B7F2EB2FDB538829621F136E217B06
SHA1: 7F495882A53CF86C26EF669DF16B4DA665B6B2E7
SHA256: CDAD0C56640713326EB48E36085E972022009A0F535DAB9D3B5259F486CCA926
SSDEEP: 786432:EAcBMeCe4P1xu3KZUCoyXxA578+K6MONU:EAct8/OKxxworOm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes Windows Defender settings

      • cmd.exe (PID: 2312)
    • Adds path to the Windows Defender exclusion list

      • VC_radist.x64.scr (PID: 2792)
      • cmd.exe (PID: 7240)
      • cmd.exe (PID: 2312)
    • Executing a file with an untrusted certificate

      • ev2f79.exe (PID: 2324)
      • ev2c34.exe (PID: 7924)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6832)
      • MicrosoftEdgeUpdate.exe (PID: 8044)
    • DONUTLOADER has been detected (YARA)

      • VSSVC.exe (PID: 3076)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 3580)
    • Starts application with an unusual extension

      • MSI1909.tmp (PID: 7172)
    • Executable content was dropped or overwritten

      • VC_radist.x64.scr (PID: 2792)
      • Clash.Verge_2.4.2_x64.exe (PID: 4944)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6832)
    • Get information on the list of running processes

      • VC_radist.x64.scr (PID: 2792)
      • cmd.exe (PID: 7232)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 7232)
      • cmd.exe (PID: 7240)
      • cmd.exe (PID: 2312)
    • Adds exclusion path to Windows Defender (POWERSHELL)

      • cmd.exe (PID: 2312)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2312)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3076)
    • The process creates files with name similar to system file names

      • Clash.Verge_2.4.2_x64.exe (PID: 4944)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • Clash.Verge_2.4.2_x64.exe (PID: 4944)
    • Searches for installed software

      • Clash.Verge_2.4.2_x64.exe (PID: 4944)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 6832)
      • MicrosoftEdgeUpdate.exe (PID: 8044)
    • Disables SEHOP

      • MicrosoftEdgeUpdate.exe (PID: 8044)
    • Silent install from TEMP directory

      • Clash.Verge_2.4.2_x64.exe (PID: 4944)
  • INFO

    • Checks supported languages

      • msiexec.exe (PID: 3580)
      • msiexec.exe (PID: 4300)
      • MSI1909.tmp (PID: 7172)
      • MSI18F8.tmp (PID: 7600)
      • VC_radist.x64.scr (PID: 2792)
      • Clash.Verge_2.4.2_x64.exe (PID: 4944)
      • ev2f79.exe (PID: 2324)
      • ev2c34.exe (PID: 7924)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6832)
      • MicrosoftEdgeUpdate.exe (PID: 8044)
    • Reads the computer name

      • msiexec.exe (PID: 3580)
      • msiexec.exe (PID: 4300)
      • MSI1909.tmp (PID: 7172)
      • MSI18F8.tmp (PID: 7600)
      • Clash.Verge_2.4.2_x64.exe (PID: 4944)
      • ev2f79.exe (PID: 2324)
      • VC_radist.x64.scr (PID: 2792)
      • MicrosoftEdgeUpdate.exe (PID: 8044)
    • Reads Environment values

      • msiexec.exe (PID: 4300)
      • MicrosoftEdgeUpdate.exe (PID: 8044)
    • The sample compiled with english language support

      • msiexec.exe (PID: 3580)
      • VC_radist.x64.scr (PID: 2792)
      • Clash.Verge_2.4.2_x64.exe (PID: 4944)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6832)
      • MicrosoftEdgeUpdate.exe (PID: 8044)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 3580)
      • VC_radist.x64.scr (PID: 2792)
      • ev2c34.exe (PID: 7924)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3580)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 3580)
    • Reads security settings of Internet Explorer

      • MSI1909.tmp (PID: 7172)
      • MSI18F8.tmp (PID: 7600)
      • VSSVC.exe (PID: 3076)
      • MicrosoftEdgeUpdate.exe (PID: 8044)
    • Process checks computer location settings

      • MSI1909.tmp (PID: 7172)
      • MSI18F8.tmp (PID: 7600)
      • MicrosoftEdgeUpdate.exe (PID: 8044)
    • Create files in a temporary directory

      • VC_radist.x64.scr (PID: 2792)
      • Clash.Verge_2.4.2_x64.exe (PID: 4944)
      • ev2f79.exe (PID: 2324)
      • ev2c34.exe (PID: 7924)
    • Application launched itself

      • cmd.exe (PID: 7240)
    • The sample compiled with chinese language support

      • VC_radist.x64.scr (PID: 2792)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5648)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5648)
    • There is functionality for taking screenshot (YARA)

      • Clash.Verge_2.4.2_x64.exe (PID: 4944)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (81.9)
.mst | Windows SDK Setup Transform Script (9.2)
.msp | Windows Installer Patch (7.6)
.msi | Microsoft Installer (100)

EXIF

FlashPix

LastPrinted: 2009:12:11 11:47:44
ModifyDate: 2020:09:18 14:06:51
Security: None
CodePage: Windows Simplified Chinese (PRC, Singapore)
RevisionNumber: {7F49D5E1-53C4-4A2F-B02D-F3E7A4350983}
Words: 10
Subject: Clash.Verge_2.4.2_x64
Author: Clash.Verge
LastModifiedBy: -
Software: Clash.Verge_2.4.2_x64
Template: ;2052
Comments: [mis-encoded Simplified Chinese text] Installer [mis-encoded Simplified Chinese text] Clash.Verge_2.4.2_x64 [mis-encoded Simplified Chinese text]
Title: Installation Database
Keywords: Installer, MSI, Database
CreateDate: 2026:04:28 10:04:38
Pages: 200
All screenshots are available in the full report
Total processes: 162
Monitored processes: 23
Malicious processes: 8
Suspicious processes: 4

Behavior graph

Processes shown in the graph, in the report's order ("no specs" is the report's own label): start, msiexec.exe (no specs), msiexec.exe, msiexec.exe (no specs), msi18f8.tmp (no specs), msi1909.tmp (no specs), vc_radist.x64.scr (no specs), clash.verge_2.4.2_x64.exe (no specs), vc_radist.x64.scr, clash.verge_2.4.2_x64.exe, cmd.exe (no specs), conhost.exe (no specs), tasklist.exe (no specs), findstr.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), powershell.exe (no specs), ev2f79.exe (no specs), #DONUTLOADER vssvc.exe (no specs), ev2c34.exe (no specs), microsoftedgewebview2setup.exe, microsoftedgeupdate.exe, wermgr.exe

Process information (fields per process: PID, CMD, Path, Indicators, Parent process)
PID: 1780
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2312
CMD: cmd.exe /C "powershell Add-MpPreference -ExclusionPath C:\,D:\,F:\"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2324
CMD: "C:\Users\admin\AppData\Roaming\comain_ev2f79\ev2f79.exe"
Path: C:\Users\admin\AppData\Roaming\comain_ev2f79\ev2f79.exe
Parent process: VC_radist.x64.scr
User:
admin
Company:
Creative Labs Inc.
Integrity Level:
HIGH
Description:
OpenAL Installer
Exit code:
0
Version:
2, 0, 7, 0
Modules
Images
c:\users\admin\appdata\roaming\comain_ev2f79\ev2f79.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 2660
CMD: "C:\WINDOWS\system32\wermgr.exe" "-outproc" "0" "8044" "2472" "2212" "2476" "0" "0" "0" "0" "0" "0" "0" "0"
Path: C:\Windows\SysWOW64\wermgr.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wermgr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2792
CMD: "C:\ProgramData\6sxK3v\VC_radist.x64.scr" /S
Path: C:\ProgramData\6sxK3v\VC_radist.x64.scr
Parent process: MSI1909.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Store Installer
Exit code:
0
Version:
22604.415.1.0
Modules
Images
c:\programdata\6sxk3v\vc_radist.x64.scr
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 3076
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3580
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 3640
CMD: "C:\ProgramData\6sxK3v\VC_radist.x64.scr" /S
Path: C:\ProgramData\6sxK3v\VC_radist.x64.scr
Parent process: MSI1909.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Store Installer
Exit code:
3221226540
Version:
22604.415.1.0
Modules
Images
c:\programdata\6sxk3v\vc_radist.x64.scr
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 4300
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 46BDEB162E024F3F6762ACF2C3A1EBB2
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 4944
CMD: "C:\Users\admin\AppData\Roaming\Clash.Verge\Clash.Verge_2.4.2_x64\Clash.Verge_2.4.2_x64.exe"
Path: C:\Users\admin\AppData\Roaming\Clash.Verge\Clash.Verge_2.4.2_x64\Clash.Verge_2.4.2_x64.exe
Parent process: MSI18F8.tmp
User:
admin
Integrity Level:
HIGH
Description:
Clash Verge Rev
Version:
2.4.2
Modules
Images
c:\users\admin\appdata\roaming\clash.verge\clash.verge_2.4.2_x64\clash.verge_2.4.2_x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 22 971
Read events: 22 913
Write events: 47
Delete events: 11

Modification events

(PID) Process: (3580) msiexec.exe, Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write, Name: Owner, Value: FC0D0000974AB15655D7DC01
(PID) Process: (3580) msiexec.exe, Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write, Name: SessionHash, Value: 7BE5649AA8EB869048386DB1F1D5F4A754BE90EEB1E965A3323C30B80F8DA8E8
(PID) Process: (3580) msiexec.exe, Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write, Name: Sequence, Value: 1
(PID) Process: (3580) msiexec.exe, Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation: write, Name: C:\Config.Msi\, Value:
(PID) Process: (3580) msiexec.exe, Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write, Name: C:\Config.Msi\e14ce.rbs, Value: 31250227
(PID) Process: (3580) msiexec.exe, Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write, Name: C:\Config.Msi\e14ce.rbsLow, Value:
(PID) Process: (3580) msiexec.exe, Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation: write, Name: C:\Users\admin\AppData\Roaming\Microsoft\Installer\, Value:
(PID) Process: (3580) msiexec.exe, Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\D4E115BCA72EB654BA0D7D9E1FAB8F00
Operation: write, Name: OQB51FX41JYZ1QURATJWE9G62HUERLLD, Value: C:\Users\admin\AppData\Roaming\Clash.Verge\Clash.Verge_2.4.2_x64\Clash.Verge_2.4.2_x64.exe
(PID) Process: (3580) msiexec.exe, Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\26F734EACD23FDD49B9BA13FCBDBE380
Operation: write, Name: OQB51FX41JYZ1QURATJWE9G62HUERLLD, Value: C:\ProgramData\6sxK3v\VC_radist.x64.scr
(PID) Process: (3580) msiexec.exe, Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation: write, Name: C:\Users\admin\AppData\Roaming\Clash.Verge\Clash.Verge_2.4.2_x64\, Value: 1
Executable files: 224
Suspicious files: 45
Text files: 79
Unknown types: 2

Dropped files

PID | Process | Filename | Type
3580 | msiexec.exe | C:\Windows\Installer\e14cc.msi
MD5:
SHA256:
3580 | msiexec.exe | C:\Users\admin\AppData\Roaming\Clash.Verge\Clash.Verge_2.4.2_x64\Clash.Verge_2.4.2_x64.exe
MD5:
SHA256:
3580 | msiexec.exe | C:\Windows\Installer\MSI1634.tmp | executable
MD5: C7FBD5EE98E32A77EDF1156DB3FCA622
SHA256: E140990B509DD6884A5742BDE64F2CDAA10012D472B0B32DE43EBECBC83242B6
3580 | msiexec.exe | C:\Windows\Temp\~DF53E951AF171C74E9.TMP | binary
MD5: A46C3B54F2C9871CD81DAF7A932499C0
SHA256: E4F60D0AA6D7F3D3B6A6494B1C861B99F649C6F9EC51ABAF201B20F297327C95
3580 | msiexec.exe | C:\Windows\Temp\~DFB9536B03FA21169D.TMP | binary
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
3580 | msiexec.exe | C:\Config.Msi\e14ce.rbs | binary
MD5: 421C21A3FEE97600175C611D75E850C0
SHA256: AA87BAA445C532BB2DCAA493DF9457302EC87A95F1DB1DDA09FA3BF1BD27D783
3580 | msiexec.exe | C:\Windows\Installer\MSI15B6.tmp | executable
MD5: C7FBD5EE98E32A77EDF1156DB3FCA622
SHA256: E140990B509DD6884A5742BDE64F2CDAA10012D472B0B32DE43EBECBC83242B6
3580 | msiexec.exe | C:\Windows\Installer\MSI1664.tmp | executable
MD5: C7FBD5EE98E32A77EDF1156DB3FCA622
SHA256: E140990B509DD6884A5742BDE64F2CDAA10012D472B0B32DE43EBECBC83242B6
3580 | msiexec.exe | C:\Windows\Installer\MSI1909.tmp | executable
MD5: CAC0EAEB267D81CF3FA968EE23A6AF9D
SHA256: F1DD0DD1E83B28FFA2ED30F46F98E94A4919EC1F4E9D33720354288B77153774
3580 | msiexec.exe | C:\Windows\Installer\SourceHash{4XF15BQO-ZYJ1-RUQ1-TAWJ-9E6GH2EULRDL} | binary
MD5: 4B402790848B9196B6771AD6CD44937B
SHA256: 2921A11F25DADAA24AA79A548E4E81508C2E5E56AF2D833D65E2BCCE448CE2F5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 19
TCP/UDP connections: 31
DNS requests: 15
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
8044
MicrosoftEdgeUpdate.exe
GET
304
150.171.22.17:443
https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.195.69?clientId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&appChannel_webview=5&appConsentState_webview=0&appDayOfInstall_webview=0&appInactivityBadgeApplied_webview=0&appInactivityBadgeCleared_webview=0&appInactivityBadgeDuration_webview=0&appInstallTimeDiffSec_webview=0&appIsPinnedSystem_webview=false&appLastLaunchCount_webview=0&appLastLaunchTime_webview=0&appLastLaunchTimeJson_webview=0&appLastLaunchTimeDaysAgo_webview=0&appUpdateCheckIsUpdateDisabled_webview=false&appUpdatesAllowedForMeteredNetworks_webview=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=6&hwPhysmemory=6&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=DELL&oemProductName=DELL&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.4046&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=otherinstallcmd&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.195.69
US
unknown
6076
svchost.exe
GET
200
184.24.77.35:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
5276
MoUsoCoreWorker.exe
GET
200
184.24.77.35:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
6076
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
2000
slui.exe
POST
500
48.192.1.65:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
US
xml
512 b
whitelisted
5276
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
5532
SearchApp.exe
POST
204
2.16.204.133:443
https://www.bing.com/threshold/xls.aspx?t=5&dl=1&f=9&wsbc=1
unknown
whitelisted
5532
SearchApp.exe
POST
204
2.16.204.139:443
https://www.bing.com/threshold/xls.aspx?t=5&dl=1&f=9&wsbc=1
NL
whitelisted
8044
MicrosoftEdgeUpdate.exe
GET
200
52.123.243.219:443
https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.195.69?clientId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&appChannel_edgeupdate=6&appConsentState_edgeupdate=0&appDayOfInstall_edgeupdate=0&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeDuration_edgeupdate=0&appInstallTimeDiffSec_edgeupdate=0&appIsPinnedSystem_edgeupdate=false&appLastLaunchCount_edgeupdate=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appVersion_edgeupdate=1.3.195.69&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=6&hwPhysmemory=6&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=DELL&oemProductName=DELL&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.4046&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=otherinstallcmd&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.195.69
US
text
648 b
unknown
8044
MicrosoftEdgeUpdate.exe
GET
200
150.171.22.17:443
https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.195.69?clientId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&appChannel_edgeupdate=6&appConsentState_edgeupdate=0&appDayOfInstall_edgeupdate=0&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeDuration_edgeupdate=0&appInstallTimeDiffSec_edgeupdate=0&appIsPinnedSystem_edgeupdate=false&appLastLaunchCount_edgeupdate=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appVersion_edgeupdate=1.3.195.69&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=6&hwPhysmemory=6&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=DELL&oemProductName=DELL&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.4046&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=otherinstallcmd&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.195.69
US
text
648 b
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5276
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
48.192.1.65:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
6076
svchost.exe
184.24.77.35:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
5276
MoUsoCoreWorker.exe
184.24.77.35:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
6076
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5276
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
2000
slui.exe
48.192.1.65:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
crl.microsoft.com
  • 184.24.77.35
  • 184.24.77.37
  • 2.16.164.120
  • 2.16.164.32
  • 2.16.164.49
  • 2.16.164.96
  • 2.16.164.59
  • 2.16.164.89
  • 2.16.164.107
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 23.59.18.102
whitelisted
google.com
  • 142.250.154.101
  • 142.250.154.113
  • 142.250.154.139
  • 142.250.154.100
  • 142.250.154.102
  • 142.250.154.138
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
www.bing.com
  • 2.16.204.139
  • 2.16.204.152
  • 2.16.204.151
  • 2.16.204.154
  • 2.16.204.133
  • 2.16.204.140
  • 2.16.204.141
  • 2.16.204.160
  • 2.16.204.147
whitelisted
yu3dc.com
  • 154.218.3.146
unknown
config.edge.skype.com
  • 150.171.22.17
whitelisted
watson.events.data.microsoft.com
  • 172.178.240.163
whitelisted
self.events.data.microsoft.com
  • 20.189.173.8
whitelisted

Threats

No threats detected
No debug info