File name: Teacher.msi

Full analysis: https://app.any.run/tasks/99652e12-c0a5-41ce-a34e-64191c608d11
Verdict: Malicious activity
Analysis date: August 21, 2024, 13:55:32
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Professor LanSchool, Comments: , Keywords: Installer,MSI,Database, Subject: Instalação de Professor LanSchool, Author: , Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2014 - Professional Edition 21, Last Saved Time/Date: Wed Dec 14 18:11:09 2016, Create Time/Date: Wed Dec 14 18:11:09 2016, Last Printed: Wed Dec 14 18:11:09 2016, Revision Number: {F4105941-4843-40AD-8A86-79498825FFA9}, Code page: 1252, Template: Intel;1046
MD5: 10779569C96588555ACE415618DAFDD3
SHA1: DC236079FF9A7754E756C271D2B50735EFF8E143
SHA256: D287474C259FB16B0D66F7B5E5D15324732244FFC69F2E2CB525957D5786B45C
SSDEEP: 98304:WB+ad1gvK4NRgJr5FBgwRQTDCUEbnB1e4zXGjKzgRJOHvP3unWf8IMz/+TPfWxrf:5eHvHfod8AX1mppp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • msiexec.exe (PID: 6912)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 6976)
      • msiexec.exe (PID: 6912)
    • Executes as Windows Service

      • VSSVC.exe (PID: 7064)
      • LskHelper.exe (PID: 6280)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 6912)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 6912)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 6912)
    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 6912)
    • Reads security settings of Internet Explorer

      • teacher.exe (PID: 6340)
      • msiexec.exe (PID: 3180)
    • Reads the date of Windows installation

      • msiexec.exe (PID: 3180)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • msiexec.exe (PID: 3180)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • msiexec.exe (PID: 3180)
  • INFO

    • An automatically generated document

      • msiexec.exe (PID: 6768)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 6768)
    • Reads the computer name

      • msiexec.exe (PID: 6912)
      • msiexec.exe (PID: 6976)
      • ISBEW64.exe (PID: 7044)
      • ISBEW64.exe (PID: 7084)
      • ISBEW64.exe (PID: 7124)
      • ISBEW64.exe (PID: 7164)
      • ISBEW64.exe (PID: 6576)
      • ISBEW64.exe (PID: 5248)
      • ISBEW64.exe (PID: 4280)
      • ISBEW64.exe (PID: 368)
      • ISBEW64.exe (PID: 6196)
      • ISBEW64.exe (PID: 6260)
      • msiexec.exe (PID: 1060)
      • msiexec.exe (PID: 3180)
      • teacher.exe (PID: 6340)
      • LskHelper.exe (PID: 6280)
    • Checks proxy server information

      • msiexec.exe (PID: 6768)
      • teacher.exe (PID: 6340)
    • Reads the software policy settings

      • msiexec.exe (PID: 6768)
      • msiexec.exe (PID: 6912)
    • Checks supported languages

      • msiexec.exe (PID: 6912)
      • msiexec.exe (PID: 6976)
      • ISBEW64.exe (PID: 7044)
      • ISBEW64.exe (PID: 7084)
      • ISBEW64.exe (PID: 7124)
      • ISBEW64.exe (PID: 6576)
      • ISBEW64.exe (PID: 5248)
      • ISBEW64.exe (PID: 4280)
      • ISBEW64.exe (PID: 368)
      • ISBEW64.exe (PID: 6196)
      • ISBEW64.exe (PID: 6260)
      • msiexec.exe (PID: 1060)
      • msiexec.exe (PID: 3180)
      • LskHelper.exe (PID: 6280)
      • teacher.exe (PID: 6340)
      • lskHlpr64.exe (PID: 6560)
      • ISBEW64.exe (PID: 7164)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 6768)
    • Create files in a temporary directory

      • msiexec.exe (PID: 6976)
      • msiexec.exe (PID: 1060)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6976)
      • msiexec.exe (PID: 6768)
      • msiexec.exe (PID: 6912)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 6912)
    • Disables trace logs

      • teacher.exe (PID: 6340)
    • Reads Microsoft Office registry keys

      • teacher.exe (PID: 6340)
      • msedge.exe (PID: 4976)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6912)
    • Process checks computer location settings

      • msiexec.exe (PID: 3180)
    • Application launched itself

      • msedge.exe (PID: 4976)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (84.2)
.mst | Windows SDK Setup Transform Script (9.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Characters: -
LastModifiedBy: InstallShield
Words: -
Title: Professor LanSchool
Comments:
Keywords: Installer,MSI,Database
Subject: Instalação de Professor LanSchool
Author:
Security: Password protected
Pages: 200
Software: InstallShield® 2014 - Professional Edition 21
ModifyDate: 2016:12:14 18:11:09
CreateDate: 2016:12:14 18:11:09
LastPrinted: 2016:12:14 18:11:09
RevisionNumber: {F4105941-4843-40AD-8A86-79498825FFA9}
CodePage: Windows Latin 1 (Western European)
Template: Intel;1046
No data.
All screenshots are available in the full report
Total processes: 184
Monitored processes: 50
Malicious processes: 1
Suspicious processes: 1

Behavior graph


Process information

PID | CMD | Path | Indicators | Parent process
PID: 252
CMD: "C:\Windows\syswow64\NETSH.EXE" advfirewall firewall delete rule name="LanSchool Teacher"
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Network Command Shell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 368
CMD: C:\Users\admin\AppData\Local\Temp\{80EED6C1-529F-4A51-AFE7-66B57D0B8310}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7AADF77A-76D1-4977-BAA9-DD718E74009A}
Path: C:\Users\admin\AppData\Local\Temp\{80EED6C1-529F-4A51-AFE7-66B57D0B8310}\ISBEW64.exe
Parent process: msiexec.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\{80eed6c1-529f-4a51-afe7-66b57d0b8310}\isbew64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 448
CMD: "C:\Windows\syswow64\NETSH.EXE" advfirewall firewall add rule name="LanSchool Teacher" dir=in program="C:\Program Files (x86)\LanSchool\Teacher.exe" action=allow
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 1060
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding BFE9352CF908D1FB6ED4ABA78118CF58
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 1488
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4036 --field-trial-handle=2336,i,3730417162520016497,17406100787066518423,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59
PID: 2024
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2540 --field-trial-handle=2336,i,3730417162520016497,17406100787066518423,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2456
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3180
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 8FE97BDD41E89BEE574DE4D57F6CCB3F E Global\MSI0000
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 3276
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4240 --field-trial-handle=2336,i,3730417162520016497,17406100787066518423,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59
PID: 3292
CMD: "C:\Windows\syswow64\NETSH.EXE" advfirewall firewall add rule name="LanSchool Student" dir=in program="C:\Program Files (x86)\LanSchool\Student.exe" action=allow
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
Total events: 22 493
Read events: 21 996
Write events: 473
Delete events: 24

Modification events

PID 6912 (msiexec.exe) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore | Operation: write | Name: SrCreateRp (Enter)
  Value: 4800000000000000FEB0C1D8D1F3DA01001B00009C1B0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 6912 (msiexec.exe) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGetSnapshots (Enter)
  Value: 4800000000000000FEB0C1D8D1F3DA01001B00009C1B0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 6912 (msiexec.exe) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGetSnapshots (Leave)
  Value: 48000000000000006CA5FFD8D1F3DA01001B00009C1B0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 6912 (msiexec.exe) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppEnumGroups (Enter)
  Value: 48000000000000006CA5FFD8D1F3DA01001B00009C1B0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 6912 (msiexec.exe) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppEnumGroups (Leave)
  Value: 4800000000000000030902D9D1F3DA01001B00009C1B0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
PID 6912 (msiexec.exe) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppCreate (Enter)
  Value: 4800000000000000006E04D9D1F3DA01001B00009C1B0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 6912 (msiexec.exe) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP | Operation: write | Name: LastIndex
  Value: 11
PID 6912 (msiexec.exe) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGatherWriterMetadata (Enter)
  Value: 4800000000000000EAAF8ED9D1F3DA01001B00009C1B0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 6912 (msiexec.exe) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher | Operation: write | Name: IDENTIFY (Enter)
  Value: 4800000000000000F01291D9D1F3DA01001B0000A0190000E80300000100000000000000000000001C8F99F2277A744BAD2893142C467FB200000000000000000000000000000000
PID 7064 (VSSVC.exe) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | Operation: write | Name: IDENTIFY (Enter)
  Value: 4800000000000000BCBFA1D9D1F3DA01981B0000B81B0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 63
Suspicious files: 60
Text files: 34
Unknown types: 2

Dropped files

PID | Process | Filename | Type
6768 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_06BF5012787BDB4568CBC708433FF186 | binary
  MD5: 9880BFF0EA2F71CFC4FA896336E770AF
  SHA256: 3F25BEB775CF92389B0B9F26793ED274C7A02C6155AC7B0E31C3FDA2DEBB464B
6912 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | (type not recorded)
  MD5: (not recorded)
  SHA256: (not recorded)
6912 | msiexec.exe | C:\Windows\Installer\12500c.msi | (type not recorded)
  MD5: (not recorded)
  SHA256: (not recorded)
6768 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_06BF5012787BDB4568CBC708433FF186 | der
  MD5: B1508B122DA620C3F53C242C3C44542C
  SHA256: 68065974286881D9F28420C15253AEFEF8EE68846EDAAAF89DA818EB6D0224BC
6768 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 | binary
  MD5: 5BFA51F3A417B98E7443ECA90FC94703
  SHA256: BEBE2853A3485D1C2E5C5BE4249183E0DDAFF9F87DE71652371700A89D937128
6768 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSIE377.tmp | executable
  MD5: D8D98BDD606AF949B6DCC2568C968137
  SHA256: 8A424153E6A15CFA1AF633B3E925A7A8A083CC620D7DEA9AFBDD8975361B1817
6976 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\{80EED6C1-529F-4A51-AFE7-66B57D0B8310}\String1046.txt | text
  MD5: B8A008E6923BA75B76CF8564E04443AD
  SHA256: 02507697EF3EC26EE87DA24954ED3E8E2E4D746E15E8AFFAD0C8FA3F96BDC544
6768 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7 | der
  MD5: 12C28927E0DE052BFADF7420CF437EBE
  SHA256: 05E22143973F441722148BAB18C9F54CBFC3A5FA474B55D5770E129B70410739
6768 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 | binary
  MD5: 9C0C90CA6BC4F5808811FB8D0039C226
  SHA256: 3B6EF978F1FE70955E95F9E376D859464239F3D5984BB75A625B02D442929B11
6768 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7 | binary
  MD5: 03BF975960E91948ADD83BE12799CA9D
  SHA256: 6528C2DECB3867C8E23404AD59BB71B2062BFAB0355B161A627A98CF73AA7B84
HTTP(S) requests: 11
TCP/UDP connections: 45
DNS requests: 38
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6768 | msiexec.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D | unknown | whitelisted
6768 | msiexec.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D | unknown | whitelisted
6768 | msiexec.exe | GET | 404 | 172.64.149.23:80 | http://crl.usertrust.com/AddTrustExternalCARoot.crl | unknown | whitelisted
6768 | msiexec.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEC58h8wOk0pS%2FpT9HLfNNK8%3D | unknown | whitelisted
6768 | msiexec.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg%2F4pN%2Buv5pmq4z%2FnmS71JzhICEQCkusQnzXQyyHiOtzNWAbkI | unknown | whitelisted
4132 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6364 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
6912 | msiexec.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D | unknown | whitelisted
6912 | msiexec.exe | GET | 404 | 172.64.149.23:80 | http://crl.usertrust.com/AddTrustExternalCARoot.crl | unknown | whitelisted
6912 | msiexec.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | whitelisted
608 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1492 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
6768 | msiexec.exe | 104.18.38.233:80 | ocsp.usertrust.com | CLOUDFLARENET | shared
6768 | msiexec.exe | 172.64.149.23:80 | ocsp.usertrust.com | CLOUDFLARENET | US | unknown
1492 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3260 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4132 | svchost.exe | 20.190.160.22:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4132 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.142 | whitelisted
ocsp.usertrust.com | 104.18.38.233, 172.64.149.23 | whitelisted
crl.usertrust.com | 172.64.149.23, 104.18.38.233 | whitelisted
ocsp.comodoca.com | 104.18.38.233, 172.64.149.23 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2, 20.73.194.208, 40.127.240.158 | whitelisted
client.wns.windows.com | 40.113.103.199 | whitelisted
login.live.com | 20.190.160.22, 40.126.32.68, 40.126.32.76, 20.190.160.20, 40.126.32.72, 20.190.160.17, 40.126.32.138, 40.126.32.140 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
arc.msn.com | 20.103.156.88 | whitelisted
slscr.update.microsoft.com | 40.127.169.103 | whitelisted

Threats

No threats detected
Debug output

Process | Message
lskHlpr64.exe | At the start of LskHlpr64.exe