File name:

CosmicClientInstaller.exe

Full analysis: https://app.any.run/tasks/377f86e4-5a5c-4170-873a-9fff1fc31d60
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: July 21, 2025, 22:37:54
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
advancedinstaller
adware
takemyfile
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

5A906260FF434009AB6A270DDB88C51F

SHA1:

46D25E7166366624D0B4981D2C952FCB309F38CB

SHA256:

D56658C16FC6F9DC2FEA0DB1D75663E796F5A6A00B5B7F0D4585BF5C91E25E44

SSDEEP:

393216:oc2KzQ96zKDUf6I908SBoQ0i2TgnvzX4KDHJkc3Iw2b:/xQ8s6/90CQ0i1vzoKDzBw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • CosmicClientInstaller.exe (PID: 2880)
      • CosmicClientInstaller.exe (PID: 4708)
      • Cosmic Client.exe (PID: 3628)
    • ADWARE has been detected (SURICATA)

      • CosmicClientInstaller.exe (PID: 2880)
  • SUSPICIOUS

    • ADVANCEDINSTALLER mutex has been found

      • CosmicClientInstaller.exe (PID: 2880)
    • Executable content was dropped or overwritten

      • CosmicClientInstaller.exe (PID: 2880)
      • CosmicClientInstaller.exe (PID: 4708)
    • Reads security settings of Internet Explorer

      • CosmicClientInstaller.exe (PID: 2880)
      • CosmicClientInstaller.exe (PID: 4708)
      • msiexec.exe (PID: 6344)
    • Reads the Windows owner or organization settings

      • CosmicClientInstaller.exe (PID: 2880)
      • CosmicClientInstaller.exe (PID: 4708)
      • msiexec.exe (PID: 5564)
    • Process drops legitimate windows executable

      • CosmicClientInstaller.exe (PID: 2880)
      • msiexec.exe (PID: 6344)
      • CosmicClientInstaller.exe (PID: 4708)
    • Checks for Java to be installed

      • msiexec.exe (PID: 6344)
    • Likely accesses (executes) a file from the Public directory

      • CosmicClientInstaller.exe (PID: 4708)
    • Application launched itself

      • CosmicClientInstaller.exe (PID: 2880)
    • There is functionality for taking screenshot (YARA)

      • CosmicClientInstaller.exe (PID: 2880)
    • Detects AdvancedInstaller (YARA)

      • CosmicClientInstaller.exe (PID: 2880)
    • Access to an unwanted program domain was detected

      • CosmicClientInstaller.exe (PID: 2880)
  • INFO

    • The sample compiled with english language support

      • CosmicClientInstaller.exe (PID: 2880)
      • msiexec.exe (PID: 6344)
      • CosmicClientInstaller.exe (PID: 4708)
      • msiexec.exe (PID: 5564)
    • Reads Environment values

      • CosmicClientInstaller.exe (PID: 2880)
      • msiexec.exe (PID: 6344)
      • CosmicClientInstaller.exe (PID: 4708)
      • msiexec.exe (PID: 3960)
    • Reads the computer name

      • CosmicClientInstaller.exe (PID: 2880)
      • msiexec.exe (PID: 5564)
      • msiexec.exe (PID: 6344)
      • CosmicClientInstaller.exe (PID: 4708)
      • msiexec.exe (PID: 3960)
      • msiexec.exe (PID: 6012)
      • Cosmic Client.exe (PID: 3628)
    • Checks supported languages

      • CosmicClientInstaller.exe (PID: 2880)
      • msiexec.exe (PID: 5564)
      • msiexec.exe (PID: 6344)
      • CosmicClientInstaller.exe (PID: 4708)
      • msiexec.exe (PID: 3960)
      • msiexec.exe (PID: 6012)
      • Cosmic Client.exe (PID: 3628)
    • Creates files or folders in the user directory

      • CosmicClientInstaller.exe (PID: 2880)
      • Cosmic Client.exe (PID: 3628)
    • Create files in a temporary directory

      • CosmicClientInstaller.exe (PID: 2880)
      • msiexec.exe (PID: 6344)
      • CosmicClientInstaller.exe (PID: 4708)
    • Reads the machine GUID from the registry

      • CosmicClientInstaller.exe (PID: 2880)
      • CosmicClientInstaller.exe (PID: 4708)
      • msiexec.exe (PID: 5564)
      • Cosmic Client.exe (PID: 3628)
    • Reads the software policy settings

      • CosmicClientInstaller.exe (PID: 2880)
      • CosmicClientInstaller.exe (PID: 4708)
      • msiexec.exe (PID: 5564)
      • Cosmic Client.exe (PID: 3628)
      • slui.exe (PID: 3672)
    • Checks proxy server information

      • CosmicClientInstaller.exe (PID: 2880)
      • slui.exe (PID: 3672)
    • Reads Microsoft Office registry keys

      • msiexec.exe (PID: 6344)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6344)
      • msiexec.exe (PID: 5564)
    • Process checks computer location settings

      • CosmicClientInstaller.exe (PID: 2880)
      • msiexec.exe (PID: 6344)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 5564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:01:15 13:42:34+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.24
CodeSize: 1505792
InitializedDataSize: 690176
UninitializedDataSize: -
EntryPoint: 0x11e5d3
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Cosmic Games
FileDescription: Cosmic Client Installer
FileVersion: 1
InternalName: Cosmic Client Installer
LegalCopyright: Copyright (C) 2023 Cosmic Games
OriginalFileName: Cosmic Client Installer.exe
ProductName: Cosmic Client
ProductVersion: 1
No data.
All screenshots are available in the full report
Total processes: 146
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 2

Behavior graph

Processes shown in the graph, starting from the root: cosmicclientinstaller.exe (#ADWARE), msiexec.exe, msiexec.exe, cosmicclientinstaller.exe, msiexec.exe (no specs), msiexec.exe (no specs), cosmic client.exe, slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2880
CMD: "C:\Users\admin\Desktop\CosmicClientInstaller.exe"
Path: C:\Users\admin\Desktop\CosmicClientInstaller.exe
Parent process: explorer.exe
User:
admin
Company:
Cosmic Games
Integrity Level:
MEDIUM
Description:
Cosmic Client Installer
Exit code:
0
Version:
1.0
Modules
Images
c:\users\admin\desktop\cosmicclientinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 3628
CMD: "C:\Program Files\Cosmic Client\Cosmic Client.exe"
Path: C:\Program Files\Cosmic Client\Cosmic Client.exe
Parent process: msiexec.exe
User:
admin
Company:
Cosmic Games ULC
Integrity Level:
MEDIUM
Description:
Cosmic Client
Exit code:
1
Version:
1.0
Modules
Images
c:\program files\cosmic client\cosmic client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 3672
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3960
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding F9FDCEB709ED9D3DB8A8FD1365ACE974
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 4708
CMD: "C:\Users\admin\Desktop\CosmicClientInstaller.exe" /i "C:\Users\admin\AppData\Roaming\Cosmic Games\Cosmic Client 1.0\install\A68543B\Cosmic Client Installer.x64.msi" AI_EUIMSI=1 APPDIR="C:\Program Files\Cosmic Client" SHORTCUTDIR="C:\Users\Public\Desktop" SECONDSEQUENCE="1" CLIENTPROCESSID="2880" AI_MORE_CMD_LINE=1
Path: C:\Users\admin\Desktop\CosmicClientInstaller.exe
Parent process: CosmicClientInstaller.exe
User:
admin
Company:
Cosmic Games
Integrity Level:
HIGH
Description:
Cosmic Client Installer
Exit code:
0
Version:
1.0
Modules
Images
c:\users\admin\desktop\cosmicclientinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 5564
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 6012
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 78B6DC409FF2AF92FAF1101AEF2B352A E Global\MSI0000
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 6344
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding A8F33B6B25B3BBC22C5401E1BF56FCCF C
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Total events: 19 772
Read events: 19 649
Write events: 115
Delete events: 8

Modification events

(PID) Process: (5564) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (5564) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: BC150000B660C72090FADB01

(PID) Process: (5564) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: B33CC54E9818702167E0C69AD718ECFEC8D87C7BB119B7974AA06A2BCACD5168

(PID) Process: (5564) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation: write
Name: C:\Config.Msi\
Value:

(PID) Process: (5564) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write
Name: C:\Config.Msi\190343.rbs
Value: 31193744

(PID) Process: (5564) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write
Name: C:\Config.Msi\190343.rbsLow
Value: 639283776

(PID) Process: (5564) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\35D26D469C129DA49828EEAE4F06E9FC
Operation: write
Name: 31D8E75D9A1885943B6BCF25A58645B3
Value: C:\Program Files\Cosmic Client\

(PID) Process: (5564) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0524AFD6162ECA944B2472098A2FDDE6
Operation: write
Name: 31D8E75D9A1885943B6BCF25A58645B3
Value: 02:\Software\Cosmic Games\Cosmic Client\Version

(PID) Process: (5564) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D48DDA809E1EB7E4EAD319F3472260FB
Operation: write
Name: 31D8E75D9A1885943B6BCF25A58645B3
Value: 02:\Software\Caphyon\Advanced Installer\LZMA\{D57E8D13-81A9-4958-B3B6-FC525A68543B}\1.0\AI_ExePath

(PID) Process: (5564) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DB9F69E49FD5ECF48A6BD1273297909B
Operation: write
Name: 31D8E75D9A1885943B6BCF25A58645B3
Value: 02:\Software\Cosmic Games\{D57E8D13-81A9-4958-B3B6-FC525A68543B}\AI_IA_ENABLE
Executable files: 41
Suspicious files: 11
Text files: 25
Unknown types: 12

Dropped files

PID
Process
Filename
Type
PID: 2880
Process: CosmicClientInstaller.exe
Filename: C:\Users\admin\AppData\Roaming\Cosmic Games\Cosmic Client 1.0\install\holder0.aiph
Type: -
MD5: -
SHA256: -

PID: 2880
Process: CosmicClientInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIE23D.LOG
Type: -
MD5: -
SHA256: -

PID: 2880
Process: CosmicClientInstaller.exe
Filename: C:\Users\admin\AppData\Roaming\Cosmic Games\Cosmic Client 1.0\install\A68543B\Cosmic Client Installer.x64.msi
Type: executable
MD5: D3ECAA109D218560F01669FDF2AC1E6F
SHA256: 2938851B5A339BDB25B4A255460CFDE3739FAE15BAD38A9F6179676565935E73

PID: 2880
Process: CosmicClientInstaller.exe
Filename: C:\Users\admin\AppData\Roaming\Cosmic Games\Cosmic Client 1.0\install\A68543B\Cosmic Client Installer.msi
Type: executable
MD5: 0EC3960889CFBC6DA04F1C25D696FBA9
SHA256: 42D8FDEDE0E5207C547E9CE47F58F1E9A2F8E6680128A81B27036D1767D0D2FD

PID: 2880
Process: CosmicClientInstaller.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_C5856A5EB1E3B74AE8014850A678CDBF
Type: der
MD5: 786F0041EE5594B7F1E882E30C7C8FCC
SHA256: 44E6B985D947D4CCFBD07628F8795646202DB2FA0C67356049E822DFCA692021

PID: 2880
Process: CosmicClientInstaller.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_C5856A5EB1E3B74AE8014850A678CDBF
Type: binary
MD5: E61EC15DAC7E40E3D027E9D142F79380
SHA256: 4343367B4C9C16FC60006D1A472774DDCEF853A0495FE36191DC75B1B83552CD

PID: 2880
Process: CosmicClientInstaller.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3EC49180A59F0C351C30F112AD97CFA5_B1F00FA1D2ECD5D781E44CEE5DF6C96A
Type: binary
MD5: D72481D633F407FB93E2837966F003F3
SHA256: 5ED9E5E080D39BD281A34AFA8A3F832319248B60EED61013466B144242377DD7

PID: 2880
Process: CosmicClientInstaller.exe
Filename: C:\Users\admin\AppData\Roaming\Cosmic Games\Cosmic Client 1.0\install\decoder.dll
Type: executable
MD5: DCA95F4411A1C7EEB221C095C9EF8196
SHA256: 51E89BFA578FDCDCB324F5CAA2C36C5CC8F1DBD73658BED39445C57C722B91F4

PID: 2880
Process: CosmicClientInstaller.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3EC49180A59F0C351C30F112AD97CFA5_B1F00FA1D2ECD5D781E44CEE5DF6C96A
Type: der
MD5: C7B15C1938E04CBB8D42C190751E7AB1
SHA256: 0E1158684B4516708D647DFF4119572BD32D421C759A0700FA85D047E722F59A

PID: 2880
Process: CosmicClientInstaller.exe
Filename: C:\Users\admin\AppData\Local\AdvinstAnalytics\5ec6a1d8c8fe80765ec277d0\1.0\{8F5E057D-84C1-43E5-A765-17C46ADF93AE}.session
Type: text
MD5: 0AEB9BD3D622DDD97F48AC9B57B5B518
SHA256: FEA806BEAE83EF6736CD7C56D11520AA42690965C2D188BFF662195A92CF17E4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 38
TCP/UDP connections: 32
DNS requests: 19
Threats: 15

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.216.77.22:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6584 | RUXIMICS.exe | GET | 200 | 23.216.77.22:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6584 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 23.156.128.21:443 | https://cdn.cosmicclient.com/bootstrap/jcef/windows_x64.tar.zst.gpg?1753137501852107500 | unknown | binary | 801 b | -
- | - | GET | 200 | 23.156.128.104:443 | https://cdn.cosmicclient.com/bootstrap/assets/dock-lg.png.gpg?1753137502067807800 | unknown | binary | 801 b | -
- | - | GET | 200 | 23.156.128.153:443 | https://cdn.cosmicclient.com/bootstrap/launcher.jar.gpg?1753137502296980800 | unknown | - | - | -
2880 | CosmicClientInstaller.exe | POST | 402 | 3.227.106.113:80 | http://collect.installeranalytics.com/ | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | GET | - | 23.156.128.229:443 | https://cdn.cosmicclient.com/bootstrap/java/windows_x64.tar.zst?04a842e8127215eb6673f1077ef634ff97bb28cba27dd7528cdbfc49f8a78687 | unknown | - | - | -
2940 | svchost.exe | GET | 200 | 23.209.209.135:80 | http://x1.c.lencr.org/ | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6584 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6584 | RUXIMICS.exe | 23.216.77.22:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.216.77.22:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6584 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2880 | CosmicClientInstaller.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.216.77.22
  • 23.216.77.6
  • 23.216.77.30
  • 23.216.77.42
  • 23.216.77.8
  • 23.216.77.36
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
cdn.cosmicclient.com
  • 23.156.128.104
  • 23.156.128.153
  • 23.156.128.21
  • 23.156.128.229
unknown
collect.installeranalytics.com
  • 3.227.106.113
  • 34.195.50.84
whitelisted
self.events.data.microsoft.com
  • 20.42.73.30
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
x1.c.lencr.org
  • 23.209.209.135
whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
- | - | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound
- | - | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
- | - | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound
- | - | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound
- | - | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
- | - | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound
- | - | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
- | - | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
- | - | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound
No debug info