File name: Update & Activation.exe

Full analysis: https://app.any.run/tasks/6ee8b2ea-a07e-41d3-9971-55f786343131
Verdict: Malicious activity
Analysis date: February 04, 2024, 20:44:39
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: A3980159AFED25451DD375FF96674E91
SHA1: BF30387F3068FBC51F88ADBC3D53F18D4D11A871
SHA256: E316170C1A844B25DE55E7BE40345F31BA62A12CB157B301B91CDB913B461AE1
SSDEEP: 98304:ia7BL3n+C+iZjb7JGe/V8/EAGXMYbZeYgMqM5D4QvxLNgzP+btRc9DeaR3YIIdf3:7RxVxLmE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Update & Activation.exe (PID: 6200)
      • Update & Activation.exe (PID: 6700)
      • Update & Activation.tmp (PID: 4100)
      • Update & Activation.exe (PID: 2588)
      • Update & Activation.exe (PID: 2200)
      • Update & Activation.tmp (PID: 5448)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • Update & Activation.tmp (PID: 1124)
      • Update & Activation.tmp (PID: 5820)
    • Executable content was dropped or overwritten

      • Update & Activation.exe (PID: 6200)
      • Update & Activation.exe (PID: 6700)
      • Update & Activation.tmp (PID: 4100)
      • Update & Activation.exe (PID: 2588)
      • Update & Activation.exe (PID: 2200)
      • Update & Activation.tmp (PID: 5448)
    • Reads the Windows owner or organization settings

      • Update & Activation.tmp (PID: 4100)
      • Update & Activation.tmp (PID: 5448)
    • Executes application which crashes

      • PCStitch 11.exe (PID: 6288)
  • INFO

    • Checks supported languages

      • Update & Activation.exe (PID: 6200)
      • Update & Activation.tmp (PID: 1124)
      • Update & Activation.exe (PID: 6700)
      • Update & Activation.tmp (PID: 4100)
      • Update & Activation.exe (PID: 2588)
      • Update & Activation.tmp (PID: 5820)
      • Update & Activation.exe (PID: 2200)
      • PCStitch 11.exe (PID: 6288)
      • Update & Activation.tmp (PID: 5448)
      • ShellExperienceHost.exe (PID: 3176)
    • Reads the computer name

      • Update & Activation.tmp (PID: 1124)
      • Update & Activation.tmp (PID: 4100)
      • Update & Activation.tmp (PID: 5820)
      • Update & Activation.tmp (PID: 5448)
      • PCStitch 11.exe (PID: 6288)
      • ShellExperienceHost.exe (PID: 3176)
    • Creates files in a temporary directory

      • Update & Activation.exe (PID: 6200)
      • Update & Activation.exe (PID: 6700)
      • Update & Activation.tmp (PID: 4100)
      • Update & Activation.tmp (PID: 5448)
      • Update & Activation.exe (PID: 2588)
      • Update & Activation.exe (PID: 2200)
    • Creates files in the program directory

      • Update & Activation.tmp (PID: 4100)
    • Manual execution by a user

      • Update & Activation.exe (PID: 2588)
      • PCStitch 11.exe (PID: 6288)
    • Reads the machine GUID from the registry

      • PCStitch 11.exe (PID: 6288)
    • Reads the software policy settings

      • PCStitch 11.exe (PID: 6288)
      • WerFault.exe (PID: 472)
    • Checks proxy server information

      • PCStitch 11.exe (PID: 6288)
      • WerFault.exe (PID: 472)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 472)
    • Reads Environment values

      • PCStitch 11.exe (PID: 6288)
No Malware configuration.

TRiD

.exe | Inno Setup installer (77.7)
.exe | Win32 Executable Delphi generic (10)
.dll | Win32 Dynamic Link Library (generic) (4.6)
.exe | Win32 Executable (generic) (3.1)
.exe | Win16/32 Executable Delphi generic (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:20 00:22:17+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 41984
InitializedDataSize: 14336
UninitializedDataSize: -
EntryPoint: 0xaad0
OSVersion: 1
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: M&R Technologies
FileDescription: PCStitch Setup
FileVersion:
LegalCopyright:
ProductName: PCStitch
ProductVersion: 11.00.016
No data.
All screenshots are available in the full report
Total processes: 160
Monitored processes: 12
Malicious processes: 8
Suspicious processes: 0

Behavior graph

start update & activation.exe update & activation.tmp no specs update & activation.exe update & activation.tmp update & activation.exe update & activation.tmp no specs update & activation.exe update & activation.tmp rundll32.exe no specs pcstitch 11.exe shellexperiencehost.exe no specs werfault.exe

Process information

PID: 472
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6288 -s 2760
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: PCStitch 11.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.1081 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1124
CMD: "C:\Users\admin\AppData\Local\Temp\is-1UDDV.tmp\Update & Activation.tmp" /SL5="$60240,2480078,57344,C:\Users\admin\Desktop\Update & Activation.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-1UDDV.tmp\Update & Activation.tmp
Parent process: Update & Activation.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-1uddv.tmp\update & activation.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 2200
CMD: "C:\Users\admin\Desktop\Update & Activation.exe" /SPAWNWND=$901F0 /NOTIFYWND=$90278
Path: C:\Users\admin\Desktop\Update & Activation.exe
Parent process: Update & Activation.tmp
User: admin
Company: M&R Technologies
Integrity Level: HIGH
Description: PCStitch Setup
Exit code: 0
Version:
Modules (images):
c:\users\admin\desktop\update & activation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 2588
CMD: "C:\Users\admin\Desktop\Update & Activation.exe"
Path: C:\Users\admin\Desktop\Update & Activation.exe
Parent process: explorer.exe
User: admin
Company: M&R Technologies
Integrity Level: MEDIUM
Description: PCStitch Setup
Exit code: 0
Version:
Modules (images):
c:\users\admin\desktop\update & activation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 3176
CMD: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Shell Experience Host
Exit code: 0
Version: 10.0.19041.1151 (WinBuild.160101.0800)
Modules (images):
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\wincorlib.dll
PID: 4100
CMD: "C:\Users\admin\AppData\Local\Temp\is-RGECD.tmp\Update & Activation.tmp" /SL5="$A0206,2480078,57344,C:\Users\admin\Desktop\Update & Activation.exe" /SPAWNWND=$801C6 /NOTIFYWND=$60240
Path: C:\Users\admin\AppData\Local\Temp\is-RGECD.tmp\Update & Activation.tmp
Parent process: Update & Activation.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-rgecd.tmp\update & activation.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 5324
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 5448
CMD: "C:\Users\admin\AppData\Local\Temp\is-43KI3.tmp\Update & Activation.tmp" /SL5="$1301BE,2480078,57344,C:\Users\admin\Desktop\Update & Activation.exe" /SPAWNWND=$901F0 /NOTIFYWND=$90278
Path: C:\Users\admin\AppData\Local\Temp\is-43KI3.tmp\Update & Activation.tmp
Parent process: Update & Activation.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-43ki3.tmp\update & activation.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 5820
CMD: "C:\Users\admin\AppData\Local\Temp\is-QNVVM.tmp\Update & Activation.tmp" /SL5="$90278,2480078,57344,C:\Users\admin\Desktop\Update & Activation.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-QNVVM.tmp\Update & Activation.tmp
Parent process: Update & Activation.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-qnvvm.tmp\update & activation.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 6200
CMD: "C:\Users\admin\Desktop\Update & Activation.exe"
Path: C:\Users\admin\Desktop\Update & Activation.exe
Parent process: explorer.exe
User: admin
Company: M&R Technologies
Integrity Level: MEDIUM
Description: PCStitch Setup
Exit code: 0
Version:
Modules (images):
c:\users\admin\desktop\update & activation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 10 740
Read events: 10 720
Write events: 8
Delete events: 12

Modification events

(PID) Process | Key | Operation | Name | Value
(4100) Update & Activation.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | delete value | RegFilesHash | E62F77D5811E1CCD9215EF0F3F3BBF3F11F84DFF5288B741F184CD61D5C9C618
(4100) Update & Activation.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | delete value | RegFiles0000 | C:\Program Files (x86)\PCStitch 11\AxInterop.SHDocVw.dll
(4100) Update & Activation.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | delete value | Sequence | 1
(4100) Update & Activation.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | delete value | SessionHash | C817A24E086DF4058D4B98295871CAECEF11D7F46ADE699D23D545F34A02A014
(4100) Update & Activation.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | delete value | Owner | 04100000A6A70F01AB57DA01
(4100) Update & Activation.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | delete key | (default) |
(5448) Update & Activation.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | delete value | RegFilesHash | AD86B4D7D97154F5F6B0B8C5DC955668D77A34AF819A23EC040F6BECD404D30D
(5448) Update & Activation.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | delete value | RegFiles0000 | C:\Users\admin\Desktop\PCStitch 11\AxInterop.SHDocVw.dll
(5448) Update & Activation.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | delete value | Sequence | 1
(5448) Update & Activation.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | delete value | SessionHash | 7A86E540C0521318093D39FFD9EFAAF46B6810F8DEC2E3FEE102423305F91892
Executable files: 94
Suspicious files: 1
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4100 | Update & Activation.tmp | C:\Users\admin\AppData\Local\Temp\is-8QM7O.tmp\_isetup\_setup64.tmp | executable
  MD5: E4211D6D009757C078A9FAC7FF4F03D4
  SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
4100 | Update & Activation.tmp | C:\Program Files (x86)\PCStitch 11\is-E3325.tmp | executable
  MD5: 4AB6198B02E3ED83396FCB5C4A1B06CB
  SHA256: 390BA64DDE2156D4ECFE69C8B7FDA2FF9D7BEE15930161B08F6ECD84E4BE0F41
4100 | Update & Activation.tmp | C:\Program Files (x86)\PCStitch 11\AxInterop.XtremeCommandBars.dll | executable
  MD5: 4AB6198B02E3ED83396FCB5C4A1B06CB
  SHA256: 390BA64DDE2156D4ECFE69C8B7FDA2FF9D7BEE15930161B08F6ECD84E4BE0F41
4100 | Update & Activation.tmp | C:\Program Files (x86)\PCStitch 11\is-R61BU.tmp | executable
  MD5: 700A08398357B232BBC087232F7E0F8A
  SHA256: 676BDE9D2D48B39E64E8D948FDFC1756B59D49AEF89973597D121CDE423B1692
6200 | Update & Activation.exe | C:\Users\admin\AppData\Local\Temp\is-1UDDV.tmp\Update & Activation.tmp | executable
  MD5: 604A8AF42EF41CE6A8B34F9B5BB079C4
  SHA256: 028E855E3FFA2EDACF8AF423AD2004A7665E47CCDEA325C433FC759C9152DFC3
6700 | Update & Activation.exe | C:\Users\admin\AppData\Local\Temp\is-RGECD.tmp\Update & Activation.tmp | executable
  MD5: 604A8AF42EF41CE6A8B34F9B5BB079C4
  SHA256: 028E855E3FFA2EDACF8AF423AD2004A7665E47CCDEA325C433FC759C9152DFC3
4100 | Update & Activation.tmp | C:\Program Files (x86)\PCStitch 11\is-Q3K3O.tmp | executable
  MD5: DDD507C6501BE1B478E26B7FBCCE20A2
  SHA256: 72B94BB137962C33FB70192E400F637F387C4240A84358E91E6838B85A83E77E
4100 | Update & Activation.tmp | C:\Program Files (x86)\PCStitch 11\AxInterop.SHDocVw.dll | executable
  MD5: DDD507C6501BE1B478E26B7FBCCE20A2
  SHA256: 72B94BB137962C33FB70192E400F637F387C4240A84358E91E6838B85A83E77E
4100 | Update & Activation.tmp | C:\Program Files (x86)\PCStitch 11\Interop.SHDocVw.dll | executable
  MD5: 5ED27AC07C6CCA652B5CC1C2E96E46DC
  SHA256: 6C5F46F0B3786F3C519612F9851108B68272FE0E3540AF1FD134E2AEB654FE14
4100 | Update & Activation.tmp | C:\Program Files (x86)\PCStitch 11\Interop.StdType.dll | executable
  MD5: A2AF0BCE4858FC6F3B5F15F471B6062A
  SHA256: 25905E8362A288E4D02D1AEF416E68AC6A0CB81FC24A329784E2B339DCD2A4A1
HTTP(S) requests: 77
TCP/UDP connections: 26
DNS requests: 25
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1612 | svchost.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | binary | 1.11 Kb | unknown
5612 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | binary | 1.11 Kb | unknown
5612 | MoUsoCoreWorker.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | binary | 814 b | unknown
1612 | svchost.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | binary | 814 b | unknown
5028 | SearchApp.exe | GET | 200 | 150.171.22.254:443 | https://ln-ring.msedge.net/apc/trans.gif?3b69de1f26c1d4c4e904e5e54c31ea62 | unknown | image | 43 b
5028 | SearchApp.exe | GET | 200 | 13.107.246.45:443 | https://fp-afd.azurefd.net/apc/trans.gif?98f358606741058726096444fe021a2e | unknown
5028 | SearchApp.exe | GET | 200 | 13.107.213.45:443 | https://fp-afd.azurefd.net/apc/trans.gif?e6fdf9138c6b1482023f632c662c9f89 | unknown
5028 | SearchApp.exe | GET | 200 | 131.253.33.254:443 | https://a-ring-fallback.msedge.net/apc/trans.gif?3c9b74dce2ee2e72c7fe3e76afd0e461 | unknown | image | 43 b
6492 | msedge.exe | GET | 302 | 23.35.229.160:443 | https://go.microsoft.com/fwlink/?linkid=2133855&bucket=15 | unknown
5676 | svchost.exe | HEAD | 200 | 23.44.215.49:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1707508670&P2=404&P3=2&P4=A1MV5CyNSjFaZvcq07AsuXiDslL98L0kOR3NVRkQJsVj6SmZ0CMtFkpTT3NihNe4qRcXo5bvr%2fZjnAaHANGqRQ%3d%3d | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5612 | MoUsoCoreWorker.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
1612 | svchost.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
5612 | MoUsoCoreWorker.exe | 88.221.125.143:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
1612 | svchost.exe | 88.221.125.143:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
5612 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3720 | svchost.exe | 239.255.255.250:1900 | unknown
5028 | SearchApp.exe | 204.79.197.222:443 | fp.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5028 | SearchApp.exe | 150.171.22.254:443 | ln-ring.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
5028 | SearchApp.exe | 13.107.246.45:443 | fp-afd.azurefd.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
5028 | SearchApp.exe | 131.253.33.254:443 | a-ring-fallback.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 2.16.164.9, 2.16.164.120, 2.16.164.49, 2.16.164.72 | whitelisted
www.microsoft.com | 88.221.125.143 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
fp.msedge.net | 204.79.197.222 | whitelisted
ln-ring.msedge.net | 150.171.22.254 | unknown
fp-afd.azurefd.net | 13.107.246.45, 13.107.213.45 | unknown
a-ring-fallback.msedge.net | 131.253.33.254 | unknown
www.bing.com | 92.123.104.40, 92.123.104.43, 92.123.104.31, 92.123.104.33, 92.123.104.30, 92.123.104.46, 92.123.104.32, 92.123.104.26, 92.123.104.28 | whitelisted
go.microsoft.com | 23.35.238.131 | whitelisted
edge.microsoft.com | 204.79.197.239, 13.107.21.239 | whitelisted

Threats

PID | Process | Class | Message
5028 | SearchApp.exe | Not Suspicious Traffic | INFO [ANY.RUN] Azure Front Door domain observed in TLS SNI ( .azurefd .net)
No debug info