File name: SpyShelterSetup.exe
Full analysis: https://app.any.run/tasks/99ffa12e-a9ed-4944-8c06-1b7bb1fe52db
Verdict: Malicious activity
Analysis date: February 04, 2025, 17:40:25
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 91DB719C8165EE1AC2DEBC90B5306BA2
SHA1: 4266FE2968F275F20365A1863FFC5C44AA5775DF
SHA256: FD57113A70243F201469BEB5EF2040D1A365037AFD6B4586DACD0F5F92118919
SSDEEP: 98304:RqG0OLl4gAX2vr2b6Qn/Vi1Hur7y8yiSVZ3fLfFG0zzzLLajMEwUieNuE/gV3sQq:O+h0Kd8r/DYZnENxYXqw6HCd15a9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • SpyShelterSetup.exe (PID: 2216)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • SpyShelterSetup.exe (PID: 2216)
    • Executable content was dropped or overwritten

      • SpyShelterSetup.exe (PID: 2216)
      • pnputil.exe (PID: 720)
      • drvinst.exe (PID: 640)
    • Drops a system driver (possible attempt to evade defenses)

      • SpyShelterSetup.exe (PID: 2216)
      • drvinst.exe (PID: 640)
      • pnputil.exe (PID: 720)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • SpyShelterSetup.exe (PID: 2216)
    • There is functionality for taking screenshot (YARA)

      • SpyShelterSetup.exe (PID: 2216)
    • Creates files in the driver directory

      • drvinst.exe (PID: 640)
    • Process drops legitimate windows executable

      • SpyShelterSetup.exe (PID: 2216)
    • Checks Windows Trust Settings

      • drvinst.exe (PID: 640)
      • sps_service.exe (PID: 5588)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 3732)
      • sps_service.exe (PID: 1864)
    • Windows service management via SC.EXE

      • sc.exe (PID: 4504)
    • Starts SC.EXE for service management

      • SpyShelterSetup.exe (PID: 2216)
    • Executes as Windows Service

      • sps_service.exe (PID: 5588)
    • Reads security settings of Internet Explorer

      • SpyShelterSetup.exe (PID: 2216)
      • sps_service.exe (PID: 5588)
    • The process drops C-runtime libraries

      • SpyShelterSetup.exe (PID: 2216)
  • INFO

    • Checks supported languages

      • SpyShelterSetup.exe (PID: 2216)
      • drvinst.exe (PID: 640)
      • drvinst.exe (PID: 3732)
      • sps_service.exe (PID: 1864)
      • SpyShelter.exe (PID: 2776)
      • sps_helper.exe (PID: 5004)
    • The sample compiled with english language support

      • SpyShelterSetup.exe (PID: 2216)
      • drvinst.exe (PID: 640)
      • pnputil.exe (PID: 720)
    • Reads the computer name

      • SpyShelterSetup.exe (PID: 2216)
      • drvinst.exe (PID: 640)
      • sps_service.exe (PID: 1864)
    • Creates files in the program directory

      • SpyShelterSetup.exe (PID: 2216)
      • sps_service.exe (PID: 5588)
    • Create files in a temporary directory

      • pnputil.exe (PID: 720)
      • SpyShelterSetup.exe (PID: 2216)
    • Reads the machine GUID from the registry

      • drvinst.exe (PID: 640)
      • SpyShelterSetup.exe (PID: 2216)
      • sps_service.exe (PID: 5588)
    • Manual execution by a user

      • sps.exe (PID: 5892)
      • SpyShelter.exe (PID: 2776)
    • Checks proxy server information

      • SpyShelterSetup.exe (PID: 2216)
    • Reads the software policy settings

      • SpyShelterSetup.exe (PID: 2216)
      • sps_service.exe (PID: 5588)
    • Creates files or folders in the user directory

      • SpyShelter.exe (PID: 2776)
      • SpyShelter.exe (PID: 3680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:30 16:55:19+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x3665
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 15.2.0.801
ProductVersionNumber: 15.2.0.801
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: SpyShelter
FileDescription: SpyShelter
FileVersion: 15,2,0,801
LegalCopyright: (c) 2009-2024 SpyShelter
OriginalFileName: SpyShelterSetup.exe
ProductName: SpyShelter Setup
ProductVersion: 15,2,0,801
No data.
All screenshots are available in the full report
Total processes
137
Monitored processes
17
Malicious processes
2
Suspicious processes
2

Behavior graph

Processes shown in the graph (interactive version in the full report): spysheltersetup.exe, pnputil.exe, conhost.exe, drvinst.exe, drvinst.exe, sc.exe, conhost.exe, sps_service.exe, conhost.exe, sps_service.exe, sps.exe, conhost.exe, spyshelter.exe, sps_helper.exe, spyshelter.exe, conhost.exe, spysheltersetup.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 640
CMD: DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{d0f1564d-8bc0-0441-ab19-9b29b10519c2}\SpyShelter.inf" "9" "41f2c91b7" "00000000000001C4" "WinSta0\Default" "00000000000001D8" "208" "C:\Program Files\SpyShelter"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
PID: 720
CMD: "pnputil.exe" /add-driver "C:\Program Files\SpyShelter\spyshelter.inf" /install
Path: C:\Windows\System32\pnputil.exe
Parent process: SpyShelterSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft PnP Utility - Tool to add, delete, export, and enumerate driver packages.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\pnputil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
PID: 1864
CMD: "C:\Program Files\SpyShelter\sps_service.exe" --installstart
Path: C:\Program Files\SpyShelter\sps_service.exe
Parent process: SpyShelterSetup.exe
User:
admin
Company:
SpyShelter
Integrity Level:
HIGH
Description:
SpyShelter System Service
Exit code:
0
Version:
15.2.0.801
Modules
Images
c:\program files\spyshelter\sps_service.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
PID: 1988
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sps_helper.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2216
CMD: "C:\Users\admin\Desktop\SpyShelterSetup.exe"
Path: C:\Users\admin\Desktop\SpyShelterSetup.exe
Parent process: explorer.exe
User:
admin
Company:
SpyShelter
Integrity Level:
HIGH
Description:
SpyShelter
Exit code:
0
Version:
15,2,0,801
Modules
Images
c:\users\admin\desktop\spysheltersetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2776
CMD: "C:\Program Files\SpyShelter\ui\SpyShelter.exe" OK
Path: C:\Program Files\SpyShelter\ui\SpyShelter.exe
Parent process: explorer.exe
User:
admin
Company:
SpyShelter
Integrity Level:
MEDIUM
Description:
SpyShelter UI
Version:
15.2.0+801
Modules
Images
c:\program files\spyshelter\ui\spyshelter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
PID: 2844
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sps_service.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3508
CMD: "C:\Users\admin\Desktop\SpyShelterSetup.exe"
Path: C:\Users\admin\Desktop\SpyShelterSetup.exe
Parent process: explorer.exe
User:
admin
Company:
SpyShelter
Integrity Level:
MEDIUM
Description:
SpyShelter
Exit code:
3221226540
Version:
15,2,0,801
Modules
Images
c:\users\admin\desktop\spysheltersetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 3680
CMD: "C:\Program Files\SpyShelter\ui\SpyShelter.exe" --helper 5A87:1
Path: C:\Program Files\SpyShelter\ui\SpyShelter.exe
Parent process: sps_service.exe
User:
admin
Company:
SpyShelter
Integrity Level:
MEDIUM
Description:
SpyShelter UI
Version:
15.2.0+801
Modules
Images
c:\program files\spyshelter\ui\spyshelter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 3732
CMD: DrvInst.exe "8" "4" "C:\WINDOWS\System32\DriverStore\FileRepository\spyshelter.inf_amd64_e7c2fb6aef372d7d\spyshelter.inf" "0" "41f2c91b7" "00000000000001D8" "WinSta0\Default"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
Total events
14 222
Read events
14 134
Write events
80
Delete events
8

Modification events

(PID) Process: (2216) SpyShelterSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyShelter
Operation: write
Name: DisplayName
Value: SpyShelter 15.2

(PID) Process: (2216) SpyShelterSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyShelter
Operation: write
Name: UninstallString
Value: "C:\Program Files\SpyShelter\uninstall.exe"

(PID) Process: (2216) SpyShelterSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyShelter
Operation: write
Name: Comments
Value: Visit www.spyshelter.com for updated information about this product.

(PID) Process: (2216) SpyShelterSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyShelter
Operation: write
Name: Contact
Value: http://www.spyshelter.com

(PID) Process: (2216) SpyShelterSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyShelter
Operation: write
Name: DisplayVersion
Value: 15.2.0.801

(PID) Process: (2216) SpyShelterSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyShelter
Operation: write
Name: HelpLink
Value: http://www.spyshelter.com

(PID) Process: (2216) SpyShelterSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyShelter
Operation: write
Name: Publisher
Value: SpyShelter

(PID) Process: (2216) SpyShelterSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyShelter
Operation: write
Name: URLInfoAbout
Value: http://www.spyshelter.com

(PID) Process: (2216) SpyShelterSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyShelter
Operation: write
Name: URLUpdateInfo
Value: http://www.spyshelter.com

(PID) Process: (2216) SpyShelterSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyShelter
Operation: write
Name: DisplayIcon
Value: C:\Program Files\SpyShelter\ui\SpyShelter.exe,0
Executable files
30
Suspicious files
288
Text files
138
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 2216
Process: SpyShelterSetup.exe
Filename: C:\Program Files\SpyShelter\ui\SpyShelter.pdb
Type:
MD5:
SHA256:

PID: 2216
Process: SpyShelterSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsz886F.tmp\modern-wizard.bmp
Type: image
MD5: 923578ED58A7F2B7C93C02374023BC99
SHA256: 9E28DF3373BACC36A903E02B8AF302A9F34667142C80BB613A3B279A4E7532CA

PID: 2216
Process: SpyShelterSetup.exe
Filename: C:\Program Files\SpyShelter\ui\tray_manager_plugin.dll
Type: executable
MD5: 08197A53DD7B342ABA8E36C565D99BA1
SHA256: 230DC195037721FFE2EADAA7402E2FED5236B53E06F31C02CF0B145ECDD8F01F

PID: 2216
Process: SpyShelterSetup.exe
Filename: C:\Program Files\SpyShelter\ui\data\app.so
Type:
MD5:
SHA256:

PID: 2216
Process: SpyShelterSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsz886F.tmp\side_120.bmp
Type: image
MD5: 20F2A150141995255C2D7684CDABFE7E
SHA256: 26736B15E93CB08FE7C490538016083979AB3A50D65F1048C0DA54CCB3B5C02B

PID: 2216
Process: SpyShelterSetup.exe
Filename: C:\Program Files\SpyShelter\ui\flutter_desktop_sleep_plugin.dll
Type: executable
MD5: 133BF7C37809139C1C5E3D0F233D9F43
SHA256: EE8DF30E130B1D131BBCB3746B980DB0ED7499A6BC0F15CCF9AB08C8DB86D416

PID: 2216
Process: SpyShelterSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsz886F.tmp\side_168.bmp
Type: image
MD5: 3FEC7655840B6C95C83E0DB2550D70F5
SHA256: 517BBB8EEFF41326F874FC74D1E8DFF7A30C0306D5888B4C2718D9A35A061C70

PID: 2216
Process: SpyShelterSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsz886F.tmp\header_96.bmp
Type: image
MD5: 8370132D1EAE38F175D348F800610403
SHA256: 567A0A41CCF8F7B81717A2685D3C75DDEB5020B56D40D25DE513954958101C03

PID: 2216
Process: SpyShelterSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsz886F.tmp\header_120.bmp
Type: image
MD5: 107E2B3C1BD6411112557FBD3E9F1CB4
SHA256: B306C92FD635E2A0AE3DA2B90D482720CEB534DC46EAE13C6F3565C55A1CE002

PID: 2216
Process: SpyShelterSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsz886F.tmp\nsDialogs.dll
Type: executable
MD5: B7D61F3F56ABF7B7FF0D4E7DA3AD783D
SHA256: 89A82C4849C21DFE765052681E1FAD02D2D7B13C8B5075880C52423DCA72A912
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
23
DNS requests
8
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.78.42:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
200
35.71.188.31:443
https://api.cryptlex.com/v3/trial-activations
unknown
binary
1.44 Kb
POST
204
104.126.37.184:443
https://www.bing.com/threshold/xls.aspx
unknown
whitelisted
POST
200
172.67.149.185:443
https://app.spyshelter.net/api/v1/rating
unknown
binary
258 b
POST
200
104.21.29.195:443
https://app.spyshelter.net/api/v1/rating
unknown
POST
200
172.67.149.185:443
https://app.spyshelter.net/api/v1/rating
unknown
binary
175 b
POST
200
104.21.29.195:443
https://app.spyshelter.net/api/v1/rating
unknown
POST
200
104.21.29.195:443
https://app.spyshelter.net/api/v1/rating
unknown
binary
94 b
POST
200
104.21.29.195:443
https://app.spyshelter.net/api/v1/rating
unknown
binary
255 b

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
95.101.78.42:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2736
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3976
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
5064
SearchApp.exe
104.126.37.186:443
www.bing.com
Akamai International B.V.
DE
whitelisted
2216
SpyShelterSetup.exe
172.67.149.185:443
app.spyshelter.net
CLOUDFLARENET
US
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 95.101.78.42
  • 95.101.78.32
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
www.bing.com
  • 104.126.37.186
  • 104.126.37.130
  • 104.126.37.178
  • 104.126.37.179
  • 104.126.37.129
  • 104.126.37.145
  • 104.126.37.163
  • 104.126.37.123
  • 104.126.37.177
whitelisted
app.spyshelter.net
  • 172.67.149.185
  • 104.21.29.195
unknown
api.cryptlex.com
  • 52.223.22.71
  • 35.71.188.31
unknown
self.events.data.microsoft.com
  • 20.42.72.131
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
Misc activity
SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
Process
Message
SpyShelterSetup.exe
ExecShellAsUser: got desktop
SpyShelterSetup.exe
ExecShellAsUser: elevated process detected
SpyShelterSetup.exe
ExecShellAsUser: thread finished
SpyShelterSetup.exe
ExecShellAsUser: DLL_PROCESS_DETACH