File name: SpyShelterSetup.exe

Full analysis: https://app.any.run/tasks/99ffa12e-a9ed-4944-8c06-1b7bb1fe52db
Verdict: Malicious activity
Analysis date: February 04, 2025, 17:40:25
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 91DB719C8165EE1AC2DEBC90B5306BA2
SHA1: 4266FE2968F275F20365A1863FFC5C44AA5775DF
SHA256: FD57113A70243F201469BEB5EF2040D1A365037AFD6B4586DACD0F5F92118919
SSDEEP: 98304:RqG0OLl4gAX2vr2b6Qn/Vi1Hur7y8yiSVZ3fLfFG0zzzLLajMEwUieNuE/gV3sQq:O+h0Kd8r/DYZnENxYXqw6HCd15a9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • SpyShelterSetup.exe (PID: 2216)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • SpyShelterSetup.exe (PID: 2216)
    • The process drops C-runtime libraries

      • SpyShelterSetup.exe (PID: 2216)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • SpyShelterSetup.exe (PID: 2216)
    • Executable content was dropped or overwritten

      • pnputil.exe (PID: 720)
      • drvinst.exe (PID: 640)
      • SpyShelterSetup.exe (PID: 2216)
    • Creates files in the driver directory

      • drvinst.exe (PID: 640)
    • There is functionality for taking screenshot (YARA)

      • SpyShelterSetup.exe (PID: 2216)
    • Drops a system driver (possible attempt to evade defenses)

      • pnputil.exe (PID: 720)
      • drvinst.exe (PID: 640)
      • SpyShelterSetup.exe (PID: 2216)
    • Checks Windows Trust Settings

      • drvinst.exe (PID: 640)
      • sps_service.exe (PID: 5588)
    • Process drops legitimate windows executable

      • SpyShelterSetup.exe (PID: 2216)
    • Starts SC.EXE for service management

      • SpyShelterSetup.exe (PID: 2216)
    • Windows service management via SC.EXE

      • sc.exe (PID: 4504)
    • Executes as Windows Service

      • sps_service.exe (PID: 5588)
    • Reads security settings of Internet Explorer

      • sps_service.exe (PID: 5588)
      • SpyShelterSetup.exe (PID: 2216)
    • Creates or modifies Windows services

      • sps_service.exe (PID: 1864)
      • drvinst.exe (PID: 3732)
  • INFO

    • Checks supported languages

      • SpyShelterSetup.exe (PID: 2216)
      • drvinst.exe (PID: 640)
      • drvinst.exe (PID: 3732)
      • sps_service.exe (PID: 1864)
      • SpyShelter.exe (PID: 2776)
      • sps_helper.exe (PID: 5004)
    • The sample was compiled with English language support

      • SpyShelterSetup.exe (PID: 2216)
      • pnputil.exe (PID: 720)
      • drvinst.exe (PID: 640)
    • Reads the machine GUID from the registry

      • drvinst.exe (PID: 640)
      • SpyShelterSetup.exe (PID: 2216)
      • sps_service.exe (PID: 5588)
    • Reads the computer name

      • SpyShelterSetup.exe (PID: 2216)
      • drvinst.exe (PID: 640)
      • sps_service.exe (PID: 1864)
    • Creates files in the program directory

      • SpyShelterSetup.exe (PID: 2216)
      • sps_service.exe (PID: 5588)
    • Creates files in a temporary directory

      • pnputil.exe (PID: 720)
      • SpyShelterSetup.exe (PID: 2216)
    • Manual execution by a user

      • sps.exe (PID: 5892)
      • SpyShelter.exe (PID: 2776)
    • Reads the software policy settings

      • sps_service.exe (PID: 5588)
      • SpyShelterSetup.exe (PID: 2216)
    • Creates files or folders in the user directory

      • SpyShelter.exe (PID: 2776)
      • SpyShelter.exe (PID: 3680)
    • Checks proxy server information

      • SpyShelterSetup.exe (PID: 2216)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:30 16:55:19+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x3665
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 15.2.0.801
ProductVersionNumber: 15.2.0.801
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: SpyShelter
FileDescription: SpyShelter
FileVersion: 15,2,0,801
LegalCopyright: (c) 2009-2024 SpyShelter
OriginalFileName: SpyShelterSetup.exe
ProductName: SpyShelter Setup
ProductVersion: 15,2,0,801
No data.
All screenshots are available in the full report
Total processes: 137
Monitored processes: 17
Malicious processes: 2
Suspicious processes: 2

Behavior graph

Processes in the graph (in start order): spysheltersetup.exe, pnputil.exe, conhost.exe, drvinst.exe, drvinst.exe, sc.exe, conhost.exe, sps_service.exe, conhost.exe, sps_service.exe, sps.exe, conhost.exe, spyshelter.exe, sps_helper.exe, spyshelter.exe, conhost.exe, spysheltersetup.exe

Process information

PID: 640
CMD: DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{d0f1564d-8bc0-0441-ab19-9b29b10519c2}\SpyShelter.inf" "9" "41f2c91b7" "00000000000001C4" "WinSta0\Default" "00000000000001D8" "208" "C:\Program Files\SpyShelter"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
PID: 720
CMD: "pnputil.exe" /add-driver "C:\Program Files\SpyShelter\spyshelter.inf" /install
Path: C:\Windows\System32\pnputil.exe
Parent process: SpyShelterSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft PnP Utility - Tool to add, delete, export, and enumerate driver packages.
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\pnputil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
PID: 1864
CMD: "C:\Program Files\SpyShelter\sps_service.exe" --installstart
Path: C:\Program Files\SpyShelter\sps_service.exe
Parent process: SpyShelterSetup.exe
User: admin
Company: SpyShelter
Integrity Level: HIGH
Description: SpyShelter System Service
Exit code: 0
Version: 15.2.0.801
Modules (images):
c:\program files\spyshelter\sps_service.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
PID: 1988
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sps_helper.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2216
CMD: "C:\Users\admin\Desktop\SpyShelterSetup.exe"
Path: C:\Users\admin\Desktop\SpyShelterSetup.exe
Parent process: explorer.exe
User: admin
Company: SpyShelter
Integrity Level: HIGH
Description: SpyShelter
Exit code: 0
Version: 15,2,0,801
Modules (images):
c:\users\admin\desktop\spysheltersetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2776
CMD: "C:\Program Files\SpyShelter\ui\SpyShelter.exe" OK
Path: C:\Program Files\SpyShelter\ui\SpyShelter.exe
Parent process: explorer.exe
User: admin
Company: SpyShelter
Integrity Level: MEDIUM
Description: SpyShelter UI
Version: 15.2.0+801
Modules (images):
c:\program files\spyshelter\ui\spyshelter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
PID: 2844
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sps_service.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3508
CMD: "C:\Users\admin\Desktop\SpyShelterSetup.exe"
Path: C:\Users\admin\Desktop\SpyShelterSetup.exe
Parent process: explorer.exe
User: admin
Company: SpyShelter
Integrity Level: MEDIUM
Description: SpyShelter
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 15,2,0,801
Modules (images):
c:\users\admin\desktop\spysheltersetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 3680
CMD: "C:\Program Files\SpyShelter\ui\SpyShelter.exe" --helper 5A87:1
Path: C:\Program Files\SpyShelter\ui\SpyShelter.exe
Parent process: sps_service.exe
User: admin
Company: SpyShelter
Integrity Level: MEDIUM
Description: SpyShelter UI
Version: 15.2.0+801
Modules (images):
c:\program files\spyshelter\ui\spyshelter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 3732
CMD: DrvInst.exe "8" "4" "C:\WINDOWS\System32\DriverStore\FileRepository\spyshelter.inf_amd64_e7c2fb6aef372d7d\spyshelter.inf" "0" "41f2c91b7" "00000000000001D8" "WinSta0\Default"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
Total events: 14 222
Read events: 14 134
Write events: 80
Delete events: 8

Modification events

All of the following were written by PID 2216 (SpyShelterSetup.exe) under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyShelter:

Operation | Name | Value
write | DisplayName | SpyShelter 15.2
write | UninstallString | "C:\Program Files\SpyShelter\uninstall.exe"
write | Comments | Visit www.spyshelter.com for updated information about this product.
write | Contact | http://www.spyshelter.com
write | DisplayVersion | 15.2.0.801
write | HelpLink | http://www.spyshelter.com
write | Publisher | SpyShelter
write | URLInfoAbout | http://www.spyshelter.com
write | URLUpdateInfo | http://www.spyshelter.com
write | DisplayIcon | C:\Program Files\SpyShelter\ui\SpyShelter.exe,0
Executable files: 30
Suspicious files: 288
Text files: 138
Unknown types: 1

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2216 | SpyShelterSetup.exe | C:\Program Files\SpyShelter\ui\SpyShelter.pdb | - | - | -
2216 | SpyShelterSetup.exe | C:\Users\admin\AppData\Local\Temp\nsz886F.tmp\side_144.bmp | image | 5DE0EEA6FF241E2B5FA8CBB12160FA40 | 5319871F796BF1790DE8ACA827D454425B75285E324936F4897D099D5E6EF149
2216 | SpyShelterSetup.exe | C:\Users\admin\AppData\Local\Temp\nsz886F.tmp\header_144.bmp | image | 0EC22617FE65786E262DD463DD032DE1 | 2EA7989338F576F38FF96F192560789F8BB58C5BFB31CF039BFB828BA9D14845
2216 | SpyShelterSetup.exe | C:\Program Files\SpyShelter\ui\data\app.so | - | - | -
2216 | SpyShelterSetup.exe | C:\Users\admin\AppData\Local\Temp\nsz886F.tmp\modern-wizard.bmp | image | 923578ED58A7F2B7C93C02374023BC99 | 9E28DF3373BACC36A903E02B8AF302A9F34667142C80BB613A3B279A4E7532CA
2216 | SpyShelterSetup.exe | C:\Users\admin\AppData\Local\Temp\nsz886F.tmp\side_192.bmp | image | 983351735235BAA9F6DED49CB5CF4725 | 29999426ACBC018FD826E37679A4B0E1FC79E18DCDC27CA4D0506BA5992E5194
2216 | SpyShelterSetup.exe | C:\Users\admin\AppData\Local\Temp\nsz886F.tmp\side_96.bmp | image | 923578ED58A7F2B7C93C02374023BC99 | 9E28DF3373BACC36A903E02B8AF302A9F34667142C80BB613A3B279A4E7532CA
2216 | SpyShelterSetup.exe | C:\Users\admin\AppData\Local\Temp\nsz886F.tmp\header_120.bmp | image | 107E2B3C1BD6411112557FBD3E9F1CB4 | B306C92FD635E2A0AE3DA2B90D482720CEB534DC46EAE13C6F3565C55A1CE002
2216 | SpyShelterSetup.exe | C:\Program Files\SpyShelter\ui\url_launcher_windows_plugin.dll | executable | 3D8CAC3919CF1FD99E4E552A61206296 | 0204A3AAE9017B1BADCC57B9ADE76FB532DF5A356708EDBCD90BDB3C7646E83B
2216 | SpyShelterSetup.exe | C:\Program Files\SpyShelter\sps\sps.exe | executable | F3FA5EA79218A3EE3602376E9B5DE558 | 4F72200755ED916AD95660B2DCAE2D6576AF3CAF8AA54B516E40BEE2B7AA4F38
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 18
TCP/UDP connections: 23
DNS requests: 8
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.78.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 172.67.149.185:443 | https://app.spyshelter.net/api/v1/rating | unknown | binary | 258 b | unknown
- | - | GET | 200 | 104.21.29.195:443 | https://app.spyshelter.net/api/v1/install?version=15.2.0.801&upgrade=0 | unknown | binary | 15 b | unknown
- | - | POST | 204 | 104.126.37.184:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | - | whitelisted
- | - | POST | 200 | 104.21.29.195:443 | https://app.spyshelter.net/api/v1/rating | unknown | - | - | unknown
- | - | POST | 200 | 172.67.149.185:443 | https://app.spyshelter.net/api/v1/rating | unknown | - | - | unknown
- | - | POST | 200 | 104.21.29.195:443 | https://app.spyshelter.net/api/v1/rating | unknown | binary | 255 b | unknown
- | - | POST | 200 | 172.67.149.185:443 | https://app.spyshelter.net/api/v1/rating | unknown | - | - | unknown
- | - | POST | 200 | 104.21.29.195:443 | https://app.spyshelter.net/api/v1/rating | unknown | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.78.42:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2736 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3976 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5064 | SearchApp.exe | 104.126.37.186:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
2216 | SpyShelterSetup.exe | 172.67.149.185:443 | app.spyshelter.net | CLOUDFLARENET | US | unknown

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.142 | whitelisted
crl.microsoft.com | 95.101.78.42, 95.101.78.32 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
www.bing.com | 104.126.37.186, 104.126.37.130, 104.126.37.178, 104.126.37.179, 104.126.37.129, 104.126.37.145, 104.126.37.163, 104.126.37.123, 104.126.37.177 | whitelisted
app.spyshelter.net | 172.67.149.185, 104.21.29.195 | unknown
api.cryptlex.com | 52.223.22.71, 35.71.188.31 | unknown
self.events.data.microsoft.com | 20.42.72.131 | whitelisted

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
- | - | Misc activity | SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
Debug output strings

Process | Message
SpyShelterSetup.exe | ExecShellAsUser: got desktop
SpyShelterSetup.exe | ExecShellAsUser: elevated process detected
SpyShelterSetup.exe | ExecShellAsUser: thread finished
SpyShelterSetup.exe | ExecShellAsUser: DLL_PROCESS_DETACH