File name:

2024-11-27_9d2ce8d5bfc7e6a1e7e4ec73aba8cd5d_cobalt-strike_ryuk

Full analysis: https://app.any.run/tasks/a12c0952-eb96-43ff-b4e1-523d3e8ddbdd
Verdict: Malicious activity
Analysis date: November 27, 2024, 22:52:44
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
xor-url
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 9 sections
MD5:

9D2CE8D5BFC7E6A1E7E4EC73ABA8CD5D

SHA1:

7C97168F0A3E8F929A4B4E7C86470D8E33C4BEA2

SHA256:

10AA90EC6547F6BA676A962CC9C09408D31AFFF2C226F76A854A80980D8975F4

SSDEEP:

98304:xw15XVl7NvUMLlX0kHjVd6T+7RbrTYaE6p7AbP3DddvSYtlD6S80yjBJPYAOkn2r:G3ZKeZPfBIz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • XORed URL has been found (YARA)

      • OfficeClickToRun.exe (PID: 6520)
  • SUSPICIOUS

    • Uses REG/REGEDIT.EXE to modify registry

      • 2024-11-27_9d2ce8d5bfc7e6a1e7e4ec73aba8cd5d_cobalt-strike_ryuk.exe (PID: 6760)
    • Executes script without checking the security policy

      • powershell.exe (PID: 6956)
    • The process bypasses the loading of PowerShell profile settings

      • 2024-11-27_9d2ce8d5bfc7e6a1e7e4ec73aba8cd5d_cobalt-strike_ryuk.exe (PID: 6760)
    • Probably download files using WebClient

      • 2024-11-27_9d2ce8d5bfc7e6a1e7e4ec73aba8cd5d_cobalt-strike_ryuk.exe (PID: 6760)
    • Starts POWERSHELL.EXE for commands execution

      • 2024-11-27_9d2ce8d5bfc7e6a1e7e4ec73aba8cd5d_cobalt-strike_ryuk.exe (PID: 6760)
    • Uses TASKKILL.EXE to kill process

      • 2024-11-27_9d2ce8d5bfc7e6a1e7e4ec73aba8cd5d_cobalt-strike_ryuk.exe (PID: 6760)
    • Starts CMD.EXE for commands execution

      • 2024-11-27_9d2ce8d5bfc7e6a1e7e4ec73aba8cd5d_cobalt-strike_ryuk.exe (PID: 6760)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 6236)
    • Unpacks CAB file

      • expand.exe (PID: 3732)
      • expand.exe (PID: 6412)
    • Executable content was dropped or overwritten

      • expand.exe (PID: 3732)
    • The process drops C-runtime libraries

      • expand.exe (PID: 3732)
    • Process drops legitimate windows executable

      • expand.exe (PID: 3732)
  • INFO

    • Checks supported languages

      • 2024-11-27_9d2ce8d5bfc7e6a1e7e4ec73aba8cd5d_cobalt-strike_ryuk.exe (PID: 6760)
    • Reads Environment values

      • 2024-11-27_9d2ce8d5bfc7e6a1e7e4ec73aba8cd5d_cobalt-strike_ryuk.exe (PID: 6760)
    • Reads product name

      • 2024-11-27_9d2ce8d5bfc7e6a1e7e4ec73aba8cd5d_cobalt-strike_ryuk.exe (PID: 6760)
    • Reads the computer name

      • 2024-11-27_9d2ce8d5bfc7e6a1e7e4ec73aba8cd5d_cobalt-strike_ryuk.exe (PID: 6760)
    • Disables trace logs

      • powershell.exe (PID: 6956)
    • Checks proxy server information

      • powershell.exe (PID: 6956)
    • UPX packer has been detected

      • 2024-11-27_9d2ce8d5bfc7e6a1e7e4ec73aba8cd5d_cobalt-strike_ryuk.exe (PID: 6760)
    • Executes as Windows Service

      • OfficeClickToRun.exe (PID: 6852)
    • Manual execution by a user

      • OfficeC2RClient.exe (PID: 4400)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:11:26 00:44:14+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 1529856
InitializedDataSize: 9049600
UninitializedDataSize: -
EntryPoint: 0x17543c
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.2.0.0
ProductVersionNumber: 1.2.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
No data.
All screenshots are available in the full report
Total processes: 147
Monitored processes: 27
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Process chain from the start node ("no specs" marks a process with no indicators): 2024-11-27_9d2ce8d5bfc7e6a1e7e4ec73aba8cd5d_cobalt-strike_ryuk.exe; reg.exe (no specs); conhost.exe (no specs); powershell.exe; conhost.exe (no specs); cmd.exe (no specs); conhost.exe (no specs); sc.exe (no specs); taskkill.exe (no specs); conhost.exe (no specs); taskkill.exe (no specs); conhost.exe (no specs); taskkill.exe (no specs); conhost.exe (no specs); powershell.exe; conhost.exe (no specs); expand.exe; conhost.exe (no specs); powershell.exe; conhost.exe (no specs); expand.exe (no specs); conhost.exe (no specs); officeclicktorun.exe (#XOR-URL); officeclicktorun.exe; Delivery Optimization User (no specs); officec2rclient.exe; 2024-11-27_9d2ce8d5bfc7e6a1e7e4ec73aba8cd5d_cobalt-strike_ryuk.exe (no specs)

Process information

PID: 2736
CMD: "taskkill.exe" /t /f /IM IntegratedOffice.exe
Path: C:\Windows\System32\taskkill.exe
Parent process: 2024-11-27_9d2ce8d5bfc7e6a1e7e4ec73aba8cd5d_cobalt-strike_ryuk.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2796
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3288
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3436
CMD: "taskkill.exe" /t /f /IM OfficeC2RClient.exe
Path: C:\Windows\System32\taskkill.exe
Parent process: 2024-11-27_9d2ce8d5bfc7e6a1e7e4ec73aba8cd5d_cobalt-strike_ryuk.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 3732
CMD: "expand" i640.cab -F:* "C:\Program Files\Common Files\Microsoft Shared\ClickToRun"
Path: C:\Windows\System32\expand.exe
Parent process: 2024-11-27_9d2ce8d5bfc7e6a1e7e4ec73aba8cd5d_cobalt-strike_ryuk.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: LZ Expansion Utility
Exit code: 0
Version: 5.00 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\expand.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
PID: 3780
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4076
CMD: "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20812/i640.cab', 'C:\Users\admin\AppData\Local\Temp\i640.cab') }"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: 2024-11-27_9d2ce8d5bfc7e6a1e7e4ec73aba8cd5d_cobalt-strike_ryuk.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 4400
CMD: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /progressandlaunch AppTargets="root\office16\excel.exe|root\office16\lync.exe|root\office16\msaccess.exe|root\office16\mspub.exe|root\office16\onenote.exe|root\office16\outlook.exe|root\office16\powerpnt.exe|root\office16\visio.exe|root\office16\winproj.exe|root\office16\winword.exe" ManualUpgrade=False ScenarioToTrack="Scenario:{477E0208-58BD-4F33-978A-09BCC9AA9EB1}@INSTALL"
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Office Click-to-Run Client
Version: 16.0.14332.20810
Modules (Images):
c:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 4536
CMD: "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20812/i641049.cab', 'C:\Users\admin\AppData\Local\Temp\i641049.cab') }"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: 2024-11-27_9d2ce8d5bfc7e6a1e7e4ec73aba8cd5d_cobalt-strike_ryuk.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 4672
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: expand.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 51 853
Read events: 51 575
Write events: 169
Delete events: 109

Modification events

Process: (6792) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings
Operation: write
Name: Enabled
Value: 1

Process: (6520) OfficeClickToRun.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: en-US
Value: 2

Process: (6520) OfficeClickToRun.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: de-de
Value: 2

Process: (6520) OfficeClickToRun.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: fr-fr
Value: 2

Process: (6520) OfficeClickToRun.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: es-es
Value: 2

Process: (6520) OfficeClickToRun.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: it-it
Value: 2

Process: (6520) OfficeClickToRun.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ja-jp
Value: 2

Process: (6520) OfficeClickToRun.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ko-kr
Value: 2

Process: (6520) OfficeClickToRun.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: pt-br
Value: 2

Process: (6520) OfficeClickToRun.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ru-ru
Value: 2
Executable files: 223
Suspicious files: 100
Text files: 81
Unknown types: 2

Dropped files

PID | Process | Filename | Type

4076 | powershell.exe | C:\Users\admin\AppData\Local\Temp\i640.cab | -
MD5: -
SHA256: -

6760 | 2024-11-27_9d2ce8d5bfc7e6a1e7e4ec73aba8cd5d_cobalt-strike_ryuk.exe | C:\Users\admin\Desktop\Office Installer.ini | text
MD5: 2A8204CFB0C0B6B7D73880F70FF4DCE7
SHA256: 9A3CCCA43D3BFE395820E58E478A1CFC1A5D9CF606B7F63000E03C8EF63C81C9

6956 | powershell.exe | C:\Users\admin\AppData\Local\Temp\files\ver.txt | text
MD5: B9BE9BA5FF2D66336CB58EBD224FD708
SHA256: 41D49DACFA9F043BBDAA843FE526E24A1BC910BADD66ACC56D8788B19181FDBF

6956 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: 5168B946A6836D5977169108D1A76A2E
SHA256: 20151BA03C0CB3693AC45F0441292DCF338F9C3F37FB70D163AAEC10333889BE

3732 | expand.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll | executable
MD5: BDD63EA2508C27B43E6D52B10DA16915
SHA256: 7D4252AB1B79C5801B58A08CE16EFD3B30D8235733028E5823F3709BD0A98BCF

3732 | expand.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll | executable
MD5: 247061D7C5542286AEDDADE76897F404
SHA256: CCB974C24DDFA7446278CA55FC8B236D0605D2CAAF273DB8390D1813FC70CD5B

3732 | expand.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll | executable
MD5: ADB3471F89E47CD93B6854D629906809
SHA256: 355633A84DB0816AB6A340A086FB41C65854C313BD08D427A17389C42A1E5B69

3732 | expand.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll | executable
MD5: B9BC664A451424342A73A8B12918F88D
SHA256: 0C5C4DFEA72595FB7AE410F8FA8DA983B53A83CE81AEA144FA20CAB613E641B7

3732 | expand.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll | executable
MD5: E3D0F4E97F07033C1FEAF72362BBB367
SHA256: 3067981026FAD83882F211BFE32210CE17F89C6A15916C13E62069E00D5A19E3

4076 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_c0p4dlfn.hu0.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 65
TCP/UDP connections: 55
DNS requests: 49
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5892 | svchost.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5892 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4076 | powershell.exe | GET | 200 | 2.19.198.59:80 | http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20812/i640.cab | unknown | - | - | whitelisted
- | - | GET | 200 | 52.151.58.88:443 | https://geo.prod.do.dsp.mp.microsoft.com/geo?doClientVersion=10.0.19041.3996&profile=3145984&callId=443433242 | unknown | - | - | -
6884 | svchost.exe | GET | 206 | 2.19.198.59:80 | http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20812/s640.cab | unknown | - | - | whitelisted
6884 | svchost.exe | GET | 206 | 23.32.238.155:80 | http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20812/s640.cab | unknown | - | - | whitelisted
6884 | svchost.exe | GET | 206 | 23.32.238.155:80 | http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20812/s640.cab | unknown | - | - | whitelisted
4536 | powershell.exe | GET | 200 | 2.19.198.59:80 | http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20812/i641049.cab | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 2.23.209.133:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5892 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5892 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5892 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6956 | powershell.exe | 52.109.89.117:443 | mrodevicemgr.officeapps.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.209.133
  • 2.23.209.182
  • 2.23.209.130
  • 2.23.209.187
  • 2.23.209.149
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
  • 23.32.238.112
  • 23.32.238.107
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.181.156
whitelisted
mrodevicemgr.officeapps.live.com
  • 52.109.89.117
whitelisted
self.events.data.microsoft.com
  • 20.50.73.13
  • 51.116.253.170
whitelisted
officecdn.microsoft.com
  • 2.19.198.59
  • 23.32.238.107
  • 23.32.238.155
  • 41.63.96.130
  • 152.199.21.175
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
geo.prod.do.dsp.mp.microsoft.com
  • 52.158.227.125
whitelisted

Threats

No threats detected
No debug info