File name: paranor.7z
Full analysis: https://app.any.run/tasks/3e5e2181-002e-4232-9479-afccfc4705a8
Verdict: Malicious activity
Analysis date: August 08, 2024, 09:11:05
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: vmprotect
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 3D234118EACD7EC9FFEBED5B00827A5F
SHA1: 6272ABB9F0E7D391EBA4FE22A416EF8CEF77BAC9
SHA256: 30F4561861E99D1B04D30395A4A671D9291EF1A2261FC22E7F8C80B1E9EA43B7
SSDEEP: 98304:KVPflCFjd+dDxmo6kZVQ/BpEmi8ovZmbLHSJQTBRGBZxTmkJX7cPjEHncCR5rmK2:tSxqeQY72

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Client.exe (PID: 6688)
      • WinRAR.exe (PID: 6380)
      • 123.exe (PID: 6844)
      • OneDriveSetup.exe (PID: 7452)
    • Scans artifacts that could help determine the target

      • OneDrive.exe (PID: 6776)
    • Changes the autorun value in the registry

      • OneDriveSetup.exe (PID: 7452)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Client.exe (PID: 6688)
      • 123.exe (PID: 6844)
      • OneDriveSetup.exe (PID: 7452)
    • Creates file in the systems drive root

      • Client.exe (PID: 6688)
      • Client.exe (PID: 6856)
      • 123.exe (PID: 6844)
      • Client.exe (PID: 5064)
      • Client.exe (PID: 5244)
      • 123.exe (PID: 3324)
      • WerFault.exe (PID: 6192)
      • WinRAR.exe (PID: 5144)
      • firefox.exe (PID: 6140)
      • WinRAR.exe (PID: 2152)
    • Reads security settings of Internet Explorer

      • Client.exe (PID: 6688)
      • Client.exe (PID: 5244)
      • OneDrive.exe (PID: 6776)
      • WinRAR.exe (PID: 2152)
      • OneDriveSetup.exe (PID: 7412)
      • OneDriveSetup.exe (PID: 7452)
    • Reads the date of Windows installation

      • Client.exe (PID: 6688)
      • Client.exe (PID: 5244)
      • OneDrive.exe (PID: 6776)
      • OneDriveSetup.exe (PID: 7452)
    • Executes as Windows Service

      • imgmmy.exe (PID: 6288)
    • Creates or modifies Windows services

      • 123.exe (PID: 6844)
    • Executes application which crashes

      • 123.exe (PID: 3324)
    • Changes Internet Explorer settings (feature browser emulation)

      • OneDrive.exe (PID: 6776)
      • OneDriveSetup.exe (PID: 7452)
    • Creates/Modifies COM task schedule object

      • OneDrive.exe (PID: 6776)
      • OneDriveSetup.exe (PID: 7452)
    • Application launched itself

      • WinRAR.exe (PID: 2152)
      • OneDriveSetup.exe (PID: 7412)
    • Checks Windows Trust Settings

      • OneDrive.exe (PID: 6776)
      • OneDriveSetup.exe (PID: 7452)
      • OneDriveSetup.exe (PID: 7412)
    • The process creates files with name similar to system file names

      • OneDriveSetup.exe (PID: 7452)
    • Process drops legitimate windows executable

      • OneDriveSetup.exe (PID: 7452)
    • Creates a software uninstall entry

      • OneDriveSetup.exe (PID: 7452)
    • The process drops C-runtime libraries

      • OneDriveSetup.exe (PID: 7452)
  • INFO

    • Manual execution by a user

      • Client.exe (PID: 6688)
      • Client.exe (PID: 876)
      • Client.exe (PID: 6672)
      • Client.exe (PID: 5244)
      • Build.exe (PID: 7052)
      • OneDrive.exe (PID: 6776)
      • WinRAR.exe (PID: 2152)
      • firefox.exe (PID: 4784)
    • Reads the computer name

      • Client.exe (PID: 6688)
      • 123.exe (PID: 6844)
      • imgmmy.exe (PID: 6288)
      • Client.exe (PID: 6856)
      • Client.exe (PID: 5244)
      • 123.exe (PID: 3324)
      • Client.exe (PID: 5064)
      • Build.exe (PID: 7052)
      • OneDrive.exe (PID: 6776)
      • TextInputHost.exe (PID: 3880)
      • OneDriveSetup.exe (PID: 7412)
      • OneDriveSetup.exe (PID: 7452)
      • OneDrive.exe (PID: 7684)
    • Checks supported languages

      • Client.exe (PID: 6688)
      • Client.exe (PID: 6856)
      • 123.exe (PID: 6844)
      • imgmmy.exe (PID: 6288)
      • Client.exe (PID: 5244)
      • Client.exe (PID: 5064)
      • 123.exe (PID: 3324)
      • Build.exe (PID: 7052)
      • OneDrive.exe (PID: 6776)
      • TextInputHost.exe (PID: 3880)
      • OneDriveSetup.exe (PID: 7452)
      • OneDriveSetup.exe (PID: 7412)
      • FileSyncConfig.exe (PID: 7660)
      • OneDrive.exe (PID: 7684)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6380)
      • firefox.exe (PID: 6140)
    • Process checks computer location settings

      • Client.exe (PID: 6688)
      • Client.exe (PID: 5244)
      • OneDrive.exe (PID: 6776)
      • OneDriveSetup.exe (PID: 7452)
    • Reads CPU info

      • imgmmy.exe (PID: 6288)
      • OneDrive.exe (PID: 6776)
    • Reads Environment values

      • imgmmy.exe (PID: 6288)
      • OneDrive.exe (PID: 6776)
      • OneDrive.exe (PID: 7684)
    • Create files in a temporary directory

      • Client.exe (PID: 6856)
      • OneDrive.exe (PID: 6776)
      • OneDriveSetup.exe (PID: 7452)
    • Reads the software policy settings

      • WerFault.exe (PID: 6192)
      • OneDrive.exe (PID: 6776)
      • OneDriveSetup.exe (PID: 7412)
      • OneDriveSetup.exe (PID: 7452)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6192)
      • OneDrive.exe (PID: 6776)
      • OneDriveSetup.exe (PID: 7412)
      • OneDriveSetup.exe (PID: 7452)
      • OneDrive.exe (PID: 7684)
    • Checks proxy server information

      • WerFault.exe (PID: 6192)
      • OneDrive.exe (PID: 6776)
    • VMProtect protector has been detected

      • imgmmy.exe (PID: 6288)
    • Reads the machine GUID from the registry

      • OneDrive.exe (PID: 6776)
      • OneDriveSetup.exe (PID: 7452)
      • OneDriveSetup.exe (PID: 7412)
      • OneDrive.exe (PID: 7684)
    • Reads the time zone

      • OneDrive.exe (PID: 6776)
    • Reads Microsoft Office registry keys

      • OneDrive.exe (PID: 6776)
      • firefox.exe (PID: 6140)
      • OneDrive.exe (PID: 7684)
    • Application launched itself

      • firefox.exe (PID: 4784)
      • firefox.exe (PID: 6140)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 5144)
      • firefox.exe (PID: 6140)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes: 173
Monitored processes: 32
Malicious processes: 4
Suspicious processes: 3

Behavior graph

Process nodes in the graph, in the order shown (the interactive graph's parent/child edges are not preserved in this listing; "no specs" marks nodes without recorded specifics, "THREAT" marks the node flagged as a threat):
  • winrar.exe
  • rundll32.exe (no specs)
  • client.exe (no specs)
  • client.exe
  • client.exe (no specs)
  • 123.exe (THREAT)
  • imgmmy.exe (no specs)
  • client.exe (no specs)
  • client.exe
  • client.exe (no specs)
  • 123.exe
  • werfault.exe
  • build.exe (no specs)
  • onedrive.exe
  • winrar.exe (no specs)
  • winrar.exe
  • firefox.exe (no specs)
  • firefox.exe
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • textinputhost.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • onedrivesetup.exe (no specs)
  • onedrivesetup.exe
  • filesyncconfig.exe (no specs)
  • onedrive.exe (no specs)

Process information

(Each entry lists PID, command line, image path, parent process and the process properties recorded by the sandbox, followed by the loaded modules.)
PID: 6380
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\paranor.7z
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6672
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 876
CMD: "C:\Users\admin\Desktop\Client.exe"
Path: C:\Users\admin\Desktop\Client.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
c:\users\admin\desktop\client.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6688
CMD: "C:\Users\admin\Desktop\Client.exe"
Path: C:\Users\admin\Desktop\Client.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\desktop\client.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 6856
CMD: "C:\Client.exe"
Path: C:\Client.exe
Parent process: Client.exe
User: admin
Company: Black Eyes Group (C) 1995~2011
Integrity Level: HIGH
Description: UDP Pck Data/UDP Trapic/ICMP/TCP/SYN
Exit code: 0
Version: 1.00
Modules (images):
c:\client.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 6844
CMD: "C:\123.exe"
Path: C:\123.exe
Parent process: Client.exe
User: admin
Company: Microsoft
Integrity Level: HIGH
Description: Server
Exit code: 0
Version: 1, 0, 0, 1
Modules (images):
c:\123.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 6288
CMD: C:\WINDOWS\SysWOW64\imgmmy.exe
Path: C:\Windows\SysWOW64\imgmmy.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft
Integrity Level: SYSTEM
Description: Server
Version: 1, 0, 0, 1
Modules (images):
c:\windows\syswow64\imgmmy.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID: 6672
CMD: "C:\Users\admin\Desktop\Client.exe"
Path: C:\Users\admin\Desktop\Client.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
c:\users\admin\desktop\client.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 5244
CMD: "C:\Users\admin\Desktop\Client.exe"
Path: C:\Users\admin\Desktop\Client.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\desktop\client.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 5064
CMD: "C:\Client.exe"
Path: C:\Client.exe
Parent process: Client.exe
User: admin
Company: 2011火狐DDOS改进版 (Chinese; reads "2011 Firefox DDoS improved version")
Integrity Level: HIGH
Description: QQ:528988114
Exit code: 2
Version: 3, 0, 0, 1
Modules (images):
c:\client.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
Total events: 50 105
Read events: 49 026
Write events: 513
Delete events: 566

Modification events

PID 6380 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
PID 6380 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
PID 6380 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
PID 6380 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\paranor.7z
PID 6380 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
PID 6380 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
PID 6380 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
PID 6380 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
PID 6688 (Client.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
PID 6688 (Client.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
Executable files: 232
Suspicious files: 224
Text files: 440
Unknown types: 23

Dropped files

PID 6192, WerFault.exe
  File: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_123.exe_4372bed4a7a799395bdccaa16bada5f78e264a19_62d46436_40892e3b-4851-43f4-84f6-4afa788fab08\Report.wer
  Type: (not listed)
  MD5: (not listed)
  SHA256: (not listed)
PID 6380, WinRAR.exe
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa6380.9077\디도스+프로그램\Client.exe
  Type: executable
  MD5: C4C009CDCE24A619519E668D734BCF73
  SHA256: 3F4A0C0938A23DD5EC7D81246C645609749D1DC3DF8260957002633D623C58B4
PID 6380, WinRAR.exe
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa6380.8494\고기툴 2.0 ver\gogi.dll
  Type: executable
  MD5: 75981EC1E63555A0AF71F72268D133CF
  SHA256: 4D1C67472BC1C788166732447E9AAC102486FD908CBC7E125D3878254BCE9D41
PID 6688, Client.exe
  File: C:\123.exe
  Type: executable
  MD5: FEC169E05B7AD3EBACB6CD66D4E57100
  SHA256: 685D384CEB439C018AA259345F75E5A28CB3CCCE61772E4AB556967519F083D2
PID 6856, Client.exe
  File: C:\Users\admin\AppData\Local\Temp\~DF359C2DED60F45FFE.TMP
  Type: binary
  MD5: 81EF5D2C0D6C26336B8A2E68F74E3D74
  SHA256: E74B5795288BF7006CCC08AD4BCBA7F4B7A4FACF55405C93653F2F331AF6184E
PID 6380, WinRAR.exe
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa6380.9077\디도스+프로그램\인덱스 아리아.txt
  Type: text
  MD5: 0C1EEAEC031EFD80ED5D7429BDE5F9E4
  SHA256: F5C2C798E6859362A47BB352C10EBD2896AE9E9BBDCDC71FC5A81C6F5EE500CC
PID 6380, WinRAR.exe
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa6380.10886\카스툴패킷강화\카스툴패킷강화\Server\Server.Dat
  Type: executable
  MD5: 94FEE570220BAF8B735E96E0FAB910C3
  SHA256: F089590C57F095058D2DDE975428D47BBC3A655A599D3AE1F3EBF779F369DF70
PID 6380, WinRAR.exe
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa6380.10886\카스툴패킷강화\카스툴패킷강화\소울찬양[참고].txt
  Type: text
  MD5: FE7A96FA2F06B54CC01A8FFF54915A40
  SHA256: E6DB999163ADB8BE9403EC7B5DD6E3E9FD97D441C534C36503AA542D1CF3334B
PID 6380, WinRAR.exe
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa6380.10886\카스툴패킷강화\카스툴패킷강화\Client.exe
  Type: executable
  MD5: 78583152F138D90B7EF1D5AAC902AFE5
  SHA256: 179C5E0CAAAB0ED1E87DFCA4759B1043B51A784E633E98A0465CF913FC07C615
PID 6380, WinRAR.exe
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa6380.9077\디도스+프로그램\제품설명.txt
  Type: text
  MD5: 6B60E61FDBCAC4CBAB187E429CCE3E18
  SHA256: 2B7193DAAE6120BD0833977F29FB0B3330BE60D60A3FE83FF098A0D32A13D631
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 35
TCP/UDP connections: 113
DNS requests: 138
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns are empty in this listing)
6140 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | unknown
4920 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | unknown
6140 | firefox.exe | POST | 200 | 95.101.54.106:80 | http://r10.o.lencr.org/ | unknown | unknown
6140 | firefox.exe | POST | 200 | 95.101.54.112:80 | http://r11.o.lencr.org/ | unknown | unknown
6140 | firefox.exe | POST | 200 | 95.101.54.112:80 | http://r11.o.lencr.org/ | unknown | unknown
6896 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | unknown
4920 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | unknown
6140 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | unknown
6140 | firefox.exe | POST | 200 | 95.101.54.106:80 | http://r10.o.lencr.org/ | unknown | unknown
6776 | OneDrive.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4040 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5116 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5336 | SearchApp.exe | 92.123.104.36:443 | www.bing.com | Akamai International B.V. | DE | unknown
5336 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
3260 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4920 | svchost.exe | 20.190.159.0:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 142.250.184.206
whitelisted
www.bing.com
  • 92.123.104.36
  • 92.123.104.32
  • 92.123.104.34
  • 92.123.104.29
  • 92.123.104.31
  • 92.123.104.30
  • 92.123.104.33
  • 92.123.104.28
  • 92.123.104.37
  • 92.123.104.49
  • 92.123.104.57
  • 92.123.104.54
  • 92.123.104.53
  • 92.123.104.45
  • 92.123.104.59
  • 92.123.104.46
  • 92.123.104.52
  • 92.123.104.58
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.115.3.253
  • 40.113.103.199
whitelisted
login.live.com
  • 20.190.159.0
  • 40.126.31.69
  • 20.190.159.75
  • 40.126.31.67
  • 20.190.159.2
  • 40.126.31.73
  • 20.190.159.23
  • 20.190.159.4
  • 40.126.32.134
  • 40.126.32.74
  • 20.190.160.20
  • 40.126.32.72
  • 20.190.160.14
  • 40.126.32.68
  • 20.190.160.17
  • 40.126.32.138
whitelisted
th.bing.com
  • 92.123.104.12
  • 92.123.104.5
  • 92.123.104.11
  • 92.123.104.9
  • 92.123.104.6
  • 92.123.104.7
  • 92.123.104.4
  • 92.123.104.13
  • 92.123.104.10
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted
arc.msn.com
  • 20.31.169.57
whitelisted
mp662002.codns.com
  • 127.0.0.1
unknown

Threats

No threats detected
No debug info