File name:

LB3.exe

Full analysis: https://app.any.run/tasks/bf824f58-71a4-4f49-8385-9ac9aab075da
Verdict: Malicious activity
Threats:

BlackMatter is a ransomware strain operating as a Ransomware-as-a-Service (RaaS), designed to encrypt files, remove recovery options, and extort victims across critical industries. Emerging in 2021, it quickly became a major concern due to its ability to evade defenses, spread across networks, and cause large-scale operational disruption, forcing security teams to act against a highly destructive and persistent threat.

Malware Trends Tracker     >>>
Analysis date: June 21, 2025, 17:27:44
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
blackmatter
ransomware
uac
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

F99DD595AFC51C71075C5844C5FD5041

SHA1:

1410FCB675DB4C992C8A48B472068F20A470737C

SHA256:

98187C81EEF3E6F63A46F544A9858FA5291728CEBCF4412C9977D171C09D0B61

SSDEEP:

1536:M5QuWpv+ecczvsVFlRo8ltiwkhTibFEuxgG59sFXO61jbS2:M5QuW1lbHwEFG59sRO61J

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • BLACKMATTER mutex has been found

      • LB3.exe (PID: 3632)
      • svchost.exe (PID: 7108)

    • Changes the autorun value in the registry

      • svchost.exe (PID: 7108)

    • Bypass User Account Control (Modify registry)

      • svchost.exe (PID: 7108)

    • Uses Task Scheduler to autorun other applications

      • svchost.exe (PID: 7108)

    • Deletes shadow copies

      • cmd.exe (PID: 188)
      • cmd.exe (PID: 1964)
      • svchost.exe (PID: 7108)

    • Using BCDEDIT.EXE to modify recovery options

      • cmd.exe (PID: 5644)

    • Starts NET.EXE for service management

      • svchost.exe (PID: 7108)
      • net.exe (PID: 2864)
      • net.exe (PID: 6532)
      • net.exe (PID: 4644)
      • net.exe (PID: 3756)
      • net.exe (PID: 2648)
      • net.exe (PID: 1472)
      • net.exe (PID: 2648)
      • net.exe (PID: 4760)
      • net.exe (PID: 6404)
      • net.exe (PID: 5560)
      • net.exe (PID: 316)
      • net.exe (PID: 4680)
      • net.exe (PID: 5712)
      • net.exe (PID: 4968)
      • net.exe (PID: 5928)
      • net.exe (PID: 7000)
      • net.exe (PID: 6700)
      • net.exe (PID: 3112)
      • net.exe (PID: 3908)
      • net.exe (PID: 5628)
      • net.exe (PID: 6140)
      • net.exe (PID: 4500)
      • net.exe (PID: 6096)
      • net.exe (PID: 3976)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • LB3.exe (PID: 3632)
      • svchost.exe (PID: 7108)

    • Executing commands from a ".bat" file

      • LB3.exe (PID: 3632)
      • svchost.exe (PID: 7108)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 3832)
      • cmd.exe (PID: 6104)
      • cmd.exe (PID: 1896)
      • cmd.exe (PID: 3588)
      • cmd.exe (PID: 6360)
      • cmd.exe (PID: 4768)
      • cmd.exe (PID: 5716)

    • The process creates files with name similar to system file names

      • LB3.exe (PID: 3632)

    • Reads the date of Windows installation

      • LB3.exe (PID: 3632)
      • svchost.exe (PID: 7108)

    • Starts itself from another location

      • LB3.exe (PID: 3632)

    • Reads security settings of Internet Explorer

      • LB3.exe (PID: 3632)
      • svchost.exe (PID: 7108)

    • Changes default file association

      • svchost.exe (PID: 7108)

    • Executable content was dropped or overwritten

      • svchost.exe (PID: 7108)
      • LB3.exe (PID: 3632)

    • Windows service management via SC.EXE

      • sc.exe (PID: 6360)
      • sc.exe (PID: 7092)
      • sc.exe (PID: 2212)
      • sc.exe (PID: 4836)
      • sc.exe (PID: 5372)
      • sc.exe (PID: 7032)
      • sc.exe (PID: 4800)
      • sc.exe (PID: 1468)
      • sc.exe (PID: 3736)
      • sc.exe (PID: 3488)
      • sc.exe (PID: 4920)
      • sc.exe (PID: 5780)
      • sc.exe (PID: 4320)
      • sc.exe (PID: 6348)
      • sc.exe (PID: 1880)
      • sc.exe (PID: 4576)
      • sc.exe (PID: 2276)
      • sc.exe (PID: 6980)
      • sc.exe (PID: 2648)
      • sc.exe (PID: 6684)
      • sc.exe (PID: 2708)
      • sc.exe (PID: 6620)
      • sc.exe (PID: 6256)
      • sc.exe (PID: 5744)
      • sc.exe (PID: 2428)
      • sc.exe (PID: 320)
      • sc.exe (PID: 6936)
      • sc.exe (PID: 760)
      • sc.exe (PID: 1984)
      • sc.exe (PID: 5496)
      • sc.exe (PID: 6232)
      • sc.exe (PID: 6012)
      • sc.exe (PID: 4708)
      • sc.exe (PID: 6340)
      • sc.exe (PID: 2380)
      • sc.exe (PID: 3644)
      • sc.exe (PID: 6948)
      • sc.exe (PID: 2996)
      • sc.exe (PID: 3608)
      • sc.exe (PID: 2160)
      • sc.exe (PID: 1028)
      • sc.exe (PID: 5560)
      • sc.exe (PID: 5252)
      • sc.exe (PID: 6672)
      • sc.exe (PID: 6180)
      • sc.exe (PID: 6264)
      • sc.exe (PID: 5712)
      • sc.exe (PID: 6380)

    • Starts SC.EXE for service management

      • svchost.exe (PID: 7108)

  • INFO

    • Reads the machine GUID from the registry

      • LB3.exe (PID: 3632)
      • svchost.exe (PID: 7108)

    • Create files in a temporary directory

      • LB3.exe (PID: 3632)
      • svchost.exe (PID: 7108)

    • Checks supported languages

      • LB3.exe (PID: 3632)
      • svchost.exe (PID: 7108)

    • Reads the computer name

      • LB3.exe (PID: 3632)
      • svchost.exe (PID: 7108)

    • Launching a file from a Registry key

      • svchost.exe (PID: 7108)

    • Process checks computer location settings

      • svchost.exe (PID: 7108)
      • LB3.exe (PID: 3632)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6376)
      • notepad.exe (PID: 4156)

    • Manual execution by a user

      • notepad.exe (PID: 4156)

    • Creates files or folders in the user directory

      • LB3.exe (PID: 3632)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:06:21 17:23:20+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 83968
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x1675e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 0.0.0.0
InternalName: LB3.exe
LegalCopyright:
OriginalFileName: LB3.exe
ProductVersion: 0.0.0.0
AssemblyVersion: 0.0.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
359
Monitored processes
225
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start lb3.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs timeout.exe no specs timeout.exe no specs svchost.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs timeout.exe no specs timeout.exe no specs cmd.exe no specs conhost.exe no specs fodhelper.exe no specs schtasks.exe no specs conhost.exe no specs timeout.exe no specs vssadmin.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs vssadmin.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs bcdedit.exe no specs bcdedit.exe no specs fodhelper.exe no specs fodhelper.exe no specs cmd.exe no specs conhost.exe no specs wbadmin.exe fodhelper.exe no specs vssadmin.exe no specs conhost.exe no specs fodhelper.exe no specs vssadmin.exe no specs conhost.exe no specs fodhelper.exe no specs fodhelper.exe no specs fodhelper.exe no specs fodhelper.exe no specs fodhelper.exe no specs fodhelper.exe no specs wbadmin.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs timeout.exe no specs timeout.exe no specs fodhelper.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs notepad.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
188"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy deleteC:\Windows\System32\cmd.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2147749908
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
236"vssadmin" delete shadows /for=C: /all /quietC:\Windows\System32\vssadmin.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
316"net.exe" stop mysqlC:\Windows\System32\net.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
320bcdedit /set {default} bootstatuspolicy ignoreallfailures C:\Windows\System32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Boot Configuration Data Editor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cryptsp.dll
320\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
320\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
320"sc.exe" delete mysql$C:\Windows\System32\sc.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Service Control Manager Configuration Tool
Exit code:
1060
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
516\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
516\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
724\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
4 283
Read events
4 270
Write events
13
Delete events
0

Modification events

(PID) Process:(7108) svchost.exeKey:HKEY_CLASSES_ROOT\ms-settings\Shell\Open\command
Operation:writeName:DelegateExecute
Value:
(PID) Process:(7108) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:UpdateOhgodK
Value:
C:\Users\admin\AppData\Local\svchost.exe
Executable files
15
Suspicious files
54
Text files
16
Unknown types
0

Dropped files

PID
Process
Filename
Type
3632LB3.exeC:\Users\admin\AppData\Local\Temp\selfdestruct_J423NCUV.battext
MD5:98EC0893542F27D9CB66F211A8623F74
SHA256:682C08D1E8363272024133D9C0F84BEC7F153847B3738887C801DCA692CA5A6E
7108svchost.exeC:\Users\admin\AppData\Local\Temp\update_bdick7.exeexecutable
MD5:F99DD595AFC51C71075C5844C5FD5041
SHA256:98187C81EEF3E6F63A46F544A9858FA5291728CEBCF4412C9977D171C09D0B61
7108svchost.exeC:\Users\admin\AppData\Local\Temp\update_RnnP8r.exeexecutable
MD5:F99DD595AFC51C71075C5844C5FD5041
SHA256:98187C81EEF3E6F63A46F544A9858FA5291728CEBCF4412C9977D171C09D0B61
7108svchost.exeC:\Users\admin\AppData\Local\Temp\selfdestruct_0ezlAAI7.battext
MD5:80384AC2A6120ACBE512303AEBC66A1D
SHA256:169674D683BE5127DF6B0817287779B6292835BD97B12785ED9243543B823505
7108svchost.exeC:\Users\admin\AppData\Local\Temp\update_gcIYmZ.exeexecutable
MD5:F99DD595AFC51C71075C5844C5FD5041
SHA256:98187C81EEF3E6F63A46F544A9858FA5291728CEBCF4412C9977D171C09D0B61
7108svchost.exeC:\Users\admin\AppData\Local\Temp\update_aFcJHh.exeexecutable
MD5:F99DD595AFC51C71075C5844C5FD5041
SHA256:98187C81EEF3E6F63A46F544A9858FA5291728CEBCF4412C9977D171C09D0B61
7108svchost.exeC:\Users\admin\AppData\Local\Temp\update_Epr5O3.exeexecutable
MD5:F99DD595AFC51C71075C5844C5FD5041
SHA256:98187C81EEF3E6F63A46F544A9858FA5291728CEBCF4412C9977D171C09D0B61
7108svchost.exeC:\Users\admin\AppData\Local\Temp\update_9HK12e.exeexecutable
MD5:F99DD595AFC51C71075C5844C5FD5041
SHA256:98187C81EEF3E6F63A46F544A9858FA5291728CEBCF4412C9977D171C09D0B61
3632LB3.exeC:\Users\admin\AppData\Local\svchost.exeexecutable
MD5:F99DD595AFC51C71075C5844C5FD5041
SHA256:98187C81EEF3E6F63A46F544A9858FA5291728CEBCF4412C9977D171C09D0B61
7108svchost.exeC:\Users\admin\AppData\Local\Temp\update_LRYHtI.exeexecutable
MD5:F99DD595AFC51C71075C5844C5FD5041
SHA256:98187C81EEF3E6F63A46F544A9858FA5291728CEBCF4412C9977D171C09D0B61
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
20
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2524
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6960
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2336
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2524
svchost.exe
20.190.159.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2524
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5944
MoUsoCoreWorker.exe
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.78
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.2
  • 20.190.159.4
  • 40.126.31.69
  • 40.126.31.128
  • 40.126.31.129
  • 40.126.31.73
  • 40.126.31.0
  • 20.190.159.71
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted

Threats

No threats detected
Process
Message
wbadmin.exe
Invalid parameter passed to C runtime function.
wbadmin.exe
Invalid parameter passed to C runtime function.
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
LB3.exe