File name: Lockbit 3 Builder.7z
Full analysis: https://app.any.run/tasks/2cb2f236-f62f-48ac-b931-2c8c649bc9fc
Verdict: Malicious activity
Threats: LockBit, a ransomware variant, encrypts data on infected machines and demands a ransom payment for decryption. Used in targeted attacks, it poses a significant risk to organizations.
Analysis date: June 13, 2024, 17:05:54
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags: ransomware, lockbit
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: C9C2F3805F0012628E9D62E8F75AF4DD
SHA1: B6269B1FC8813B93C11EC6066DC33D9F99F2E431
SHA256: B2C3BEDA4B000A3D9AF0A457D6D942EC81696F3ED485F7CF723B18008A5F3D10
SSDEEP: 3072:pYWJsCuSlRODbWhyyZZsZ77n4s31uZzd2ppyMPOLOcrgCz:pbuSlicZyx4W1uLYpyMPOLjhz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • builder.exe (PID: 3956)
      • builder.exe (PID: 1576)
      • builder.exe (PID: 1864)
      • builder.exe (PID: 4476)
      • LB3.exe (PID: 5244)
      • builder.exe (PID: 5228)
      • builder.exe (PID: 2748)
    • Renames files like ransomware

      • LB3.exe (PID: 5244)
    • Steals credentials from Web Browsers

      • LB3.exe (PID: 5244)
    • Known privilege escalation attack

      • dllhost.exe (PID: 5708)
    • [YARA] LockBit is detected

      • LB3.exe (PID: 5244)
    • Creates a writable file in the system directory

      • splwow64.exe (PID: 756)
      • printfilterpipelinesvc.exe (PID: 4352)
    • Scans artifacts that could help determine the target

      • ONENOTE.EXE (PID: 1216)
    • Actions looks like stealing of personal data

      • LB3.exe (PID: 5244)
  • SUSPICIOUS

    • Detected use of alternative data streams (AltDS)

      • WindowsTerminal.exe (PID: 2908)
    • Reads security settings of Internet Explorer

      • WindowsTerminal.exe (PID: 2908)
      • Notepad.exe (PID: 4452)
      • ONENOTE.EXE (PID: 1216)
      • C21D.tmp (PID: 1568)
    • Reads the Internet Settings

      • Notepad.exe (PID: 4452)
      • WindowsTerminal.exe (PID: 2908)
      • powershell.exe (PID: 5024)
      • splwow64.exe (PID: 756)
      • printfilterpipelinesvc.exe (PID: 4352)
      • C21D.tmp (PID: 1568)
      • ONENOTE.EXE (PID: 1216)
    • Executing commands from a ".bat" file

      • powershell.exe (PID: 5024)
    • Reads the date of Windows installation

      • WindowsTerminal.exe (PID: 2908)
      • C21D.tmp (PID: 1568)
      • ONENOTE.EXE (PID: 1216)
    • Starts POWERSHELL.EXE for commands execution

      • WindowsTerminal.exe (PID: 2908)
    • Executable content was dropped or overwritten

      • builder.exe (PID: 3956)
      • builder.exe (PID: 1576)
      • builder.exe (PID: 1864)
      • builder.exe (PID: 4476)
      • builder.exe (PID: 5228)
      • builder.exe (PID: 2748)
      • LB3.exe (PID: 5244)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 5024)
      • C21D.tmp (PID: 1568)
    • The process creates files with name similar to system file names

      • builder.exe (PID: 4476)
    • Write to the desktop.ini file (may be used to cloak folders)

      • LB3.exe (PID: 5244)
    • Creates file in the systems drive root

      • LB3.exe (PID: 5244)
    • Creates files like ransomware instruction

      • LB3.exe (PID: 5244)
    • Starts application with an unusual extension

      • LB3.exe (PID: 5244)
    • Changes the desktop background image

      • LB3.exe (PID: 5244)
    • Hides command output

      • cmd.exe (PID: 5272)
    • Reads settings of System Certificates

      • ONENOTE.EXE (PID: 1216)
    • Checks Windows Trust Settings

      • ONENOTE.EXE (PID: 1216)
  • INFO

    • Dropped object may contain TOR URL's

      • WinRAR.exe (PID: 2412)
      • LB3.exe (PID: 5244)
    • Manual execution by a user

      • WinRAR.exe (PID: 2412)
      • Notepad.exe (PID: 4452)
    • Checks supported languages

      • wt.exe (PID: 452)
      • WindowsTerminal.exe (PID: 2908)
      • OpenConsole.exe (PID: 1588)
      • Notepad.exe (PID: 4452)
      • builder.exe (PID: 4476)
      • keygen.exe (PID: 1480)
      • builder.exe (PID: 1576)
      • builder.exe (PID: 1864)
      • builder.exe (PID: 3956)
      • LB3.exe (PID: 4004)
      • builder.exe (PID: 5228)
      • builder.exe (PID: 2748)
      • LB3.exe (PID: 5244)
      • C21D.tmp (PID: 1568)
      • ONENOTE.EXE (PID: 1216)
    • Reads the computer name

      • wt.exe (PID: 452)
      • WindowsTerminal.exe (PID: 2908)
      • Notepad.exe (PID: 4452)
      • LB3.exe (PID: 4004)
      • LB3.exe (PID: 5244)
      • ONENOTE.EXE (PID: 1216)
      • C21D.tmp (PID: 1568)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2412)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2412)
    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 5024)
    • Creates files or folders in the user directory

      • LB3.exe (PID: 5244)
      • WindowsTerminal.exe (PID: 2908)
      • printfilterpipelinesvc.exe (PID: 4352)
      • ONENOTE.EXE (PID: 1216)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 5024)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 5024)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 5708)
      • splwow64.exe (PID: 756)
      • printfilterpipelinesvc.exe (PID: 4352)
    • Reads the machine GUID from the registry

      • LB3.exe (PID: 4004)
      • LB3.exe (PID: 5244)
      • ONENOTE.EXE (PID: 1216)
    • Creates files in the program directory

      • LB3.exe (PID: 5244)
    • Create files in a temporary directory

      • LB3.exe (PID: 5244)
      • ONENOTE.EXE (PID: 1216)
    • Reads Environment values

      • ONENOTE.EXE (PID: 1216)
    • Checks proxy server information

      • ONENOTE.EXE (PID: 1216)
    • Reads product name

      • ONENOTE.EXE (PID: 1216)
    • Reads Microsoft Office registry keys

      • ONENOTE.EXE (PID: 1216)
    • Reads CPU info

      • ONENOTE.EXE (PID: 1216)
    • Reads the software policy settings

      • ONENOTE.EXE (PID: 1216)
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
Total processes: 129
Monitored processes: 26
Malicious processes: 8
Suspicious processes: 1

Behavior graph

Process nodes from the start node: winrar.exe, winrar.exe, dllhost.exe, wt.exe, windowsterminal.exe, openconsole.exe, powershell.exe, dllhost.exe, notepad.exe, cmd.exe, keygen.exe, builder.exe (6 instances), lb3.exe, lb3.exe (tagged CMSTPLUA, #LOCKBIT), splwow64.exe, printfilterpipelinesvc.exe, onenote.exe, c21d.tmp, cmd.exe, conhost.exe

Process information

PID: 452
CMD: "C:\Users\admin\AppData\Local\Microsoft\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe\wt.exe" -d "C:\Users\admin\Desktop\LBLeak"
Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.14.1963.0_x64__8wekyb3d8bbwe\wt.exe
Parent process: dllhost.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  • c:\program files\windowsapps\microsoft.windowsterminal_1.14.1963.0_x64__8wekyb3d8bbwe\wt.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\program files\windowsapps\microsoft.vclibs.140.00.uwpdesktop_14.0.30704.0_x64__8wekyb3d8bbwe\vcruntime140_1.dll
  • c:\program files\windowsapps\microsoft.vclibs.140.00.uwpdesktop_14.0.30704.0_x64__8wekyb3d8bbwe\msvcp140.dll
  • c:\program files\windowsapps\microsoft.vclibs.140.00.uwpdesktop_14.0.30704.0_x64__8wekyb3d8bbwe\vcruntime140.dll
  • c:\windows\system32\daxexec.dll
  • c:\windows\system32\msvcp_win.dll

PID: 480
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll

PID: 756
CMD: C:\Windows\splwow64.exe 12288
Path: C:\Windows\splwow64.exe
Parent process: LB3.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Print driver host for applications
Version: 10.0.22000.795 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\splwow64.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll

PID: 1216
CMD: /insertdoc "C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\{3389203F-67CA-4703-B2C2-46E1A9A8D5F4}.xps" 133627723532520000
Path: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
Parent process: printfilterpipelinesvc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft OneNote
Version: 16.0.16626.20134
Modules (images):
  • c:\program files\microsoft office\root\office16\onenote.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\win32u.dll

PID: 1480
CMD: keygen -path C:\Users\admin\Desktop\LBLeak\Build -pubkey pub.key -privkey priv.key
Path: C:\Users\admin\Desktop\LBLeak\keygen.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  • c:\users\admin\desktop\lbleak\keygen.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64base.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64con.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll

PID: 1568
CMD: "C:\ProgramData\C21D.tmp"
Path: C:\ProgramData\C21D.tmp
Parent process: LB3.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  • c:\programdata\c21d.tmp
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64base.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64con.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll

PID: 1576
CMD: builder -type dec -privkey C:\Users\admin\Desktop\LBLeak\Build\priv.key -config config.json -ofile C:\Users\admin\Desktop\LBLeak\Build\LB3Decryptor.exe
Path: C:\Users\admin\Desktop\LBLeak\builder.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  • c:\users\admin\desktop\lbleak\builder.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64base.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64con.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll

PID: 1588
CMD: "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.14.1963.0_x64__8wekyb3d8bbwe\OpenConsole.exe" --headless --win32input --resizeQuirk --width 120 --height 27 --signal 0x9e4 --server 0x9e0
Path: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.14.1963.0_x64__8wekyb3d8bbwe\OpenConsole.exe
Parent process: WindowsTerminal.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  • c:\program files\windowsapps\microsoft.windowsterminal_1.14.1963.0_x64__8wekyb3d8bbwe\openconsole.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\user32.dll

PID: 1864
CMD: builder -type enc -exe -pubkey C:\Users\admin\Desktop\LBLeak\Build\pub.key -config config.json -ofile C:\Users\admin\Desktop\LBLeak\Build\LB3.exe
Path: C:\Users\admin\Desktop\LBLeak\builder.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  • c:\users\admin\desktop\lbleak\builder.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64base.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64con.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll

PID: 2412
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Lockbit 3 Builder.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
  • c:\program files\winrar\winrar.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\gdi32full.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
Total events: 40 689
Read events: 38 159
Write events: 2 487
Delete events: 43

Modification events

(PID) Process | Key | Operation | Name | Value
(5388) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\General | write | VerInfo | 005B0500667295FAB3BDDA01
(5388) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP |
(5388) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon |
(5388) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface | write | ShowPassword | 0
(5388) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\General | write | LastFolder | C:\Users\admin\AppData\Local\Temp
(5388) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
(5388) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
(5388) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
(5388) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
(5388) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | write | Band76_0 | 4C000000730100000402000000000000F0F0F00000000000000000000000000000000000000000004A00070000000000000000003B000000B402000000000000000000000000000001000000
Executable files: 32
Suspicious files: 1 733
Text files: 2 348
Unknown types: 79

Dropped files

PID | Process | Filename | Type
5388 | WinRAR.exe | C:\USERS\ADMIN\APPDATA\ROAMING\WINRAR\VERSION.DAT | binary
  MD5: 933712A1B50E5E1F1293CCD0B7C3CC47
  SHA256: 565AF8706A67FD7B6C84D0C41258906BC34E7E03979AE56F3B545FA7C5C59FA5
2412 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2412.28827\LBLeak\keygen.exe | executable
  MD5: 5E28C7C900E4DCE08366051C22F07F84
  SHA256: BB76F4D10EC2C1D24BE904D2EE078F34A6B5BD11F3B40F295E116FEA44824B89
2412 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2412.28827\LBLeak\config.json | binary
  MD5: A6BA7B662DE10B45EBE5B6B7EDAA62A9
  SHA256: 3F7518D88AEFD4B1E0A1D6F9748F9A9960C1271D679600E34F5065D8DF8C9DC8
2412 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2412.28827\LBLeak\Build.bat | text
  MD5: 4E46E28B2E61643F6AF70A8B19E5CB1F
  SHA256: 8E83A1727696CED618289F79674B97305D88BEEEABF46BD25FC77AC53C1AE339
2412 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2412.28827\LBLeak\builder.exe | executable
  MD5: 8C689DC9E82C9356B990D2B67B4943E1
  SHA256: E8E2DEB0A83AEBB1E2CC14846BC71715343372103F279D2D1622E383FB26D6EF
5024 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xtdan4jk.cyj.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2908 | WindowsTerminal.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JRS43J02L2YM54RBTX0M.temp | binary
  MD5: 01381A33F86649FB5AF55C60025E4507
  SHA256: 78A445DFB4CD9CD4E4852CDC733D55712F57EA072F842FA91361ED7B4A320B0C
5024 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_froot2zt.r2j.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2908 | WindowsTerminal.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16f2f0042ddbe0e8.customDestinations-ms | binary
  MD5: 01381A33F86649FB5AF55C60025E4507
  SHA256: 78A445DFB4CD9CD4E4852CDC733D55712F57EA072F842FA91361ED7B4A320B0C
2908 | WindowsTerminal.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16f2f0042ddbe0e8.customDestinations-ms~RF128313.TMP | binary
  MD5: 35F7CB74FE5446764D34580D180505B6
  SHA256: 40526E2FC7874D00C634694249F85AB7E92A7F019FC97A950C1B452DD8195EA6
HTTP(S) requests: 13
TCP/UDP connections: 26
DNS requests: 12
Threats: 1

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN / Type / Size / Reputation (as reported)
- | - | POST | 403 | 23.53.113.159:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
- | - | POST | 403 | 23.53.113.159:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
- | - | POST | 403 | 23.53.113.159:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
- | - | POST | 403 | 23.53.113.159:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
- | - | POST | 403 | 23.53.113.159:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
- | - | POST | 403 | 23.53.113.159:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
- | - | POST | 403 | 23.53.113.159:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | unknown
2828 | svchost.exe | GET | 200 | 95.101.63.72:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?3a3082f95a18b6d2 | unknown | unknown
2828 | svchost.exe | GET | 200 | 95.101.63.72:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a838ce9651e3b5f0 | unknown | unknown
2828 | svchost.exe | GET | 200 | 95.101.63.72:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?17b2b73c54e86f00 | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5880 | svchost.exe | 23.53.114.19:443 | fs.microsoft.com | AKAMAI-AS | US | unknown
- | - | 23.53.113.159:80 | go.microsoft.com | AKAMAI-AS | US | unknown
4552 | svchost.exe | 239.255.255.250:1900 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2868 | OfficeClickToRun.exe | 20.189.173.26:443 | self.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
2868 | OfficeClickToRun.exe | 192.229.221.95:80 | - | EDGECAST | US | whitelisted
2828 | svchost.exe | 95.101.63.72:80 | ctldl.windowsupdate.com | Akamai International B.V. | GB | unknown
2844 | svchost.exe | 52.182.143.213:443 | v20.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
2844 | svchost.exe | 13.89.179.11:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
1216 | ONENOTE.EXE | 52.109.32.97:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | unknown

DNS requests

Domain | IP | Reputation
fs.microsoft.com | 23.53.114.19 | whitelisted
go.microsoft.com | 23.53.113.159 | whitelisted
self.events.data.microsoft.com | 20.189.173.26, 20.189.173.9 | whitelisted
ctldl.windowsupdate.com | 95.101.63.72, 95.101.63.96, 95.101.63.90 | whitelisted
v20.events.data.microsoft.com | 52.182.143.213 | whitelisted
dns.msftncsi.com | 131.107.255.255, fd3e:4f5a:5b81::1 | shared
officeclient.microsoft.com | 52.109.32.97 | whitelisted
login.live.com | 20.190.159.68, 20.190.159.23, 40.126.31.73, 20.190.159.75, 20.190.159.4, 20.190.159.71, 20.190.159.73, 20.190.159.0, 40.126.31.71, 20.190.159.64, 40.126.31.69, 20.190.159.2 | whitelisted
ecs.office.com | 52.113.194.132 | whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO Microsoft Connection Test

Process | Message
splwow64.exe | Invalid parameter passed to C runtime function.