File name: LEAN2.exe

Full analysis: https://app.any.run/tasks/93622120-8d3b-4820-9269-7605b497a5dc
Verdict: Malicious activity
Analysis date: April 28, 2025, 18:24:07
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386, for MS Windows, 4 sections
MD5: 3D09F62460483AADA89819F8F0E2809C
SHA1: 07045C1FF20A5E88F8EE27A8838EBB737C07B5D1
SHA256: BC1942B13230C5E1919683FF50E01D28D445913DA75A46CFC88EDB8D4BE7129E
SSDEEP: 768:Q0rFJcTxy3Uwk33HYrbR8orAu7EsxRYI7wwnMxo14ac9mg/6ApKF:jrrGg3O3cF8Ru7EsLC0Mxgcvtpe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • LEAN2.exe (PID: 7504)
    • Scans artifacts that could help determine the target

      • LEAN2.exe (PID: 7504)
    • Executing a file with an untrusted certificate

      • OneDrive.exe (PID: 5284)
      • FileSyncConfig.exe (PID: 1460)
  • SUSPICIOUS

    • Changes the desktop background image

      • LEAN2.exe (PID: 7504)
    • Reads security settings of Internet Explorer

      • LEAN2.exe (PID: 7504)
    • Reads Internet Explorer settings

      • LEAN2.exe (PID: 7504)
    • Process changes security settings for the VBA macro

      • LEAN2.exe (PID: 7504)
    • Executes application which crashes

      • StartMenuExperienceHost.exe (PID: 5528)
      • StartMenuExperienceHost.exe (PID: 7308)
    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 4120)
    • Application launched itself

      • ie4uinit.exe (PID: 5368)
      • setup.exe (PID: 5880)
      • setup.exe (PID: 5940)
      • setup.exe (PID: 6112)
      • OneDriveSetup.exe (PID: 532)
    • Uses RUNDLL32.EXE to load library

      • ie4uinit.exe (PID: 5480)
    • Executable content was dropped or overwritten

      • OneDriveSetup.exe (PID: 6164)
    • The process drops C-runtime libraries

      • OneDriveSetup.exe (PID: 6164)
    • Starts a Microsoft application from unusual location

      • FileSyncConfig.exe (PID: 1460)
      • OneDrive.exe (PID: 5284)
  • INFO

    • Checks supported languages

      • LEAN2.exe (PID: 7504)
    • Reads mouse settings

      • LEAN2.exe (PID: 7504)
    • Reads the computer name

      • LEAN2.exe (PID: 7504)
    • Process checks computer location settings

      • LEAN2.exe (PID: 7504)
    • Reads Microsoft Office registry keys

      • LEAN2.exe (PID: 7504)
    • Manual execution by a user

      • LEAN2.exe (PID: 7400)
      • LEAN2.exe (PID: 1660)
      • LEAN2.exe (PID: 7572)
      • hh.exe (PID: 7528)
      • notepad.exe (PID: 7884)
      • verclsid.exe (PID: 7228)
      • unregmp2.exe (PID: 5336)
      • ie4uinit.exe (PID: 5368)
      • unregmp2.exe (PID: 5632)
      • chrmstp.exe (PID: 5664)
      • setup.exe (PID: 5880)
      • fsquirt.exe (PID: 7256)
      • OneDriveSetup.exe (PID: 532)
      • wab.exe (PID: 7340)
    • Application launched itself

      • chrmstp.exe (PID: 5772)
      • chrmstp.exe (PID: 5664)
      • msedge.exe (PID: 4580)
    • The sample compiled with english language support

      • OneDriveSetup.exe (PID: 6164)
    • The sample compiled with chinese language support

      • OneDriveSetup.exe (PID: 6164)
    • The sample compiled with portuguese language support

      • OneDriveSetup.exe (PID: 6164)
No Malware configuration.

TRiD

.exe | Win16/32 Executable Delphi generic (34.1)
.exe | Generic Win/DOS Executable (32.9)
.exe | DOS Executable Generic (32.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:28 18:19:19+00:00
ImageFileCharacteristics: Executable, Bytes reversed lo, 32-bit
PEType: PE32
LinkerVersion: 2.18
CodeSize: 35328
InitializedDataSize: 4096
UninitializedDataSize: -
EntryPoint: 0x18b8
OSVersion: 1.11
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes: 403
Monitored processes: 48
Malicious processes: 2
Suspicious processes: 2

Behavior graph

Processes in the order the graph draws them ("no specs" is the report's own marker for a process without flagged indicators): lean2.exe, conhost.exe (no specs), sppextcomobj.exe (no specs), slui.exe, startmenuexperiencehost.exe, werfault.exe (no specs), startmenuexperiencehost.exe, werfault.exe (no specs), shellexperiencehost.exe, werfault.exe (no specs), lean2.exe (no specs), conhost.exe (no specs), slui.exe, lean2.exe (no specs), conhost.exe (no specs), lean2.exe (no specs), conhost.exe (no specs), rundll32.exe (no specs), hh.exe (no specs), notepad.exe (no specs), verclsid.exe (no specs), plugscheduler.exe (no specs), unregmp2.exe (no specs), ie4uinit.exe (no specs), ie4uinit.exe (no specs), rundll32.exe (no specs), unregmp2.exe (no specs), chrmstp.exe (no specs), chrmstp.exe (no specs), chrmstp.exe (no specs), chrmstp.exe (no specs), setup.exe (no specs), setup.exe (no specs), setup.exe (no specs), setup.exe (no specs), setup.exe (no specs), setup.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), fsquirt.exe (no specs), onedrivesetup.exe (no specs), onedrivesetup.exe, wab.exe (no specs), filesyncconfig.exe (no specs), onedrive.exe (no specs)

Process information

Fields per process: PID | CMD | Path | Indicators | Parent process
PID: 532 | CMD: "C:\Windows\SysWOW64\OneDriveSetup.exe" /thfirstsetup | Path: C:\Windows\SysWOW64\OneDriveSetup.exe | Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive (32 bit) Setup
Exit code: 0
Version: 19.043.0304.0013
Modules (images):
c:\windows\syswow64\onedrivesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 1132 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1164 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: LEAN2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1240 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: LEAN2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1460 | CMD: "C:\Users\TEMP\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exe" | Path: C:\Users\TEMP\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exe | Parent process: OneDriveSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive Configuration Application
Exit code: 0
Version: 19.043.0304.0013
Modules (images):
c:\users\temp\appdata\local\microsoft\onedrive\19.043.0304.0013\filesyncconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1660 | CMD: "C:\Users\admin\Desktop\LEAN2.exe" | Path: C:\Users\admin\Desktop\LEAN2.exe | Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\lean2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 2244 | CMD: C:\WINDOWS\system32\WerFault.exe -u -p 5528 -s 1636 | Path: C:\Windows\System32\WerFault.exe | Parent process: StartMenuExperienceHost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll
PID: 4120 | CMD: "C:\Program Files\RUXIM\PLUGscheduler.exe" | Path: C:\Program Files\RUXIM\PLUGScheduler.exe | Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Update LifeCycle Component Scheduler
Exit code: 0
Version: 10.0.19041.3623 (WinBuild.160101.0800)
Modules (images):
c:\program files\ruxim\plugscheduler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
PID: 4580 | CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --continue-active-setup | Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Parent process: setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5284 | CMD: /setautostart /background | Path: C:\Users\TEMP\AppData\Local\Microsoft\OneDrive\OneDrive.exe | Parent process: OneDriveSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive
Exit code: 2147943660
Version: 19.043.0304.0013
Modules (images):
c:\users\temp\appdata\local\microsoft\onedrive\onedrive.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
Total events: 331 603
Read events: 254 859
Write events: 69 082
Delete events: 7 662

Modification events

PID 7504 (LEAN2.exe) | Key: HKEY_CURRENT_USER\AppEvents\EventLabels\MailBeep | Operation: write | Name: DispFileName | Value: @m>>e..>nl,( <(I
PID 7504 (LEAN2.exe) | Key: HKEY_CURRENT_USER\AppEvents\EventLabels\Maximize | Operation: write | Name: DispFileName | Value: Sm;reaBdl6,T5=q|
PID 7504 (LEAN2.exe) | Key: HKEY_CURRENT_USER\AppEvents\EventLabels\MenuCommand | Operation: write | Name: DispFileName | Value: s\mFes.dtl7a5834
PID 7504 (LEAN2.exe) | Key: HKEY_CURRENT_USER\AppEvents\EventLabels\MenuPopup | Operation: write | Name: DispFileName | Value: :%N<esKd4+,-58P`
PID 7504 (LEAN2.exe) | Key: HKEY_CURRENT_USER\AppEvents\EventLabels\MessageNudge | Operation: write | Name: DispFileName | Value: @mD2?v.dll,-H}6l
PID 7504 (LEAN2.exe) | Key: HKEY_CURRENT_USER\AppEvents\EventLabels\Minimize | Operation: write | Name: DispFileName | Value: 3Wmr0s.dll!(58N6
PID 7504 (LEAN2.exe) | Key: HKEY_CURRENT_USER\AppEvents\EventLabels\MisrecoSound | Operation: write | Name: DispFileName | Value: 8C@\W*Lotws\SLstemUjXspeWhh\spee5hu%\sawnrhplT-556g
PID 7504 (LEAN2.exe) | Key: HKEY_CURRENT_USER\AppEvents\EventLabels\MoveMenuItem | Operation: write | Name: DispFileName | Value: @nefgamepzPl4^1j:22
PID 7504 (LEAN2.exe) | Key: HKEY_CURRENT_USER\AppEvents\EventLabels\Navigating | Operation: write | Name: DispFileName | Value: U(\?rame.dll$M[Q32-
PID 7504 (LEAN2.exe) | Key: HKEY_CURRENT_USER\AppEvents\EventLabels\Notification.Looping.Alarm10 | Operation: write | Name: DispFileName | Value: \p%re_7tl%p-N897
Executable files: 223
Suspicious files: 121
Text files: 260
Unknown types: 1

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2244 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Microsoft.Window_e71e7a5ae6399d62fa6eae82187c8e48167a6d_63f61128_eaa4ddb9-6fb1-4c5c-840b-241513dba1e6\Report.wer | - | - | -
7152 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Microsoft.Window_e71e7a5ae6399d62fa6eae82187c8e48167a6d_63f61128_ef742c5b-e893-440f-8cf6-c74ada1dd0cb\Report.wer | - | - | -
7960 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Microsoft.Window_fc777e5a44aed116d31747275a136cb01cab5bf3_961a8dc7_ef8146ef-7d5e-46b7-8246-f390080832c8\Report.wer | - | - | -
2244 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D4B.tmp.xml | xml | F7C00F84AAE2D87DC14B64D8A3007C5C | EFF2C9951E9380E3C91456C84E2F862E983A29A651632FD793C8B2E3DA8AE379
2244 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\StartMenuExperienceHost.exe.5528.dmp | binary | 6AF5E4FAE51C39480D6DFAF8DEC946D5 | F1B79E87B6EA2B394BB66D9933EFBC02CAE9F6EA426BD97C166D6AB72E9C3694
2244 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D2B.tmp.WERInternalMetadata.xml | binary | 358C72E1B4C766706CD73071BB2FCC98 | 787968EB9EECD87DF02580CF3F7187A6B32559A905F77124B29985901BDC6A2C
7152 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER2131.tmp.dmp | binary | 64EE404E9F549559B9D9C7FA332FAB06 | F2AB0D56024A1A46D0B58793580DF508A090FA36850FFFFDD2711BA1045A40F6
7960 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER43BE.tmp.WERInternalMetadata.xml | binary | B92E8DDD17D56ABB5F203924FEE15EDD | 1F55C69920E882B10A626003C196880B7EEBDB8146F2A8CE49C633E14988112D
7960 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER43DE.tmp.xml | xml | 72D0C7B5C8361EB3FED7BDF79E8B2575 | 7CF7A9281A3F943EF43D66967FC7BC5FD806A402DB211D9BBDAE8410A0F1F41D
2244 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C5F.tmp.dmp | binary | E2D0E0C20C0F09D6E242E187E7651837 | 126FDE1740785CBDA66FF1D9605C4D0D28BF447CB9079F0C26124BA18559A043
HTTP(S) requests: 12
TCP/UDP connections: 59
DNS requests: 32
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns are empty in this extract; "-" marks a row whose PID and process were not captured)
- | - | GET | 200 | 2.17.251.99:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.17.251.99:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.21.189.233:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 2.21.189.233:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 23.210.252.238:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7216 | SIHClient.exe | GET | 200 | 2.21.189.233:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6028 | backgroundTaskHost.exe | GET | 200 | 23.210.252.238:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted
7216 | SIHClient.exe | GET | 200 | 2.21.189.233:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4624 | WerFault.exe | GET | 200 | 2.17.251.99:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4624 | WerFault.exe | GET | 200 | 2.21.189.233:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation ("-" marks a field not captured in this extract)
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 2.17.251.99:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 2.17.251.99:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 2.21.189.233:80 | www.microsoft.com | Akamai International B.V. | GB | whitelisted
- | - | 2.21.189.233:80 | www.microsoft.com | Akamai International B.V. | GB | whitelisted
5496 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.74.110 | whitelisted
crl.microsoft.com | 2.17.251.99 | whitelisted
www.microsoft.com | 2.21.189.233 | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted
login.live.com | 20.231.128.65 | whitelisted
ocsp.digicert.com | 23.210.252.238 | whitelisted
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
slscr.update.microsoft.com | 20.12.23.50 | whitelisted
fe3cr.delivery.mp.microsoft.com | 2603:1030:408:7::3d | whitelisted
d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa | - | unknown

Threats

No threats detected
No debug info