File name: LEAN2.exe

Full analysis: https://app.any.run/tasks/93622120-8d3b-4820-9269-7605b497a5dc
Verdict: Malicious activity
Analysis date: April 28, 2025, 18:24:07
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386, for MS Windows, 4 sections
MD5: 3D09F62460483AADA89819F8F0E2809C
SHA1: 07045C1FF20A5E88F8EE27A8838EBB737C07B5D1
SHA256: BC1942B13230C5E1919683FF50E01D28D445913DA75A46CFC88EDB8D4BE7129E
SSDEEP: 768:Q0rFJcTxy3Uwk33HYrbR8orAu7EsxRYI7wwnMxo14ac9mg/6ApKF:jrrGg3O3cF8Ru7EsLC0Mxgcvtpe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • LEAN2.exe (PID: 7504)
    • Changes the autorun value in the registry

      • LEAN2.exe (PID: 7504)
    • Executing a file with an untrusted certificate

      • FileSyncConfig.exe (PID: 1460)
      • OneDrive.exe (PID: 5284)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • LEAN2.exe (PID: 7504)
    • Changes the desktop background image

      • LEAN2.exe (PID: 7504)
    • Process changes security settings for the VBA macro

      • LEAN2.exe (PID: 7504)
    • Reads Internet Explorer settings

      • LEAN2.exe (PID: 7504)
    • Executes application which crashes

      • StartMenuExperienceHost.exe (PID: 5528)
      • StartMenuExperienceHost.exe (PID: 7308)
    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 4120)
    • Application launched itself

      • ie4uinit.exe (PID: 5368)
      • setup.exe (PID: 5880)
      • setup.exe (PID: 5940)
      • setup.exe (PID: 6112)
      • OneDriveSetup.exe (PID: 532)
    • Uses RUNDLL32.EXE to load library

      • ie4uinit.exe (PID: 5480)
    • The process drops C-runtime libraries

      • OneDriveSetup.exe (PID: 6164)
    • Executable content was dropped or overwritten

      • OneDriveSetup.exe (PID: 6164)
    • Starts a Microsoft application from unusual location

      • OneDrive.exe (PID: 5284)
      • FileSyncConfig.exe (PID: 1460)
  • INFO

    • Process checks computer location settings

      • LEAN2.exe (PID: 7504)
    • Reads mouse settings

      • LEAN2.exe (PID: 7504)
    • Reads the computer name

      • LEAN2.exe (PID: 7504)
    • Checks supported languages

      • LEAN2.exe (PID: 7504)
    • Reads Microsoft Office registry keys

      • LEAN2.exe (PID: 7504)
    • Manual execution by a user

      • LEAN2.exe (PID: 7400)
      • LEAN2.exe (PID: 7572)
      • LEAN2.exe (PID: 1660)
      • hh.exe (PID: 7528)
      • notepad.exe (PID: 7884)
      • verclsid.exe (PID: 7228)
      • unregmp2.exe (PID: 5632)
      • chrmstp.exe (PID: 5664)
      • OneDriveSetup.exe (PID: 532)
      • setup.exe (PID: 5880)
      • wab.exe (PID: 7340)
      • fsquirt.exe (PID: 7256)
      • unregmp2.exe (PID: 5336)
      • ie4uinit.exe (PID: 5368)
    • Application launched itself

      • chrmstp.exe (PID: 5664)
      • chrmstp.exe (PID: 5772)
      • msedge.exe (PID: 4580)
    • The sample compiled with english language support

      • OneDriveSetup.exe (PID: 6164)
    • The sample compiled with chinese language support

      • OneDriveSetup.exe (PID: 6164)
    • The sample compiled with portuguese language support

      • OneDriveSetup.exe (PID: 6164)
No Malware configuration.

TRiD

.exe | Win16/32 Executable Delphi generic (34.1)
.exe | Generic Win/DOS Executable (32.9)
.exe | DOS Executable Generic (32.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:28 18:19:19+00:00
ImageFileCharacteristics: Executable, Bytes reversed lo, 32-bit
PEType: PE32
LinkerVersion: 2.18
CodeSize: 35328
InitializedDataSize: 4096
UninitializedDataSize: -
EntryPoint: 0x18b8
OSVersion: 1.11
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes: 403
Monitored processes: 48
Malicious processes: 2
Suspicious processes: 2

Behavior graph

start lean2.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe startmenuexperiencehost.exe werfault.exe no specs startmenuexperiencehost.exe werfault.exe no specs shellexperiencehost.exe werfault.exe no specs lean2.exe no specs conhost.exe no specs slui.exe lean2.exe no specs conhost.exe no specs lean2.exe no specs conhost.exe no specs rundll32.exe no specs hh.exe no specs notepad.exe no specs verclsid.exe no specs plugscheduler.exe no specs unregmp2.exe no specs ie4uinit.exe no specs ie4uinit.exe no specs rundll32.exe no specs unregmp2.exe no specs chrmstp.exe no specs chrmstp.exe no specs chrmstp.exe no specs chrmstp.exe no specs setup.exe no specs setup.exe no specs setup.exe no specs setup.exe no specs setup.exe no specs setup.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs fsquirt.exe no specs onedrivesetup.exe no specs onedrivesetup.exe wab.exe no specs filesyncconfig.exe no specs onedrive.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 532
CMD: "C:\Windows\SysWOW64\OneDriveSetup.exe" /thfirstsetup
Path: C:\Windows\SysWOW64\OneDriveSetup.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive (32 bit) Setup
Exit code: 0
Version: 19.043.0304.0013
Modules
Images
c:\windows\syswow64\onedrivesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 1132
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1164
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: LEAN2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1240
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: LEAN2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1460
CMD: "C:\Users\TEMP\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exe"
Path: C:\Users\TEMP\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exe
Parent process: OneDriveSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive Configuration Application
Exit code: 0
Version: 19.043.0304.0013
Modules
Images
c:\users\temp\appdata\local\microsoft\onedrive\19.043.0304.0013\filesyncconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1660
CMD: "C:\Users\admin\Desktop\LEAN2.exe"
Path: C:\Users\admin\Desktop\LEAN2.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\lean2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 2244
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 5528 -s 1636
Path: C:\Windows\System32\WerFault.exe
Parent process: StartMenuExperienceHost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll
PID: 4120
CMD: "C:\Program Files\RUXIM\PLUGscheduler.exe"
Path: C:\Program Files\RUXIM\PLUGScheduler.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Update LifeCycle Component Scheduler
Exit code: 0
Version: 10.0.19041.3623 (WinBuild.160101.0800)
Modules
Images
c:\program files\ruxim\plugscheduler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
PID: 4580
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --continue-active-setup
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5284
CMD: /setautostart /background
Path: C:\Users\TEMP\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Parent process: OneDriveSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive
Exit code: 2147943660
Version: 19.043.0304.0013
Modules
Images
c:\users\temp\appdata\local\microsoft\onedrive\onedrive.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
Total events: 331 603
Read events: 254 859
Write events: 69 082
Delete events: 7 662

Modification events

(PID) Process: (7504) LEAN2.exe
Key: HKEY_CURRENT_USER\AppEvents\EventLabels\MailBeep
Operation: write
Name: DispFileName
Value:
@m>>e..>nl,( <(I
(PID) Process: (7504) LEAN2.exe
Key: HKEY_CURRENT_USER\AppEvents\EventLabels\Maximize
Operation: write
Name: DispFileName
Value:
Sm;reaBdl6,T5=q|
(PID) Process: (7504) LEAN2.exe
Key: HKEY_CURRENT_USER\AppEvents\EventLabels\MenuCommand
Operation: write
Name: DispFileName
Value:
s\mFes.dtl7a5834
(PID) Process: (7504) LEAN2.exe
Key: HKEY_CURRENT_USER\AppEvents\EventLabels\MenuPopup
Operation: write
Name: DispFileName
Value:
:%N<esKd4+,-58P`
(PID) Process: (7504) LEAN2.exe
Key: HKEY_CURRENT_USER\AppEvents\EventLabels\MessageNudge
Operation: write
Name: DispFileName
Value:
@mD2?v.dll,-H}6l
(PID) Process: (7504) LEAN2.exe
Key: HKEY_CURRENT_USER\AppEvents\EventLabels\Minimize
Operation: write
Name: DispFileName
Value:
3Wmr0s.dll!(58N6
(PID) Process: (7504) LEAN2.exe
Key: HKEY_CURRENT_USER\AppEvents\EventLabels\MisrecoSound
Operation: write
Name: DispFileName
Value:
8C@\W*Lotws\SLstemUjXspeWhh\spee5hu%\sawnrhplT-556g
(PID) Process: (7504) LEAN2.exe
Key: HKEY_CURRENT_USER\AppEvents\EventLabels\MoveMenuItem
Operation: write
Name: DispFileName
Value:
@nefgamepzPl4^1j:22
(PID) Process: (7504) LEAN2.exe
Key: HKEY_CURRENT_USER\AppEvents\EventLabels\Navigating
Operation: write
Name: DispFileName
Value:
U(\?rame.dll$M[Q32-
(PID) Process: (7504) LEAN2.exe
Key: HKEY_CURRENT_USER\AppEvents\EventLabels\Notification.Looping.Alarm10
Operation: write
Name: DispFileName
Value:
\p%re_7tl%p-N897
Executable files: 223
Suspicious files: 121
Text files: 260
Unknown types: 1

Dropped files

PID: 2244
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Microsoft.Window_e71e7a5ae6399d62fa6eae82187c8e48167a6d_63f61128_eaa4ddb9-6fb1-4c5c-840b-241513dba1e6\Report.wer
MD5:
SHA256:
PID: 7152
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Microsoft.Window_e71e7a5ae6399d62fa6eae82187c8e48167a6d_63f61128_ef742c5b-e893-440f-8cf6-c74ada1dd0cb\Report.wer
MD5:
SHA256:
PID: 7960
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Microsoft.Window_fc777e5a44aed116d31747275a136cb01cab5bf3_961a8dc7_ef8146ef-7d5e-46b7-8246-f390080832c8\Report.wer
MD5:
SHA256:
PID: 7152
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER21CE.tmp.WERInternalMetadata.xml
Type: binary
MD5: C434A871A02684E8B37E889E7D2C56AC
SHA256: F463349BA0B955FB47AC62695808B29B18885F67C0D495C2CA30CF9DB72C399C
PID: 7960
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER43BE.tmp.WERInternalMetadata.xml
Type: binary
MD5: B92E8DDD17D56ABB5F203924FEE15EDD
SHA256: 1F55C69920E882B10A626003C196880B7EEBDB8146F2A8CE49C633E14988112D
PID: 2244
Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\StartMenuExperienceHost.exe.5528.dmp
Type: binary
MD5: 6AF5E4FAE51C39480D6DFAF8DEC946D5
SHA256: F1B79E87B6EA2B394BB66D9933EFBC02CAE9F6EA426BD97C166D6AB72E9C3694
PID: 7152
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER21EE.tmp.xml
Type: xml
MD5: 2FCBE7BB084231FE9A38855AA9B596E8
SHA256: 675B8A4EF9917E91863854F73AC406DB40AE8742276C5A6030E1675B814D2924
PID: 7960
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER43DE.tmp.xml
Type: xml
MD5: 72D0C7B5C8361EB3FED7BDF79E8B2575
SHA256: 7CF7A9281A3F943EF43D66967FC7BC5FD806A402DB211D9BBDAE8410A0F1F41D
PID: 4120
Process: PLUGScheduler.exe
Filename: C:\ProgramData\PLUG\Logs\RUXIMLog.048.etl
Type: binary
MD5: A23907B6FDD47DCABFDFD7CF2FCD7671
SHA256: 0C9C33FE9E984A2E5A70EBA51F36B9929A86199E424AF2F8080E1267B87DC970
PID: 4120
Process: PLUGScheduler.exe
Filename: C:\ProgramData\PLUG\Logs\RUXIMLog.049.etl
Type: binary
MD5: 5EA68411BF8E9EAF4621BAF73F61449E
SHA256: 9D4CA5A1D871F819C139A498BB910A63576C2FE6367853544F8D172D8B6EBFF7
HTTP(S) requests: 12
TCP/UDP connections: 59
DNS requests: 32
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.17.251.99:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.17.251.99:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.21.189.233:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4624
WerFault.exe
GET
200
2.21.189.233:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
23.210.252.238:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7216
SIHClient.exe
GET
200
2.21.189.233:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6028
backgroundTaskHost.exe
GET
200
23.210.252.238:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
7216
SIHClient.exe
GET
200
2.21.189.233:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6768
SearchApp.exe
GET
200
23.210.252.238:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
4624
WerFault.exe
GET
200
2.17.251.99:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 2.17.251.99:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 2.17.251.99:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 2.21.189.233:80 | www.microsoft.com | Akamai International B.V. | GB | whitelisted
- | - | 2.21.189.233:80 | www.microsoft.com | Akamai International B.V. | GB | whitelisted
5496 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.74.110 | whitelisted
crl.microsoft.com | 2.17.251.99 | whitelisted
www.microsoft.com | 2.21.189.233 | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted
login.live.com | 20.231.128.65 | whitelisted
ocsp.digicert.com | 23.210.252.238 | whitelisted
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
slscr.update.microsoft.com | 20.12.23.50 | whitelisted
fe3cr.delivery.mp.microsoft.com | 2603:1030:408:7::3d | whitelisted
d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa | - | unknown

Threats

No threats detected
No debug info