File name:

bb2.zip

Full analysis: https://app.any.run/tasks/c85587f9-3782-4ebd-8204-b0e921374679
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: February 10, 2025, 12:15:08
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
obfuscated-js
ransomware
fody
golang
prince
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5:

558D7088D39A8C569C6289C5D185C730

SHA1:

142F3F2474E3145F16F3EA553B6430B3C9DB070F

SHA256:

BDFC66266A2A19FC3D5DCCEF3EEFE4C0EE928BA5B7ABAD60BC320218B2082FEA

SSDEEP:

98304:sL6Ag6GE0nkZIMLVqYIcZY1hILfZlWqZa3vszThm4v/dfQThF7b1/gfUQsV95jtm:Wj/tYvUt3SKx37qIfFH/QurYDc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6608)
    • RANSOMWARE has been detected

      • go3.exe (PID: 5528)
      • go3.exe (PID: 7908)
      • go3.exe (PID: 5112)
      • crazyhunter.exe (PID: 2124)
    • Renames files like ransomware

      • go3.exe (PID: 5528)
    • PRINCE has been detected (YARA)

      • go3.exe (PID: 5528)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 8176)
      • powershell.exe (PID: 4244)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 624)
  • SUSPICIOUS

    • The process executes via Task Scheduler

      • powershell.exe (PID: 5748)
    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 6608)
    • Creates file in the systems drive root

      • go3.exe (PID: 5528)
      • go3.exe (PID: 7908)
      • go3.exe (PID: 5112)
      • crazyhunter.exe (PID: 2124)
    • Detected use of alternative data streams (AltDS)

      • go3.exe (PID: 7908)
    • Probably download files using WebClient

      • go3.exe (PID: 5528)
      • go3.exe (PID: 7908)
      • go3.exe (PID: 5112)
      • crazyhunter.exe (PID: 2124)
    • Starts POWERSHELL.EXE for commands execution

      • go3.exe (PID: 5528)
      • go3.exe (PID: 7908)
      • go3.exe (PID: 5112)
      • crazyhunter.exe (PID: 2124)
    • Imports DLL using pinvoke

      • powershell.exe (PID: 5604)
      • powershell.exe (PID: 6496)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 1488)
      • csc.exe (PID: 7300)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 1488)
      • csc.exe (PID: 7300)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6608)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 6608)
    • Checks supported languages

      • go.exe (PID: 1228)
      • go.exe (PID: 6560)
      • go3.exe (PID: 5528)
      • go3.exe (PID: 7908)
      • go3.exe (PID: 5112)
      • csc.exe (PID: 1488)
      • cvtres.exe (PID: 5732)
      • crazyhunter.exe (PID: 2124)
      • csc.exe (PID: 7300)
      • cvtres.exe (PID: 5856)
    • Reads the computer name

      • go.exe (PID: 6560)
      • go.exe (PID: 1228)
    • Detects Fody packer (YARA)

      • powershell.exe (PID: 5748)
    • Creates files in the program directory

      • go3.exe (PID: 5528)
    • Creates files or folders in the user directory

      • go3.exe (PID: 5528)
    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 5748)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • go3.exe (PID: 5528)
      • go3.exe (PID: 7908)
      • go3.exe (PID: 5112)
      • crazyhunter.exe (PID: 2124)
    • Disables trace logs

      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 624)
    • Checks proxy server information

      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 624)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8176)
      • powershell.exe (PID: 4244)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 1488)
      • csc.exe (PID: 7300)
    • Create files in a temporary directory

      • csc.exe (PID: 1488)
      • cvtres.exe (PID: 5732)
      • cvtres.exe (PID: 5856)
      • csc.exe (PID: 7300)
    • Application based on Golang

      • go3.exe (PID: 5528)
    • Detects GO elliptic curve encryption (YARA)

      • go3.exe (PID: 5528)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:02:10 17:51:14
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: bb/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
207
Monitored processes
26
Malicious processes
5
Suspicious processes
4

Behavior graph

Click at the process to see the details
start winrar.exe rundll32.exe no specs powershell.exe conhost.exe no specs go.exe no specs go.exe no specs THREAT go3.exe no specs THREAT go3.exe no specs powershell.exe no specs conhost.exe no specs THREAT go3.exe no specs powershell.exe conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs csc.exe cvtres.exe no specs THREAT crazyhunter.exe no specs powershell.exe conhost.exe no specs powershell.exe no specs conhost.exe no specs csc.exe cvtres.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
624powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://ncmep.org/files/2023/05/ransomeware-01-1280x640.png', 'C:\Users\admin\AppData\Local\Temp\Wallpaper.png')"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
crazyhunter.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
1228"C:\Users\admin\Desktop\bb2\bb\go.exe" -helpC:\Users\admin\Desktop\bb2\bb\go.exepowershell.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\bb2\bb\go.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1488"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\lq25cm1d\lq25cm1d.cmdline"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
2124"C:\Users\admin\Desktop\bb2\bb\crazyhunter.exe" C:\Users\admin\Desktop\bb2\bb\crazyhunter.exe
powershell.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\bb2\bb\crazyhunter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
3532\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4244powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://ncmep.org/files/2023/05/ransomeware-01-1280x640.png', 'C:\Users\admin\AppData\Local\Temp\Wallpaper.png')"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exego3.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4264\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4444\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4864\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5112"C:\Users\admin\Desktop\bb2\bb\go3.exe" C:\Users\admin\Desktop\bb2\bb\go3.exe
powershell.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\bb2\bb\go3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll
Total events
39 911
Read events
39 877
Write events
21
Delete events
13

Modification events

(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\bb2.zip
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:15
Value:
(PID) Process:(6608) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:14
Value:
Executable files
10
Suspicious files
153
Text files
269
Unknown types
0

Dropped files

PID
Process
Filename
Type
6608WinRAR.exeC:\Users\admin\Desktop\bb2\bb\crazyhunter.sysbinary
MD5:906E89F6EB39919C6D12A660B68AE81F
SHA256:5316060745271723C9934047155DAE95A3920CB6343CA08C93531E1C235861BA
6608WinRAR.exeC:\Users\admin\Desktop\bb2\bb\ru.battext
MD5:F45CC69F74F75A707A02D26CCD912845
SHA256:D1081C77F37D080B4E8ECF6325D79E6666572D8AC96598FE65F9630DDA6EC1EC
6608WinRAR.exeC:\Users\admin\Desktop\bb2\bb\zam64.sysexecutable
MD5:2A3CE41BB2A7894D939FBD1B20DAE5A0
SHA256:2BBC6B9DD5E6D0327250B32305BE20C89B19B56D33A096522EE33F22D8C82FF1
5748powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V0O7JZP140EVRYA4EH3C.tempbinary
MD5:1F7FFA12CE4041D997B8151FD751537A
SHA256:26905B5F23756677FEF359BC6FC0236C330D82B83ED55AFC5AB0538F21474A4E
5748powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF142a4a.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
5748powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:1F7FFA12CE4041D997B8151FD751537A
SHA256:26905B5F23756677FEF359BC6FC0236C330D82B83ED55AFC5AB0538F21474A4E
5748powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5tviidka.0tw.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5748powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cbesfwd2.obp.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5748powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txttext
MD5:B02D8E5C54E7A6A81D09AF41F1F221FB
SHA256:AB52D6F4BE61649D1A214717161DBDF60330ED55BD1CB3C974F4F7FE5438A1FB
5748powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_i4hqgjwu.zev.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
37
TCP/UDP connections
75
DNS requests
77
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.72:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6532
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6532
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7008
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
2496
svchost.exe
HEAD
200
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e30939f9-8764-4977-9b5d-f865df373b71?P1=1739388086&P2=404&P3=2&P4=jCV3wQ4FkSpNjDk%2fKKPfODKft27ivOpbM4c%2fSkQG8diBdmhkuK3ByRW0EPxVd2bJJft442UQiR0b6ilw0xxdDw%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.72:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5064
SearchApp.exe
92.123.104.47:443
www.bing.com
Akamai International B.V.
DE
whitelisted
5064
SearchApp.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
4
System
192.168.100.255:137
whitelisted
1176
svchost.exe
20.190.160.5:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1176
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1076
svchost.exe
184.28.89.167:443
go.microsoft.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.164.72
  • 2.16.164.114
  • 2.16.164.24
  • 2.16.164.43
  • 2.16.164.120
  • 2.16.164.99
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.35.229.160
whitelisted
www.bing.com
  • 92.123.104.47
  • 92.123.104.53
  • 92.123.104.64
  • 92.123.104.63
  • 92.123.104.62
  • 92.123.104.43
  • 92.123.104.46
  • 92.123.104.58
  • 92.123.104.65
  • 92.123.104.41
  • 92.123.104.38
  • 92.123.104.59
  • 92.123.104.4
  • 92.123.104.66
  • 92.123.104.5
whitelisted
google.com
  • 216.58.206.46
whitelisted
ocsp.digicert.com
  • 184.30.131.245
  • 2.23.77.188
  • 2.17.190.73
whitelisted
login.live.com
  • 20.190.160.5
  • 20.190.160.4
  • 20.190.160.2
  • 20.190.160.22
  • 40.126.32.133
  • 40.126.32.138
  • 40.126.32.140
  • 40.126.32.134
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

No threats detected
No debug info