| File name: | decrypt.exe |
| Full analysis: | https://app.any.run/tasks/88835dc9-c6da-4b42-a2d1-5eb4bc0f833a |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | December 29, 2024, 21:14:48 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (console) Intel 80386, for MS Windows, 6 sections |
| MD5: | 0A08CC3661A39DEFCDC182ACF62E17E5 |
| SHA1: | 580CCC43274151726405797779500F4FE9A0069C |
| SHA256: | DB433F673EEACD8E905CCA9EF3B283D30C466AB6AFDE31E53373197EE5D197FD |
| SSDEEP: | 98304:TNYKXTIbUZOd58J7xCNLqvpoog+BZwEzP12NjPqmBporVv27TMQr/2EFOM5Z6lGA:7OtU+GmlR0EoX1D2+TS6NVJFqtkv |
MALICIOUS
Steals credentials from Web Browsers
- system15627a17808b7546c (PID: 6912)
Actions looks like stealing of personal data
- system15627a17808b7546c (PID: 6912)
SUSPICIOUS
Hides command output
- cmd.exe (PID: 6260)
- cmd.exe (PID: 628)
Starts CMD.EXE for commands execution
- decrypt.exe (PID: 4976)
- decrypt.exe (PID: 1224)
- system15627a17808b7546c (PID: 6912)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 6260)
- cmd.exe (PID: 628)
- system15627a17808b7546c (PID: 6912)
Executable content was dropped or overwritten
- decrypt.exe (PID: 4976)
- system15627a17808b7546c (PID: 6196)
- decrypt.exe (PID: 1224)
- system15627a17808b7546c (PID: 6880)
Starts process via Powershell
- powershell.exe (PID: 3688)
- powershell.exe (PID: 5652)
Starts application with an unusual extension
- powershell.exe (PID: 3688)
- system15627a17808b7546c (PID: 6196)
- powershell.exe (PID: 5652)
- system15627a17808b7546c (PID: 6880)
Process drops python dynamic module
- system15627a17808b7546c (PID: 6196)
- system15627a17808b7546c (PID: 6880)
The process drops C-runtime libraries
- system15627a17808b7546c (PID: 6196)
- system15627a17808b7546c (PID: 6880)
Process drops legitimate windows executable
- system15627a17808b7546c (PID: 6196)
- system15627a17808b7546c (PID: 6880)
Application launched itself
- system15627a17808b7546c (PID: 6196)
- system15627a17808b7546c (PID: 6880)
Loads Python modules
- system15627a17808b7546c (PID: 1684)
- system15627a17808b7546c (PID: 6912)
Searches for installed software
- system15627a17808b7546c (PID: 6912)
Uses WMIC.EXE
- cmd.exe (PID: 6928)
- cmd.exe (PID: 6224)
- cmd.exe (PID: 1460)
- cmd.exe (PID: 6148)
Uses WMIC.EXE to obtain computer system information
- cmd.exe (PID: 2380)
- cmd.exe (PID: 6468)
- cmd.exe (PID: 4592)
- cmd.exe (PID: 1064)
There is functionality for taking screenshot (YARA)
- system15627a17808b7546c (PID: 6912)
INFO
Reads the software policy settings
- SearchApp.exe (PID: 5064)
Reads the machine GUID from the registry
- SearchApp.exe (PID: 5064)
- system15627a17808b7546c (PID: 1684)
- system15627a17808b7546c (PID: 6912)
Checks supported languages
- decrypt.exe (PID: 6564)
- SearchApp.exe (PID: 5064)
- decrypt.exe (PID: 5696)
- decrypt.exe (PID: 6012)
- decrypt.exe (PID: 4976)
- decrypt.exe (PID: 5872)
- system15627a17808b7546c (PID: 6196)
- system15627a17808b7546c (PID: 1684)
- decrypt.exe (PID: 1224)
- system15627a17808b7546c (PID: 6880)
- system15627a17808b7546c (PID: 6912)
Process checks computer location settings
- SearchApp.exe (PID: 5064)
Create files in a temporary directory
- decrypt.exe (PID: 4976)
- system15627a17808b7546c (PID: 6196)
- system15627a17808b7546c (PID: 1684)
- decrypt.exe (PID: 1224)
- system15627a17808b7546c (PID: 6880)
- system15627a17808b7546c (PID: 6912)
Manual execution by a user
- cmd.exe (PID: 5200)
The executable file from the user directory is run by the Powershell process
- system15627a17808b7546c (PID: 6196)
- system15627a17808b7546c (PID: 6880)
Reads the computer name
- system15627a17808b7546c (PID: 6196)
- system15627a17808b7546c (PID: 1684)
- system15627a17808b7546c (PID: 6880)
- system15627a17808b7546c (PID: 6912)
The sample compiled with english language support
- system15627a17808b7546c (PID: 6196)
- system15627a17808b7546c (PID: 6880)
Checks proxy server information
- system15627a17808b7546c (PID: 1684)
- system15627a17808b7546c (PID: 6912)
PyInstaller has been detected (YARA)
- system15627a17808b7546c (PID: 6912)
- system15627a17808b7546c (PID: 6880)
The process uses the downloaded file
- powershell.exe (PID: 5432)
- powershell.exe (PID: 7100)
- powershell.exe (PID: 6496)
- powershell.exe (PID: 2432)
- powershell.exe (PID: 236)
- powershell.exe (PID: 3988)
Reads security settings of Internet Explorer
- WMIC.exe (PID: 4336)
- WMIC.exe (PID: 1200)
- WMIC.exe (PID: 2632)
- WMIC.exe (PID: 6456)
- WMIC.exe (PID: 2976)
- WMIC.exe (PID: 3288)
- WMIC.exe (PID: 3172)
- WMIC.exe (PID: 5040)
Creates files or folders in the user directory
- system15627a17808b7546c (PID: 6912)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:12:25 19:41:16+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14 |
| CodeSize: | 95744 |
| InitializedDataSize: | 17028608 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1b19 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
Total processes
159
Monitored processes
40
Malicious processes
5
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 236 | powershell.exe "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName FirewallProduct" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | — | system15627a17808b7546c | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 628 | C:\WINDOWS\system32\cmd.exe /c powershell.exe "Start-Process -FilePath \"C:\Users\admin\AppData\Local\Temp\system15627a17808b7546c\" -NoNewWindow -ArgumentList '--safetorun','-x','--channel=1','-a' | Wait-Process" 2>nul | C:\Windows\SysWOW64\cmd.exe | — | decrypt.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1064 | C:\WINDOWS\system32\cmd.exe /c "WMIC COMPUTERSYSTEM GET HypervisorPresent" | C:\Windows\SysWOW64\cmd.exe | — | system15627a17808b7546c | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1200 | wmic datafile where name="C:\\Program Files\\Mozilla Firefox\\firefox.exe" get Version /value | C:\Windows\SysWOW64\wbem\WMIC.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1224 | decrypt.exe --safetorun -x --channel=1 -a | C:\Users\admin\Desktop\decrypt.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1460 | C:\WINDOWS\system32\cmd.exe /c "wmic datafile where name="C:\\Program Files\\Mozilla Firefox\\firefox.exe" get Version /value" | C:\Windows\SysWOW64\cmd.exe | — | system15627a17808b7546c | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1684 | "C:\Users\admin\AppData\Local\Temp\system15627a17808b7546c" --safetorun -a | C:\Users\admin\AppData\Local\Temp\system15627a17808b7546c | system15627a17808b7546c | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 101 Modules
| |||||||||||||||
| 2380 | C:\WINDOWS\system32\cmd.exe /c "WMIC COMPUTERSYSTEM GET HypervisorPresent" | C:\Windows\SysWOW64\cmd.exe | — | system15627a17808b7546c | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2432 | powershell.exe "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName FirewallProduct" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | — | system15627a17808b7546c | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2632 | wmic datafile where name="C:\\Program Files\\Mozilla Firefox\\firefox.exe" get Version /value | C:\Windows\SysWOW64\wbem\WMIC.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
43 573
Read events
43 486
Write events
85
Delete events
2
Modification events
| (PID) Process: | (5064) SearchApp.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com |
| Operation: | write | Name: | Total |
Value: 929 | |||
| (PID) Process: | (5064) SearchApp.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings |
| Operation: | write | Name: | SafeSearchMode |
Value: 1 | |||
| (PID) Process: | (5064) SearchApp.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings |
| Operation: | write | Name: | IsMSACloudSearchEnabled |
Value: 0 | |||
| (PID) Process: | (5064) SearchApp.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings |
| Operation: | write | Name: | IsAADCloudSearchEnabled |
Value: 0 | |||
| (PID) Process: | (5064) SearchApp.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Flighting |
| Operation: | write | Name: | CachedFeatureString |
Value: | |||
| (PID) Process: | (5064) SearchApp.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com |
| Operation: | write | Name: | Total |
Value: 949 | |||
| (PID) Process: | (5064) SearchApp.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com |
| Operation: | write | Name: | Total |
Value: 1480 | |||
| (PID) Process: | (5064) SearchApp.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\A1hdl50UVDh2ZbG324Nx-6fZgntcGnHOs5kHLdmaJYE\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\Recognizers |
| Operation: | write | Name: | DefaultTokenId |
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN | |||
| (PID) Process: | (5064) SearchApp.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search |
| Operation: | write | Name: | CortanaStateLastRun |
Value: F0BB716700000000 | |||
| (PID) Process: | (5064) SearchApp.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Flighting |
| Operation: | delete value | Name: | CachedFeatureString |
Value: | |||
Executable files
110
Suspicious files
97
Text files
300
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5064 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres | binary | |
MD5:93C32BDF02E45ADDD57894F5EF1A98F6 | SHA256:7174F28B860EC5AB4D92BB98F751A86A77DB8B41DD42C08E1AC024D620E3A415 | |||
| 5064 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\95d9a2a97a42f02325559b453ba7f8fe839baa18.tbres | binary | |
MD5:BE251468E77E9391F3E434D0DC5F31F8 | SHA256:DF17FDE97858E949AD9C9CC0C0D37839AFE129D19F35A11B61FCD89E3FC08908 | |||
| 5064 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZWUI0EBX\www.bing[1].xml | text | |
MD5:07B7A1C7CF1D5517B211CD0961931320 | SHA256:841024DB591A19AFFF04F0D18F8129A5FBE034D75051506686ED0F7457894E5D | |||
| 5064 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\EDR6aHlON56kRFUYoTu1poTQKHc.br[1].js | binary | |
MD5:CB035F15ED6E8CAB42F08C38CFA49F81 | SHA256:89C859D7DF60C8350DAF9F664FFBB76B01DCCFAED8FDBCBAB2B4B4FA76A09C15 | |||
| 5064 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\-iNIzuEypRdgRJ6xnyVHizZ3bpM.br[1].js | binary | |
MD5:E86ABEFE45E62F7E2F865D8A344D0B6F | SHA256:5D54790C856CE13811590E18AC3B0ACEEFEFB61258852490F4C5C60748365E89 | |||
| 5064 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\7XBzB16ObKtasF8Ix3Tevt1o800.br[1].js | binary | |
MD5:42AF14A7DAD6B53FE392281B9891FC08 | SHA256:7FCA491171B5328996521C4203EA308C205439218EFBD755433E9A6A7868BAC8 | |||
| 5064 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\I6nommjaUrH5K7RnL_cFpH5R7jM[1].css | text | |
MD5:C1AC4CCA38EA836717738D7CF72B45B9 | SHA256:E4C0BF089E674482FA2FE7D558F64F9D3EBDD414EAED18908E34A6140D09B727 | |||
| 5064 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\QNBBNqWD9F_Blep-UqQSqnMp-FI[1].css | text | |
MD5:77373397A17BD1987DFCA2E68D022ECF | SHA256:A319AF2E953E7AFDA681B85A62F629A5C37344AF47D2FCD23AB45E1D99497F13 | |||
| 5064 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\_BjeFNPDJ-N9umMValublyrbq4Y[1].css | text | |
MD5:15DC838A1A66277F9F4D915124DFFBBC | SHA256:9C947D5F732431197DA9DB1F159CB3D4CDC5DBFE55FDC0A9513E571FF31236A1 | |||
| 5064 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\67\5qSqWyip_grL-s7BafaqI3Mrk9M.br[1].js | binary | |
MD5:23C987E711C002D4CA3CD02DEEDC9BBF | SHA256:A1C2F4C8CA6113EBDAC36F2C33D6CE19BCF2F4BD99EC06E8BA845E2B25B03322 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
77
DNS requests
31
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4300 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4300 | svchost.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
3928 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | — | — | whitelisted |
6680 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
6680 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
4300 | svchost.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4300 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1176 | svchost.exe | 40.126.32.72:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5064 | SearchApp.exe | 104.126.37.123:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.bing.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| unknown |
go.microsoft.com |
| whitelisted |
arc.msn.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |