File name:

Client.exe

Full analysis: https://app.any.run/tasks/29470a76-7d3d-4849-b9ec-d3a8e474d26e
Verdict: Malicious activity
Threats:

LockBit, a ransomware variant, encrypts data on infected machines, demanding a ransom payment for decryption. Used in targeted attacks, It's a significant risk to organizations.

Malware Trends Tracker     >>>
Analysis date: November 04, 2023, 20:12:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
lockbit
ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

2B9A1B7A5E13B8672655D0A09CE50217

SHA1:

2B62DBB4EDBC5460BB42E790CA1A4BA7A4821362

SHA256:

F6C559C031B7B16B1EDF34B38E74B6BF3A7106CA34881D7F5C63B8E0D7AC3694

SSDEEP:

3072:sr85CS8+cKuGcaYYPhZyK0aGp0vH+rUTftHool3G+Ehgi3M1SBJhGvlfb9FDh5a7:k9S87iZOaGpWHSkhaYKJhq346VzQ3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Known privilege escalation attack

      • dllhost.exe (PID: 3584)

    • Drops the executable file immediately after the start

      • Client.exe (PID: 3440)
      • Client.exe (PID: 3828)

    • Renames files like ransomware

      • Client.exe (PID: 3828)

    • Steals credentials from Web Browsers

      • Client.exe (PID: 3828)

    • [YARA] LockBit is detected

      • Client.exe (PID: 3828)

    • Creates a writable file the system directory

      • printfilterpipelinesvc.exe (PID: 2196)
      • Client.exe (PID: 3828)

    • Actions looks like stealing of personal data

      • Client.exe (PID: 3440)
      • Client.exe (PID: 3828)

  • SUSPICIOUS

    • Reads the Internet Settings

      • Client.exe (PID: 3440)
      • C1E9.tmp (PID: 2056)
      • ONENOTE.EXE (PID: 1608)
      • rundll32.exe (PID: 3076)

    • Application launched itself

      • Client.exe (PID: 3204)
      • Client.exe (PID: 3844)

    • Write to the desktop.ini file (may be used to cloak folders)

      • Client.exe (PID: 3828)

    • Creates files like ransomware instruction

      • Client.exe (PID: 3828)

    • Reads browser cookies

      • Client.exe (PID: 3828)

    • Starts application with an unusual extension

      • Client.exe (PID: 3828)

    • Changes the desktop background image

      • Client.exe (PID: 3828)

    • Starts CMD.EXE for commands execution

      • C1E9.tmp (PID: 2056)

    • Reads settings of System Certificates

      • ONENOTE.EXE (PID: 1608)

    • Reads security settings of Internet Explorer

      • ONENOTE.EXE (PID: 1608)

    • Checks Windows Trust Settings

      • ONENOTE.EXE (PID: 1608)

  • INFO

    • Checks supported languages

      • Client.exe (PID: 3440)
      • Client.exe (PID: 3204)
      • Client.exe (PID: 3484)
      • wmpnscfg.exe (PID: 3556)
      • Client.exe (PID: 3844)
      • Client.exe (PID: 3828)
      • ONENOTE.EXE (PID: 1608)
      • C1E9.tmp (PID: 2056)
      • ONENOTEM.EXE (PID: 1836)
      • wmpnscfg.exe (PID: 1088)

    • Reads the computer name

      • Client.exe (PID: 3440)
      • Client.exe (PID: 3204)
      • Client.exe (PID: 3484)
      • wmpnscfg.exe (PID: 3556)
      • Client.exe (PID: 3844)
      • Client.exe (PID: 3828)
      • ONENOTE.EXE (PID: 1608)
      • C1E9.tmp (PID: 2056)
      • wmpnscfg.exe (PID: 1088)

    • Create files in a temporary directory

      • Client.exe (PID: 3440)
      • Client.exe (PID: 3828)
      • ONENOTE.EXE (PID: 1608)

    • Checks transactions between databases Windows and Oracle

      • Client.exe (PID: 3484)

    • Reads the machine GUID from the registry

      • Client.exe (PID: 3204)
      • Client.exe (PID: 3484)
      • wmpnscfg.exe (PID: 3556)
      • Client.exe (PID: 3844)
      • Client.exe (PID: 3828)
      • wmpnscfg.exe (PID: 1088)
      • ONENOTE.EXE (PID: 1608)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 3556)
      • wmpnscfg.exe (PID: 1088)
      • notepad.exe (PID: 2692)
      • rundll32.exe (PID: 956)
      • rundll32.exe (PID: 3076)

    • Creates files in the program directory

      • Client.exe (PID: 3828)

    • Creates files or folders in the user directory

      • Client.exe (PID: 3828)
      • printfilterpipelinesvc.exe (PID: 2196)
      • ONENOTE.EXE (PID: 1608)

    • Reads Environment values

      • ONENOTE.EXE (PID: 1608)

    • Dropped object may contain TOR URL's

      • Client.exe (PID: 3828)

    • Checks proxy server information

      • ONENOTE.EXE (PID: 1608)

    • Reads Microsoft Office registry keys

      • ONENOTE.EXE (PID: 1608)

    • Application launched itself

      • msedge.exe (PID: 3148)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (89.3)
.exe | Win32 Executable Delphi generic (4.8)
.dll | Win32 Dynamic Link Library (generic) (2.2)
.exe | Win32 Executable (generic) (1.5)
.exe | Win16/32 Executable Delphi generic (0.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:20 00:22:17+02:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x80e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
87
Monitored processes
37
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start client.exe client.exe no specs client.exe no specs CMSTPLUA no specs wmpnscfg.exe no specs client.exe no specs #LOCKBIT client.exe printfilterpipelinesvc.exe no specs c1e9.tmp no specs onenote.exe cmd.exe no specs onenotem.exe no specs wmpnscfg.exe no specs rundll32.exe no specs notepad.exe no specs rundll32.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
664"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3900 --field-trial-handle=1292,i,2996793529192232671,11966406071534438800,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
780"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4244 --field-trial-handle=1292,i,2996793529192232671,11966406071534438800,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
900"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3332 --field-trial-handle=1292,i,2996793529192232671,11966406071534438800,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
956"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Downloads\joinmsn.png.TdGeIqAUnC:\Windows\System32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
984"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~2\C1E9.tmp >> NULC:\Windows\System32\cmd.exeC1E9.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1088"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
1528"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4244 --field-trial-handle=1292,i,2996793529192232671,11966406071534438800,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1608/insertdoc "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{46BCBC9D-B8B1-4CC2-BD6A-28A0D2A35D18}.xps" 133436024234110000C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE
printfilterpipelinesvc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft OneNote
Exit code:
0
Version:
14.0.6022.1000
Modules
Images
c:\program files\microsoft office\office14\onenote.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1836/tsrC:\Program Files\Microsoft Office\Office14\ONENOTEM.EXEONENOTE.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft OneNote Quick Launcher
Exit code:
0
Version:
14.0.6015.1000
Modules
Images
c:\program files\microsoft office\office14\onenotem.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
2056"C:\ProgramData\C1E9.tmp"C:\ProgramData\C1E9.tmpClient.exe
User:
admin
Integrity Level:
HIGH
Exit code:
3221225547
Modules
Images
c:\programdata\c1e9.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
Total events
14 556
Read events
13 411
Write events
1 131
Delete events
14

Modification events

(PID) Process:(3440) Client.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3440) Client.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3440) Client.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3440) Client.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3584) dllhost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3584) dllhost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3584) dllhost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3584) dllhost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3556) wmpnscfg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{257E1F6E-0CA5-49FF-808D-3D8187CB48AE}\{6EC3734C-F564-4AFE-AA05-C395F0CD7292}
Operation:delete keyName:(default)
Value:
(PID) Process:(3556) wmpnscfg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{257E1F6E-0CA5-49FF-808D-3D8187CB48AE}
Operation:delete keyName:(default)
Value:
Executable files
66
Suspicious files
1 511
Text files
982
Unknown types
0

Dropped files

PID
Process
Filename
Type
3440Client.exeC:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\ose.exeexecutable
MD5:58B58875A50A0D8B5E7BE7D6AC685164
SHA256:2A0AA0763FDEF9C38C5DD4D50703F0C7E27F4903C139804EC75E55F8388139AE
3440Client.exeC:\MSOCache\All Users\{90140000-006E-0407-0000-0000000FF1CE}-C\dwtrig20.exeexecutable
MD5:CF6C595D3E5E9667667AF096762FD9C4
SHA256:593E60CC30AE0789448547195AF77F550387F6648D45847EA244DD0DD7ABF03D
3440Client.exeC:\Users\admin\AppData\Local\Temp\3582-490\Client.exeexecutable
MD5:035A441E07C7D7797CCCFC92A988E156
SHA256:F00B211B5F93E23409E9383930C79990949B3671B1C1E0DC00208BB1C8F1E10D
3440Client.exeC:\MSOCache\All Users\{90140000-006E-0407-0000-0000000FF1CE}-C\DW20.EXEexecutable
MD5:02EE6A3424782531461FB2F10713D3C1
SHA256:EAD58C483CB20BCD57464F8A4929079539D634F469B213054BF737D227C026DC
3440Client.exeC:\MSOCache\All Users\{90140000-006E-0410-0000-0000000FF1CE}-C\DW20.EXEexecutable
MD5:02EE6A3424782531461FB2F10713D3C1
SHA256:EAD58C483CB20BCD57464F8A4929079539D634F469B213054BF737D227C026DC
3440Client.exeC:\MSOCache\All Users\{90140000-006E-0411-0000-0000000FF1CE}-C\DW20.EXEexecutable
MD5:02EE6A3424782531461FB2F10713D3C1
SHA256:EAD58C483CB20BCD57464F8A4929079539D634F469B213054BF737D227C026DC
3440Client.exeC:\MSOCache\All Users\{90140000-006E-0410-0000-0000000FF1CE}-C\dwtrig20.exeexecutable
MD5:CF6C595D3E5E9667667AF096762FD9C4
SHA256:593E60CC30AE0789448547195AF77F550387F6648D45847EA244DD0DD7ABF03D
3440Client.exeC:\MSOCache\All Users\{90140000-006E-0411-0000-0000000FF1CE}-C\dwtrig20.exeexecutable
MD5:CF6C595D3E5E9667667AF096762FD9C4
SHA256:593E60CC30AE0789448547195AF77F550387F6648D45847EA244DD0DD7ABF03D
3440Client.exeC:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\setup.exeexecutable
MD5:566ED4F62FDC96F175AFEDD811FA0370
SHA256:E17CD94C08FC0E001A49F43A0801CEA4625FB9AEE211B6DFEBEBEC446C21F460
3440Client.exeC:\MSOCache\All Users\{90140000-006E-040C-0000-0000000FF1CE}-C\DW20.EXEexecutable
MD5:02EE6A3424782531461FB2F10713D3C1
SHA256:EAD58C483CB20BCD57464F8A4929079539D634F469B213054BF737D227C026DC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
34
DNS requests
43
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3140
msedge.exe
GET
302
2.19.246.123:80
http://go.microsoft.com/fwlink/?LinkId=57426&Ext=TdGeIqAUn
unknown
unknown
3140
msedge.exe
GET
301
2.16.164.123:80
http://shell.windows.com/fileassoc/fileassoc.asp?Ext=TdGeIqAUn
unknown
unknown
1608
ONENOTE.EXE
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D
unknown
binary
471 b
unknown
1608
ONENOTE.EXE
GET
200
67.27.234.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0456d18720ece402
unknown
compressed
4.66 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
2588
svchost.exe
239.255.255.250:1900
whitelisted
1608
ONENOTE.EXE
13.107.42.12:443
docs.live.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
1608
ONENOTE.EXE
67.27.234.126:80
ctldl.windowsupdate.com
LEVEL3
US
unknown
1608
ONENOTE.EXE
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
3140
msedge.exe
2.19.96.107:443
www.bing.com
unknown
3148
msedge.exe
239.255.255.250:1900
whitelisted
3140
msedge.exe
2.19.246.123:80
go.microsoft.com
AKAMAI-AS
DE
unknown

DNS requests

Domain
IP
Reputation
docs.live.net
  • 13.107.42.12
whitelisted
ctldl.windowsupdate.com
  • 67.27.234.126
  • 8.253.95.249
  • 8.241.11.254
  • 67.27.233.254
  • 67.27.159.126
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 2.19.246.123
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
nav-edge.smartscreen.microsoft.com
  • 20.105.95.163
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
shell.windows.com
  • 2.16.164.123
  • 2.16.164.16
whitelisted
data-edge.smartscreen.microsoft.com
  • 20.105.95.163
whitelisted
www.bing.com
  • 2.19.96.107
  • 2.19.96.83
  • 2.19.96.120
  • 2.19.96.128
  • 2.19.96.82
  • 2.19.96.90
  • 2.19.96.123
  • 2.19.96.88
  • 2.19.96.91
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Client.exe