File name:

WeModPatcher.exe

Full analysis: https://app.any.run/tasks/1c64f3e5-e059-4392-8986-dcc27ec5af51
Verdict: Malicious activity
Analysis date: May 18, 2025, 21:23:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
github
pastebin
arch-exec
arch-scr
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:

2D2B9C759730A8B30107748A3FDF9F09

SHA1:

229B793724849EBC236D1352D8ABAE6C825FE256

SHA256:

23EF62989C2210F05BD598C64EC995B96C381EE15FF78ECDD6225FB163C0A388

SSDEEP:

98304:40RcUTfCh2HVNYDly8O54AFy9iH1Md2AV3OeghbDE5CdXkVe1NpHHvpUyt80P36t:rB/wOs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WeModPatcher.exe (PID: 7516)
      • cmd.exe (PID: 7580)

    • Executing commands from a ".bat" file

      • WeModPatcher.exe (PID: 7516)

    • Drops 7-zip archiver for unpacking

      • WeModPatcher.exe (PID: 7516)

    • Execution of CURL command

      • cmd.exe (PID: 7580)

    • Application launched itself

      • cmd.exe (PID: 7580)

    • Starts NET.EXE to display or manage information about active sessions

      • cmd.exe (PID: 7580)
      • net.exe (PID: 7764)

    • Get information on the list of running processes

      • cmd.exe (PID: 8140)
      • cmd.exe (PID: 7580)
      • cmd.exe (PID: 6032)
      • cmd.exe (PID: 7696)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7580)
      • cmd.exe (PID: 6032)
      • cmd.exe (PID: 5800)
      • cmd.exe (PID: 5772)
      • cmd.exe (PID: 4560)
      • cmd.exe (PID: 7396)
      • cmd.exe (PID: 5512)
      • cmd.exe (PID: 7700)
      • cmd.exe (PID: 8140)
      • cmd.exe (PID: 7848)
      • cmd.exe (PID: 8084)
      • cmd.exe (PID: 4628)
      • cmd.exe (PID: 6392)
      • cmd.exe (PID: 5668)
      • cmd.exe (PID: 7460)
      • cmd.exe (PID: 7684)
      • cmd.exe (PID: 7640)
      • cmd.exe (PID: 2904)
      • cmd.exe (PID: 8068)
      • cmd.exe (PID: 3896)
      • cmd.exe (PID: 3956)
      • cmd.exe (PID: 6136)
      • cmd.exe (PID: 5408)
      • cmd.exe (PID: 2148)
      • cmd.exe (PID: 2692)
      • cmd.exe (PID: 6768)
      • cmd.exe (PID: 7436)
      • cmd.exe (PID: 6560)
      • cmd.exe (PID: 8072)
      • cmd.exe (PID: 2692)
      • cmd.exe (PID: 6820)
      • cmd.exe (PID: 7644)
      • cmd.exe (PID: 1764)
      • cmd.exe (PID: 1348)
      • cmd.exe (PID: 7464)
      • cmd.exe (PID: 1020)
      • cmd.exe (PID: 4988)
      • cmd.exe (PID: 7536)

    • Starts application with an unusual extension

      • cmd.exe (PID: 6564)
      • cmd.exe (PID: 7580)

    • Executes application which crashes

      • mshta.exe (PID: 5352)
      • mshta.exe (PID: 7020)
      • mshta.exe (PID: 7448)
      • mshta.exe (PID: 6540)
      • mshta.exe (PID: 7236)
      • mshta.exe (PID: 7656)
      • mshta.exe (PID: 904)
      • mshta.exe (PID: 2644)
      • mshta.exe (PID: 6424)
      • mshta.exe (PID: 7640)
      • mshta.exe (PID: 5360)
      • mshta.exe (PID: 4244)
      • mshta.exe (PID: 7756)
      • mshta.exe (PID: 8164)
      • mshta.exe (PID: 3024)
      • mshta.exe (PID: 7272)
      • mshta.exe (PID: 7552)
      • mshta.exe (PID: 7732)
      • mshta.exe (PID: 4728)
      • mshta.exe (PID: 1272)
      • mshta.exe (PID: 3884)
      • mshta.exe (PID: 3124)
      • mshta.exe (PID: 4724)
      • mshta.exe (PID: 7728)
      • mshta.exe (PID: 5244)
      • mshta.exe (PID: 236)
      • mshta.exe (PID: 7356)
      • mshta.exe (PID: 6988)
      • mshta.exe (PID: 5360)
      • mshta.exe (PID: 7412)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • mshta.exe (PID: 5352)
      • mshta.exe (PID: 7020)
      • mshta.exe (PID: 7640)

    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 5436)
      • WerFault.exe (PID: 7600)

  • INFO

    • The sample compiled with english language support

      • WeModPatcher.exe (PID: 7516)

    • Checks supported languages

      • WeModPatcher.exe (PID: 7516)
      • curl.exe (PID: 7616)
      • curl.exe (PID: 7676)
      • curl.exe (PID: 7732)
      • chcp.com (PID: 6744)
      • chcp.com (PID: 4976)
      • mode.com (PID: 2692)
      • chcp.com (PID: 1052)
      • chcp.com (PID: 4120)
      • chcp.com (PID: 7196)
      • chcp.com (PID: 3768)

    • Create files in a temporary directory

      • WeModPatcher.exe (PID: 7516)

    • Execution of CURL command

      • cmd.exe (PID: 7600)
      • cmd.exe (PID: 7660)
      • cmd.exe (PID: 7712)

    • Reads the computer name

      • curl.exe (PID: 7616)
      • curl.exe (PID: 7676)
      • curl.exe (PID: 7732)

    • Changes the display of characters in the console

      • cmd.exe (PID: 6564)
      • cmd.exe (PID: 7580)

    • Starts MODE.COM to configure console settings

      • mode.com (PID: 2692)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7880)

    • Checks proxy server information

      • mshta.exe (PID: 5352)
      • mshta.exe (PID: 7020)
      • mshta.exe (PID: 7640)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 5352)
      • mshta.exe (PID: 7020)
      • mshta.exe (PID: 7640)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 5436)
      • WerFault.exe (PID: 7600)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.2)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2019:07:30 08:52:08+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware
PEType: PE32+
LinkerVersion: 2.5
CodeSize: 92672
InitializedDataSize: 1956352
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
FileVersionNumber: 1.2.5.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: Debug, Pre-release, Private build
FileOS: Windows 16-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileVersion: 1.2.5.0
ProductVersion: 1.2.5
ProductName: WeModPatcher
OriginalFileName: WeModPatcher.bat
FileDescription: WeModPatcher
LegalCopyright: brunolee®
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
383
Monitored processes
223
Malicious processes
2
Suspicious processes
30

Behavior graph

Click at the process to see the details
start wemodpatcher.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs curl.exe cmd.exe no specs curl.exe cmd.exe no specs curl.exe net.exe no specs net1.exe no specs powershell.exe no specs sppextcomobj.exe no specs slui.exe cmd.exe no specs tasklist.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs chcp.com no specs chcp.com no specs mode.com no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs tasklist.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs slui.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs cmd.exe no specs mshta.exe werfault.exe no specs cmd.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
232C:\WINDOWS\system32\cmd.exe /c mshta.exe "C:\Users\admin\Downloads\Launcher.hta"C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225477
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
236mshta.exe "C:\Users\admin\Downloads\Launcher.hta"C:\Windows\System32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
3221225477
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
616chcp 850C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
616chcp 850C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
616chcp 850C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
632C:\WINDOWS\system32\WerFault.exe -u -p 4724 -s 1984C:\Windows\System32\WerFault.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll
664powershell -Command "(Get-FileHash Options.ini -Algorithm MD5).Hash"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
668chcp 850C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
728powershell -Command "(Get-FileHash Options.ini -Algorithm MD5).Hash"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
900C:\WINDOWS\system32\cmd.exe /c mshta.exe "C:\Users\admin\Downloads\Launcher.hta"C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225477
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
Total events
250 964
Read events
250 964
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
92
Text files
122
Unknown types
1

Dropped files

PID
Process
Filename
Type
7516WeModPatcher.exeC:\Users\admin\Downloads\Options.initext
MD5:83503A2A8B9F78CFFA4ED444885C4959
SHA256:E217B87EA4F57FA0FBF70BED27EDA1DA7FF3A4D3B7A989BF15B1261E6735387A
7516WeModPatcher.exeC:\Users\admin\Downloads\WeModPatcherToolscompressed
MD5:7D2DBEC2395D4CF262EAF10C9B944F4C
SHA256:43F2B4E8D63A62055E8A2CDF80C8809ED6A9FE1574141A9083CA998B65C7E082
7516WeModPatcher.exeC:\Users\admin\Downloads\lang\lang_es.initext
MD5:EFE851D125CBF4EA90D87CF1F469E331
SHA256:5D75679F3A5CD60EA5700C5F83AF9411D404B1A6077EB994D90597BDFE9855D9
7516WeModPatcher.exeC:\Users\admin\Downloads\lang\lang_de.initext
MD5:56F718D833D85B64D368A746CEC7D311
SHA256:9296A56AE3F33183E5DD78159EEDC14E7C55D58B6FF984D30480927F3491A0A6
7516WeModPatcher.exeC:\Users\admin\Downloads\lang\lang_en.initext
MD5:DA7F78CEA561177B4593E43E472B8A61
SHA256:5CE043FA53863E2FC94E42D72D870DA746D94CA5CDBC1E1F6FBD364681D69F26
7516WeModPatcher.exeC:\Users\admin\Downloads\lang\lang_fr.initext
MD5:EA19B7BB4D40D45A8F8A7DD1AC50F71B
SHA256:1C7F187AED0221D27937884A433425D351AA85CEB907F2CBD59794F2437E5801
7516WeModPatcher.exeC:\Users\admin\AppData\Local\Temp\B509.tmp\B50A.tmp\B50B.batbinary
MD5:A11E36537E59303FD2D217D30C310F21
SHA256:312EEF935DFB4A14D9997555C1921BE0EAD0AB209FEE2D655148C91C9A60EA0D
7812powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:342F72364612BD009B9931AF12BB6B23
SHA256:599378430E62D6358A093ADA5B1D7A7579D5158A88B601A6B20CE05D7ADB713E
6964powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xawef04c.vc2.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3140powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5sl5kw0f.2al.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
40
DNS requests
21
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4164
firefox.exe
GET
404
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
4164
firefox.exe
GET
404
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
4164
firefox.exe
GET
404
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
4164
firefox.exe
GET
404
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
4164
firefox.exe
GET
404
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
4164
firefox.exe
GET
404
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
7616
curl.exe
185.199.109.133:443
raw.githubusercontent.com
FASTLY
US
whitelisted
7676
curl.exe
172.65.251.78:443
gitlab.com
CLOUDFLARENET
US
whitelisted
7732
curl.exe
104.22.68.199:443
pastebin.com
CLOUDFLARENET
whitelisted
2112
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4164
firefox.exe
34.107.221.82:80
detectportal.firefox.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 216.58.212.142
whitelisted
raw.githubusercontent.com
  • 185.199.109.133
  • 185.199.111.133
  • 185.199.108.133
  • 185.199.110.133
whitelisted
gitlab.com
  • 172.65.251.78
whitelisted
pastebin.com
  • 104.22.68.199
  • 104.22.69.199
  • 172.67.25.94
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
  • 2a01:111:f100:9001::1761:914d
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Online Pastebin Text Storage
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WeModPatcher.exe