File name:

44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe

Full analysis: https://app.any.run/tasks/af92e5e0-2446-43d8-8bbf-7eb17bdf22a0
Verdict: Malicious activity
Analysis date: February 23, 2026, 06:41:41
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
pastebin
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

C8EB54347831ECAC1BE327A5CF0C253A

SHA1:

C184470C532960F37DD8028F8FC3C30B178ACCD3

SHA256:

44D52A6523FC9ECF5ABD8655E6FABA0A608BB8AF961AE96A15019D47A434315E

SSDEEP:

192:o2dfAtV1R0qVFFR/tW+FpkfEQLzDl1E/kgHk79jwTK:KROcQLz51E8GkpjwT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe (PID: 6216)
      • winhost.exe (PID: 7036)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe (PID: 6216)
    • Executable content was dropped or overwritten

      • 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe (PID: 6216)
    • Reads the Internet Settings

      • 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe (PID: 6216)
      • pingsender.exe (PID: 956)
      • winhost.exe (PID: 7036)
    • The process executes via Task Scheduler

      • default-browser-agent.exe (PID: 6664)
    • Loads DLL from Mozilla Firefox

      • default-browser-agent.exe (PID: 6664)
      • pingsender.exe (PID: 956)
    • Reads settings of System Certificates

      • winhost.exe (PID: 7036)
      • pingsender.exe (PID: 956)
      • 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe (PID: 6216)
  • INFO

    • Reads the computer name

      • 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe (PID: 6216)
      • pingsender.exe (PID: 956)
      • winhost.exe (PID: 7036)
    • Checks supported languages

      • 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe (PID: 6216)
      • default-browser-agent.exe (PID: 6664)
      • pingsender.exe (PID: 956)
      • winhost.exe (PID: 7036)
    • Creates files or folders in the user directory

      • 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe (PID: 6216)
      • pingsender.exe (PID: 956)
    • Launching a file from a Registry key

      • 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe (PID: 6216)
      • winhost.exe (PID: 7036)
    • Reads the machine GUID from the registry

      • 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe (PID: 6216)
      • winhost.exe (PID: 7036)
      • pingsender.exe (PID: 956)
    • Disables trace logs

      • 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe (PID: 6216)
      • winhost.exe (PID: 7036)
    • Checks proxy server information

      • 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe (PID: 6216)
      • winhost.exe (PID: 7036)
      • pingsender.exe (PID: 956)
    • Reads Environment values

      • 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe (PID: 6216)
    • Application launched itself

      • firefox.exe (PID: 4952)
      • firefox.exe (PID: 7008)
    • Manual execution by a user

      • cmd.exe (PID: 1048)
      • winhost.exe (PID: 7036)
    • Drops script file

      • firefox.exe (PID: 7008)
    • Reads security settings of Internet Explorer

      • pingsender.exe (PID: 956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2090:12:15 04:51:46+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 8704
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x4006
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: Serivce_Handler
FileVersion: 1.0.0.0
InternalName: Serivce_Handler.exe
LegalCopyright: Copyright © 2026
LegalTrademarks: -
OriginalFileName: Serivce_Handler.exe
ProductName: Serivce_Handler
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes
118
Monitored processes
10
Malicious processes
0
Suspicious processes
2

Behavior graph

Processes in the graph (processes marked "no specs" raised no indicators):
  • 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe
  • svchost.exe
  • winhost.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • default-browser-agent.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe
  • pingsender.exe
  • firefox.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 956
CMD: "C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/default-browser-agent/default-browser/1/7920CCB7-A543-45D2-8952-8ED69E25654E "C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Pending Pings\7920CCB7-A543-45D2-8952-8ED69E25654E"
Path: C:\Program Files\Mozilla Firefox\pingsender.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Foundation
Integrity Level:
MEDIUM
Exit code:
0
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\pingsender.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
PID: 1048
CMD: C:\Windows\System32\cmd.exe /c 1
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 1632
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 1736
CMD: C:\Windows\system32\svchost.exe -k NetworkService -p
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 3304
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -prefsHandle 1788 -prefsLen 24143 -prefMapHandle 1792 -prefMapSize 268993 -ipcHandle 1868 -initialChannelId {13832ef4-3f22-4196-927e-f8ef45ab3ffc} -parentPid 7008 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7008" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 socket
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
PID: 4952
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent do-task 308046B0AF4A39CB
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: default-browser-agent.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\windows\system32\bcrypt.dll
PID: 6216
CMD: "C:\Users\admin\Downloads\44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe"
Path: C:\Users\admin\Downloads\44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Serivce_Handler
Version:
1.0.0.0
Modules
Images
c:\users\admin\downloads\44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
PID: 6664
CMD: "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task "308046B0AF4A39CB"
Path: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Parent process: svchost.exe
User:
admin
Company:
Mozilla Foundation
Integrity Level:
MEDIUM
Exit code:
0
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\default-browser-agent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcp_win.dll
PID: 7008
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent do-task 308046B0AF4A39CB
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
PID: 7036
CMD: "C:\Users\admin\AppData\Roaming\WinHost\winhost.exe"
Path: C:\Users\admin\AppData\Roaming\WinHost\winhost.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Serivce_Handler
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\winhost\winhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
Total events
3 861
Read events
3 819
Write events
42
Delete events
0

Modification events

(PID) Process: (6216) 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing
Operation: write
Name: EnableConsoleTracing
Value:
0

(PID) Process: (6216) 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: EnableFileTracing
Value:
0

(PID) Process: (6216) 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value:
0

(PID) Process: (6216) 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: EnableConsoleTracing
Value:
0

(PID) Process: (6216) 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (6216) 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (6216) 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: MaxFileSize
Value:
1048576

(PID) Process: (6216) 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: FileDirectory
Value:
%windir%\tracing

(PID) Process: (6216) 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
Operation: write
Name: EnableFileTracing
Value:
0

(PID) Process: (6216) 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value:
0
Executable files
1
Suspicious files
41
Text files
3
Unknown types
19

Dropped files

PID | Process | Filename | Type

6216 | 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe | C:\Users\admin\AppData\Roaming\WinHost\winhost.exe | executable
MD5: C8EB54347831ECAC1BE327A5CF0C253A
SHA256: 44D52A6523FC9ECF5ABD8655E6FABA0A608BB8AF961AE96A15019D47A434315E

7008 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\42yxmsvg.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\datareporting\glean\events\background-update | text
MD5: 2A5ED167F9C7D789232602EC7F09F23C
SHA256: F53D8003AF044DB6931DD72F9A550A105A2C12B91A02E80351E614EB05F1BFAF

7008 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\42yxmsvg.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\datareporting\glean\tmp\74232a03-e01e-40cb-b93c-bf05838337d5 | text
MD5: 1064B7A6B77EC4EE98C47B8DEC85CDDE
SHA256: 36C53A403B7CA44C246BB5D8CD3FA2E229D9C5F790C0E2A709D28A311FCE0357

7008 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\42yxmsvg.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\datareporting\glean\db\data.safe.tmp | binary
MD5: B8E91BFC703B31F77601E9F31A7B21C0
SHA256: C3A624A3F4EEA2B1E2DD6DE6598A9EDCCB4795AB065B74B73F162AF2C848BE06

7008 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\42yxmsvg.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\datareporting\glean\db\data.safe.bin | binary
MD5: B8E91BFC703B31F77601E9F31A7B21C0
SHA256: C3A624A3F4EEA2B1E2DD6DE6598A9EDCCB4795AB065B74B73F162AF2C848BE06

7008 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\42yxmsvg.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\SiteSecurityServiceState.bin | binary
MD5: ADE941D31A37912AE52D4D4BB6A4CD55
SHA256: 7CC67689782B5569C4A76B771823E5D3FAD4022150B2658898F8693B05F065C1

7008 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\42yxmsvg.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\prefs-1.js | binary
MD5: C7EAA7FB32F79F823EA9720A2BCAD027
SHA256: 3E4E1BA91792934A6E157B8DA8FF0D0D2153118288D177EDE3AB69E5B4CCC0D5

7008 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Pending Pings\7920CCB7-A543-45D2-8952-8ED69E25654E | binary
MD5: 60468FEE00FA4656B255357D2DC00F5B
SHA256: 9E18C181E7E4ABB17DE95A6589822C78DC43A265E5FD4CE3981BCFAF8DBE42E6

7008 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\42yxmsvg.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\prefs.js | binary
MD5: C7EAA7FB32F79F823EA9720A2BCAD027
SHA256: 3E4E1BA91792934A6E157B8DA8FF0D0D2153118288D177EDE3AB69E5B4CCC0D5

956 | pingsender.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\59D76868C250B3240414CE3EFBB12518_02F238D737DDE39558F0B4A5EF423834 | binary
MD5: D3F4962110B9E1C488DEB84BCF340189
SHA256: CA3400CAF4660D9F94532F5DBD2FDA2005BAC527C112E59A1C5EC98A78129961
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
28
TCP/UDP connections
22
DNS requests
21
Threats
7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4080 | svchost.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7fd7302d7c852bb7 | unknown | - | - | unknown
2332 | svchost.exe | HEAD | 200 | 23.212.222.21:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | - | - | whitelisted
4080 | svchost.exe | GET | 200 | 23.63.118.230:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | unknown | - | - | whitelisted
6216 | 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe | GET | 200 | 172.66.171.73:443 | https://pastebin.com/raw/iSRu3Xjx | unknown | text | 54 b | unknown
7036 | winhost.exe | GET | 200 | 172.66.171.73:443 | https://pastebin.com/raw/iSRu3Xjx | unknown | text | 54 b | unknown
3292 | OfficeClickToRun.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1aa5685ae19092ee | unknown | - | - | unknown
1380 | svchost.exe | GET | 200 | 2.18.64.200:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | - | - | unknown
3292 | OfficeClickToRun.exe | GET | 200 | 23.63.118.230:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | - | - | whitelisted
6216 | 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe | GET | 200 | 172.66.171.73:443 | https://pastebin.com/raw/iSRu3Xjx | unknown | text | 54 b | unknown
956 | pingsender.exe | POST | 200 | 34.120.208.123:443 | https://incoming.telemetry.mozilla.org/submit/default-browser-agent/default-browser/1/7920CCB7-A543-45D2-8952-8ED69E25654E | unknown | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 52.110.17.21:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 192.168.100.255:137 | - | Not routed | - | whitelisted
- | - | 40.126.32.72:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4080 | svchost.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted
4080 | svchost.exe | 23.63.118.230:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
1380 | svchost.exe | 2.18.64.212:80 | - | AKAMAI-ASN1 | NL | whitelisted
6216 | 44d52a6523fc9ecf5abd8655e6faba0a608bb8af961ae96a15019d47a434315e.exe | 172.66.171.73:443 | pastebin.com | CLOUDFLARENET | US | whitelisted
7036 | winhost.exe | 172.66.171.73:443 | pastebin.com | CLOUDFLARENET | US | whitelisted
3292 | OfficeClickToRun.exe | 13.89.178.26:443 | self.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3292 | OfficeClickToRun.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted

DNS requests

Domain
IP
Reputation
officeclient.microsoft.com
  • 52.110.17.21
  • 52.110.17.69
  • 52.110.17.26
  • 52.110.17.47
  • 52.110.17.28
  • 52.110.17.45
  • 52.110.17.43
  • 52.110.17.61
whitelisted
login.live.com
  • 40.126.32.72
  • 40.126.32.133
  • 40.126.32.136
  • 20.190.160.4
  • 40.126.32.68
  • 20.190.160.5
  • 20.190.160.131
  • 20.190.160.20
whitelisted
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
ocsp.digicert.com
  • 23.63.118.230
whitelisted
google.com
  • 142.250.201.78
whitelisted
pastebin.com
  • 172.66.171.73
  • 104.20.29.150
whitelisted
mph-insulin-pull-currencies.trycloudflare.com
unknown
self.events.data.microsoft.com
  • 13.89.178.26
whitelisted
incoming.telemetry.mozilla.org
  • 34.120.208.123
whitelisted
telemetry-incoming.r53-2.services.mozilla.com
  • 34.120.208.123
whitelisted

Threats

PID | Process | Class | Message
1736 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage
1736 | svchost.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Cloudflare Tunneling Service observed (.trycloudflare .com)
1380 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test
1736 | svchost.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Cloudflare Tunneling Service observed (.trycloudflare .com)
1736 | svchost.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Cloudflare Tunneling Service observed (.trycloudflare .com)
1736 | svchost.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Cloudflare Tunneling Service observed (.trycloudflare .com)
1736 | svchost.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Cloudflare Tunneling Service observed (.trycloudflare .com)
No debug info