File name:

Trickbot.exe

Full analysis: https://app.any.run/tasks/fd900bf7-fa12-4926-8b96-953b410d1626
Verdict: Malicious activity
Threats:

TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage.

Malware Trends Tracker     >>>
Analysis date: November 17, 2025, 15:32:03
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
trickbot
banker
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

0B375E6B7E44D7C8488C4227E9344197

SHA1:

DD8753066EFC055DEA693F44627FD69C988DFC65

SHA256:

9FDEA40A9872A77335AE3B733A50F4D1E9F8EFF193AE84E36FB7E5802C481F72

SSDEEP:

12288:Zx1Q61iHsXYvfVpMODDawkCurdEtttYy7C62Vvyh7:ZXQUIsQpMsequrmGyiqh7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • TRICKBOT mutex has been found

      • svchost.exe (PID: 3100)
      • svchost.exe (PID: 3356)

    • Known privilege escalation attack

      • dllhost.exe (PID: 5684)

    • TRICKBOT has been detected (YARA)

      • svchost.exe (PID: 3356)

  • SUSPICIOUS

    • Starts itself from another location

      • Trickbot.exe (PID: 7096)

    • Executable content was dropped or overwritten

      • Trickbot.exe (PID: 7096)
      • svchost.exe (PID: 3100)

    • There is functionality for taking screenshot (YARA)

      • аНаоすは래별.exe (PID: 2576)

    • The process executes via Task Scheduler

      • аНаоすは래별.exe (PID: 5052)

    • Reads security settings of Internet Explorer

      • Trickbot.exe (PID: 7096)

    • Connects to unusual port

      • svchost.exe (PID: 3356)

  • INFO

    • Checks supported languages

      • Trickbot.exe (PID: 7096)
      • аНаоすは래별.exe (PID: 2576)
      • аНаоすは래별.exe (PID: 6376)
      • аНаоすは래별.exe (PID: 5052)
      • identity_helper.exe (PID: 6076)
      • SystemSettings.exe (PID: 4960)

    • The sample compiled with english language support

      • Trickbot.exe (PID: 7096)
      • svchost.exe (PID: 3100)

    • Reads the computer name

      • Trickbot.exe (PID: 7096)
      • аНаоすは래별.exe (PID: 2576)
      • аНаоすは래별.exe (PID: 6376)
      • аНаоすは래별.exe (PID: 5052)
      • identity_helper.exe (PID: 6076)
      • SystemSettings.exe (PID: 4960)

    • Reads the machine GUID from the registry

      • аНаоすは래별.exe (PID: 2576)
      • аНаоすは래별.exe (PID: 6376)
      • аНаоすは래별.exe (PID: 5052)
      • SystemSettings.exe (PID: 4960)

    • Creates files in the program directory

      • Trickbot.exe (PID: 7096)
      • аНаоすは래별.exe (PID: 5052)

    • Process checks computer location settings

      • Trickbot.exe (PID: 7096)

    • Reads the software policy settings

      • slui.exe (PID: 2312)
      • SystemSettings.exe (PID: 4960)

    • Checks proxy server information

      • slui.exe (PID: 2312)

    • Application launched itself

      • msedge.exe (PID: 3972)
      • chrome.exe (PID: 6156)

    • Reads Environment values

      • identity_helper.exe (PID: 6076)

    • Manual execution by a user

      • chrome.exe (PID: 6156)
      • msedge.exe (PID: 3972)

    • Reads Microsoft Office registry keys

      • SystemSettings.exe (PID: 4960)

    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 5684)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

TrickBot

(PID) Process(3356) svchost.exe
C2 (45)101.108.92.111:449
103.69.216.86:449
128.201.174.107:449
131.161.253.190:449
144.91.79.12:443
144.91.79.9:443
146.185.219.29:443
170.233.120.53:449
170.82.156.53:449
172.245.97.148:443
177.103.240.149:449
178.183.150.169:449
181.10.207.234:449
181.112.52.26:449
181.49.61.237:449
185.222.202.192:443
185.222.202.76:443
185.62.188.117:443
185.68.93.43:443
186.42.98.254:449
186.71.150.23:449
187.58.56.26:449
190.111.255.219:449
190.13.160.19:449
190.152.125.22:449
190.152.4.98:449
190.154.203.218:449
195.123.238.191:443
195.133.196.151:443
195.93.223.100:449
200.116.199.10:449
200.127.121.99:449
200.21.51.38:449
201.187.105.123:449
201.210.120.239:449
23.227.206.170:443
31.128.13.45:449
31.214.138.207:449
36.89.85.103:449
45.235.213.126:449
46.174.235.36:449
81.190.160.139:449
85.204.116.139:443
89.228.243.148:449
91.235.129.60:443
Options
Version1000480
Botnetono23
KeyRUNTMzAAAADzIIbbIE3wcze1+xiwwK+Au/P78UrAO8YAHyPvHEwGVKOPphl8QVfrC7x/QaFYeXANw6E4HF7ietEp+7ZVQdWOx8c+HvO0Z2PTUPVbX9HAVrg4h9u1RNfhOHk+YysDLsg=
Autorun
module
@namesysteminfo
@ctlGetSystemInfo
@namepwgrab
Strings (199)checkip.amazonaws.com
ipecho.net
ipinfo.io
api.ipify.org
icanhazip.com
myexternalip.com
wtfismyip.com
ip.anysrc.net
api.ipify.org
api.ip.sb
ident.me
www.myexternalip.com
/plain
/ip
/raw
/text
/?format=text
zen.spamhaus.org
cbl.abuseat.org
b.barracudacentral.org
dnsbl-1.uceprotect.net
spam.dnsbl.sorbs.net
path
not listed
listed
DNSBL
client is behind NAT
failed
NAT status
client is not behind NAT
tmp
0.0.0.0
/%s/%s/23/%d/
%u %u %u %u
settings.ini
SINJ
VERS
WantRelease
ModuleQuery
info
data
%s/%s/64/%s/%s/%s/
SeTcbPrivilege
GetProcAddress
kernel32.dll
\NuiGet
Win32 error
Start failed
Control failed
CI failed, 0x%x
--%s--
--%s Content-Disposition: form-data; name="%S"
Content-Type: multipart/form-data; boundary=%s Content-Length: %d
------Boundary%08X
50
cmd.exe
</Command> </Exec> </Actions> </Task>
</Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</Sta...
</UserId>
<UserId>
</StartBoundary> <Enabled>true</Enabled> </TimeTrigger> </Triggers> <Principals> <Principal id="Author">
%04d-%02d-%02dT%02d:%02d:%02d
<TimeTrigger> <Repetition> <Interval>PT11M</Interval> <Duration>P414DT11H23M</Duration> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <StartBoundary>
</LogonTrigger>
<LogonTrigger> <Enabled>true</Enabled>
</BootTrigger>
<BootTrigger> <Enabled>true</Enabled>
<?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Version>1.0.0</Version> <Author>AuthorName</Author> <Description>Download http service</Description> </RegistrationInfo> <Triggers>
<LogonType>InteractiveToken</LogonType> <RunLevel>LeastPrivilege</RunLevel>
<RunLevel>HighestAvailable</RunLevel> <GroupId>NT AUTHORITY\SYSTEM</GroupId> <LogonType>InteractiveToken</LogonType>
%s.%s
<moduleconfig>*</moduleconfig>
%s %s
%s sTart
SYSTEM
Download http service
TS_
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
ExitProcess
ResetEvent
CloseHandle
WaitForSingleObject
SignalObjectAndWait
/%s/%s/14/%s/%s/0/
%s%s
WTSQueryUserToken
WTSGetActiveConsoleSessionId
WTSFreeMemory
WTSEnumerateSessionsA
wtsapi32
noname
%s/%s/63/%s/%s/%s/%s/
explorer.exe
%d%d%d.
PROMPT
GET
data\
user
Release
FreeBuffer
Control
Start
LoadLibraryW
UrlEscapeW
shlwapi
/%s/%s/0/%s/%s/%s/%s/%s/
SignatureLength
ECCPUBLICBLOB
ECDSA_P384
/C cscript
Data\
Module is not valid
POST
winsta0\default
D:(A;;GA;;;WD)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;RC)
%s%s_configs\
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
%s.%s.%s.%s
svchost.exe
%02X
.tmp
/%s/%s/10/%s/%s/%d/
1075
ver.txt
spk
Microsoft Software Key Storage Provider
pIT NULL
Register u failed, 0x%x
Create xml2 failed
Register s failed, 0x%x
Create xml failed
pIT GetFolder failed, 0x%x
pIT connect failed, 0x%x
Windows Server 2008 R2
Windows Server 2008
Windows Server 2012 R2
Windows Server 2012
%s %s SP%d
x86
x64
Unknown
Windows 7
Windows 8.1
Windows 8
Windows XP
Windows 2000
Windows 10 Server
Windows Vista
Windows Server 2003
Windows 10
/%s/%s/5/%s/
/%s/%s/1/%s/
Run D failed
Create ZP failed
Load to P failed
Find P failed
Module has already been loaded
Launch USER failed
Load to M failed
exc
E: 0x%x A: 0x%p
Global\%08lX%04lX%lu
Global\First
S-1-5-18
autorun
Module already unloaded
working
Process has been finished
Process was unloaded
Unable to load module from server
GetParentInfo error
Decode from BASE64 error
Invalid params count
No params
delete
release
start
/%s/%s/25/%s/
OLEAUT32.dll
WINHTTP.dll
ncrypt.dll
CRYPT32.dll
SHLWAPI.dll
ADVAPI32.dll
bcrypt.dll
USERENV.dll
ntdll.dll
WS2_32.dll
SHELL32.dll
ole32.dll
IPHLPAPI.DLL
USER32.dll
B
A0
C
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:10:28 09:44:53+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 7.1
CodeSize: 163840
InitializedDataSize: 274432
UninitializedDataSize: -
EntryPoint: 0xeaf2
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: -
FileDescription: MfcTTT MFC Application
FileVersion: 1, 0, 0, 1
InternalName: MfcTTT
LegalCopyright: Copyright (C) 2002
LegalTrademarks: -
OriginalFileName: MfcTTT.EXE
ProductName: MfcTTT Application
ProductVersion: 1, 0, 0, 1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
189
Monitored processes
34
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start trickbot.exe анаоすは래별.exe no specs CMSTPLUA анаоすは래별.exe no specs #TRICKBOT svchost.exe slui.exe анаоすは래별.exe no specs #TRICKBOT svchost.exe msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs systemsettings.exe UIAutomationCrossBitnessHook32 Class no specs

Process information

PID
CMD
Path
Indicators
Parent process
1288"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2780,i,12200796301490742310,17409792086637911960,262144 --variations-seed-version --mojo-platform-channel-handle=2808 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
2028"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --disable-quic --onnx-enabled-for-ee --string-annotations --always-read-main-dll --field-trial-handle=4896,i,12200796301490742310,17409792086637911960,262144 --variations-seed-version --mojo-platform-channel-handle=5540 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
2292"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3560,i,12200796301490742310,17409792086637911960,262144 --variations-seed-version --mojo-platform-channel-handle=3708 /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
2312C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
2512"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=6816,i,12200796301490742310,17409792086637911960,262144 --variations-seed-version --mojo-platform-channel-handle=6684 /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
2576"C:\ProgramData\аНаоすは래별.exe" C:\ProgramData\аНаоすは래별.exeTrickbot.exe
User:
admin
Integrity Level:
MEDIUM
Description:
MfcTTT MFC Application
Exit code:
0
Version:
1, 0, 0, 1
2916"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=2372,i,3134611631851403099,9112915275772392106,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=2392 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
3028"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3804,i,3134611631851403099,9112915275772392106,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=3816 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
3100C:\WINDOWS\system32\svchost.exeC:\Windows\System32\svchost.exe
аНаоすは래별.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
3356C:\WINDOWS\system32\svchost.exeC:\Windows\System32\svchost.exe
аНаоすは래별.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
TrickBot
(PID) Process(3356) svchost.exe
C2 (45)101.108.92.111:449
103.69.216.86:449
128.201.174.107:449
131.161.253.190:449
144.91.79.12:443
144.91.79.9:443
146.185.219.29:443
170.233.120.53:449
170.82.156.53:449
172.245.97.148:443
177.103.240.149:449
178.183.150.169:449
181.10.207.234:449
181.112.52.26:449
181.49.61.237:449
185.222.202.192:443
185.222.202.76:443
185.62.188.117:443
185.68.93.43:443
186.42.98.254:449
186.71.150.23:449
187.58.56.26:449
190.111.255.219:449
190.13.160.19:449
190.152.125.22:449
190.152.4.98:449
190.154.203.218:449
195.123.238.191:443
195.133.196.151:443
195.93.223.100:449
200.116.199.10:449
200.127.121.99:449
200.21.51.38:449
201.187.105.123:449
201.210.120.239:449
23.227.206.170:443
31.128.13.45:449
31.214.138.207:449
36.89.85.103:449
45.235.213.126:449
46.174.235.36:449
81.190.160.139:449
85.204.116.139:443
89.228.243.148:449
91.235.129.60:443
Options
Version1000480
Botnetono23
KeyRUNTMzAAAADzIIbbIE3wcze1+xiwwK+Au/P78UrAO8YAHyPvHEwGVKOPphl8QVfrC7x/QaFYeXANw6E4HF7ietEp+7ZVQdWOx8c+HvO0Z2PTUPVbX9HAVrg4h9u1RNfhOHk+YysDLsg=
Autorun
module
@namesysteminfo
@ctlGetSystemInfo
@namepwgrab
Strings (199)checkip.amazonaws.com
ipecho.net
ipinfo.io
api.ipify.org
icanhazip.com
myexternalip.com
wtfismyip.com
ip.anysrc.net
api.ipify.org
api.ip.sb
ident.me
www.myexternalip.com
/plain
/ip
/raw
/text
/?format=text
zen.spamhaus.org
cbl.abuseat.org
b.barracudacentral.org
dnsbl-1.uceprotect.net
spam.dnsbl.sorbs.net
path
not listed
listed
DNSBL
client is behind NAT
failed
NAT status
client is not behind NAT
tmp
0.0.0.0
/%s/%s/23/%d/
%u %u %u %u
settings.ini
SINJ
VERS
WantRelease
ModuleQuery
info
data
%s/%s/64/%s/%s/%s/
SeTcbPrivilege
GetProcAddress
kernel32.dll
\NuiGet
Win32 error
Start failed
Control failed
CI failed, 0x%x
--%s--
--%s Content-Disposition: form-data; name="%S"
Content-Type: multipart/form-data; boundary=%s Content-Length: %d
------Boundary%08X
50
cmd.exe
</Command> </Exec> </Actions> </Task>
</Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</Sta...
</UserId>
<UserId>
</StartBoundary> <Enabled>true</Enabled> </TimeTrigger> </Triggers> <Principals> <Principal id="Author">
%04d-%02d-%02dT%02d:%02d:%02d
<TimeTrigger> <Repetition> <Interval>PT11M</Interval> <Duration>P414DT11H23M</Duration> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <StartBoundary>
</LogonTrigger>
<LogonTrigger> <Enabled>true</Enabled>
</BootTrigger>
<BootTrigger> <Enabled>true</Enabled>
<?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Version>1.0.0</Version> <Author>AuthorName</Author> <Description>Download http service</Description> </RegistrationInfo> <Triggers>
<LogonType>InteractiveToken</LogonType> <RunLevel>LeastPrivilege</RunLevel>
<RunLevel>HighestAvailable</RunLevel> <GroupId>NT AUTHORITY\SYSTEM</GroupId> <LogonType>InteractiveToken</LogonType>
%s.%s
<moduleconfig>*</moduleconfig>
%s %s
%s sTart
SYSTEM
Download http service
TS_
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
ExitProcess
ResetEvent
CloseHandle
WaitForSingleObject
SignalObjectAndWait
/%s/%s/14/%s/%s/0/
%s%s
WTSQueryUserToken
WTSGetActiveConsoleSessionId
WTSFreeMemory
WTSEnumerateSessionsA
wtsapi32
noname
%s/%s/63/%s/%s/%s/%s/
explorer.exe
%d%d%d.
PROMPT
GET
data\
user
Release
FreeBuffer
Control
Start
LoadLibraryW
UrlEscapeW
shlwapi
/%s/%s/0/%s/%s/%s/%s/%s/
SignatureLength
ECCPUBLICBLOB
ECDSA_P384
/C cscript
Data\
Module is not valid
POST
winsta0\default
D:(A;;GA;;;WD)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;RC)
%s%s_configs\
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
%s.%s.%s.%s
svchost.exe
%02X
.tmp
/%s/%s/10/%s/%s/%d/
1075
ver.txt
spk
Microsoft Software Key Storage Provider
pIT NULL
Register u failed, 0x%x
Create xml2 failed
Register s failed, 0x%x
Create xml failed
pIT GetFolder failed, 0x%x
pIT connect failed, 0x%x
Windows Server 2008 R2
Windows Server 2008
Windows Server 2012 R2
Windows Server 2012
%s %s SP%d
x86
x64
Unknown
Windows 7
Windows 8.1
Windows 8
Windows XP
Windows 2000
Windows 10 Server
Windows Vista
Windows Server 2003
Windows 10
/%s/%s/5/%s/
/%s/%s/1/%s/
Run D failed
Create ZP failed
Load to P failed
Find P failed
Module has already been loaded
Launch USER failed
Load to M failed
exc
E: 0x%x A: 0x%p
Global\%08lX%04lX%lu
Global\First
S-1-5-18
autorun
Module already unloaded
working
Process has been finished
Process was unloaded
Unable to load module from server
GetParentInfo error
Decode from BASE64 error
Invalid params count
No params
delete
release
start
/%s/%s/25/%s/
OLEAUT32.dll
WINHTTP.dll
ncrypt.dll
CRYPT32.dll
SHLWAPI.dll
ADVAPI32.dll
bcrypt.dll
USERENV.dll
ntdll.dll
WS2_32.dll
SHELL32.dll
ole32.dll
IPHLPAPI.DLL
USER32.dll
B
A0
C
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
8
Suspicious files
103
Text files
67
Unknown types
0

Dropped files

PID
Process
Filename
Type
3972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF19814c.TMP
MD5:
SHA256:
3972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
3972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF19815b.TMP
MD5:
SHA256:
3972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
3972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF19815b.TMP
MD5:
SHA256:
3972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF19815b.TMP
MD5:
SHA256:
3972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
3972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF19815b.TMP
MD5:
SHA256:
3972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
MD5:
SHA256:
3972msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
83
DNS requests
47
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4956
chrome.exe
GET
404
142.250.186.78:80
http://clients2.google.com/time/1/current?cup2key=8:F8FtOFcmThvOI8AqopU7ZjwEDV1ph4rknv2Jh_Cp_po&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
unknown
whitelisted
4912
msedge.exe
GET
404
150.171.27.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:DykMgHow9KSk98MciPqcuqqmCCgBwTPZoBaDUgxFJhI&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5596
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5524
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
412
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2540
slui.exe
4.154.209.85:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3356
svchost.exe
146.185.219.29:443
G-Core Labs S.A.
IL
unknown
3356
svchost.exe
172.245.97.148:443
AS-COLOCROSSING
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.206
whitelisted
activation-v2.sls.microsoft.com
  • 4.154.209.85
whitelisted
dns.msftncsi.com
  • 131.107.255.255
whitelisted
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted
config.edge.skype.com
  • 150.171.22.17
whitelisted
ntp.msn.com
  • 2.16.206.142
  • 2.16.206.146
whitelisted
copilot.microsoft.com
  • 2.16.204.141
  • 2.16.204.153
whitelisted
update.googleapis.com
  • 142.250.186.67
whitelisted
www.bing.com
  • 2.16.204.159
  • 2.16.204.153
  • 2.16.204.158
  • 2.16.204.146
  • 2.16.204.145
  • 2.16.204.151
  • 2.16.204.152
  • 2.16.204.148
  • 2.16.204.157
  • 2.16.204.139
  • 2.16.204.134
  • 2.16.204.140
  • 2.16.204.136
  • 2.16.204.138
  • 2.16.204.137
  • 2.16.204.132
  • 2.16.204.135
  • 2.16.204.141
  • 2.16.204.156
  • 2.16.204.160
  • 2.16.204.161
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Trickbot.exe