File name: a6a5208cae8be2c21938dedf051d8a6cc075e1b9084f6cfe38399ecf8a0306c5

Full analysis: https://app.any.run/tasks/38247473-3332-4c7e-a777-df588357454b
Verdict: Malicious activity
Threats:

TrickBot is an advanced banking trojan used to steal payment credentials from victims. It can redirect the victim to a fake online banking page and capture the credentials typed into it.

Analysis date: November 23, 2024, 17:40:08
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags: trickbot
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: AD9934FE2CF08BE5C2DEA178B065433F
SHA1: E209EA20E72138BD49EBE88F7F7427E04D5B86C9
SHA256: A6A5208CAE8BE2C21938DEDF051D8A6CC075E1B9084F6CFE38399ECF8A0306C5
SSDEEP: 24576:7UAebUK2zOdtHi7j/9TxcuZHEZ18NdCHfUO:7r+UKaOdtHi7jFTxc0HEZ18EfUO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for the user's acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • TRICKBOT has been detected (YARA)

      • wermgr.exe (PID: 4176)
  • SUSPICIOUS

    • Executes application which crashes

      • a6a5208cae8be2c21938dedf051d8a6cc075e1b9084f6cfe38399ecf8a0306c5.exe (PID: 6956)
    • Starts CMD.EXE for command execution

      • a6a5208cae8be2c21938dedf051d8a6cc075e1b9084f6cfe38399ecf8a0306c5.exe (PID: 6956)
  • INFO

    • Checks supported languages

      • a6a5208cae8be2c21938dedf051d8a6cc075e1b9084f6cfe38399ecf8a0306c5.exe (PID: 6956)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 4800)
    • Reads the Internet Settings

      • WerFault.exe (PID: 4800)
    • Checks proxy server information

      • WerFault.exe (PID: 4800)
    • Reads the software policy settings

      • WerFault.exe (PID: 4800)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

TrickBot

Process (PID 4176): wermgr.exe
C2
srv (5)
srva (13)
version: 100019
Botnet: lip139
Key: RUNTMzAAAABbfmkJRvwyw7iFkX40hL2HwsUeOSZZZo0FRRWGkY6J1+gf3YKq13Ee4sY3Jb9/0myCr0MwzNK1K2l5yuY87nW29Q/yjMJG0ISDj0HNBC3G+ZGta6Oi9QkjCwnNGbw2hQ4=
Autorun
module @name: pwgrabb
module @name: pwgrabc
other (233)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:07:06 22:38:53+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 126976
InitializedDataSize: 352256
UninitializedDataSize: -
EntryPoint: 0xb424
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileDescription: Demo Microsoft 基础类应用程序
FileVersion: 1, 0, 0, 1
InternalName: Demo
LegalCopyright: 版权所有 (C) 2008
OriginalFileName: Demo.EXE
ProductName: Demo 应用程序
ProductVersion: 1, 0, 0, 1
No data.
screenshot
All screenshots are available in the full report
Total processes: 119
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Nodes: start, a6a5208cae8be2c21938dedf051d8a6cc075e1b9084f6cfe38399ecf8a0306c5.exe (#TRICKBOT), wermgr.exe, cmd.exe (no specs), werfault.exe

Process information

PID: 4176
CMD: C:\Windows\system32\wermgr.exe
Path: C:\Windows\System32\wermgr.exe
Parent process: a6a5208cae8be2c21938dedf051d8a6cc075e1b9084f6cfe38399ecf8a0306c5.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Version: 10.0.22000.653 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wermgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
Indicators: TrickBot (configuration extracted above)
PID: 4800
CMD: C:\Windows\SysWOW64\WerFault.exe -u -p 6956 -s 576
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: a6a5208cae8be2c21938dedf051d8a6cc075e1b9084f6cfe38399ecf8a0306c5.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.22000.653 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 5496
CMD: C:\Windows\system32\cmd.exe
Path: C:\Windows\System32\cmd.exe
Parent process: a6a5208cae8be2c21938dedf051d8a6cc075e1b9084f6cfe38399ecf8a0306c5.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
PID: 6956
CMD: "C:\Users\admin\Desktop\a6a5208cae8be2c21938dedf051d8a6cc075e1b9084f6cfe38399ecf8a0306c5.exe"
Path: C:\Users\admin\Desktop\a6a5208cae8be2c21938dedf051d8a6cc075e1b9084f6cfe38399ecf8a0306c5.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Demo Microsoft 基础类应用程序
Exit code: 3221225477
Version: 1, 0, 0, 1
Modules
Images
c:\users\admin\desktop\a6a5208cae8be2c21938dedf051d8a6cc075e1b9084f6cfe38399ecf8a0306c5.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
Total events: 12 224
Read events: 12 224
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 2
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4800 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a6a5208cae8be2c2_e44ddf9578324e34ee230808015d436f7d31864_563cb99b_3f10ea55-eea3-476a-b959-cec9bacf9020\Report.wer | -
  MD5: -
  SHA256: -
4800 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\a6a5208cae8be2c21938dedf051d8a6cc075e1b9084f6cfe38399ecf8a0306c5.exe.6956.dmp | binary
  MD5: 8F550F5AF21EA5F6D3BA4E7C3C591A3E
  SHA256: AF0A69D2D89E0FB1CCDCDFB6BF85B7E5CB6EE8A6E073AF3629F2F53402AD45B5
4800 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER.b8211173-085e-4917-97b4-04bead89436f.tmp.xml | xml
  MD5: 43E4FC0C46ACCEAE79C3869AABAE8168
  SHA256: 66B3EEDE6BADFF76EF7B9AE7F0E554C1550138454C6EB321BBA9C8A0CBCFABA9
4800 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER.53136886-1ad5-4a22-a83c-4a8260bac1ca.tmp.dmp | binary
  MD5: 21BC28CE8009C4A4551F0FEB56D663AC
  SHA256: B994FD2A144B84E41F1B511C3CC1DC103972B050C72D666EF2F5AB7FA89AC9BC
4800 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER.46b5d61e-252f-4174-a325-f0b691fdfdb9.tmp.WERInternalMetadata.xml | xml
  MD5: 58C16B0502D2ACBA4F1A00347BFEDB6D
  SHA256: A074CFAEC8F0BF5C2F035C82CA83BC541561B97055D85FA4B1566A40612D6399
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 20
TCP/UDP connections: 31
DNS requests: 31
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2616 | firefox.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | US | binary | 471 b | whitelisted
2616 | firefox.exe | POST | 200 | 2.18.121.71:80 | http://r10.o.lencr.org/ | FR | binary | 504 b | whitelisted
2616 | firefox.exe | POST | 200 | 2.18.121.71:80 | http://r10.o.lencr.org/ | FR | binary | 504 b | whitelisted
2616 | firefox.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | US | binary | 471 b | whitelisted
4668 | rundll32.exe | GET | 304 | 217.20.57.39:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5bf9f3e68500a67f | US | - | - | whitelisted
- | - | HEAD | 200 | 23.53.114.19:443 | https://fs.microsoft.com/fs/windows/config.json | US | - | - | unknown
1296 | svchost.exe | GET | 200 | 23.55.161.193:80 | http://www.msftconnecttest.com/connecttest.txt | DE | text | 22 b | whitelisted
2616 | firefox.exe | POST | 200 | 2.18.121.71:80 | http://r10.o.lencr.org/ | FR | binary | 504 b | whitelisted
6204 | MoUsoCoreWorker.exe | GET | 304 | 217.20.57.39:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ff32f3c75978ac1a | US | - | - | whitelisted
2860 | svchost.exe | GET | 304 | 217.20.57.41:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0811ccc60b3de69d | US | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4668 | rundll32.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5552 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
772 | OfficeC2RClient.exe | 52.109.89.18:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2616 | firefox.exe | 34.149.100.209:443 | firefox.settings.services.mozilla.com | GOOGLE | US | whitelisted
2616 | firefox.exe | 34.120.208.123:443 | incoming.telemetry.mozilla.org | GOOGLE-CLOUD-PLATFORM | US | whitelisted
1296 | svchost.exe | 23.55.161.193:80 | - | Akamai International B.V. | DE | unknown
2616 | firefox.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
2616 | firefox.exe | 2.18.121.71:80 | r10.o.lencr.org | AKAMAI-AS | FR | whitelisted
4668 | rundll32.exe | 217.20.57.39:80 | ctldl.windowsupdate.com | - | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
officeclient.microsoft.com | 52.109.89.18 | whitelisted
firefox.settings.services.mozilla.com | 34.149.100.209 | whitelisted
incoming.telemetry.mozilla.org | 34.120.208.123 | whitelisted
prod.remote-settings.prod.webservices.mozgcp.net | 34.149.100.209 | whitelisted
telemetry-incoming.r53-2.services.mozilla.com | 34.120.208.123 | whitelisted
google.com | 142.250.186.110 | whitelisted
r10.o.lencr.org | 2.18.121.71, 2.18.121.78 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
fp2e7a.wpc.phicdn.net | 192.229.221.95, 2606:2800:233:fa02:67b:9ff6:6107:833 | whitelisted

Threats

PID | Process | Class | Message
1296 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test
No debug info