URL:

https://www.thunderbird.net/en-US/download/

Full analysis: https://app.any.run/tasks/ef9d656a-f6e7-4ad3-a7e9-733d32e539f6
Verdict: Malicious activity
Analysis date: June 25, 2024, 08:31:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
upx
Indicators:
MD5:

E1C507B35CC97BCB3F90176A6034F47F

SHA1:

3016624668FA2936092FA577B4DF4BAE6CF3ABC9

SHA256:

B3A41CE2D065C8A9BF6A74C4AC59507DDA9E4171C37FDBF218C0C8FC3D945886

SSDEEP:

3:N8DSLEL2Xc0h8wtBKSLJkn:2OLTcQ8wmL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • Thunderbird Setup 115.12.2.exe (PID: 1796)
      • setup.exe (PID: 2000)
      • thunderbird.exe (PID: 1600)
      • thunderbird.exe (PID: 1420)
      • thunderbird.exe (PID: 2264)
      • setup.exe (PID: 2788)
      • thunderbird.exe (PID: 4052)
      • thunderbird.exe (PID: 3240)
    • Drops the executable file immediately after the start

      • Thunderbird Setup 115.12.2.exe (PID: 1796)
      • setup.exe (PID: 2788)
      • setup.exe (PID: 2000)
      • maintenanceservice_installer.exe (PID: 1460)
      • maintenanceservice_tmp.exe (PID: 3952)
    • Steals credentials from Web Browsers

      • thunderbird.exe (PID: 3240)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • Thunderbird Setup 115.12.2.exe (PID: 1796)
      • setup.exe (PID: 2000)
    • Executable content was dropped or overwritten

      • Thunderbird Setup 115.12.2.exe (PID: 1796)
      • setup.exe (PID: 2000)
      • setup.exe (PID: 2788)
      • maintenanceservice_installer.exe (PID: 1460)
      • maintenanceservice_tmp.exe (PID: 3952)
    • The process drops Mozilla's DLL files

      • Thunderbird Setup 115.12.2.exe (PID: 1796)
      • setup.exe (PID: 2000)
    • The process drops C-runtime libraries

      • Thunderbird Setup 115.12.2.exe (PID: 1796)
      • setup.exe (PID: 2000)
    • The process creates files with name similar to system file names

      • setup.exe (PID: 2788)
      • setup.exe (PID: 2000)
      • maintenanceservice_installer.exe (PID: 1460)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • setup.exe (PID: 2788)
      • setup.exe (PID: 2000)
      • maintenanceservice_installer.exe (PID: 1460)
    • Application launched itself

      • setup.exe (PID: 2788)
      • thunderbird.exe (PID: 3240)
    • Searches for installed software

      • setup.exe (PID: 2000)
    • Creates a software uninstall entry

      • setup.exe (PID: 2000)
      • maintenanceservice_installer.exe (PID: 1460)
      • maintenanceservice_tmp.exe (PID: 3952)
    • Starts application with an unusual extension

      • setup.exe (PID: 2000)
    • Creates/Modifies COM task schedule object

      • setup.exe (PID: 2000)
    • Reads the Internet Settings

      • thunderbird.exe (PID: 3240)
  • INFO

    • Manual execution by a user

      • wmpnscfg.exe (PID: 2652)
      • Thunderbird Setup 115.12.2.exe (PID: 1796)
    • Reads the computer name

      • wmpnscfg.exe (PID: 2652)
      • setup.exe (PID: 2788)
      • setup.exe (PID: 2000)
      • maintenanceservice_installer.exe (PID: 1460)
      • maintenanceservice_tmp.exe (PID: 3952)
      • thunderbird.exe (PID: 3240)
      • thunderbird.exe (PID: 1600)
      • thunderbird.exe (PID: 1420)
      • thunderbird.exe (PID: 4052)
      • thunderbird.exe (PID: 2264)
    • Checks supported languages

      • wmpnscfg.exe (PID: 2652)
      • Thunderbird Setup 115.12.2.exe (PID: 1796)
      • setup.exe (PID: 2788)
      • setup.exe (PID: 2000)
      • maintenanceservice_tmp.exe (PID: 3952)
      • maintenanceservice_installer.exe (PID: 1460)
      • ns59D0.tmp (PID: 3496)
      • thunderbird.exe (PID: 3240)
      • thunderbird.exe (PID: 1600)
      • thunderbird.exe (PID: 1420)
      • thunderbird.exe (PID: 2264)
      • thunderbird.exe (PID: 4052)
    • Drops the executable file immediately after the start

      • msedge.exe (PID: 3700)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 3700)
    • Creates files in a temporary directory

      • Thunderbird Setup 115.12.2.exe (PID: 1796)
      • setup.exe (PID: 2788)
      • setup.exe (PID: 2000)
      • maintenanceservice_installer.exe (PID: 1460)
      • thunderbird.exe (PID: 3240)
    • The process uses the downloaded file

      • msedge.exe (PID: 3924)
      • msedge.exe (PID: 3944)
    • Application launched itself

      • msedge.exe (PID: 3700)
    • Process checks whether UAC notifications are on

      • setup.exe (PID: 2788)
    • UPX packer has been detected

      • Thunderbird Setup 115.12.2.exe (PID: 1796)
    • Creates files in the program directory

      • setup.exe (PID: 2000)
      • maintenanceservice_installer.exe (PID: 1460)
      • thunderbird.exe (PID: 3240)
    • Reads the machine GUID from the registry

      • setup.exe (PID: 2000)
      • maintenanceservice_installer.exe (PID: 1460)
      • thunderbird.exe (PID: 3240)
    • Creates files or folders in the user directory

      • thunderbird.exe (PID: 3240)
    • Reads CPU info

      • thunderbird.exe (PID: 3240)
    • Process checks computer location settings

      • thunderbird.exe (PID: 3240)
    • Checks proxy server information

      • thunderbird.exe (PID: 3240)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 96
Monitored processes: 52
Malicious processes: 8
Suspicious processes: 1

Behavior graph

Interactive graph not reproduced. Processes in the branch marked THREAT: thunderbird setup 115.12.2.exe, setup.exe, setup.exe, ns59d0.tmp, maintenanceservice_installer.exe, maintenanceservice_tmp.exe, thunderbird.exe (5 instances), msedge.exe.

Process information

PID
CMD
Path
Indicators
Parent process
PID: 312
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1448 --field-trial-handle=1296,i,186080261755287453,17793480745856089750,131072 /prefetch:2
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1164
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3804 --field-trial-handle=1296,i,186080261755287453,17793480745856089750,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1284
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3596 --field-trial-handle=1296,i,186080261755287453,17793480745856089750,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1420
CMD: "C:\Program Files\Mozilla Thunderbird\thunderbird.exe" -contentproc --channel="3240.1.264413438\2068412752" -childID 1 -isForBrowser -prefsHandle 1788 -prefMapHandle 1784 -prefsLen 3793 -prefMapSize 253379 -jsInitHandle 868 -jsInitLen 240916 -parentBuildID 20240621154414 -appDir "C:\Program Files\Mozilla Thunderbird" - {06400625-9897-47cf-8fbd-8b5a6e76ce95} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 1800 tab
Path: C:\Program Files\Mozilla Thunderbird\thunderbird.exe
Parent process: thunderbird.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Thunderbird
Exit code:
0
Version:
115.12.2
Modules
Images
c:\program files\mozilla thunderbird\thunderbird.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla thunderbird\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla thunderbird\msvcp140.dll
c:\program files\mozilla thunderbird\vcruntime140.dll
PID: 1460
CMD: "C:\Program Files\Mozilla Thunderbird\maintenanceservice_installer.exe"
Path: C:\Program Files\Mozilla Thunderbird\maintenanceservice_installer.exe
Parent process: ns59D0.tmp
User:
admin
Company:
Mozilla Corporation
Integrity Level:
HIGH
Description:
Mozilla Maintenance Service Installer
Exit code:
0
Version:
115.12.2
Modules
Images
c:\program files\mozilla thunderbird\maintenanceservice_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
PID: 1524
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3740 --field-trial-handle=1296,i,186080261755287453,17793480745856089750,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1600
CMD: "C:\Program Files\Mozilla Thunderbird\thunderbird.exe" -contentproc --channel="3240.0.17401794\695291977" -parentBuildID 20240621154414 -prefsHandle 1156 -prefMapHandle 1148 -prefsLen 3458 -prefMapSize 253379 -appDir "C:\Program Files\Mozilla Thunderbird" - {ad8bffa3-c787-473a-97d4-bcfd0ea2b533} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 1240 gpu
Path: C:\Program Files\Mozilla Thunderbird\thunderbird.exe
Parent process: thunderbird.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Thunderbird
Version:
115.12.2
Modules
Images
c:\program files\mozilla thunderbird\thunderbird.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla thunderbird\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla thunderbird\msvcp140.dll
c:\program files\mozilla thunderbird\vcruntime140.dll
PID: 1796
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3636 --field-trial-handle=1296,i,186080261755287453,17793480745856089750,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1796
CMD: "C:\Users\admin\Downloads\Thunderbird Setup 115.12.2.exe"
Path: C:\Users\admin\Downloads\Thunderbird Setup 115.12.2.exe
Parent process: explorer.exe
User:
admin
Company:
Mozilla
Integrity Level:
MEDIUM
Description:
Thunderbird
Exit code:
0
Version:
18.05
Modules
Images
c:\users\admin\downloads\thunderbird setup 115.12.2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
PID: 1916
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4424 --field-trial-handle=1296,i,186080261755287453,17793480745856089750,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 36 309
Read events: 36 050
Write events: 214
Delete events: 45

Modification events

(PID) Process: (3700) msedge.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (3700) msedge.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 2

(PID) Process: (3700) msedge.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Edge\ThirdParty
Operation: write
Name: StatusCodes
Value:

(PID) Process: (3700) msedge.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Edge\ThirdParty
Operation: write
Name: StatusCodes
Value: 01000000

(PID) Process: (3700) msedge.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 1

(PID) Process: (3700) msedge.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation: write
Name: dr
Value: 1

(PID) Process: (3700) msedge.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Edge\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

(PID) Process: (3700) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1302019708-1500728564-335382590-1000
Value: CA80C902497A2F00

(PID) Process: (3700) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\FirstNotDefault
Operation: delete value
Name: S-1-5-21-1302019708-1500728564-335382590-1000
Value:

(PID) Process: (3700) msedge.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Edge
Operation: write
Name: UsageStatsInSample
Value: 1
Executable files: 137
Suspicious files: 348
Text files: 102
Unknown types: 15

Dropped files

PID
Process
Filename
Type
PID: 3700 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF4df12.TMP | Type:
MD5:
SHA256:
PID: 3700 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old | Type:
MD5:
SHA256:
PID: 3700 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF4df21.TMP | Type:
MD5:
SHA256:
PID: 3700 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF4df21.TMP | Type:
MD5:
SHA256:
PID: 3700 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old | Type:
MD5:
SHA256:
PID: 3700 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF4df50.TMP | Type:
MD5:
SHA256:
PID: 3700 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old | Type:
MD5:
SHA256:
PID: 3700 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG.old~RF4dffc.TMP | Type: text
MD5: 00AA7B4B4257D481C40A58482D5D6B24
SHA256: 65A7BF11BD80C6FE73C58A20E4BB0F8FA653EEB70B707DA7D16DD9E7F954CA21
PID: 3280 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics.pma | Type: binary
MD5: 886E82F2CA62ECCCE64601B30592078A
SHA256: E5E13D53601100FF3D6BB71514CBCCC4C73FE9B7EF5E930100E644187B42948E
PID: 3700 | Process: msedge.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat | Type: binary
MD5: 4B74C392839DDD59792975091A30DB00
SHA256: 7A5A3B8CC4D5BB579FA5E6C6A831964FB245A5CFF9AD3B80F5E9DC34DA4A7D53
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 102
DNS requests: 117
Threats: 1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
3700
msedge.exe
GET
200
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?54032e316b887179
unknown
1372
svchost.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
1372
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
1060
svchost.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75
unknown
3240
thunderbird.exe
POST
200
2.16.202.115:80
http://r11.o.lencr.org/
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
unknown
2564
svchost.exe
239.255.255.250:3702
unknown
1060
svchost.exe
224.0.0.252:5355
unknown
3700
msedge.exe
239.255.255.250:1900
unknown
2940
msedge.exe
13.107.21.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
2940
msedge.exe
104.26.2.27:443
www.thunderbird.net
CLOUDFLARENET
US
unknown
2940
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
1372
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
unknown
2940
msedge.exe
2.23.209.189:443
www.bing.com
Akamai International B.V.
GB
unknown

DNS requests

Domain
IP
Reputation
www.thunderbird.net
  • 104.26.2.27
  • 104.26.3.27
  • 172.67.74.82
unknown
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
unknown
config.edge.skype.com
  • 13.107.42.16
unknown
www.bing.com
  • (resolved IP list omitted)
unknown
cdn.fundraiseup.com
  • 172.67.72.38
  • 104.26.5.251
  • 104.26.4.251
unknown
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
unknown
thunderbird.innocraft.cloud
  • 18.157.122.248
  • 18.195.235.189
  • 3.126.133.169
unknown
static.fundraiseup.com
  • 104.26.5.251
  • 104.26.4.251
  • 172.67.72.38
unknown
fndrsp.net
  • 188.114.96.3
  • 188.114.97.3
unknown
ucarecdn.com
  • 2.22.242.89
  • 2.22.242.91
  • 2.19.126.150
  • 2.19.126.134
unknown

Threats

PID
Process
Class
Message
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
No debug info