URL:

https://www.thunderbird.net/en-US/download/

Full analysis: https://app.any.run/tasks/ef9d656a-f6e7-4ad3-a7e9-733d32e539f6
Verdict: Malicious activity
Analysis date: June 25, 2024, 08:31:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
upx
Indicators:
MD5:

E1C507B35CC97BCB3F90176A6034F47F

SHA1:

3016624668FA2936092FA577B4DF4BAE6CF3ABC9

SHA256:

B3A41CE2D065C8A9BF6A74C4AC59507DDA9E4171C37FDBF218C0C8FC3D945886

SSDEEP:

3:N8DSLEL2Xc0h8wtBKSLJkn:2OLTcQ8wmL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Thunderbird Setup 115.12.2.exe (PID: 1796)
      • setup.exe (PID: 2788)
      • setup.exe (PID: 2000)
      • maintenanceservice_installer.exe (PID: 1460)
      • maintenanceservice_tmp.exe (PID: 3952)

    • Actions looks like stealing of personal data

      • setup.exe (PID: 2000)
      • Thunderbird Setup 115.12.2.exe (PID: 1796)
      • setup.exe (PID: 2788)
      • thunderbird.exe (PID: 1600)
      • thunderbird.exe (PID: 2264)
      • thunderbird.exe (PID: 4052)
      • thunderbird.exe (PID: 1420)
      • thunderbird.exe (PID: 3240)

    • Steals credentials from Web Browsers

      • thunderbird.exe (PID: 3240)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • Thunderbird Setup 115.12.2.exe (PID: 1796)
      • setup.exe (PID: 2000)

    • The process drops C-runtime libraries

      • Thunderbird Setup 115.12.2.exe (PID: 1796)
      • setup.exe (PID: 2000)

    • Executable content was dropped or overwritten

      • Thunderbird Setup 115.12.2.exe (PID: 1796)
      • setup.exe (PID: 2788)
      • setup.exe (PID: 2000)
      • maintenanceservice_installer.exe (PID: 1460)
      • maintenanceservice_tmp.exe (PID: 3952)

    • The process drops Mozilla's DLL files

      • Thunderbird Setup 115.12.2.exe (PID: 1796)
      • setup.exe (PID: 2000)

    • The process creates files with name similar to system file names

      • setup.exe (PID: 2788)
      • setup.exe (PID: 2000)
      • maintenanceservice_installer.exe (PID: 1460)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • setup.exe (PID: 2788)
      • setup.exe (PID: 2000)
      • maintenanceservice_installer.exe (PID: 1460)

    • Application launched itself

      • setup.exe (PID: 2788)
      • thunderbird.exe (PID: 3240)

    • Searches for installed software

      • setup.exe (PID: 2000)

    • Creates a software uninstall entry

      • setup.exe (PID: 2000)
      • maintenanceservice_installer.exe (PID: 1460)
      • maintenanceservice_tmp.exe (PID: 3952)

    • Starts application with an unusual extension

      • setup.exe (PID: 2000)

    • Creates/Modifies COM task schedule object

      • setup.exe (PID: 2000)

    • Reads the Internet Settings

      • thunderbird.exe (PID: 3240)

  • INFO

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 3700)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 2652)
      • Thunderbird Setup 115.12.2.exe (PID: 1796)

    • Checks supported languages

      • wmpnscfg.exe (PID: 2652)
      • Thunderbird Setup 115.12.2.exe (PID: 1796)
      • setup.exe (PID: 2788)
      • setup.exe (PID: 2000)
      • ns59D0.tmp (PID: 3496)
      • maintenanceservice_installer.exe (PID: 1460)
      • maintenanceservice_tmp.exe (PID: 3952)
      • thunderbird.exe (PID: 3240)
      • thunderbird.exe (PID: 1600)
      • thunderbird.exe (PID: 2264)
      • thunderbird.exe (PID: 1420)
      • thunderbird.exe (PID: 4052)

    • Reads the computer name

      • wmpnscfg.exe (PID: 2652)
      • setup.exe (PID: 2788)
      • setup.exe (PID: 2000)
      • maintenanceservice_installer.exe (PID: 1460)
      • thunderbird.exe (PID: 3240)
      • thunderbird.exe (PID: 1600)
      • maintenanceservice_tmp.exe (PID: 3952)
      • thunderbird.exe (PID: 1420)
      • thunderbird.exe (PID: 2264)
      • thunderbird.exe (PID: 4052)

    • Drops the executable file immediately after the start

      • msedge.exe (PID: 3700)

    • The process uses the downloaded file

      • msedge.exe (PID: 3924)
      • msedge.exe (PID: 3944)

    • Create files in a temporary directory

      • Thunderbird Setup 115.12.2.exe (PID: 1796)
      • setup.exe (PID: 2788)
      • setup.exe (PID: 2000)
      • maintenanceservice_installer.exe (PID: 1460)
      • thunderbird.exe (PID: 3240)

    • Application launched itself

      • msedge.exe (PID: 3700)

    • UPX packer has been detected

      • Thunderbird Setup 115.12.2.exe (PID: 1796)

    • Process checks whether UAC notifications are on

      • setup.exe (PID: 2788)

    • Creates files in the program directory

      • setup.exe (PID: 2000)
      • maintenanceservice_installer.exe (PID: 1460)
      • thunderbird.exe (PID: 3240)

    • Reads the machine GUID from the registry

      • setup.exe (PID: 2000)
      • maintenanceservice_installer.exe (PID: 1460)
      • thunderbird.exe (PID: 3240)

    • Creates files or folders in the user directory

      • thunderbird.exe (PID: 3240)

    • Reads CPU info

      • thunderbird.exe (PID: 3240)

    • Process checks computer location settings

      • thunderbird.exe (PID: 3240)

    • Checks proxy server information

      • thunderbird.exe (PID: 3240)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
96
Monitored processes
52
Malicious processes
8
Suspicious processes
1

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs wmpnscfg.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs THREAT thunderbird setup 115.12.2.exe setup.exe setup.exe ns59d0.tmp no specs maintenanceservice_installer.exe maintenanceservice_tmp.exe thunderbird.exe thunderbird.exe thunderbird.exe thunderbird.exe thunderbird.exe msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
312"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1448 --field-trial-handle=1296,i,186080261755287453,17793480745856089750,131072 /prefetch:2C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1164"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3804 --field-trial-handle=1296,i,186080261755287453,17793480745856089750,131072 /prefetch:1C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1284"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3596 --field-trial-handle=1296,i,186080261755287453,17793480745856089750,131072 /prefetch:1C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1420"C:\Program Files\Mozilla Thunderbird\thunderbird.exe" -contentproc --channel="3240.1.264413438\2068412752" -childID 1 -isForBrowser -prefsHandle 1788 -prefMapHandle 1784 -prefsLen 3793 -prefMapSize 253379 -jsInitHandle 868 -jsInitLen 240916 -parentBuildID 20240621154414 -appDir "C:\Program Files\Mozilla Thunderbird" - {06400625-9897-47cf-8fbd-8b5a6e76ce95} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 1800 tabC:\Program Files\Mozilla Thunderbird\thunderbird.exe
thunderbird.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Thunderbird
Exit code:
0
Version:
115.12.2
Modules
Images
c:\program files\mozilla thunderbird\thunderbird.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla thunderbird\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla thunderbird\msvcp140.dll
c:\program files\mozilla thunderbird\vcruntime140.dll
1460"C:\Program Files\Mozilla Thunderbird\maintenanceservice_installer.exe"C:\Program Files\Mozilla Thunderbird\maintenanceservice_installer.exe
ns59D0.tmp
User:
admin
Company:
Mozilla Corporation
Integrity Level:
HIGH
Description:
Mozilla Maintenance Service Installer
Exit code:
0
Version:
115.12.2
Modules
Images
c:\program files\mozilla thunderbird\maintenanceservice_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
1524"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3740 --field-trial-handle=1296,i,186080261755287453,17793480745856089750,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1600"C:\Program Files\Mozilla Thunderbird\thunderbird.exe" -contentproc --channel="3240.0.17401794\695291977" -parentBuildID 20240621154414 -prefsHandle 1156 -prefMapHandle 1148 -prefsLen 3458 -prefMapSize 253379 -appDir "C:\Program Files\Mozilla Thunderbird" - {ad8bffa3-c787-473a-97d4-bcfd0ea2b533} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 1240 gpuC:\Program Files\Mozilla Thunderbird\thunderbird.exe
thunderbird.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Thunderbird
Version:
115.12.2
Modules
Images
c:\program files\mozilla thunderbird\thunderbird.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla thunderbird\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla thunderbird\msvcp140.dll
c:\program files\mozilla thunderbird\vcruntime140.dll
1796"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3636 --field-trial-handle=1296,i,186080261755287453,17793480745856089750,131072 /prefetch:1C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1796"C:\Users\admin\Downloads\Thunderbird Setup 115.12.2.exe" C:\Users\admin\Downloads\Thunderbird Setup 115.12.2.exe
explorer.exe
User:
admin
Company:
Mozilla
Integrity Level:
MEDIUM
Description:
Thunderbird
Exit code:
0
Version:
18.05
Modules
Images
c:\users\admin\downloads\thunderbird setup 115.12.2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
1916"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4424 --field-trial-handle=1296,i,186080261755287453,17793480745856089750,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
36 309
Read events
36 050
Write events
214
Delete events
45

Modification events

(PID) Process:(3700) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(3700) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(3700) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Edge\ThirdParty
Operation:writeName:StatusCodes
Value:
(PID) Process:(3700) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Edge\ThirdParty
Operation:writeName:StatusCodes
Value:
01000000
(PID) Process:(3700) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(3700) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:writeName:dr
Value:
1
(PID) Process:(3700) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(3700) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1302019708-1500728564-335382590-1000
Value:
CA80C902497A2F00
(PID) Process:(3700) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\FirstNotDefault
Operation:delete valueName:S-1-5-21-1302019708-1500728564-335382590-1000
Value:
(PID) Process:(3700) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Edge
Operation:writeName:UsageStatsInSample
Value:
1
Executable files
137
Suspicious files
348
Text files
102
Unknown types
15

Dropped files

PID
Process
Filename
Type
3700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF4df12.TMP
MD5:
SHA256:
3700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
3700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF4df21.TMP
MD5:
SHA256:
3700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF4df21.TMP
MD5:
SHA256:
3700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
3700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF4df50.TMP
MD5:
SHA256:
3700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
MD5:
SHA256:
3700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Variationsbinary
MD5:961E3604F228B0D10541EBF921500C86
SHA256:F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED
3700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datbinary
MD5:4B74C392839DDD59792975091A30DB00
SHA256:7A5A3B8CC4D5BB579FA5E6C6A831964FB245A5CFF9AD3B80F5E9DC34DA4A7D53
3700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG.old~RF4e02b.TMPtext
MD5:4F516DF8B34DA06ABB78EA4BCACC44E8
SHA256:50BC2AE152862680DB51849904682C5D10BA6449315CE79F4CBDC878416DA346
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
102
DNS requests
117
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
unknown
1372
svchost.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
3700
msedge.exe
GET
200
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?54032e316b887179
unknown
unknown
1372
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
1060
svchost.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75
unknown
unknown
3240
thunderbird.exe
POST
200
2.16.202.115:80
http://r11.o.lencr.org/
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2564
svchost.exe
239.255.255.250:3702
whitelisted
1060
svchost.exe
224.0.0.252:5355
unknown
3700
msedge.exe
239.255.255.250:1900
whitelisted
2940
msedge.exe
13.107.21.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
2940
msedge.exe
104.26.2.27:443
www.thunderbird.net
CLOUDFLARENET
US
unknown
2940
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1372
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2940
msedge.exe
2.23.209.189:443
www.bing.com
Akamai International B.V.
GB
unknown

DNS requests

Domain
IP
Reputation
www.thunderbird.net
  • 104.26.2.27
  • 104.26.3.27
  • 172.67.74.82
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
www.bing.com
  • 2.23.209.189
  • 2.23.209.193
  • 2.23.209.181
  • 2.23.209.185
  • 2.23.209.182
  • 2.23.209.183
  • 2.23.209.130
  • 2.23.209.186
  • 2.23.209.187
  • 95.101.27.107
  • 95.101.27.119
  • 95.101.27.117
  • 95.101.27.106
  • 95.101.27.116
  • 95.101.27.108
  • 95.101.27.112
  • 95.101.27.109
  • 95.101.27.105
whitelisted
cdn.fundraiseup.com
  • 172.67.72.38
  • 104.26.5.251
  • 104.26.4.251
whitelisted
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
thunderbird.innocraft.cloud
  • 18.157.122.248
  • 18.195.235.189
  • 3.126.133.169
whitelisted
static.fundraiseup.com
  • 104.26.5.251
  • 104.26.4.251
  • 172.67.72.38
whitelisted
fndrsp.net
  • 188.114.96.3
  • 188.114.97.3
whitelisted
ucarecdn.com
  • 2.22.242.89
  • 2.22.242.91
  • 2.19.126.150
  • 2.19.126.134
whitelisted

Threats

PID
Process
Class
Message
2940
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.thunderbird.net/en-US/download/