File name:

c5e19b4aa3f82436910d009a5f36bdddf44314f6a68f6cd9314d6b958382d9fc.exe

Full analysis: https://app.any.run/tasks/f8890bc1-ebc0-4b63-83c5-5dbe4821d018
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Malware Trends Tracker     >>>
Analysis date: March 26, 2024, 10:14:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
agenttesla
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5:

8F1DAD67EA5F8DB133CEC0B34D1B32F3

SHA1:

4731E8F991CE738B500891231A3693F836844F31

SHA256:

C5E19B4AA3F82436910D009A5F36BDDDF44314F6A68F6CD9314D6B958382D9FC

SSDEEP:

24576:vILpe46lO1Qdf2pSblJD/N3NFt3HHlPn7JL5pBYgaqfRHKt4PLeyvS:vINe46Y1Qdf2pSblJD/N3NFt3HFPn7J8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • c5e19b4aa3f82436910d009a5f36bdddf44314f6a68f6cd9314d6b958382d9fc.exe (PID: 3196)

    • Scans artifacts that could help determine the target

      • AddInProcess32.exe (PID: 6560)

    • AGENTTESLA has been detected (YARA)

      • AddInProcess32.exe (PID: 6560)

    • Steals credentials from Web Browsers

      • AddInProcess32.exe (PID: 6560)

    • Actions looks like stealing of personal data

      • AddInProcess32.exe (PID: 6560)

  • SUSPICIOUS

    • Executes application which crashes

      • c5e19b4aa3f82436910d009a5f36bdddf44314f6a68f6cd9314d6b958382d9fc.exe (PID: 3196)

    • Connects to SMTP port

      • AddInProcess32.exe (PID: 6560)

  • INFO

    • Checks supported languages

      • AddInProcess32.exe (PID: 6560)
      • c5e19b4aa3f82436910d009a5f36bdddf44314f6a68f6cd9314d6b958382d9fc.exe (PID: 3196)

    • Reads the computer name

      • c5e19b4aa3f82436910d009a5f36bdddf44314f6a68f6cd9314d6b958382d9fc.exe (PID: 3196)
      • AddInProcess32.exe (PID: 6560)

    • Reads Environment values

      • AddInProcess32.exe (PID: 6560)

    • Reads the machine GUID from the registry

      • AddInProcess32.exe (PID: 6560)
      • c5e19b4aa3f82436910d009a5f36bdddf44314f6a68f6cd9314d6b958382d9fc.exe (PID: 3196)

    • Checks proxy server information

      • WerFault.exe (PID: 6364)
      • slui.exe (PID: 1488)

    • Reads Microsoft Office registry keys

      • AddInProcess32.exe (PID: 6560)

    • Reads the software policy settings

      • WerFault.exe (PID: 6364)
      • AddInProcess32.exe (PID: 6560)
      • slui.exe (PID: 1488)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6364)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AgentTesla

(PID) Process(6560) AddInProcess32.exe
Protocolsmtp
Hostv116306.kasserver.com
Port587
Usernamebestellung@fmz-gmbh.de
PasswordT7qkM5vwo3t47fFh
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2079:06:22 00:20:04+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 48
CodeSize: 15264
InitializedDataSize: 1494
UninitializedDataSize: -
EntryPoint: 0x0000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: WeAreNotHealthy
FileVersion: 1.0.0.0
InternalName: WeAreNotHealthy.exe
LegalCopyright: Copyright © 2024
LegalTrademarks: -
OriginalFileName: WeAreNotHealthy.exe
ProductName: WeAreNotHealthy
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start c5e19b4aa3f82436910d009a5f36bdddf44314f6a68f6cd9314d6b958382d9fc.exe #AGENTTESLA addinprocess32.exe addinprocess32.exe no specs werfault.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1488C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
3196"C:\Users\admin\AppData\Local\Temp\c5e19b4aa3f82436910d009a5f36bdddf44314f6a68f6cd9314d6b958382d9fc.exe" C:\Users\admin\AppData\Local\Temp\c5e19b4aa3f82436910d009a5f36bdddf44314f6a68f6cd9314d6b958382d9fc.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
WeAreNotHealthy
Exit code:
3221226356
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\c5e19b4aa3f82436910d009a5f36bdddf44314f6a68f6cd9314d6b958382d9fc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
6364C:\WINDOWS\system32\WerFault.exe -u -p 3196 -s 1112C:\Windows\System32\WerFault.exe
c5e19b4aa3f82436910d009a5f36bdddf44314f6a68f6cd9314d6b958382d9fc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll
6560"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
c5e19b4aa3f82436910d009a5f36bdddf44314f6a68f6cd9314d6b958382d9fc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
AgentTesla
(PID) Process(6560) AddInProcess32.exe
Protocolsmtp
Hostv116306.kasserver.com
Port587
Usernamebestellung@fmz-gmbh.de
PasswordT7qkM5vwo3t47fFh
6568"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exec5e19b4aa3f82436910d009a5f36bdddf44314f6a68f6cd9314d6b958382d9fc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
6 558
Read events
6 554
Write events
4
Delete events
0

Modification events

(PID) Process:(6364) WerFault.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
Operation:writeName:0018C00CDC5C2937
Value:
0100000001000000D08C9DDF0115D1118C7A00C04FC297EB01000000C66C4C2452BC3E41B39B979DAB8925F700000000020000000000106600000001000020000000004C90042FD8ABA32A61CEFFDE81482BB3DE0E8941468068E292CA035E5B55F6000000000E8000000002000020000000D880B61CD28DABE980DAED0D32ECFA5820BF8B14167B5A4E863C268F0F0E6A2080000000B1B00B117F73B02FBF1F417910638A949859ADD00B3987388AF2ED987420BEE9067AD0884B886AA40AB14D60E9A9C0ED1753E0BD4BAE8790BE83566823B05DC455628CD47377537110BB6463E84796FA3BE841CAB090BEDB558E35EBD4759C7E7E777BA33EB1BE4DD64633400546229269314C8AB78925EEFABD7805131E8AB34000000013E4AE628393A56B16BD82F50B7F2CC5E40BE29DE4B573E093BDA3BABE0973C67B419CC48B75A6BA7C8895CB472410F5B154FA2BEC9EEFB01F958FE468FB63BA
(PID) Process:(6364) WerFault.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
Operation:writeName:DeviceTicket
Value:
0100000001000000D08C9DDF0115D1118C7A00C04FC297EB01000000C66C4C2452BC3E41B39B979DAB8925F7000000000200000000001066000000010000200000007520FB4386A89F0BCFDA76A0E37CDAEE2E1535A5F73B9E38DA58A7DF7EE3D186000000000E80000000020000200000004A401763999387F8ED94A8E3442E0A323F6CA2C411110D31AFEC09DCBE90830110080000CADD70C86E9F63EA9DA0B4C233E8DBD681A89843E8DA6826039F24638471291905FAFA4C7C1E0F6CC05E0495DE2FAD3C5856D192A7C26422471ABE06FF40A67DCCCF6AFE9986F9DE00CA205B0E24AA8DB94153C400AC1AE8299CCF8E094E9C8F7CDDF80ACA7D4A539EECE60741140AC6F9EC03EE226005768784EFB6D83A1B31D04D8C811B9A106E7FC18B3AC7DB7F84FC50147ADFC7F20CF5DB4E2527F40E53306BD57BD98620B95D0982445CBD8D362700AA01D9148C499FBBAE99621EA7AFC7046496584CB66F4C0551261C6620229DDFD48269B4667EF9711D787896C8F3C8595C2C9D0FCC34286044CD6C7964A0D5E2AFB05508317A2EF3B2ED08ADA53EDEF3950F0FDCDA86630667B3061278FA46FD50C1ECED923C07D350F607039B28AFEE69889D0E2CADE9F12A5E4FAC8C8CD2E5FFA9A5D8B2D930B0545C8748028866B53C5476FEF468E4FBBC7DBEB2D1079EFAF219B9CC6D578A0E33193D327AC28FC7C348DB3B3D7A4FCFFA03E9DA854B4FDB45DF89CFFFD0F5B9B1D4F7728A9ABE9B7933B3C5F326F32208EECBAABEAD4506BF891B90DA0A9A9D880246B251EE65FADAEFC4329D1AD203C4DDCA4D9C37454D1267B413B2412ED6BBC5A351BC341C5D213306AF7E812431CBEB1AAF5BDE0B2E8FECE75A81A036A2BA96E7077DAFECAA21C257B66862F2D5B29872B09A48C2EC3D5FB6FAECC7A2D0F4FEE7ACDC244AE19A3381CFCDF5B265467735D22FE5BE13459B7510AE2FF88F4723E130162450705C73669AB6A88104A03D5EFA29A7B8B651ED2821E108BD63FE79287D94BED524B7A8D29DF5F0DCC90A87CC9CEC789BDE3689C2491EECEABE6597FC738DD112BAB224826FBE59605FDD8DDF46260FF4EE5F3F3053B57C4F072DCB5AE7AEBA0A6EA5E6316F91553125DC7ACF483D2972543088ADB01DD0FEEC3ADE891FF66B9B6BB9692D8065B27F16089F056C50AB09108D2266D935BEEE76A438F95B93605FB5550AFDA24479491A720BBE38528A47C2E4B9CC6DEA038FE0F56158FE8E52FE8B74C4E250D20C0E4156EDAB847EFD98110DFCD64986398DB45201827089972F6BE7A33D19F37697720FFD83F7EE9357E815C36B3E9227736169320DAECF17661055DE01992124D9F4A00B33CA1837C311C4E8941A19DDBD84F0847FA3A33E810E3F761F26002BFCE33C0479240A2B87560C545036FC24105F281C98F35A41A2D6225A787348C7CFF6336CBCD3E6FF711075A5DA7873CC2D9074B459747F2FDAF1724755F9E47D444022FCF221CE45F72CF23F21C2E579DCB7F16F50D22F9523F1C93977A6E5DD880D948363FCAC6608384F57462D1547547CF1AC39EE97F8FA6EFBCE9C817791B07E31247A70626FAECC38F9E7734E41BED932E61534E6A4DEFE3C5108986976B2CB85C126222E42496A2EF198FB95E1B830400AF56DCDF97FBF5C1AFB6B4E2A32F3D602C18BB87AB645359ECF8F9C79EDC4056D4AD6C3281D2C798BB8EBA93EB43BA4FCFB3DFC9A9603C29C89CB4BF8D0389E0A46F1DB74F7E168C66FAF9DC1C52A485C17DEB35734A96681D5B56A5B24AA6766669DF933C95EA1A5977F9AD363F86DF5D25BD189FA91EC2307402AEC4B1EBF174703B14CABE3099C4D6B1B918696F5A9A2FE747D02549EF95ABCDE7BEAB8FCF5318AAA893190AFD74332C766BCC05041606BBE246864A53C909285BEF1396BE94D2EE73354C4C83AB2E3F3D2185CD92F9D6AFE13CED53683D8C9856203F91A2174EB3C23D05158387F57F73B5CD0A6B9084C7BDDCB7435F4BAF17529A5BF666E80D8CA94CE376B37A7B84215FFE88B60CBE47B40005370A2858E1A45FDDDE390362064B30DB2D2F4638A928A52602FA62F4EFAA9825B0AE9B6904FE6A172C53EF9E441749BF50552F115095B31EF744C99FE09A64FC2A680C4A3CCF38E29B75B2465A914B358485776BDE8139BE5718B5C88FACE2D682B56FD0C52113FE0B75C1D41D8C93E8C7FC6277F3C66A512DCC401785D0D313C8F9244D45E0046EE68E0EFD3279584C914FB9E40ADC318EF6330906CD8A21B48A21A4E05DA8F3F3B0B2F97EA24F14E3A7565934CAA637C8BF814DC91E2211947B3286A5BCFED56A6257890AC54DFCFEA9D09FF2591A7FA7BE7151DB2EA092E55BFE5621C7938338C727292EC4C91455EA692BE2BD763107D532C0888F77D0CC86517D88427B3001825AD88DD14FCA263DE53D7E175EDC529B1DED01EE95D365AD744E6ACA2DCD30ADADF77E7F50D7B9145DAD76D7FA59ADF0CB7AEB581340B83EB13138DD68FE67739D7C6200616C6438CA0749C9D2B665E27E10EF988AE795EF699E336E3B0662E373C437B6FE146D91CC636415B8EC625E02A15313BF3DAC5A202BF2C7412C971F526761E876E817058947185852C25E314522B32177E8CDFBA3D49BC533AB1E0F492BEFE402BF54E9E942D059259DB44D9E65725DF1F1245DC16DA9BFE504D0E40220D7ABC5B9B75CCF4D7E070743B91C155AF749E6448C2394849681522F3C3F4332EA9DD2564A36498FDE083E733BEE6E60560B46E719F4CEFE2A762BBAC05D659C194ED57153644EA9FC40FD7C7447820544D535297021C87D5960A19C54F786DDFA7116C7CB164BBA6925AA1AD296FB0E2318D36092E936A21C8EC3FB15B67E05F9688221E9DDA85853F904AF7A298B84A7F8A1B69DC48B9F0FF1DF6667DE3FC5C4D84FED9DDB9F89992CFF48C6BF57628E19A750C0FC9B227488B8C890FB586E5ECEF04F66EFDED25313BFF792F69A5E45A35E2F1BE115006861C963454BAFC19ED2EA287E7B86836DEA47BE414652B4221A926A756A3485F8D7F6899D8A5E8E1D577BA6CD9DA5CC375A96C404C73CB0DF99E926FD719CD7B951D3DAAB1B8CBB2404D13D6B735A226995B7742486F02BE37B63D400000004CE2D6554092F2DD639CE5795D4F17340D1F811734A3DEBE8EE7316B759740F31EA51EE78516C252068B05BA7A5B5DDC7D0CA41CBE94C4A3FE516C1872E5C0AA
(PID) Process:(6364) WerFault.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
Operation:writeName:DeviceId
Value:
0018C00CDC5C2937
(PID) Process:(6364) WerFault.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
Operation:writeName:ApplicationFlags
Value:
1
Executable files
0
Suspicious files
1
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
6364WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERFE08.tmp.dmpbinary
MD5:
SHA256:
6364WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER27D.tmp.WERInternalMetadata.xmlxml
MD5:
SHA256:
6364WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER388.tmp.xmlxml
MD5:
SHA256:
6364WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_c5e19b4aa3f82436_64af8380507ec3f086b8ed282a44c2e75030bd2e_0b3328d9_b6a3d84e-5253-44c9-aa4a-c208cdfd73ce\Report.wer
MD5:
SHA256:
6364WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\c5e19b4aa3f82436910d009a5f36bdddf44314f6a68f6cd9314d6b958382d9fc.exe.3196.dmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
31
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3996
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
4468
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D
unknown
unknown
5112
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown
5112
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4828
svchost.exe
239.255.255.250:1900
unknown
3996
svchost.exe
40.126.31.71:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4084
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1280
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3996
svchost.exe
192.229.221.95:80
EDGECAST
US
whitelisted
6364
WerFault.exe
52.168.117.173:443
umwatson.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
6560
AddInProcess32.exe
85.13.147.213:587
v116306.kasserver.com
Neue Medien Muennich GmbH
DE
unknown
3996
svchost.exe
20.190.159.64:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1072
backgroundTaskHost.exe
104.126.37.155:443
www.bing.com
Akamai International B.V.
DE
unknown
1280
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
umwatson.events.data.microsoft.com
  • 52.168.117.173
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
v116306.kasserver.com
  • 85.13.147.213
unknown
www.bing.com
  • 104.126.37.155
  • 104.126.37.131
  • 104.126.37.139
  • 104.126.37.123
  • 104.126.37.153
  • 104.126.37.130
  • 104.126.37.137
  • 104.126.37.144
  • 104.126.37.154
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
slscr.update.microsoft.com
  • 40.68.123.157
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
c5e19b4aa3f82436910d009a5f36bdddf44314f6a68f6cd9314d6b958382d9fc.exe