File name:

Sigmanly_eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc

Full analysis: https://app.any.run/tasks/29c46ef4-57cb-4dd9-8e06-c23104217585
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: May 15, 2025, 16:49:30
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
formbook
stealer
netreactor
xloader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

A53B9359519E75D2661F3E2AB2721FCE

SHA1:

4A1649E95FE665BEFCC8962B60086920B72945DC

SHA256:

EBA602F26CA14D5E494059001ECF363110BA504D9E0184B8ABFA45905BD650CC

SSDEEP:

24576:/OZ9enanQtbhhhm37CpcZP29Di4adyL5boewOh0GkkjY39xonKF9O5JYqse5QTUx:2Z9enanQtbhhhm37CpcZP29Di4adyL5X

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • Sigmanly_eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc.exe (PID: 7676)

    • FORMBOOK has been detected

      • msiexec.exe (PID: 664)

    • FORMBOOK has been detected (YARA)

      • msiexec.exe (PID: 664)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • Sigmanly_eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc.exe (PID: 7676)

    • Process drops legitimate windows executable

      • Sigmanly_eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc.exe (PID: 7676)

    • The process executes via Task Scheduler

      • default-browser-agent.exe (PID: 7948)

    • Loads DLL from Mozilla Firefox

      • default-browser-agent.exe (PID: 7948)

    • Executable content was dropped or overwritten

      • Sigmanly_eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc.exe (PID: 7676)

    • Reads security settings of Internet Explorer

      • Sigmanly_eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc.exe (PID: 7676)

    • Starts CMD.EXE for commands execution

      • msiexec.exe (PID: 664)

    • Deletes system .NET executable

      • cmd.exe (PID: 7508)

  • INFO

    • Checks supported languages

      • Sigmanly_eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc.exe (PID: 7676)
      • default-browser-agent.exe (PID: 7948)
      • RegSvcs.exe (PID: 1348)

    • Reads the computer name

      • Sigmanly_eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc.exe (PID: 7676)
      • RegSvcs.exe (PID: 1348)

    • Reads the machine GUID from the registry

      • Sigmanly_eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc.exe (PID: 7676)

    • Application launched itself

      • firefox.exe (PID: 7968)

    • .NET Reactor protector has been detected

      • Sigmanly_eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc.exe (PID: 7676)

    • Creates files or folders in the user directory

      • Sigmanly_eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc.exe (PID: 7676)

    • Create files in a temporary directory

      • Sigmanly_eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc.exe (PID: 7676)

    • Process checks computer location settings

      • Sigmanly_eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc.exe (PID: 7676)

    • Manual execution by a user

      • msiexec.exe (PID: 664)

    • Checks proxy server information

      • slui.exe (PID: 6488)

    • Reads the software policy settings

      • slui.exe (PID: 6488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Formbook

(PID) Process(664) msiexec.exe
C2www.2345bgnrty.lol/kp18/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
Decoy C2 (64)nsitechsolatam.net
ubliccnfdcbqae.xyz
lus-size-swimsuit.today
ntelligenceplatform.xyz
ataleague.xyz
oyle-lawgroup.online
eforcertx5090.shop
arveno.online
ndreas-marketing.xyz
eltatechnologies.info
tp-jos178-a1.online
lexacons.net
ahamasskate.xyz
asereward.cloud
romof.irish
3groupe.business
devgirdi.cfd
naycrystalsava.shop
perturear.xyz
egapromodealsdirect.world
erityhub.tech
raft-opia.app
ishlist.run
jhekite.shop
aminvip3210.sbs
omfortemporium.online
avada129.casino
odeinfra.xyz
ordphanter.info
arkettelligence.net
ealallergystudyhall.online
tfe2f.shop
ncryptchat.xyz
ochafariasbusiness.online
asternky.university
mallelectricarsgb.bond
alancedteam.info
ridgingruralcommunities.net
etrev.world
vatardesigns.xyz
eomappa.net
rimeone.fun
nipers.digital
iami-florida-county.cfd
implyhome.info
iomar.biz
pblanket.xyz
ar79872479489.today
itness-center-id-5619388.world
hatchadoin.net
rca-nc-test-13.fyi
eaconfactory.xyz
sghgs.xyz
ailis.cfd
ronbloodtattoos.net
b-us-stone-panels-27f.today
arehouse-jobs-52853.bond
oogleplay.xyz
egapersoneaals.online
usclecarsales.online
gkdemy.net
ouasd.xyz
ercowboy.net
isneyai.online
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (72.2)
.scr | Windows screen saver (12.9)
.dll | Win32 Dynamic Link Library (generic) (6.4)
.exe | Win32 Executable (generic) (4.4)
.exe | Generic Win/DOS Executable (1.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:12 06:43:39+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 631296
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0x9c046
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Microsoft Corporation
FileDescription: Quick Assist
FileVersion: 1.0.0.0
InternalName: weui.exe
LegalCopyright: Copyright © Microsoft Corporation. All rights reserved.
LegalTrademarks: -
OriginalFileName: weui.exe
ProductName: Quick Assist
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
11
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start sigmanly_eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc.exe default-browser-agent.exe no specs firefox.exe no specs firefox.exe no specs schtasks.exe no specs conhost.exe no specs regsvcs.exe no specs #FORMBOOK msiexec.exe no specs cmd.exe no specs conhost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
664"C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Formbook
(PID) Process(664) msiexec.exe
C2www.2345bgnrty.lol/kp18/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
Decoy C2 (64)nsitechsolatam.net
ubliccnfdcbqae.xyz
lus-size-swimsuit.today
ntelligenceplatform.xyz
ataleague.xyz
oyle-lawgroup.online
eforcertx5090.shop
arveno.online
ndreas-marketing.xyz
eltatechnologies.info
tp-jos178-a1.online
lexacons.net
ahamasskate.xyz
asereward.cloud
romof.irish
3groupe.business
devgirdi.cfd
naycrystalsava.shop
perturear.xyz
egapromodealsdirect.world
erityhub.tech
raft-opia.app
ishlist.run
jhekite.shop
aminvip3210.sbs
omfortemporium.online
avada129.casino
odeinfra.xyz
ordphanter.info
arkettelligence.net
ealallergystudyhall.online
tfe2f.shop
ncryptchat.xyz
ochafariasbusiness.online
asternky.university
mallelectricarsgb.bond
alancedteam.info
ridgingruralcommunities.net
etrev.world
vatardesigns.xyz
eomappa.net
rimeone.fun
nipers.digital
iami-florida-county.cfd
implyhome.info
iomar.biz
pblanket.xyz
ar79872479489.today
itness-center-id-5619388.world
hatchadoin.net
rca-nc-test-13.fyi
eaconfactory.xyz
sghgs.xyz
ailis.cfd
ronbloodtattoos.net
b-us-stone-panels-27f.today
arehouse-jobs-52853.bond
oogleplay.xyz
egapersoneaals.online
usclecarsales.online
gkdemy.net
ouasd.xyz
ercowboy.net
isneyai.online
1348"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSigmanly_eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
4688"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZBxdVyTKxpy" /XML "C:\Users\admin\AppData\Local\Temp\tmp2577.tmp"C:\Windows\SysWOW64\schtasks.exeSigmanly_eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6488C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7300\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7496\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7508/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\SysWOW64\cmd.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
7676"C:\Users\admin\Desktop\Sigmanly_eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc.exe" C:\Users\admin\Desktop\Sigmanly_eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Quick Assist
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\sigmanly_eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
7948"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task "308046B0AF4A39CB"C:\Program Files\Mozilla Firefox\default-browser-agent.exesvchost.exe
User:
admin
Company:
Mozilla Foundation
Integrity Level:
MEDIUM
Exit code:
2147500037
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\default-browser-agent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
7968"C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent do-task 308046B0AF4A39CBC:\Program Files\Mozilla Firefox\firefox.exedefault-browser-agent.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
3
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
Total events
4 660
Read events
4 659
Write events
1
Delete events
0

Modification events

(PID) Process:(7988) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
Executable files
1
Suspicious files
4
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
7988firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\93u99co2.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\prefs.jstext
MD5:E83A05E815F2A6C4499BFCB56CA13043
SHA256:3256F75458D539FCD3C0DB6AFD1E6FF5FBE26D99CE960559245658A2117AA424
7988firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\93u99co2.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\prefs-1.jstext
MD5:E83A05E815F2A6C4499BFCB56CA13043
SHA256:3256F75458D539FCD3C0DB6AFD1E6FF5FBE26D99CE960559245658A2117AA424
7988firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\93u99co2.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\datareporting\glean\db\data.safe.binbinary
MD5:7D3D11283370585B060D50A12715851A
SHA256:86BFF840E1BEC67B7C91F97F4D37E3A638C5FDC7B56AAE210B01745F292347B9
7676Sigmanly_eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc.exeC:\Users\admin\AppData\Local\Temp\tmp2577.tmpxml
MD5:87185D23195632762533D32818453FE6
SHA256:A8FE50E92FF6DA6712B98D1FA2416000D931CAF3F27981FFECD0D0238A6BECA8
7676Sigmanly_eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc.exeC:\Users\admin\AppData\Roaming\ZBxdVyTKxpy.exeexecutable
MD5:A53B9359519E75D2661F3E2AB2721FCE
SHA256:EBA602F26CA14D5E494059001ECF363110BA504D9E0184B8ABFA45905BD650CC
7988firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\93u99co2.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\datareporting\glean\db\data.safe.tmpbinary
MD5:7D3D11283370585B060D50A12715851A
SHA256:86BFF840E1BEC67B7C91F97F4D37E3A638C5FDC7B56AAE210B01745F292347B9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
22
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.48.23.145:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
23.48.23.145:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
7444
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6488
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.46
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.48.23.145
  • 23.48.23.188
  • 23.48.23.134
  • 23.48.23.140
  • 23.48.23.193
  • 23.48.23.181
  • 23.48.23.191
  • 23.48.23.185
  • 23.48.23.144
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
www.arkettelligence.net
unknown
www.egapromodealsdirect.world
unknown
www.implyhome.info
unknown
www.ar79872479489.today
unknown
www.vatardesigns.xyz
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Sigmanly_eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc