File name:

plugmimier.exe

Full analysis: https://app.any.run/tasks/35322fde-c42d-4ed7-83e7-cc176cfe8b12
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and records every keystroke made on the device. This lets attackers collect victims' personal information, which may include online banking credentials and private conversations. The most common infection vector is a phishing email or link. Keylogging functionality is also often built into remote access trojans as part of a wider set of malicious tools.

Analysis date: December 02, 2023, 11:20:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: keylogger, remcos
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: C47D7C6A2152F8920827706ED1792B44
SHA1: 0BD18BA2B49CAB8B9F86A301047E4909F3F080FE
SHA256: EE6213DBB899250662C38091974BAC9E7DFE549A969AFAF5E79ECE10EBABA2B8
SSDEEP: 12288:sSwC6DC6lOTyVK5pEeHCyTYXHcXQKN0ygnfD+d670RR+JD1u0tEc24w3nBKGhL:xaiTyWtHTtf0ygf90y1ubSw3noGhL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • REMCOS has been detected (YARA)
      • plugmimier.exe (PID: 1420)
  • SUSPICIOUS
    • Application launched itself
      • plugmimier.exe (PID: 2144)
    • Writes files like Keylogger logs
      • plugmimier.exe (PID: 1420)
    • Connects to unusual port
      • plugmimier.exe (PID: 1420)
  • INFO
    • Checks supported languages
      • plugmimier.exe (PID: 2144)
      • plugmimier.exe (PID: 1420)
      • wmpnscfg.exe (PID: 292)
    • Manual execution by a user
      • firefox.exe (PID: 2964)
      • WINWORD.EXE (PID: 3816)
      • wmpnscfg.exe (PID: 292)
    • Reads the computer name
      • plugmimier.exe (PID: 2144)
      • plugmimier.exe (PID: 1420)
      • wmpnscfg.exe (PID: 292)
    • Reads the machine GUID from the registry
      • plugmimier.exe (PID: 2144)
    • Application launched itself
      • firefox.exe (PID: 604)
      • firefox.exe (PID: 2964)
    • Reads Environment values
      • plugmimier.exe (PID: 1420)
    • Reads product name
      • plugmimier.exe (PID: 1420)
    • Creates files in the program directory
      • plugmimier.exe (PID: 1420)

Remcos configuration

(PID) Process: (1420) plugmimier.exe
C2 (1): seanblacin.sytes.net:6110
Botnet: Htfruning

Options
Connect_interval: 1
Install_flag: False
Install_HKCU\Run: True
Install_HKLM\Run: True
Install_HKLM\Explorer\Run: 1
Install_HKLM\Winlogon\Shell: 100000
Setup_path: %LOCALAPPDATA%
Copy_file: htfruning.exe
Startup_value: False
Hide_file: False
Mutex_name: Rmc-BIDEV2
Keylog_flag: 1
Keylog_path: %LOCALAPPDATA%
Keylog_file: logs.dat
Keylog_crypt: False
Hide_keylog: False
Screenshot_flag: False
Screenshot_time: 5
Take_Screenshot: False
Screenshot_path: %APPDATA%
Screenshot_file: Screenshots
Screenshot_crypt: False
Mouse_option: False
Delete_file: False
Audio_record_time: 5
Audio_path: %ProgramFiles%
Audio_dir: MicRecords
Connect_delay: 0
Copy_dir: Htfruning
Keylog_dir: htfruning

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2046:06:02 13:16:39+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 997376
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0xf572a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: QL-NhaSachMini
FileVersion: 1.0.0.0
InternalName: SsKu.exe
LegalCopyright: Copyright © 2020
LegalTrademarks: -
OriginalFileName: SsKu.exe
ProductName: QL-NhaSachMini
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
All screenshots are available in the full report
Total processes: 51
Monitored processes: 14
Malicious processes: 2
Suspicious processes: 0

Behavior graph

(Interactive process graph not reproduced here; nodes shown: plugmimier.exe, winword.exe, firefox.exe and its child processes, the REMCOS-flagged plugmimier.exe, and wmpnscfg.exe.)

Process information

PID: 292
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 604
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
PID: 1420
CMD: "C:\Users\admin\AppData\Local\Temp\plugmimier.exe"
Path: C:\Users\admin\AppData\Local\Temp\plugmimier.exe
Parent process: plugmimier.exe
User:
admin
Integrity Level:
MEDIUM
Description:
QL-NhaSachMini
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\plugmimier.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1992
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.4.1482125591\215599117" -childID 3 -isForBrowser -prefsHandle 3732 -prefMapHandle 3728 -prefsLen 29209 -prefMapSize 244195 -jsInitHandle 892 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f93939a-aaf7-488c-80e3-ff4775d14ec1} 604 "\\.\pipe\gecko-crash-server-pipe.604" 3744 176f7840 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
PID: 2144
CMD: "C:\Users\admin\AppData\Local\Temp\plugmimier.exe"
Path: C:\Users\admin\AppData\Local\Temp\plugmimier.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
QL-NhaSachMini
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\plugmimier.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 2316
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.1.417989672\802355290" -parentBuildID 20230710165010 -prefsHandle 1396 -prefMapHandle 1392 -prefsLen 28600 -prefMapSize 244195 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c183037b-4ba7-410e-82c0-50b17f0960bb} 604 "\\.\pipe\gecko-crash-server-pipe.604" 1408 d317cf0 socket
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
PID: 2860
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.0.179365084\223036097" -parentBuildID 20230710165010 -prefsHandle 1100 -prefMapHandle 1092 -prefsLen 28523 -prefMapSize 244195 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebc1f6d7-d5d9-4c27-9e3c-c1e8ac833cf1} 604 "\\.\pipe\gecko-crash-server-pipe.604" 1172 d3a9000 gpu
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
1
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
PID: 2964
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
PID: 3316
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.2.134381919\925967982" -childID 1 -isForBrowser -prefsHandle 2040 -prefMapHandle 2036 -prefsLen 28777 -prefMapSize 244195 -jsInitHandle 892 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {beb18809-ba76-40d2-ba25-b91ecbc95341} 604 "\\.\pipe\gecko-crash-server-pipe.604" 2056 127c3560 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
PID: 3740
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="604.6.374665841\153513377" -childID 5 -isForBrowser -prefsHandle 4072 -prefMapHandle 4068 -prefsLen 29209 -prefMapSize 244195 -jsInitHandle 892 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c9b261e-f019-40dd-9585-618af3c937de} 604 "\\.\pipe\gecko-crash-server-pipe.604" 4044 176f79b0 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
Total events: 12 368
Read events: 12 148
Write events: 69
Delete events: 151

Modification events

(PID) Process: (3816) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write

Name | Value
1033 | On
1041 | On
1046 | On
1036 | On
1031 | On
1040 | On
1049 | On
3082 | On
1042 | On
1055 | On
Executable files: 1
Suspicious files: 161
Text files: 27
Unknown types: 0

Dropped files

PID: 3816 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRA0C8.tmp.cvr
MD5:
SHA256:

PID: 3816 | Process: WINWORD.EXE | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
MD5: 8E549F8565AB304515F45DCC2297E0BB
SHA256: A85344CA148DE59D82E7FE5DF323D09350BE9C449751042973AA265B6713C3F9

PID: 3816 | Process: WINWORD.EXE | Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\msohtmlclip1\01\clip_themedata.thmx
MD5: 2B26E4DD316F857EBB6E2B6B0E1E0282
SHA256: 40BB5B5897D76A8EEFB7136E658BDDAA65F094C9689B931A78A01601F9EE02CB

PID: 3816 | Process: WINWORD.EXE | Type: document
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0000.docx
MD5: 435BEEACE0E2A1DAE18689587DECFFF6
SHA256: C80ABCFB39464892C9BB8159443E4D71BA01515C938AB56F38D24AADDCA83124

PID: 3816 | Process: WINWORD.EXE | Type: document
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0002.docx
MD5: B85D076C43DED12FD348676B268CA741
SHA256: B253CF0F7FF1E937B05144D8950AEFC184E7B11CFC0DEB77D564D9C5632AEADB

PID: 3816 | Process: WINWORD.EXE | Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~$RD0000.docx
MD5: B04C9D4DF2D675909D6F497EE416D9E7
SHA256: 5F8AC337A797D2AC806F9C22E4739111B728FEA85CD82232ED1EEA22EBA7C466

PID: 3816 | Process: WINWORD.EXE | Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3F64EC8B-76BD-4DCF-A4F8-49C6F9AE3B8C}.tmp
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1

PID: 604 | Process: firefox.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin
MD5: B7A3C61D0C144CC5E166B1E769CA8F8C
SHA256: 7FADCB77FFACA6B9E9F15C6F1CD3AAD4C20DCD90FA92429A627A3A7110CA2644

PID: 3816 | Process: WINWORD.EXE | Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{0973A3CB-C658-4D68-B0A1-43824CD5E858}.tmp
MD5: 642E5EBA44F3351032C6A44D829EBA06
SHA256: 8491C60861428D29C434D70C83CAEE7C193374A587C85D2CF371BF2B3ACE8CBE

PID: 3816 | Process: WINWORD.EXE | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\matteroverview.rtf.LNK
MD5: 4BFF860B16AB11AFD5E817DD04A9B14F
SHA256: B2FE3DE4208DD05341916DBF67B6E3453746A254CD43D9732AE9BB1CD3DD1054
HTTP(S) requests: 16
TCP/UDP connections: 92
DNS requests: 119
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
604 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | text | 90 b | unknown
604 | firefox.exe | POST | 200 | 142.250.186.131:80 | http://ocsp.pki.goog/gts1c3 | unknown | binary | 472 b | unknown
604 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | text | 8 b | unknown
604 | firefox.exe | POST | 200 | 184.24.77.62:80 | http://r3.o.lencr.org/ | unknown | binary | 503 b | unknown
604 | firefox.exe | POST | 200 | 184.24.77.62:80 | http://r3.o.lencr.org/ | unknown | binary | 503 b | unknown
604 | firefox.exe | POST | 200 | 142.250.186.131:80 | http://ocsp.pki.goog/gts1c3 | unknown | binary | 472 b | unknown
604 | firefox.exe | POST | 200 | 18.245.65.219:80 | http://ocsp.r2m02.amazontrust.com/ | unknown | binary | 471 b | unknown
604 | firefox.exe | POST | 200 | 184.24.77.62:80 | http://r3.o.lencr.org/ | unknown | binary | 503 b | unknown
604 | firefox.exe | POST | 200 | 184.24.77.62:80 | http://r3.o.lencr.org/ | unknown | binary | 503 b | unknown
604 | firefox.exe | POST | 200 | 142.250.186.131:80 | http://ocsp.pki.goog/gts1c3 | unknown | binary | 471 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
604 | firefox.exe | 142.250.184.234:443 | safebrowsing.googleapis.com | - | - | whitelisted
604 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | GOOGLE | US | whitelisted
604 | firefox.exe | 34.120.115.102:443 | contile-images.services.mozilla.com | GOOGLE-CLOUD-PLATFORM | US | unknown
604 | firefox.exe | 34.117.237.239:443 | contile.services.mozilla.com | GOOGLE-CLOUD-PLATFORM | US | unknown
604 | firefox.exe | 142.250.186.131:80 | ocsp.pki.goog | GOOGLE | US | whitelisted
604 | firefox.exe | 34.233.191.125:443 | spocs.getpocket.com | AMAZON-AES | US | unknown

DNS requests

Domain
IP
Reputation
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
example.org
  • 93.184.216.34
whitelisted
ipv4only.arpa
  • 192.0.0.170
  • 192.0.0.171
whitelisted
contile.services.mozilla.com
  • 34.117.237.239
whitelisted
spocs.getpocket.com
  • 34.233.191.125
  • 54.81.250.249
  • 52.70.65.106
  • 34.204.4.120
shared
proxyserverecs-1736642167.us-east-1.elb.amazonaws.com
  • 52.70.65.106
  • 34.204.4.120
  • 54.81.250.249
  • 34.233.191.125
shared
firefox.settings.services.mozilla.com
  • 34.149.100.209
whitelisted
prod.remote-settings.prod.webservices.mozgcp.net
  • 34.149.100.209
whitelisted
r3.o.lencr.org
  • 184.24.77.62
  • 184.24.77.54
  • 184.24.77.46
shared

Threats

PID | Process | Class | Message
1080 | svchost.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.sytes.net Domain