URL:

packetshare.io

Full analysis: https://app.any.run/tasks/79368e53-3879-441b-b03d-35942eac2499
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: August 14, 2024, 10:10:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
pua
adware
Indicators:
MD5:

B5388F6ACD3E3112967BD108C919D5B6

SHA1:

48066899A2EBCE541EB11437943966CCD280F407

SHA256:

220AA026279C9605C2535CBE6C44F940DAE4354F7807AC509056DE55DF1D4749

SSDEEP:

3:lwN/LMK:lwN/LMK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ADWARE has been detected (SURICATA)

      • firefox.exe (PID: 6672)
    • Changes the autorun value in the registry

      • Install.exe (PID: 7208)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • packetshare_win_1.0.23.exe (PID: 6700)
      • Install.exe (PID: 7208)
    • The process drops C-runtime libraries

      • packetshare_win_1.0.23.exe (PID: 6700)
      • Install.exe (PID: 7208)
    • Reads the date of Windows installation

      • packetshare_win_1.0.23.exe (PID: 6700)
    • Reads security settings of Internet Explorer

      • packetshare_win_1.0.23.exe (PID: 6700)
      • Install.exe (PID: 7208)
    • Process drops legitimate windows executable

      • packetshare_win_1.0.23.exe (PID: 6700)
      • Install.exe (PID: 7208)
    • Uses TASKKILL.EXE to kill process

      • Install.exe (PID: 7208)
    • Uses WMIC.EXE to obtain Windows Installer data

      • Install.exe (PID: 7208)
    • Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)

      • Install.exe (PID: 7208)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 8136)
    • Creates file in the systems drive root

      • Install.exe (PID: 7208)
    • Executable content was dropped or overwritten

      • Install.exe (PID: 7208)
      • packetshare_win_1.0.23.exe (PID: 6700)
    • Creates a software uninstall entry

      • Install.exe (PID: 7208)
    • Searches for installed software

      • Install.exe (PID: 7208)
      • explorer.exe (PID: 6552)
  • INFO

    • Checks supported languages

      • packetshare_win_1.0.23.exe (PID: 6700)
      • Install.exe (PID: 7208)
      • PacketShare.exe (PID: 7648)
      • TextInputHost.exe (PID: 6496)
    • Executable content was dropped or overwritten

      • firefox.exe (PID: 6672)
    • Application launched itself

      • firefox.exe (PID: 6596)
      • firefox.exe (PID: 6672)
    • Reads Microsoft Office registry keys

      • firefox.exe (PID: 6672)
    • Reads the computer name

      • packetshare_win_1.0.23.exe (PID: 6700)
      • Install.exe (PID: 7208)
      • PacketShare.exe (PID: 7648)
      • TextInputHost.exe (PID: 6496)
    • Process checks computer location settings

      • packetshare_win_1.0.23.exe (PID: 6700)
    • Create files in a temporary directory

      • packetshare_win_1.0.23.exe (PID: 6700)
      • Install.exe (PID: 7208)
      • PacketShare.exe (PID: 7648)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 8136)
      • WMIC.exe (PID: 7288)
      • explorer.exe (PID: 6552)
    • Creates files or folders in the user directory

      • Install.exe (PID: 7208)
    • Creates files in the program directory

      • Install.exe (PID: 7208)
    • The process uses the downloaded file

      • firefox.exe (PID: 6672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
167
Monitored processes
27
Malicious processes
4
Suspicious processes
1

Behavior graph

start firefox.exe no specs #ADWARE firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs packetshare_win_1.0.23.exe no specs packetshare_win_1.0.23.exe textinputhost.exe no specs explorer.exe no specs COpenControlPanel no specs install.exe taskkill.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs packetshare.exe COpenControlPanel no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
3996
CMD:
C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
Path:
C:\Windows\SysWOW64\dllhost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
PID:
4344
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5376 -childID 3 -isForBrowser -prefsHandle 5432 -prefMapHandle 5180 -prefsLen 36339 -prefMapSize 244343 -jsInitHandle 1380 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {140b1568-62a1-4966-84e4-6b6122398ef0} 6672 "\\.\pipe\gecko-crash-server-pipe.6672" 2468f45ba10 tab
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID:
5088
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4980 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 4908 -prefMapHandle 5164 -prefsLen 36339 -prefMapSize 244343 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d41c409-6752-4f01-a93e-f8cf1da4302d} 6672 "\\.\pipe\gecko-crash-server-pipe.6672" 2468fb89310 utility
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID:
6184
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5768 -childID 4 -isForBrowser -prefsHandle 5656 -prefMapHandle 5736 -prefsLen 31161 -prefMapSize 244343 -jsInitHandle 1380 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab1d0870-b785-4a02-ba0a-a659e9216036} 6672 "\\.\pipe\gecko-crash-server-pipe.6672" 246919b6a10 tab
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID:
6208
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5988 -childID 5 -isForBrowser -prefsHandle 5908 -prefMapHandle 5916 -prefsLen 31161 -prefMapSize 244343 -jsInitHandle 1380 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6be73f6-303c-41f0-b47d-e18672ce3239} 6672 "\\.\pipe\gecko-crash-server-pipe.6672" 246919b6bd0 tab
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID:
6216
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6128 -childID 6 -isForBrowser -prefsHandle 6136 -prefMapHandle 6140 -prefsLen 31161 -prefMapSize 244343 -jsInitHandle 1380 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2eea5026-c7b1-49ab-9690-5f0fc27abe3c} 6672 "\\.\pipe\gecko-crash-server-pipe.6672" 246919b6d90 tab
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID:
6336
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4424 -childID 2 -isForBrowser -prefsHandle 4416 -prefMapHandle 4412 -prefsLen 36263 -prefMapSize 244343 -jsInitHandle 1380 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6743fea9-3bec-4362-bcc8-2905b5ac5aa3} 6672 "\\.\pipe\gecko-crash-server-pipe.6672" 2468c6b4a10 tab
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID:
6496
CMD:
"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
Path:
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Version:
123.26505.0.0
Modules
Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID:
6552
CMD:
C:\WINDOWS\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
Path:
C:\Windows\explorer.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\twinapi.dll
PID:
6596
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" "packetshare.io"
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
c:\program files\mozilla firefox\vcruntime140.dll
Total events
81 313
Read events
81 031
Write events
267
Delete events
15

Modification events

(PID) Process:
(6596) firefox.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation:
write
Name:
C:\Program Files\Mozilla Firefox\firefox.exe|Launcher
Value:
37CA44C800000000
(PID) Process:
(6672) firefox.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation:
write
Name:
C:\Program Files\Mozilla Firefox\firefox.exe|Browser
Value:
E16146C800000000
(PID) Process:
(6672) firefox.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:
write
Name:
C:\Program Files\Mozilla Firefox\firefox.exe|Progress
Value:
0
(PID) Process:
(6672) firefox.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:
write
Name:
C:\Program Files\Mozilla Firefox\firefox.exe|Progress
Value:
1
(PID) Process:
(6672) firefox.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Installer\308046B0AF4A39CB
Operation:
delete value
Name:
installer.taskbarpin.win10.enabled
Value:
(PID) Process:
(6672) firefox.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation:
write
Name:
C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry
Value:
0
(PID) Process:
(6672) firefox.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:
write
Name:
C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process:
(6672) firefox.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:
write
Name:
C:\Program Files\Mozilla Firefox\firefox.exe|Theme
Value:
1
(PID) Process:
(6672) firefox.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:
write
Name:
C:\Program Files\Mozilla Firefox\firefox.exe|Enabled
Value:
1
(PID) Process:
(6672) firefox.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Default Browser Agent
Operation:
write
Name:
C:\Program Files\Mozilla Firefox|DisableTelemetry
Value:
1
Executable files
131
Suspicious files
887
Text files
1 475
Unknown types
12

Dropped files

PID
Process
Filename
Type
PID:
6672
Process:
firefox.exe
Filename:
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
Type:
binary
MD5:
B7C14EC6110FA820CA6B65F5AEC85911
SHA256:
FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
PID:
6672
Process:
firefox.exe
Filename:
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:
PID:
6672
Process:
firefox.exe
Filename:
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmp
Type:
binary
MD5:
EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:
792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
PID:
6672
Process:
firefox.exe
Filename:
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.js
Type:
text
MD5:
8D726821EEA764776D8A9918B69CA215
SHA256:
A3F329BBE12159E2D10039D1CA3FA99AD11CD002E39D47F1C4B8BEA7F7221F3C
PID:
6672
Process:
firefox.exe
Filename:
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm
Type:
binary
MD5:
B7C14EC6110FA820CA6B65F5AEC85911
SHA256:
FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
PID:
6672
Process:
firefox.exe
Filename:
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
Type:
binary
MD5:
B7C14EC6110FA820CA6B65F5AEC85911
SHA256:
FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
PID:
6672
Process:
firefox.exe
Filename:
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
Type:
binary
MD5:
B7C14EC6110FA820CA6B65F5AEC85911
SHA256:
FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
PID:
6672
Process:
firefox.exe
Filename:
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\datareporting\glean\db\data.safe.bin
Type:
binary
MD5:
D30F5B10F3D4B3992E4D666F622163F4
SHA256:
2585819A7401A308DA879FA416278E473CEA5F6D0D24C59F514C5A698C61D03A
PID:
6672
Process:
firefox.exe
Filename:
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\AlternateServices.bin
Type:
binary
MD5:
197C158E1180857516B0E66F83C3C0B7
SHA256:
9A86A92B1F2AA773B7CA7BBCC3674C8A79EFF8A9D5802A1921B8422F06708B2A
PID:
6672
Process:
firefox.exe
Filename:
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cert9.db
Type:
binary
MD5:
461588F19A1E8CA68DE5402A856C60BF
SHA256:
8DA94309046D50A3FE4133855E6E483C48CDC67F6899039B509B6D52B42F58CF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
34
TCP/UDP connections
122
DNS requests
163
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6672
firefox.exe
POST
200
23.53.40.161:80
http://r10.o.lencr.org/
unknown
unknown
4316
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6672
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6672
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
6672
firefox.exe
POST
200
23.53.40.161:80
http://r11.o.lencr.org/
unknown
unknown
6672
firefox.exe
GET
301
188.114.97.3:80
http://packetshare.io/
unknown
whitelisted
6672
firefox.exe
POST
200
142.250.185.163:80
http://o.pki.goog/wr2
unknown
unknown
6672
firefox.exe
POST
200
23.53.40.161:80
http://r10.o.lencr.org/
unknown
unknown
6672
firefox.exe
POST
200
23.53.40.161:80
http://r10.o.lencr.org/
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2804
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
2120
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5336
SearchApp.exe
104.126.37.123:443
www.bing.com
Akamai International B.V.
DE
unknown
3260
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4316
svchost.exe
20.190.159.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5336
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4316
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 142.250.184.206
whitelisted
www.bing.com
  • 104.126.37.123
  • 104.126.37.170
  • 104.126.37.168
  • 104.126.37.184
  • 104.126.37.163
  • 104.126.37.128
  • 104.126.37.177
  • 104.126.37.178
  • 104.126.37.171
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.73
  • 40.126.31.69
  • 20.190.159.0
  • 20.190.159.2
  • 20.190.159.71
  • 20.190.159.4
  • 40.126.31.73
  • 40.126.31.67
whitelisted
th.bing.com
  • 104.126.37.177
  • 104.126.37.170
  • 104.126.37.163
  • 104.126.37.168
  • 104.126.37.161
  • 104.126.37.178
  • 104.126.37.171
  • 104.126.37.162
  • 104.126.37.184
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
packetshare.io
  • 188.114.97.3
  • 188.114.96.3
unknown
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted

Threats

PID
Process
Class
Message
2256
svchost.exe
Misc activity
ET ADWARE_PUP DNS Query to PacketShare Proxy API Domain (api .packetshare .io)
2256
svchost.exe
Misc activity
ET ADWARE_PUP DNS Query to PacketShare Proxy API Domain (api .packetshare .io)
2256
svchost.exe
Misc activity
ET ADWARE_PUP DNS Query to PacketShare Proxy API Domain (api .packetshare .io)
6672
firefox.exe
Misc activity
ET ADWARE_PUP Observed PacketShare Proxy Domain Domain (api .packetshare .io in TLS SNI)
2256
svchost.exe
Misc activity
ET ADWARE_PUP DNS Query to PacketShare Proxy API Domain (api .packetshare .io)
Process
Message
Install.exe
systemHide cmd: "taskkill /F /IM PacketShare.exe"
Install.exe
systemHide result: "ERROR: The process \"PacketShare.exe\" not found.\r\n"
Install.exe
ConfigLocation "C:/Users/admin/AppData/Local/Install"
Install.exe
DownloadLocation "C:/Users/admin/Downloads"
Install.exe
AppDataLocation ---use this place--- "C:/Users/admin/AppData/Roaming/Install"
Install.exe
AppConfigLocation "C:/Users/admin/AppData/Local/Install"
Install.exe
AppLocalDataLocation "C:/Users/admin/AppData/Local/Install"
Install.exe
read PSData.json null
Install.exe
line: "{\n"
Install.exe
line: " \"channel\": \"official\"\n"