URL:

http://tinurli.com/1x3i1x

Full analysis: https://app.any.run/tasks/36d999fa-c9a4-4a6e-8af3-3646dc2b3131
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: May 18, 2025, 19:57:30
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
adware
downloadassistant
inno
installer
delphi
loader
neoreklami
Indicators:
MD5:

E42A62EBB6D316D734F1F53B1B98489F

SHA1:

4BD9075E583AEC14E62BE1B382A1C5F614525427

SHA256:

28B65216ECCD4B6A56F6BC0D2127354653E0DB317C7CEE46A65C94BEF6CF88A5

SSDEEP:

3:N1KKMWKGK3EY:CKcdUY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ADWARE has been detected (SURICATA)

      • duplicatefilessearch35.exe (PID: 2904)
      • rundll32.exe (PID: 5304)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2908)
      • powershell.exe (PID: 1116)
      • powershell.exe (PID: 8976)
      • powershell.exe (PID: 6644)
      • powershell.exe (PID: 7628)
      • powershell.exe (PID: 2564)
      • powershell.exe (PID: 6244)
    • Uses WMIC.EXE to add exclusions to the Windows Defender

      • powershell.exe (PID: 2908)
      • powershell.exe (PID: 1116)
      • powershell.exe (PID: 8976)
      • cmd.exe (PID: 7636)
      • cmd.exe (PID: 1196)
      • cmd.exe (PID: 7588)
    • Uses Task Scheduler to run other applications

      • msiexec.exe (PID: 7952)
      • R4D1ptX8CKPBcIES2yCu.exe (PID: 6228)
      • gvVlOBZ.exe (PID: 4728)
      • MpkAPQB.exe (PID: 1660)
    • Uses Task Scheduler to autorun other applications

      • MpkAPQB.exe (PID: 1660)
    • NEOREKLAMI has been detected (SURICATA)

      • rundll32.exe (PID: 5304)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • rebuilder_vPueZDT2ok.exe (PID: 6248)
      • rebuilder_vPueZDT2ok.tmp (PID: 8748)
      • rebuilder_vPueZDT2ok.exe (PID: 8580)
      • 9NJb8BTRKThaRfM.exe (PID: 4932)
      • duplicatefilessearch35.exe (PID: 2904)
      • jDTmhe7QN94L.exe (PID: 5988)
      • jDTmhe7QN94L.tmp (PID: 4068)
      • duplicatevideoremover15.exe (PID: 7180)
      • 9NJb8BTRKThaRfM.exe (PID: 8936)
      • R4D1ptX8CKPBcIES2yCu.exe (PID: 6228)
      • MpkAPQB.exe (PID: 1660)
      • gvVlOBZ.exe (PID: 4728)
    • Process drops legitimate windows executable

      • rebuilder_vPueZDT2ok.tmp (PID: 8748)
      • jDTmhe7QN94L.tmp (PID: 4068)
    • Potential Corporate Privacy Violation

      • duplicatefilessearch35.exe (PID: 2904)
    • The process drops C-runtime libraries

      • rebuilder_vPueZDT2ok.tmp (PID: 8748)
      • jDTmhe7QN94L.tmp (PID: 4068)
    • Executes application which crashes

      • duplicatefilessearch35.exe (PID: 2904)
    • Access to an unwanted program domain was detected

      • duplicatefilessearch35.exe (PID: 2904)
      • rundll32.exe (PID: 5304)
    • Process requests binary or script from the Internet

      • duplicatefilessearch35.exe (PID: 2904)
    • Reads security settings of Internet Explorer

      • rebuilder_vPueZDT2ok.tmp (PID: 8656)
    • Starts CMD.EXE for commands execution

      • duplicatefilessearch35.exe (PID: 2904)
      • R4D1ptX8CKPBcIES2yCu.exe (PID: 6228)
      • forfiles.exe (PID: 8800)
      • forfiles.exe (PID: 6068)
      • forfiles.exe (PID: 3804)
      • powershell.exe (PID: 7240)
      • powershell.exe (PID: 7312)
      • forfiles.exe (PID: 7584)
      • MpkAPQB.exe (PID: 1660)
      • forfiles.exe (PID: 7428)
      • forfiles.exe (PID: 5964)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 8844)
      • cmd.exe (PID: 4884)
      • cmd.exe (PID: 7708)
      • cmd.exe (PID: 4200)
      • cmd.exe (PID: 1532)
      • cmd.exe (PID: 8456)
      • gvVlOBZ.exe (PID: 4728)
      • cmd.exe (PID: 7636)
      • cmd.exe (PID: 1196)
      • cmd.exe (PID: 7588)
    • Connects to the server without a host name

      • duplicatefilessearch35.exe (PID: 2904)
    • Starts itself from another location

      • 9NJb8BTRKThaRfM.exe (PID: 4932)
    • Found strings related to reading or modifying Windows Defender settings

      • R4D1ptX8CKPBcIES2yCu.exe (PID: 6228)
      • forfiles.exe (PID: 6068)
      • forfiles.exe (PID: 8800)
      • forfiles.exe (PID: 3804)
      • powershell.exe (PID: 7240)
      • powershell.exe (PID: 7312)
      • forfiles.exe (PID: 7584)
      • MpkAPQB.exe (PID: 1660)
      • forfiles.exe (PID: 7428)
      • forfiles.exe (PID: 5964)
    • Searches and executes a command on selected files

      • forfiles.exe (PID: 6068)
      • forfiles.exe (PID: 8800)
      • forfiles.exe (PID: 3804)
      • forfiles.exe (PID: 7584)
      • forfiles.exe (PID: 7428)
      • forfiles.exe (PID: 5964)
    • There is functionality for taking screenshot (YARA)

      • R4D1ptX8CKPBcIES2yCu.exe (PID: 6228)
      • gvVlOBZ.exe (PID: 4728)
    • The process executes via Task Scheduler

      • gvVlOBZ.exe (PID: 4728)
      • powershell.exe (PID: 6644)
      • rundll32.exe (PID: 3332)
      • MpkAPQB.exe (PID: 1660)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6488)
      • powershell.exe (PID: 7240)
      • cmd.exe (PID: 3796)
      • powershell.exe (PID: 7312)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 3268)
      • schtasks.exe (PID: 8200)
      • schtasks.exe (PID: 8024)
      • schtasks.exe (PID: 1312)
      • schtasks.exe (PID: 6644)
    • Connects to unusual port

      • duplicatevideoremover15.exe (PID: 7180)
  • INFO

    • Application launched itself

      • firefox.exe (PID: 5512)
      • msedge.exe (PID: 9124)
      • firefox.exe (PID: 6156)
      • msedge.exe (PID: 7292)
    • Checks supported languages

      • identity_helper.exe (PID: 8348)
      • identity_helper.exe (PID: 7336)
      • rebuilder_vPueZDT2ok.exe (PID: 6248)
      • rebuilder_vPueZDT2ok.tmp (PID: 8656)
    • Reads the computer name

      • identity_helper.exe (PID: 8348)
      • identity_helper.exe (PID: 7336)
      • rebuilder_vPueZDT2ok.tmp (PID: 8656)
    • Manual execution by a user

      • msedge.exe (PID: 9124)
      • rebuilder_vPueZDT2ok.exe (PID: 6248)
    • Reads the software policy settings

      • slui.exe (PID: 7436)
    • Reads Environment values

      • identity_helper.exe (PID: 8348)
      • identity_helper.exe (PID: 7336)
    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 9124)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 8632)
      • msiexec.exe (PID: 7952)
      • msiexec.exe (PID: 8816)
    • Create files in a temporary directory

      • rebuilder_vPueZDT2ok.exe (PID: 6248)
    • Process checks computer location settings

      • rebuilder_vPueZDT2ok.tmp (PID: 8656)
    • The sample compiled with english language support

      • rebuilder_vPueZDT2ok.tmp (PID: 8748)
      • 9NJb8BTRKThaRfM.exe (PID: 8936)
      • jDTmhe7QN94L.tmp (PID: 4068)
    • Detects InnoSetup installer (YARA)

      • rebuilder_vPueZDT2ok.tmp (PID: 8656)
      • rebuilder_vPueZDT2ok.exe (PID: 6248)
      • rebuilder_vPueZDT2ok.exe (PID: 8580)
      • rebuilder_vPueZDT2ok.tmp (PID: 8748)
      • jDTmhe7QN94L.exe (PID: 5988)
      • jDTmhe7QN94L.tmp (PID: 4068)
    • Compiled with Borland Delphi (YARA)

      • rebuilder_vPueZDT2ok.exe (PID: 6248)
      • rebuilder_vPueZDT2ok.tmp (PID: 8656)
      • rebuilder_vPueZDT2ok.exe (PID: 8580)
      • rebuilder_vPueZDT2ok.tmp (PID: 8748)
      • jDTmhe7QN94L.exe (PID: 5988)
      • jDTmhe7QN94L.tmp (PID: 4068)
      • R4D1ptX8CKPBcIES2yCu.exe (PID: 6228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
473
Monitored processes
278
Malicious processes
13
Suspicious processes
10

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID:
616
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 2904 -s 2288
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
duplicatefilessearch35.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
616
CMD:
"C:\WINDOWS\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UirpqpYedOuU2" /t REG_DWORD /d 0 /reg:32
Path:
C:\Windows\SysWOW64\reg.exe
Parent process:
powershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID:
664
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5540 --field-trial-handle=2372,i,12019771775518012724,3738289930657151106,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
664
CMD:
schtasks /CREATE /TN "bDOFhrxruCblwnuomi" /SC once /ST 20:00:00 /RU "SYSTEM" /TR "\"C:\Users\admin\AppData\Local\Temp\soeyBznNjrjtnFFlv\wBjXHFJjdzWXJOu\gvVlOBZ.exe\" 9i /gQdidVXUJ 757674 /S" /V1 /F
Path:
C:\Windows\SysWOW64\schtasks.exe
Parent process:
R4D1ptX8CKPBcIES2yCu.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
672
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 2904 -s 1760
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
duplicatefilessearch35.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
728
CMD:
"C:\WINDOWS\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
Path:
C:\Windows\SysWOW64\reg.exe
Parent process:
powershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID:
780
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4380 --field-trial-handle=2232,i,8171930298515933784,4703110149071377264,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
812
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 2904 -s 876
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
duplicatefilessearch35.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
1052
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 2904 -s 1112
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
duplicatefilessearch35.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
1116
CMD:
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=dll Force=True
Path:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
Total events
160 439
Read events
159 852
Write events
429
Delete events
158

Modification events

(PID) Process: (5512) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0

(PID) Process: (9124) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (9124) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 2

(PID) Process: (9124) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 1

(PID) Process: (9124) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

(PID) Process: (9124) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: 86350EB904942F00

(PID) Process: (9124) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: 5A161CB904942F00

(PID) Process: (9124) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\131696
Operation: write
Name: WindowTabManagerFileMappingId
Value: {6D73E8B4-3C50-4D67-8A70-646933632D6E}

(PID) Process: (9124) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\131696
Operation: write
Name: WindowTabManagerFileMappingId
Value: {DDD1E3F4-5459-4F05-99D2-A1C8697CAFAE}

(PID) Process: (9124) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\131696
Operation: write
Name: WindowTabManagerFileMappingId
Value: {A1AA2815-14B5-42EF-A547-0286C63917BC}
Executable files
88
Suspicious files
730
Text files
331
Unknown types
3

Dropped files

PID
Process
Filename
Type
PID: 5512
Process: firefox.exe
Filename: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
Type:
MD5:
SHA256:

PID: 5512
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
Type: binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID: 5512
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm
Type: binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID: 5512
Process: firefox.exe
Filename: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-child-current.bin
Type: binary
MD5: C95DDC2B1A525D1A243E4C294DA2F326
SHA256: 3A5919E086BFB31E36110CF636D2D5109EB51F2C410B107F126126AB25D67363

PID: 5512
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
Type: binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID: 5512
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Type:
MD5:
SHA256:

PID: 5512
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json
Type: binary
MD5: EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256: 792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA

PID: 5512
Process: firefox.exe
Filename: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.bin
Type: binary
MD5: 297E88D7CEB26E549254EC875649F4EB
SHA256: 8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702

PID: 5512
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs.js
Type: text
MD5: 2C99A16AED3906D92FFE3EF1808E2753
SHA256: 08412578CC3BB4922388F8FF8C23962F616B69A1588DA720ADE429129C73C452

PID: 5512
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\datareporting\glean\db\data.safe.bin
Type: binary
MD5: 4006DDC2918B16C7EF5516C58373842B
SHA256: 269EA23B77EDE0874628BD8611BCC5A3E87E0C44CA8A821C0D028B929D4F468F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
75
TCP/UDP connections
167
DNS requests
212
Threats
35

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5512
firefox.exe
POST
200
172.217.16.195:80
http://o.pki.goog/we2
unknown
whitelisted
5512
firefox.exe
POST
200
172.217.16.195:80
http://o.pki.goog/we2
unknown
whitelisted
5512
firefox.exe
POST
200
172.217.16.195:80
http://o.pki.goog/we2
unknown
whitelisted
5512
firefox.exe
POST
200
172.217.16.195:80
http://o.pki.goog/we2
unknown
whitelisted
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5512
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5512
firefox.exe
GET
302
104.21.60.220:80
http://tinurli.com/1x3i1x
unknown
malicious
5512
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5512
firefox.exe
34.107.221.82:80
detectportal.firefox.com
GOOGLE
US
whitelisted
5512
firefox.exe
104.21.60.220:80
tinurli.com
CLOUDFLARENET
malicious
5512
firefox.exe
34.36.137.203:443
contile.services.mozilla.com
GOOGLE-CLOUD-PLATFORM
US
whitelisted
5512
firefox.exe
34.160.144.191:443
content-signature-2.cdn.mozilla.net
GOOGLE
US
whitelisted
5512
firefox.exe
2.16.168.119:80
r11.o.lencr.org
Akamai International B.V.
RU
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
google.com
  • 142.250.185.142
whitelisted
tinurli.com
  • 104.21.60.220
  • 172.67.201.240
  • 2606:4700:3030::6815:3cdc
  • 2606:4700:3030::ac43:c9f0
malicious
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
example.org
  • 96.7.128.192
  • 23.215.0.133
  • 96.7.128.186
  • 23.215.0.132
whitelisted
ipv4only.arpa
  • 192.0.0.171
  • 192.0.0.170
whitelisted
contile.services.mozilla.com
  • 34.36.137.203
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (cononspace24 .ru)
2196
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (cononspace24 .ru)
2196
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (cononspace24 .ru)
2196
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (cononspace24 .ru)
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
7868
msedge.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (cononspace24 .ru)
7868
msedge.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (cononspace24 .ru)
No debug info