File name: 66bddfcb52736_vidar.exe

Full analysis: https://app.any.run/tasks/09add153-9067-4d71-98d7-11433d95fc92
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software built to gain unauthorized access to users' information and transfer it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords, and cryptocurrency wallets. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: October 02, 2024, 10:42:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
telegram
pyinstaller
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: FEDB687ED23F77925B35623027F799BB
SHA1: 7F27D0290ECC2C81BF2B2D0FA1026F54FD687C81
SHA256: 325396D5FFCA8546730B9A56C2D0ED99238D48B5E1C3C49E7D027505EA13B8D1
SSDEEP: 6144:yZIlGEaS7npmSNIfI330znhlBf4hJYBaZaH55B:rGEaSVmSmI30znhSYaZa5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • RegAsm.exe (PID: 1480)
    • Starts CMD.EXE for self-deleting

      • RegAsm.exe (PID: 1480)
      • RegAsm.exe (PID: 7844)
      • RegAsm.exe (PID: 8004)
      • RegAsm.exe (PID: 1448)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • RegAsm.exe (PID: 1480)
    • Checks Windows Trust Settings

      • RegAsm.exe (PID: 1480)
    • Searches for installed software

      • RegAsm.exe (PID: 1480)
    • Starts CMD.EXE for commands execution

      • RegAsm.exe (PID: 1480)
      • fakenet.exe (PID: 8032)
      • RegAsm.exe (PID: 7844)
      • fakenet.exe (PID: 1080)
      • RegAsm.exe (PID: 8004)
      • fakenet.exe (PID: 6632)
      • RegAsm.exe (PID: 1448)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • RegAsm.exe (PID: 1480)
    • Drops a system driver (possible attempt to evade defenses)

      • fakenet.exe (PID: 7940)
      • fakenet.exe (PID: 2844)
      • fakenet.exe (PID: 4236)
      • fakenet.exe (PID: 3036)
      • fakenet.exe (PID: 1432)
      • fakenet.exe (PID: 7948)
    • Process drops legitimate windows executable

      • fakenet.exe (PID: 7940)
      • fakenet.exe (PID: 2844)
      • fakenet.exe (PID: 4236)
      • fakenet.exe (PID: 3036)
      • fakenet.exe (PID: 7948)
      • fakenet.exe (PID: 1432)
    • Executable content was dropped or overwritten

      • fakenet.exe (PID: 7940)
      • fakenet.exe (PID: 2844)
      • fakenet.exe (PID: 4236)
      • fakenet.exe (PID: 3036)
      • fakenet.exe (PID: 1432)
      • fakenet.exe (PID: 7948)
    • Process drops python dynamic module

      • fakenet.exe (PID: 7940)
      • fakenet.exe (PID: 2844)
      • fakenet.exe (PID: 4236)
      • fakenet.exe (PID: 3036)
      • fakenet.exe (PID: 1432)
      • fakenet.exe (PID: 7948)
    • The process drops C-runtime libraries

      • fakenet.exe (PID: 7940)
      • fakenet.exe (PID: 2844)
      • fakenet.exe (PID: 4236)
      • fakenet.exe (PID: 3036)
      • fakenet.exe (PID: 1432)
      • fakenet.exe (PID: 7948)
    • Application launched itself

      • fakenet.exe (PID: 7940)
      • fakenet.exe (PID: 2844)
      • fakenet.exe (PID: 4236)
      • fakenet.exe (PID: 3036)
      • fakenet.exe (PID: 1432)
      • fakenet.exe (PID: 7948)
    • Process uses IPCONFIG to clear DNS cache

      • cmd.exe (PID: 8120)
      • cmd.exe (PID: 1636)
      • cmd.exe (PID: 6972)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 3292)
      • cmd.exe (PID: 7984)
      • cmd.exe (PID: 7104)
      • cmd.exe (PID: 6844)
  • INFO

    • Reads the computer name

      • 66bddfcb52736_vidar.exe (PID: 6176)
      • RegAsm.exe (PID: 1480)
    • Checks supported languages

      • 66bddfcb52736_vidar.exe (PID: 6176)
      • RegAsm.exe (PID: 1480)
    • Creates files in the program directory

      • RegAsm.exe (PID: 1480)
    • Checks proxy server information

      • RegAsm.exe (PID: 1480)
    • Creates files or folders in the user directory

      • RegAsm.exe (PID: 1480)
    • Reads Environment values

      • RegAsm.exe (PID: 1480)
    • Reads the software policy settings

      • RegAsm.exe (PID: 1480)
    • Reads the machine GUID from the registry

      • RegAsm.exe (PID: 1480)
    • Reads product name

      • RegAsm.exe (PID: 1480)
    • Reads CPU info

      • RegAsm.exe (PID: 1480)
    • Process checks computer location settings

      • RegAsm.exe (PID: 1480)
    • The process uses the downloaded file

      • RegAsm.exe (PID: 1480)
    • Manual execution by a user

      • fakenet.exe (PID: 7940)
      • firefox.exe (PID: 3256)
      • WinRAR.exe (PID: 7684)
      • fakenet.exe (PID: 7884)
      • fakenet.exe (PID: 7624)
      • fakenet.exe (PID: 2844)
      • 66bddfcb52736_vidar.exe (PID: 5688)
      • fakenet.exe (PID: 1672)
      • fakenet.exe (PID: 4236)
      • fakenet.exe (PID: 3036)
      • 66bddfcb52736_vidar.exe (PID: 8016)
      • fakenet.exe (PID: 6548)
      • fakenet.exe (PID: 6716)
      • fakenet.exe (PID: 1432)
      • fakenet.exe (PID: 7948)
      • fakenet.exe (PID: 2212)
      • 66bddfcb52736_vidar.exe (PID: 752)
    • Attempting to use instant messaging service

      • RegAsm.exe (PID: 1480)
    • Application launched itself

      • firefox.exe (PID: 3256)
      • firefox.exe (PID: 5832)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7684)
    • PyInstaller has been detected (YARA)

      • fakenet.exe (PID: 7940)
      • fakenet.exe (PID: 2844)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:08:17 01:24:51+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 192000
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x30cfe
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Cursedness
CompanyName: Wadders Outchide
FileDescription: Guises Underrating
FileVersion: 1.0.0.0
InternalName: MSG.exe
LegalCopyright: Copyright © 2024
OriginalFileName: MSG.exe
ProductName: Demised Neutralised
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 213
Monitored processes: 71
Malicious processes: 8
Suspicious processes: 0

Behavior graph

(Process tree graph, rendered in the full report. Nodes: 66bddfcb52736_vidar.exe, regasm.exe, cmd.exe, conhost.exe, timeout.exe, svchost.exe, firefox.exe, winrar.exe, fakenet.exe, ipconfig.exe, shellexperiencehost.exe, explorer.exe, COpenControlPanel, Connection Manager LUA Host Object. Most nodes are marked "no specs"; two fakenet.exe nodes carry the THREAT marker.)

Process information

PID: 752
CMD: "C:\Users\admin\Desktop\66bddfcb52736_vidar.exe"
Path: C:\Users\admin\Desktop\66bddfcb52736_vidar.exe
Parent process: explorer.exe
User: admin
Company: Wadders Outchide
Integrity Level: MEDIUM
Description: Guises Underrating
Exit code: 0
Version: 1.0.0.0
Modules (images):
  c:\users\admin\desktop\66bddfcb52736_vidar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\mscoree.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\advapi32.dll

PID: 1080
CMD: "C:\Users\admin\Downloads\fakenet1.4.11\fakenet.exe"
Path: C:\Users\admin\Downloads\fakenet1.4.11\fakenet.exe
Parent process: fakenet.exe
User: admin
Integrity Level: HIGH
Exit code: 3221225786
Modules (images):
  c:\users\admin\downloads\fakenet1.4.11\fakenet.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\advapi32.dll

PID: 1336
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 3 -isForBrowser -prefsHandle 5584 -prefMapHandle 5152 -prefsLen 31161 -prefMapSize 244343 -jsInitHandle 1344 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cd38639-1650-400f-857d-2b091b152e03} 5832 "\\.\pipe\gecko-crash-server-pipe.5832" 29a64dfe850 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Exit code: 0
Version: 123.0
Modules (images):
  c:\program files\mozilla firefox\firefox.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\ucrtbase.dll
  c:\program files\mozilla firefox\mozglue.dll
  c:\windows\system32\crypt32.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\msvcp140.dll
  c:\windows\system32\vcruntime140.dll

PID: 1432
CMD: "C:\Users\admin\Downloads\fakenet1.4.11\fakenet.exe"
Path: C:\Users\admin\Downloads\fakenet1.4.11\fakenet.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 1
Modules (images):
  c:\users\admin\downloads\fakenet1.4.11\fakenet.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\advapi32.dll

PID: 1448
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process: 66bddfcb52736_vidar.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
  c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\aclayers.dll

PID: 1480
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process: 66bddfcb52736_vidar.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
  c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\aclayers.dll

PID: 1636
CMD: C:\WINDOWS\system32\cmd.exe /c "ipconfig /flushdns"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: fakenet.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\cmd.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll

PID: 1672
CMD: "C:\Users\admin\Downloads\fakenet1.4.11\fakenet.exe"
Path: C:\Users\admin\Downloads\fakenet1.4.11\fakenet.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
  c:\users\admin\downloads\fakenet1.4.11\fakenet.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

PID: 2212
CMD: "C:\Users\admin\Downloads\fakenet1.4.11\fakenet.exe"
Path: C:\Users\admin\Downloads\fakenet1.4.11\fakenet.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
  c:\users\admin\downloads\fakenet1.4.11\fakenet.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

PID: 2256
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\svchost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\kernel.appcore.dll
Total events: 59 587
Read events: 59 429
Write events: 151
Delete events: 7

Modification events

(PID) Process: (1480) RegAsm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (1480) RegAsm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (1480) RegAsm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (1480) RegAsm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write
Name: {40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214EF-0000-0000-C000-000000000046} 0xFFFF
Value: 0100000000000000CB9AC8CAB714DB01

(PID) Process: (5832) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0

(PID) Process: (7684) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (7684) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (7684) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (7684) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (8032) fakenet.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{d950ca8d-448e-4ca2-89de-a65a1ac2b2a6}
Operation: write
Name: NameServer
Value: 192.168.100.14
Executable files: 128
Suspicious files: 192
Text files: 137
Unknown types: 3

Dropped files

PID | Process | Filename | Type

5832 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs.js | text
  MD5: 75CF54643BE9AA8FB074F56AA747C593
  SHA256: 7A5B4D88661FF6F17B97F84C7737983734EF87D7448A5081E77CF156451EF407

5832 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm | binary
  MD5: B7C14EC6110FA820CA6B65F5AEC85911
  SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

5832 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite | -
  MD5: -
  SHA256: -

5832 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm | binary
  MD5: B7C14EC6110FA820CA6B65F5AEC85911
  SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

5832 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\SiteSecurityServiceState.bin | binary
  MD5: 2070D7F4883DE9F660DB3C9278490DC6
  SHA256: 38CC9AA470D23D6A718F89B7AB78C647C95D0C21B36EC289E86CD96DE98EE888

5832 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\AlternateServices.bin | binary
  MD5: 8EF02F2253D2E46935DA266A8EE13FCD
  SHA256: 84835D20BCB79D4D052FAA5BB15858E2305ACB25DBB353EAE2AD7E55AD480937

5832 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm | binary
  MD5: B7C14EC6110FA820CA6B65F5AEC85911
  SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

5832 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm | binary
  MD5: B7C14EC6110FA820CA6B65F5AEC85911
  SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

5832 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.bin | binary
  MD5: 297E88D7CEB26E549254EC875649F4EB
  SHA256: 8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702

5832 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cert9.db-journal | binary
  MD5: 7DF175265BAD13F52096B23E25B7C3A6
  SHA256: 2DAE73C91ADCF802AC416531E3AF0F21443874E1FE8DFD45AE9E3171D0099737
HTTP(S) requests: 38
TCP/UDP connections: 149
DNS requests: 154
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(The Type and Size columns are empty for every row in this report.)

3588 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1972 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4920 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
5832 | firefox.exe | POST | 200 | 142.250.184.227:80 | http://o.pki.goog/s/wr3/XjA | unknown | whitelisted
5832 | firefox.exe | POST | 200 | 184.24.77.53:80 | http://r10.o.lencr.org/ | unknown | whitelisted
5832 | firefox.exe | POST | 200 | 184.24.77.53:80 | http://r10.o.lencr.org/ | unknown | whitelisted
5832 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | whitelisted
5832 | firefox.exe | POST | 200 | 184.24.77.53:80 | http://r10.o.lencr.org/ | unknown | whitelisted
5832 | firefox.exe | POST | 200 | 142.250.184.227:80 | http://o.pki.goog/wr2 | unknown | whitelisted
5832 | firefox.exe | POST | 200 | 184.24.77.82:80 | http://r11.o.lencr.org/ | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
3588 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4324 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1480 | RegAsm.exe | 104.102.49.254:443 | steamcommunity.com | AKAMAI-AS | DE | whitelisted
1480 | RegAsm.exe | 195.201.118.191:443 | - | Hetzner Online GmbH | DE | unknown
1480 | RegAsm.exe | 149.154.167.99:443 | t.me | Telegram Messenger Inc | GB | whitelisted
3588 | svchost.exe | 52.167.249.196:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation

www.microsoft.com | 88.221.169.152, 184.30.21.171 | whitelisted
google.com | 216.58.206.78 | whitelisted
steamcommunity.com | 104.102.49.254 | whitelisted
t.me | 149.154.167.99 | whitelisted
arpdabl.zapto.org | 0.0.0.0 | unknown
settings-win.data.microsoft.com | 52.167.249.196 | whitelisted
login.live.com | 20.190.159.64, 20.190.159.75, 20.190.159.71, 40.126.31.73, 40.126.31.67, 20.190.159.2, 40.126.31.69, 20.190.159.68 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
client.wns.windows.com | 40.115.3.253, 40.113.110.67 | whitelisted
go.microsoft.com | 184.28.89.167 | whitelisted

Threats

PID | Process | Class | Message

1480 | RegAsm.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
2256 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.zapto .org

1 ETPRO signature available in the full report
No debug info