URL: http://www.freevpn.win

Full analysis: https://app.any.run/tasks/b4c48ca6-dd5c-4571-8058-381606237a6c
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: October 07, 2019, 09:07:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, adware
Indicators:
MD5: F4ED9E2AB9E16FD8BAA5F6E50BFAD46B
SHA1: A455502C4D15D851D499E0DA72EB63D08A2D4717
SHA256: 3406DA8CF2CE273979AF6B64A64F4B8A75178F3482293A15ADD8111064B1C78A
SSDEEP: 3:N1KJS4LbLmK:Cc4HLP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • freevpn_setup.exe (PID: 2696)
      • freevpn_setup.exe (PID: 1944)
      • ns596E.tmp (PID: 3780)
      • ns59EC.tmp (PID: 3060)
      • ns6661.tmp (PID: 2704)
      • ns741D.tmp (PID: 3364)
      • sa_inst.exe (PID: 2340)
      • FreeVPN.exe (PID: 1744)
      • certutil.exe (PID: 2268)
      • certutil.exe (PID: 2736)
      • certutil.exe (PID: 3848)
      • certutil.exe (PID: 1084)
      • certutil.exe (PID: 2896)
      • certutil.exe (PID: 3852)
      • certutil.exe (PID: 3144)
      • certutil.exe (PID: 2448)
      • FreeVPN.exe (PID: 2928)
      • ns763D.tmp (PID: 3912)
      • setup.exe (PID: 2820)
      • pc-repair-kit-setup[1].exe (PID: 1908)
      • pc-repair-kit-setup[1].exe (PID: 2168)
      • PCRepairKit.exe (PID: 2220)
      • PCRepairKit.exe (PID: 2260)
    • Loads dropped or rewritten executable

      • freevpn_setup.exe (PID: 1944)
      • certutil.exe (PID: 2268)
      • certutil.exe (PID: 3848)
      • certutil.exe (PID: 2736)
      • certutil.exe (PID: 3144)
      • certutil.exe (PID: 2896)
      • certutil.exe (PID: 3852)
      • sa_inst.exe (PID: 2340)
      • certutil.exe (PID: 1084)
      • FreeVPN.exe (PID: 1744)
      • FreeVPN.exe (PID: 2928)
      • certutil.exe (PID: 2448)
      • regsvr32.exe (PID: 2652)
      • PCRepairKit.exe (PID: 2220)
      • PCRepairKit.exe (PID: 2260)
    • Changes settings of System certificates

      • freevpn_setup.exe (PID: 1944)
      • pc-repair-kit-setup[1].tmp (PID: 2908)
      • PCRepairKit.exe (PID: 2220)
    • Writes to the hosts file

      • setup.exe (PID: 2820)
    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3928)
    • Registers / Runs the DLL via REGSVR32.EXE

      • pc-repair-kit-setup[1].tmp (PID: 2908)
    • Loads the Task Scheduler COM API

      • PCRepairKit.exe (PID: 2220)
      • PCRepairKit.exe (PID: 2260)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 2136)
      • chrome.exe (PID: 2940)
      • freevpn_setup.exe (PID: 1944)
      • sa_inst.exe (PID: 2340)
      • iexplore.exe (PID: 3096)
      • pc-repair-kit-setup[1].exe (PID: 1908)
      • iexplore.exe (PID: 3928)
      • pc-repair-kit-setup[1].exe (PID: 2168)
      • pc-repair-kit-setup[1].tmp (PID: 2908)
    • Creates files in the user directory

      • freevpn_setup.exe (PID: 1944)
      • certutil.exe (PID: 2268)
      • cmd.exe (PID: 3480)
      • certutil.exe (PID: 1084)
      • DefaultBrowserFinder.exe (PID: 3688)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2940)
    • Creates files in the program directory

      • freevpn_setup.exe (PID: 1944)
      • certutil.exe (PID: 2896)
      • cmd.exe (PID: 3480)
      • sa_inst.exe (PID: 2340)
      • PCRepairKit.exe (PID: 2220)
      • PCRepairKit.exe (PID: 2260)
    • Starts application with an unusual extension

      • freevpn_setup.exe (PID: 1944)
      • sa_inst.exe (PID: 2340)
    • Starts SC.EXE for service management

      • ns596E.tmp (PID: 3780)
      • cmd.exe (PID: 2616)
    • Starts CMD.EXE for commands execution

      • ns59EC.tmp (PID: 3060)
      • ns6661.tmp (PID: 2704)
      • pc-repair-kit-setup[1].tmp (PID: 2908)
    • Creates a software uninstall entry

      • freevpn_setup.exe (PID: 1944)
      • sa_inst.exe (PID: 2340)
    • Executed as Windows Service

      • FreeVPN.exe (PID: 2928)
    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2852)
    • Reads Windows owner or organization settings

      • pc-repair-kit-setup[1].tmp (PID: 2908)
    • Reads the Windows organization settings

      • pc-repair-kit-setup[1].tmp (PID: 2908)
    • Reads Windows Product ID

      • pc-repair-kit-setup[1].tmp (PID: 2908)
      • PCRepairKit.exe (PID: 2220)
      • PCRepairKit.exe (PID: 2260)
    • Reads the machine GUID from the registry

      • pc-repair-kit-setup[1].tmp (PID: 2908)
      • PCRepairKit.exe (PID: 2220)
      • PCRepairKit.exe (PID: 2260)
    • Reads the cookies of Google Chrome

      • DefaultBrowserFinder.exe (PID: 3688)
    • Adds / modifies Windows certificates

      • pc-repair-kit-setup[1].tmp (PID: 2908)
      • PCRepairKit.exe (PID: 2220)
    • Reads the cookies of Mozilla Firefox

      • DefaultBrowserFinder.exe (PID: 3688)
    • Creates COM task schedule object

      • regsvr32.exe (PID: 2652)
    • Searches for installed software

      • pc-repair-kit-setup[1].tmp (PID: 2908)
      • PCRepairKit.exe (PID: 2260)
    • Starts Internet Explorer

      • cmd.exe (PID: 2496)
    • Reads the BIOS version

      • PCRepairKit.exe (PID: 2220)
      • pc-repair-kit-setup[1].tmp (PID: 2908)
      • PCRepairKit.exe (PID: 2260)
    • Low-level read access rights to disk partition

      • PCRepairKit.exe (PID: 2260)
  • INFO

    • Reads Internet Cache Settings

      • chrome.exe (PID: 2940)
      • iexplore.exe (PID: 3928)
      • iexplore.exe (PID: 2508)
    • Reads the hosts file

      • chrome.exe (PID: 2136)
      • chrome.exe (PID: 2940)
      • freevpn_setup.exe (PID: 1944)
    • Application launched itself

      • chrome.exe (PID: 2940)
      • iexplore.exe (PID: 2348)
    • Manual execution by user

      • iexplore.exe (PID: 3096)
    • Changes internet zones settings

      • iexplore.exe (PID: 3096)
      • iexplore.exe (PID: 2348)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3096)
      • iexplore.exe (PID: 2348)
    • Creates files in the user directory

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2852)
      • iexplore.exe (PID: 3928)
      • iexplore.exe (PID: 2508)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3928)
      • iexplore.exe (PID: 2508)
    • Application was dropped or rewritten from another process

      • pc-repair-kit-setup[1].tmp (PID: 3892)
      • pc-repair-kit-setup[1].tmp (PID: 2908)
      • DefaultBrowserFinder.exe (PID: 3688)
      • reader.exe (PID: 3656)
    • Loads dropped or rewritten executable

      • pc-repair-kit-setup[1].tmp (PID: 2908)
      • DefaultBrowserFinder.exe (PID: 3688)
    • Creates files in the program directory

      • pc-repair-kit-setup[1].tmp (PID: 2908)
    • Creates a software uninstall entry

      • pc-repair-kit-setup[1].tmp (PID: 2908)
    • Dropped object may contain Bitcoin addresses

      • pc-repair-kit-setup[1].tmp (PID: 2908)
    • Reads Microsoft Office registry keys

      • PCRepairKit.exe (PID: 2260)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 120
Monitored processes: 67
Malicious processes: 20
Suspicious processes: 10

Behavior graph

The interactive process graph (available in the full report) links each installer to the files it drops and starts. Its node labels, in graph order, are: chrome.exe (many worker processes), freevpn_setup.exe (×2), ns596e.tmp, sc.exe (×2), ns59ec.tmp, cmd.exe, find.exe, ns6661.tmp, cmd.exe, certutil.exe (×8), findstr.exe (×2), ns741d.tmp, sa_inst.exe, ns763d.tmp, setup.exe, freevpn.exe (×2), iexplore.exe (×2), flashutil32_26_0_0_131_activex.exe, pc-repair-kit-setup[1].exe (×2), pc-repair-kit-setup[1].tmp (×2), defaultbrowserfinder.exe, reader.exe, regsvr32.exe, pcrepairkit.exe (×2), cmd.exe, iexplore.exe (×2). The ns*.tmp names are NSIS installer temporary files that are run as executables, which is what the "Starts application with an unusual extension" indicator refers to.

Process information

Each entry gives the PID, command line (CMD), image path, and parent process, followed by process details and the first loaded modules.

PID: 1084
CMD: "C:\Program Files\FreeVPN\FF\bin\certutil.exe" -A -n "AddedByUser C:\Program Files\FreeVPN\FF\cacert\ca.cert" -i "C:\Program Files\FreeVPN\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d sql:"C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default"
Path: C:\Program Files\FreeVPN\FF\bin\certutil.exe
Parent process: cmd.exe
Note: this is the NSS certutil tool bundled by the installer under FreeVPN\FF\bin (it loads nssutil3.dll and nspr4.dll below), not the Windows certutil.exe. The command imports the installer's own CA certificate into the user's Firefox profile database with the NSS trust string cTC in all three categories (SSL, e-mail, object signing), i.e. as a fully trusted CA. Firefox will then accept any certificate chaining to that CA without a warning. The same command was run once per profile and once more under PIDs 2268, 2736, 3848, 2896, 3852, 3144 and 2448 (see the indicator list).
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\freevpn\ff\bin\certutil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\program files\freevpn\ff\bin\nssutil3.dll
c:\program files\freevpn\ff\bin\plc4.dll
c:\program files\freevpn\ff\bin\nspr4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 1744
CMD: "C:\Program Files\FreeVPN\FreeVPN.exe" -in
Path: C:\Program Files\FreeVPN\FreeVPN.exe
Parent process: freevpn_setup.exe
User:
admin
Company:
FreeVPN
Integrity Level:
HIGH
Description:
FreeVPN
Exit code:
32
Version:
0.98
Modules
Images
c:\program files\freevpn\freevpn.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\freevpn\libcurl.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wldap32.dll
PID: 1904
CMD: sc query "FreeVPN"
Path: C:\Windows\system32\sc.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
1060 (ERROR_SERVICE_DOES_NOT_EXIST: the FreeVPN service was not yet installed when this check ran)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1908
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\pc-repair-kit-setup[1].exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\pc-repair-kit-setup[1].exe
Parent process: iexplore.exe
User:
admin
Company:
TweakBit
Integrity Level:
MEDIUM
Description:
TweakBit PCRepairKit Installation File
Exit code:
0
Version:
1.x
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\lh043oam\pc-repair-kit-setup[1].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 1944
CMD: "C:\Users\admin\Downloads\freevpn_setup.exe"
Path: C:\Users\admin\Downloads\freevpn_setup.exe
Parent process: chrome.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\downloads\freevpn_setup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 2012
CMD: FIND /C "1060"
Path: C:\Windows\system32\find.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
0 (FIND returns 0 when the string is found: "1060" appeared in the sc query output, so the installer concluded the service was absent)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\find.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2136
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1016,18238502409908269914,18146609908720650686,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=14166175833916844516 --mojo-platform-channel-handle=1628 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID: 2168
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\pc-repair-kit-setup[1].exe" /SPAWNWND=$20270 /NOTIFYWND=$3027E
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\pc-repair-kit-setup[1].exe
Parent process: pc-repair-kit-setup[1].tmp
User:
admin
Company:
TweakBit
Integrity Level:
HIGH
Description:
TweakBit PCRepairKit Installation File
Exit code:
0
Version:
1.x
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\lh043oam\pc-repair-kit-setup[1].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2220
CMD: "C:\Program Files\TweakBit\PCRepairKit\PCRepairKit.exe" /Install /Language:"ENU" /AutoStart /SendInfo
Path: C:\Program Files\TweakBit\PCRepairKit\PCRepairKit.exe
Parent process: pc-repair-kit-setup[1].tmp
User:
admin
Company:
TweakBit
Integrity Level:
HIGH
Description:
PC Repair Kit
Exit code:
0
Version:
1.8.4.16
Modules
Images
c:\program files\tweakbit\pcrepairkit\pcrepairkit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\program files\tweakbit\pcrepairkit\rtl160.bpl
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2260
CMD: "C:\Program Files\TweakBit\PCRepairKit\PCRepairKit.exe" /FromInstaller
Path: C:\Program Files\TweakBit\PCRepairKit\PCRepairKit.exe
Parent process: pc-repair-kit-setup[1].tmp
User:
admin
Company:
TweakBit
Integrity Level:
HIGH
Description:
PC Repair Kit
Exit code:
0
Version:
1.8.4.16
Modules
Images
c:\program files\tweakbit\pcrepairkit\pcrepairkit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\tweakbit\pcrepairkit\rtl160.bpl
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
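The command lines in the process list give a detection engineer three concrete things to alert on: the bundled NSS certutil importing a CA with full trust into a Firefox profile (PID 1084), installer stubs running under a .tmp name, and the sc query / FIND /C "1060" idiom that tests whether the FreeVPN service already exists (PIDs 1904 and 2012). The Python below is an added example, not ANY.RUN's, FreeVPN's or TweakBit's code, that encodes those as rules over Sysmon-style process-creation events. The sample events are constructed: the PIDs and command lines for 1084, 1904 and 2012 are copied from this report; the extraction path of ns596E.tmp, the Windows certutil -addstore line (one plausible cause of the "Changes settings of System certificates" indicator, which the report does not show as a command) and the two benign control events are assumptions.

```python
"""Process-creation detection rules for the behaviours seen in this report.

Added example; the event records are constructed (PIDs 1084, 1904 and 2012
follow the report, the rest are assumed shapes).
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str     # full path of the started image
    cmdline: str   # command line as logged
    parent: str    # full path of the parent image


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# NSS trust string: up to three comma-separated groups (SSL, e-mail, object signing).
# 'C' = trusted CA for servers, 'T' = trusted CA for client certs; a bare 'c' is only
# "valid CA" and does not make Firefox trust leaf certificates issued under it.
_NSS_TRUST = re.compile(r'(?<!\S)-t\s+"?([cCTpPu]*(?:,[cCTpPu]*){0,2})"?')
_NSS_ADD = re.compile(r"(?<!\S)-A(?!\S)")
_FIREFOX_PROFILE = re.compile(r"mozilla\\firefox\\profiles\\", re.I)


def nss_trusted_ca_injection(ev: ProcEvent) -> bool:
    """NSS certutil -A writing a certificate with CA trust bits into a Firefox
    profile database (what PID 1084 does with -t "cTC,cTC,cTC")."""
    if _basename(ev.image) != "certutil.exe" or not _NSS_ADD.search(ev.cmdline):
        return False
    m = _NSS_TRUST.search(ev.cmdline)
    if not m:
        return False
    trusted_ca = bool(set(m.group(1)) & set("CT"))
    return trusted_ca and _FIREFOX_PROFILE.search(ev.cmdline) is not None


def windows_root_store_add(ev: ProcEvent) -> bool:
    """Windows certutil -addstore into a Root store. Assumed command shape: the
    report records only that the system certificate settings changed."""
    if _basename(ev.image) != "certutil.exe":
        return False
    cl = ev.cmdline.lower()
    return "-addstore" in cl and re.search(r"(?<!\S)root(?!\S)", cl) is not None


def executable_with_unusual_extension(ev: ProcEvent) -> bool:
    """A PE started under a non-.exe name, as with the NSIS stubs ns*.tmp."""
    return _basename(ev.image).endswith((".tmp", ".dat", ".bin"))


def service_absence_probe(ev: ProcEvent) -> bool:
    """find /C "1060" spawned by cmd.exe: grepping sc query output for
    ERROR_SERVICE_DOES_NOT_EXIST, the installer's "is my service installed?" idiom."""
    return (
        _basename(ev.image) == "find.exe"
        and _basename(ev.parent) == "cmd.exe"
        and re.search(r'/c\s+"?1060"?', ev.cmdline, re.I) is not None
    )


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "nss_trusted_ca_injection": nss_trusted_ca_injection,
    "windows_root_store_add": windows_root_store_add,
    "executable_with_unusual_extension": executable_with_unusual_extension,
    "service_absence_probe": service_absence_probe,
}


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) for every event/rule match, in event order."""
    return [(name, ev.pid) for ev in events for name, rule in RULES.items() if rule(ev)]


CMD = r"C:\Windows\System32\cmd.exe"
SETUP = r"C:\Users\admin\Downloads\freevpn_setup.exe"

# Constructed sample events (see the lead-in for which fields are assumed).
SAMPLE_EVENTS = [
    ProcEvent(1084, r"C:\Program Files\FreeVPN\FF\bin\certutil.exe",
              r'"C:\Program Files\FreeVPN\FF\bin\certutil.exe" -A '
              r'-n "AddedByUser C:\Program Files\FreeVPN\FF\cacert\ca.cert" '
              r'-i "C:\Program Files\FreeVPN\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", '
              r'-d sql:"C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default"',
              CMD),
    ProcEvent(1904, r"C:\Windows\system32\sc.exe", 'sc query "FreeVPN"', CMD),
    ProcEvent(2012, r"C:\Windows\system32\find.exe", 'FIND /C "1060"', CMD),
    # Assumed path: the report does not show where the NSIS stub was extracted.
    ProcEvent(3780, r"C:\Users\admin\AppData\Local\Temp\nsw5A1B.tmp\ns596E.tmp",
              r'"C:\Users\admin\AppData\Local\Temp\nsw5A1B.tmp\ns596E.tmp"', SETUP),
    # Assumed command: one way an installer produces "Changes settings of System certificates".
    ProcEvent(4001, r"C:\Windows\System32\certutil.exe",
              r'certutil.exe -addstore -f Root "C:\Program Files\FreeVPN\FF\cacert\ca.cert.pem"', SETUP),
    # Benign controls: a hash check, and an NSS import that grants no CA trust bits.
    ProcEvent(5001, r"C:\Windows\System32\certutil.exe", r"certutil -hashfile C:\tmp\x.exe SHA256", CMD),
    ProcEvent(5002, r"C:\Program Files\FreeVPN\FF\bin\certutil.exe",
              r'certutil.exe -A -n test -i c.pem -t ",," '
              r'-d sql:"C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default"', CMD),
]

if __name__ == "__main__":
    for rule, pid in evaluate(SAMPLE_EVENTS):
        print(f"{rule:36s} PID {pid}")
```

The NSS rule keys on the trust flags rather than on the certutil path on purpose: a sandboxed build of the same tool dropped anywhere on disk is still the same primitive, and an import with an empty trust string (the 5002 control) is not a trust-store change and should not page anyone.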
Total events: 12 626
Read events: 12 140
Write events: 472
Delete events: 14

Modification events

PID | Process | Key | Operation | Name | Value
2940 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon | write | failed_count | 0
2940 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon | write | state | 2
2940 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty | write | StatusCodes | (empty)
2940 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty | write | StatusCodes | 01000000
2940 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon | write | state | 1
2720 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes | write | 2940-13214912875090875 | 259
2940 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} | write | dr | 1
2940 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome | write | UsageStatsInSample | 0
2940 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes | delete value | 1512-13197841398593750 | 0
2940 | chrome.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96} | write | usagestats | 0

The ten events shown in this extract are all Chrome's own housekeeping (beacon state, exit codes, usage statistics); the installers' registry changes are not among them.
Executable files: 105
Suspicious files: 76
Text files: 440
Unknown types: 45

Dropped files

PID | Process | Filename | Type
2940 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\7dc180ba-6c54-4518-84a2-a4d255e5334d.tmp | (not shown)
2940 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp | (not shown)
2940 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old | text
2940 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old | text
2940 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old | (not shown)
2940 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old | text
2940 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RFf13cd.TMP | text
2940 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RFf13cd.TMP | text
2940 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1 | (not shown)
2940 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old | text

No MD5 or SHA256 values are shown for these files in this extract. The ten entries listed are Chrome's own profile and LevelDB housekeeping files; the 105 executable files dropped by the installers are in the full report.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 31
TCP/UDP connections: 144
DNS requests: 77
Threats: 7

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
2136 | chrome.exe | GET | 301 | 104.18.59.136:80 | http://www.freevpn.win/ | US | (not shown) | (not shown) | malicious
2136 | chrome.exe | GET | 302 | 216.58.207.142:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | html | 510 b | whitelisted
3928 | iexplore.exe | GET | 200 | 149.56.19.59:80 | http://dynamicdownloads.tweakbit.com/prk/st/def/pc-repair-kit-setup | CA | executable | 16.3 Mb | whitelisted
3928 | iexplore.exe | GET | 200 | 91.199.212.52:80 | http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt | GB | der | 1.37 Kb | whitelisted
(not shown) | (not shown) | GET | 200 | 92.122.244.34:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | FR | der | 1.37 Kb | whitelisted
2136 | chrome.exe | GET | 302 | 216.58.207.142:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 515 b | whitelisted
(not shown) | (not shown) | GET | 200 | 92.122.244.64:80 | http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgNpWFtWBAvYDGvtw1760Zgjzg%3D%3D | FR | der | 527 b | whitelisted
2136 | chrome.exe | GET | 200 | 74.125.100.71:80 | http://r2---sn-5hne6nsz.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=185.107.47.171&mm=28&mn=sn-5hne6nsz&ms=nvh&mt=1570439233&mv=m&mvi=1&pl=23&shardbypass=yes | US | crx | 293 Kb | whitelisted
3096 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
2908 | pc-repair-kit-setup[1].tmp | POST | 200 | 172.217.22.206:80 | http://www.google-analytics.com/collect | US | image | 35 b | whitelisted

Two points worth noting from this table: the 16.3 MB PCRepairKit installer (row 3) was fetched by iexplore.exe over plain HTTP on port 80, so nothing on the transport authenticates the second-stage executable; and the CRL and OCSP fetches (crt.usertrust.com, identrust, letsencrypt) are Windows validating certificate chains, not installer traffic.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2136 | chrome.exe | 104.18.59.136:80 | www.freevpn.win | Cloudflare Inc | US | suspicious
2136 | chrome.exe | 172.217.22.205:443 | accounts.google.com | Google Inc. | US | unknown
2136 | chrome.exe | 216.58.207.163:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
2136 | chrome.exe | 216.58.207.132:443 | www.google.com | Google Inc. | US | whitelisted
2136 | chrome.exe | 104.18.59.136:443 | www.freevpn.win | Cloudflare Inc | US | suspicious
2136 | chrome.exe | 104.19.197.151:443 | cdnjs.cloudflare.com | Cloudflare Inc | US | shared
2136 | chrome.exe | 51.77.64.70:443 | pro.ip-api.com | (not shown) | GB | suspicious
2136 | chrome.exe | 172.217.22.206:443 | clients2.google.com | Google Inc. | US | whitelisted
2136 | chrome.exe | 216.58.207.142:80 | redirector.gvt1.com | Google Inc. | US | whitelisted
2136 | chrome.exe | 74.125.100.71:80 | r2---sn-5hne6nsz.gvt1.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
clientservices.googleapis.com | 216.58.207.163 | whitelisted
www.freevpn.win | 104.18.59.136 | malicious
accounts.google.com | 172.217.22.205 | shared
www.google.com | 216.58.207.132, 172.217.22.196 | malicious (as reported)
fonts.googleapis.com | 216.58.207.170 | whitelisted
cdnjs.cloudflare.com | 104.19.197.151 | whitelisted
fonts.gstatic.com | 172.217.22.227 | whitelisted
pro.ip-api.com | 51.77.64.70 | shared
ssl.gstatic.com | 216.58.207.163 | whitelisted
clients2.google.com | 172.217.22.206 | whitelisted

Threats

PID | Process | Class | Message
1072 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
1072 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
1072 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
1072 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
1072 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .to TLD
2260 | PCRepairKit.exe | Misc activity | ADWARE [PTsecurity] PUP.Tweakbit External IP with minimal header

1 ETPRO signature is available in the full report.

Debug output

Process | Message
freevpn_setup.exe | ExecShellAsUser: DLL_PROCESS_ATTACH
freevpn_setup.exe | ExecShellAsUser: got desktop
freevpn_setup.exe | ExecShellAsUser: elevated process detected

ExecShellAsUser is an NSIS plugin that an elevated installer uses to start a process in the logged-on user's (unelevated) session; these are its debug strings, consistent with freevpn_setup.exe running at HIGH integrity.