URL: http://www.freevpn.win
Full analysis: https://app.any.run/tasks/b4c48ca6-dd5c-4571-8058-381606237a6c
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: October 07, 2019, 09:07:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
adware
Indicators:
MD5: F4ED9E2AB9E16FD8BAA5F6E50BFAD46B
SHA1: A455502C4D15D851D499E0DA72EB63D08A2D4717
SHA256: 3406DA8CF2CE273979AF6B64A64F4B8A75178F3482293A15ADD8111064B1C78A
SSDEEP: 3:N1KJS4LbLmK:Cc4HLP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • freevpn_setup.exe (PID: 1944)
      • freevpn_setup.exe (PID: 2696)
      • ns596E.tmp (PID: 3780)
      • ns59EC.tmp (PID: 3060)
      • ns6661.tmp (PID: 2704)
      • ns741D.tmp (PID: 3364)
      • sa_inst.exe (PID: 2340)
      • FreeVPN.exe (PID: 1744)
      • certutil.exe (PID: 2736)
      • certutil.exe (PID: 3852)
      • certutil.exe (PID: 2896)
      • certutil.exe (PID: 1084)
      • certutil.exe (PID: 3144)
      • certutil.exe (PID: 2448)
      • certutil.exe (PID: 2268)
      • certutil.exe (PID: 3848)
      • FreeVPN.exe (PID: 2928)
      • ns763D.tmp (PID: 3912)
      • setup.exe (PID: 2820)
      • pc-repair-kit-setup[1].exe (PID: 2168)
      • pc-repair-kit-setup[1].exe (PID: 1908)
      • PCRepairKit.exe (PID: 2220)
      • PCRepairKit.exe (PID: 2260)
    • Loads dropped or rewritten executable

      • freevpn_setup.exe (PID: 1944)
      • certutil.exe (PID: 2268)
      • certutil.exe (PID: 2896)
      • certutil.exe (PID: 3852)
      • certutil.exe (PID: 3144)
      • certutil.exe (PID: 2736)
      • sa_inst.exe (PID: 2340)
      • certutil.exe (PID: 3848)
      • certutil.exe (PID: 1084)
      • certutil.exe (PID: 2448)
      • FreeVPN.exe (PID: 2928)
      • FreeVPN.exe (PID: 1744)
      • regsvr32.exe (PID: 2652)
      • PCRepairKit.exe (PID: 2220)
      • PCRepairKit.exe (PID: 2260)
    • Changes settings of System certificates

      • freevpn_setup.exe (PID: 1944)
      • pc-repair-kit-setup[1].tmp (PID: 2908)
      • PCRepairKit.exe (PID: 2220)
    • Writes to the hosts file

      • setup.exe (PID: 2820)
    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3928)
    • Registers / Runs the DLL via REGSVR32.EXE

      • pc-repair-kit-setup[1].tmp (PID: 2908)
    • Loads the Task Scheduler COM API

      • PCRepairKit.exe (PID: 2220)
      • PCRepairKit.exe (PID: 2260)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 2940)
      • chrome.exe (PID: 2136)
      • freevpn_setup.exe (PID: 1944)
      • sa_inst.exe (PID: 2340)
      • iexplore.exe (PID: 3928)
      • iexplore.exe (PID: 3096)
      • pc-repair-kit-setup[1].exe (PID: 1908)
      • pc-repair-kit-setup[1].exe (PID: 2168)
      • pc-repair-kit-setup[1].tmp (PID: 2908)
    • Creates files in the program directory

      • freevpn_setup.exe (PID: 1944)
      • certutil.exe (PID: 2896)
      • cmd.exe (PID: 3480)
      • sa_inst.exe (PID: 2340)
      • PCRepairKit.exe (PID: 2220)
      • PCRepairKit.exe (PID: 2260)
    • Creates files in the user directory

      • freevpn_setup.exe (PID: 1944)
      • cmd.exe (PID: 3480)
      • certutil.exe (PID: 1084)
      • certutil.exe (PID: 2268)
      • DefaultBrowserFinder.exe (PID: 3688)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2940)
    • Creates a software uninstall entry

      • freevpn_setup.exe (PID: 1944)
      • sa_inst.exe (PID: 2340)
    • Starts SC.EXE for service management

      • ns596E.tmp (PID: 3780)
      • cmd.exe (PID: 2616)
    • Starts CMD.EXE for commands execution

      • ns59EC.tmp (PID: 3060)
      • ns6661.tmp (PID: 2704)
      • pc-repair-kit-setup[1].tmp (PID: 2908)
    • Starts application with an unusual extension

      • freevpn_setup.exe (PID: 1944)
      • sa_inst.exe (PID: 2340)
    • Executed as Windows Service

      • FreeVPN.exe (PID: 2928)
    • Reads Windows owner or organization settings

      • pc-repair-kit-setup[1].tmp (PID: 2908)
    • Reads the Windows organization settings

      • pc-repair-kit-setup[1].tmp (PID: 2908)
    • Reads the machine GUID from the registry

      • pc-repair-kit-setup[1].tmp (PID: 2908)
      • PCRepairKit.exe (PID: 2220)
      • PCRepairKit.exe (PID: 2260)
    • Reads the cookies of Mozilla Firefox

      • DefaultBrowserFinder.exe (PID: 3688)
    • Reads the cookies of Google Chrome

      • DefaultBrowserFinder.exe (PID: 3688)
    • Creates COM task schedule object

      • regsvr32.exe (PID: 2652)
    • Searches for installed software

      • pc-repair-kit-setup[1].tmp (PID: 2908)
      • PCRepairKit.exe (PID: 2260)
    • Reads the BIOS version

      • pc-repair-kit-setup[1].tmp (PID: 2908)
      • PCRepairKit.exe (PID: 2220)
      • PCRepairKit.exe (PID: 2260)
    • Adds / modifies Windows certificates

      • PCRepairKit.exe (PID: 2220)
      • pc-repair-kit-setup[1].tmp (PID: 2908)
    • Reads Windows Product ID

      • PCRepairKit.exe (PID: 2220)
      • pc-repair-kit-setup[1].tmp (PID: 2908)
      • PCRepairKit.exe (PID: 2260)
    • Starts Internet Explorer

      • cmd.exe (PID: 2496)
    • Low-level read access rights to disk partition

      • PCRepairKit.exe (PID: 2260)
    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2852)
  • INFO

    • Application launched itself

      • chrome.exe (PID: 2940)
      • iexplore.exe (PID: 2348)
    • Reads the hosts file

      • chrome.exe (PID: 2940)
      • chrome.exe (PID: 2136)
      • freevpn_setup.exe (PID: 1944)
    • Reads Internet Cache Settings

      • chrome.exe (PID: 2940)
      • iexplore.exe (PID: 3928)
      • iexplore.exe (PID: 2508)
    • Manual execution by user

      • iexplore.exe (PID: 3096)
    • Changes internet zones settings

      • iexplore.exe (PID: 3096)
      • iexplore.exe (PID: 2348)
    • Creates files in the user directory

      • iexplore.exe (PID: 3928)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2852)
      • iexplore.exe (PID: 2508)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3928)
      • iexplore.exe (PID: 2508)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3096)
      • iexplore.exe (PID: 2348)
    • Application was dropped or rewritten from another process

      • pc-repair-kit-setup[1].tmp (PID: 3892)
      • pc-repair-kit-setup[1].tmp (PID: 2908)
      • DefaultBrowserFinder.exe (PID: 3688)
      • reader.exe (PID: 3656)
    • Loads dropped or rewritten executable

      • DefaultBrowserFinder.exe (PID: 3688)
      • pc-repair-kit-setup[1].tmp (PID: 2908)
    • Dropped object may contain Bitcoin addresses

      • pc-repair-kit-setup[1].tmp (PID: 2908)
    • Creates files in the program directory

      • pc-repair-kit-setup[1].tmp (PID: 2908)
    • Creates a software uninstall entry

      • pc-repair-kit-setup[1].tmp (PID: 2908)
    • Reads Microsoft Office registry keys

      • PCRepairKit.exe (PID: 2260)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 120
Monitored processes: 67
Malicious processes: 20
Suspicious processes: 10

Behavior graph

[interactive process graph, not reproduced here; available in the full report]

Process information

PID: 1084
CMD: "C:\Program Files\FreeVPN\FF\bin\certutil.exe" -A -n "AddedByUser C:\Program Files\FreeVPN\FF\cacert\ca.cert" -i "C:\Program Files\FreeVPN\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d sql:"C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default"
Path: C:\Program Files\FreeVPN\FF\bin\certutil.exe
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\program files\freevpn\ff\bin\certutil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\program files\freevpn\ff\bin\nssutil3.dll
c:\program files\freevpn\ff\bin\plc4.dll
c:\program files\freevpn\ff\bin\nspr4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll

PID: 1744
CMD: "C:\Program Files\FreeVPN\FreeVPN.exe" -in
Path: C:\Program Files\FreeVPN\FreeVPN.exe
Parent process: freevpn_setup.exe
User: admin
Company: FreeVPN
Integrity Level: HIGH
Description: FreeVPN
Exit code: 32
Version: 0.98
Modules (images):
c:\program files\freevpn\freevpn.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\freevpn\libcurl.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wldap32.dll

PID: 1904
CMD: sc query "FreeVPN"
Path: C:\Windows\system32\sc.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: A tool to aid in developing services for WindowsNT
Exit code: 1060
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 1908
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\pc-repair-kit-setup[1].exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\pc-repair-kit-setup[1].exe
Parent process: iexplore.exe
User: admin
Company: TweakBit
Integrity Level: MEDIUM
Description: TweakBit PCRepairKit Installation File
Exit code: 0
Version: 1.x
Modules (images):
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\lh043oam\pc-repair-kit-setup[1].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

PID: 1944
CMD: "C:\Users\admin\Downloads\freevpn_setup.exe"
Path: C:\Users\admin\Downloads\freevpn_setup.exe
Parent process: chrome.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\downloads\freevpn_setup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

PID: 2012
CMD: FIND /C "1060"
Path: C:\Windows\system32\find.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (grep) Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\find.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 2136
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1016,18238502409908269914,18146609908720650686,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=14166175833916844516 --mojo-platform-channel-handle=1628 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

PID: 2168
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\pc-repair-kit-setup[1].exe" /SPAWNWND=$20270 /NOTIFYWND=$3027E
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\pc-repair-kit-setup[1].exe
Parent process: pc-repair-kit-setup[1].tmp
User: admin
Company: TweakBit
Integrity Level: HIGH
Description: TweakBit PCRepairKit Installation File
Exit code: 0
Version: 1.x
Modules (images):
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\lh043oam\pc-repair-kit-setup[1].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

PID: 2220
CMD: "C:\Program Files\TweakBit\PCRepairKit\PCRepairKit.exe" /Install /Language:"ENU" /AutoStart /SendInfo
Path: C:\Program Files\TweakBit\PCRepairKit\PCRepairKit.exe
Parent process: pc-repair-kit-setup[1].tmp
User: admin
Company: TweakBit
Integrity Level: HIGH
Description: PC Repair Kit
Exit code: 0
Version: 1.8.4.16
Modules (images):
c:\program files\tweakbit\pcrepairkit\pcrepairkit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\program files\tweakbit\pcrepairkit\rtl160.bpl
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 2260
CMD: "C:\Program Files\TweakBit\PCRepairKit\PCRepairKit.exe" /FromInstaller
Path: C:\Program Files\TweakBit\PCRepairKit\PCRepairKit.exe
Parent process: pc-repair-kit-setup[1].tmp
User: admin
Company: TweakBit
Integrity Level: HIGH
Description: PC Repair Kit
Exit code: 0
Version: 1.8.4.16
Modules (images):
c:\program files\tweakbit\pcrepairkit\pcrepairkit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\tweakbit\pcrepairkit\rtl160.bpl
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
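Two rows in the process table deserve a closer look than the signature names give them. The certutil.exe in PID 1084 is not the Windows tool: it runs from C:\Program Files\FreeVPN\FF\bin and loads nssutil3.dll, plc4.dll and nspr4.dll, so it is Mozilla's NSS certutil bundled by the installer. Its arguments add a certificate (-A) with trust "cTC,cTC,cTC" (in NSS trust strings the three fields are SSL, e-mail and object signing; C = trusted CA for that usage, T = trusted CA for client authentication, c = valid CA) into the Firefox profile database given by -d sql:, so any certificate chaining to that CA is accepted by Firefox without a warning. PID 1904 and 2012 are an installer idiom: sc.exe query returns exit code 1060 (ERROR_SERVICE_DOES_NOT_EXIST) when the service is absent, and FIND /C "1060" turns that into a yes/no. The following triage code is an added example, not ANY.RUN output and not code from FreeVPN, TweakBit or NSS; it copies the three command lines from the table into a Sysmon-like record layout that is itself an assumption, decodes the trust string, and flags both patterns.

```python
"""Triage of the process command lines in the table above.

Added example: not ANY.RUN output and not code from FreeVPN, TweakBit or NSS.
Command lines, exit codes and module names are copied from the process table;
the record layout and the rule names are assumptions made for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str            # full path of the executable
    cmdline: str          # raw Windows command line
    parent: str           # parent image name
    exit_code: int
    modules: tuple = ()   # basenames of non-system DLLs listed for the process


# Constructed from the process table above (PIDs 1084, 1904, 2012).
EVENTS = (
    ProcEvent(1084, r"C:\Program Files\FreeVPN\FF\bin\certutil.exe",
              r'"C:\Program Files\FreeVPN\FF\bin\certutil.exe" -A '
              r'-n "AddedByUser C:\Program Files\FreeVPN\FF\cacert\ca.cert" '
              r'-i "C:\Program Files\FreeVPN\FF\cacert\ca.cert.pem" '
              r'-t "cTC,cTC,cTC", '
              r'-d sql:"C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default"',
              "cmd.exe", 0, ("nssutil3.dll", "plc4.dll", "nspr4.dll")),
    ProcEvent(1904, r"C:\Windows\system32\sc.exe", 'sc query "FreeVPN"', "cmd.exe", 1060),
    ProcEvent(2012, r"C:\Windows\system32\find.exe", 'FIND /C "1060"', "cmd.exe", 0),
)

_ARG = re.compile(r'"([^"]*)"|(\S+)')


def win_split(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes.
    The stray ',' after -t in PID 1084 becomes a token of its own and is skipped."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _ARG.finditer(cmdline)]


# NSS trust string: one field per usage (SSL, e-mail, object signing).
NSS_USAGES = ("ssl", "email", "objsign")
NSS_TRUST = {"c": "valid CA", "C": "trusted CA", "T": "trusted CA (client auth)",
             "p": "valid peer", "P": "trusted peer", "u": "user cert"}


def decode_trust(trust):
    return {usage: [NSS_TRUST.get(ch, "?" + ch) for ch in field]
            for usage, field in zip(NSS_USAGES, trust.split(","))}


def parse_nss_certutil(cmdline):
    """Return (operations, options) of an NSS-style certutil invocation."""
    toks = win_split(cmdline)[1:]
    ops = {t for t in toks if t in {"-A", "-D", "-M", "-L"}}
    opts, i = {}, 0
    while i < len(toks):
        if toks[i] in {"-n", "-i", "-t", "-d"} and i + 1 < len(toks):
            opts[toks[i]] = toks[i + 1].replace('"', "")
            i += 2
        else:
            i += 1
    return ops, opts


def is_nss_certutil(ev):
    """Windows' own certutil.exe lives in System32 and does not link NSS; a
    certutil.exe anywhere else, or one loading nssutil3/nspr4, is the NSS tool."""
    if ev.image.rsplit("\\", 1)[-1].lower() != "certutil.exe":
        return False
    outside_system32 = not ev.image.lower().startswith("c:\\windows\\system32\\")
    links_nss = any(m.lower().startswith(("nss", "nspr")) for m in ev.modules)
    return outside_system32 or links_nss


ERROR_SERVICE_DOES_NOT_EXIST = 1060   # sc.exe exit code when the service is absent


def triage(events):
    findings = []
    siblings = {}
    for ev in events:
        siblings.setdefault(ev.parent, []).append(ev)
    for ev in events:
        name = ev.image.rsplit("\\", 1)[-1].lower()
        if is_nss_certutil(ev):
            ops, opts = parse_nss_certutil(ev.cmdline)
            trust = decode_trust(opts.get("-t", ""))
            ca_for = [u for u, v in trust.items() if any("trusted CA" in x for x in v)]
            db = opts.get("-d", "")
            if "-A" in ops and ca_for and "\\mozilla\\firefox\\profiles\\" in db.lower():
                findings.append(("nss_trusted_ca_injected", ev.pid,
                                 {"nickname": opts.get("-n"), "db": db, "trusted_for": ca_for}))
        # Installer idiom: 'sc query <svc>' exits 1060 when the service does not
        # exist, and a sibling 'FIND /C "1060"' turns that into a yes/no answer.
        if name == "sc.exe" and ev.exit_code == ERROR_SERVICE_DOES_NOT_EXIST:
            toks = win_split(ev.cmdline)
            probed = toks[2] if len(toks) > 2 and toks[1].lower() == "query" else None
            paired = any(s.image.lower().endswith("\\find.exe") and "1060" in s.cmdline
                         for s in siblings.get(ev.parent, []))
            if probed and paired:
                findings.append(("service_existence_probe", ev.pid,
                                 {"service": probed, "exists": False}))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(rule, pid, detail)
```

The NSS check keys on the tool's own syntax (-A, -t, -d sql:) and the profile path rather than on the process name, because a Sigma-style rule on "certutil.exe" alone would match the Windows binary, whose arguments (-addstore, -urlcache) look nothing like these. The profile database written here is the one in the admin user's Roaming\Mozilla\Firefox\Profiles folder; the same report also records "Changes settings of System certificates" for freevpn_setup.exe, so the Windows store should be reviewed as well.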
Total events: 12 626
Read events: 12 140
Write events: 472
Delete events: 14

Modification events

PID | Process | Key | Operation | Name | Value
2940 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon | write | failed_count | 0
2940 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon | write | state | 2
2940 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty | write | StatusCodes | (empty)
2940 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty | write | StatusCodes | 01000000
2940 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon | write | state | 1
2720 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes | write | 2940-13214912875090875 | 259
2940 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} | write | dr | 1
2940 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome | write | UsageStatsInSample | 0
2940 | chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes | delete value | 1512-13197841398593750 | 0
2940 | chrome.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96} | write | usagestats | 0
Executable files: 105
Suspicious files: 76
Text files: 440
Unknown types: 45

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2940 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\7dc180ba-6c54-4518-84a2-a4d255e5334d.tmp | - | - | -
2940 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp | - | - | -
2940 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RFf13cd.TMP | text | - | -
2940 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old | text | - | -
2940 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old | - | - | -
2940 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RFf143a.TMP | text | - | -
2940 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old | text | - | -
2940 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old~RFf14c7.TMP | text | - | -
2940 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1 | - | - | -
3556 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma | binary | B59113C2DCD2D346F31A64F231162ADA | 1D97C69AEA85D3B06787458EA47576B192CE5C5DB9940E5EAA514FF977CE2DC2
HTTP(S) requests: 31
TCP/UDP connections: 144
DNS requests: 77
Threats: 7

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
2136 | chrome.exe | GET | 301 | 104.18.59.136:80 | http://www.freevpn.win/ | US | - | - | malicious
3928 | iexplore.exe | GET | 200 | 149.56.19.59:80 | http://dynamicdownloads.tweakbit.com/prk/st/def/pc-repair-kit-setup | CA | executable | 16.3 Mb | whitelisted
- | - | GET | 200 | 92.122.244.34:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | FR | der | 1.37 Kb | whitelisted
2136 | chrome.exe | GET | 302 | 216.58.207.142:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | html | 510 b | whitelisted
- | - | GET | 200 | 92.122.244.64:80 | http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgNpWFtWBAvYDGvtw1760Zgjzg%3D%3D | FR | der | 527 b | whitelisted
2136 | chrome.exe | GET | 302 | 216.58.207.142:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 515 b | whitelisted
2908 | pc-repair-kit-setup[1].tmp | POST | 200 | 172.217.22.206:80 | http://www.google-analytics.com/collect | US | image | 35 b | whitelisted
2908 | pc-repair-kit-setup[1].tmp | POST | 200 | 172.217.22.206:80 | http://www.google-analytics.com/collect | US | image | 35 b | whitelisted
2136 | chrome.exe | GET | 200 | 74.125.100.71:80 | http://r2---sn-5hne6nsz.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=185.107.47.171&mm=28&mn=sn-5hne6nsz&ms=nvh&mt=1570439233&mv=m&mvi=1&pl=23&shardbypass=yes | US | crx | 293 Kb | whitelisted
2908 | pc-repair-kit-setup[1].tmp | POST | 200 | 172.217.22.206:80 | http://www.google-analytics.com/collect | US | image | 35 b | whitelisted
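The one executable in the HTTP table (16.3 Mb from dynamicdownloads.tweakbit.com over plain http://, fetched by iexplore.exe PID 3928) carries reputation "whitelisted", yet the process table shows the same download run from the IE cache as pc-repair-kit-setup[1].exe (PID 1908, parent iexplore.exe) and going on to install PCRepairKit. A rule keyed on reputation misses it; a rule that joins the download to the process that executed it does not. The code below is an added example, not ANY.RUN output: it copies a subset of the HTTP and process rows into a column layout that is an assumption for the example, and relies on the fact that Internet Explorer stores downloads under Temporary Internet Files\Content.IE5 with "[n]" appended to the name.

```python
"""Join the HTTP request table with the process table: an executable fetched by a
browser over plain http:// and then launched from the browser's cache directory.

Added example, not ANY.RUN output. Rows are a subset copied from the tables
above; the column layout and the rule are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HttpRow:
    pid: Optional[int]     # None where the report lists no process (OCSP rows)
    process: str
    method: str
    status: int
    ip: str
    url: str
    ctype: str             # sandbox content classification, '' when absent
    size: str
    reputation: str


@dataclass(frozen=True)
class ProcRow:
    pid: int
    image: str
    parent: str


# Constructed from the HTTP requests table above (subset).
HTTP = (
    HttpRow(2136, "chrome.exe", "GET", 301, "104.18.59.136:80",
            "http://www.freevpn.win/", "", "", "malicious"),
    HttpRow(3928, "iexplore.exe", "GET", 200, "149.56.19.59:80",
            "http://dynamicdownloads.tweakbit.com/prk/st/def/pc-repair-kit-setup",
            "executable", "16.3 Mb", "whitelisted"),
    HttpRow(2136, "chrome.exe", "GET", 302, "216.58.207.142:80",
            "http://redirector.gvt1.com/edgedl/chromewebstore/"
            "L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/"
            "1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx", "html", "510 b", "whitelisted"),
    HttpRow(2908, "pc-repair-kit-setup[1].tmp", "POST", 200, "172.217.22.206:80",
            "http://www.google-analytics.com/collect", "image", "35 b", "whitelisted"),
)

# Constructed from the process table above (subset).
PROCS = (
    ProcRow(1908, r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files"
                  r"\Content.IE5\LH043OAM\pc-repair-kit-setup[1].exe", "iexplore.exe"),
    ProcRow(1944, r"C:\Users\admin\Downloads\freevpn_setup.exe", "chrome.exe"),
    ProcRow(2168, r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files"
                  r"\Content.IE5\LH043OAM\pc-repair-kit-setup[1].exe", "pc-repair-kit-setup[1].tmp"),
)

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# IE cache locations: Temporary Internet Files\Content.IE5 (Windows 7) or INetCache\IE (later).
CACHE_MARKERS = ("\\temporary internet files\\content.ie5\\", "\\inetcache\\ie\\")
_CACHE_NAME = re.compile(r"^(?P<stem>.+?)(\[\d+\])?(\.[^.\\/]+)?$")


def stem(name):
    """'pc-repair-kit-setup[1].exe' -> 'pc-repair-kit-setup': IE appends '[n]' to
    cached names, and the server put no extension in the URL at all."""
    return _CACHE_NAME.match(name).group("stem").lower()


def cleartext_executable_downloads(http):
    """Rows where a browser fetched content the sandbox typed as executable over
    plain http://. Reputation is ignored on purpose: this row is 'whitelisted'."""
    return [r for r in http
            if r.ctype == "executable" and urlsplit(r.url).scheme == "http"
            and r.process.lower() in BROWSERS]


def drop_and_execute(http, procs):
    """Match each such download to a process whose image sits in the browser cache,
    whose parent is a browser, and whose name stem equals the URL's last path segment."""
    hits = []
    for dl in cleartext_executable_downloads(http):
        wanted = stem(urlsplit(dl.url).path.rsplit("/", 1)[-1])
        for p in procs:
            img = p.image.lower()
            if (any(m in img for m in CACHE_MARKERS)
                    and p.parent.lower() in BROWSERS
                    and stem(img.rsplit("\\", 1)[-1]) == wanted):
                hits.append((dl.url, p.pid, p.image))
    return hits


if __name__ == "__main__":
    for url, pid, image in drop_and_execute(HTTP, PROCS):
        print(f"PID {pid} ran {image}\n  fetched from {url}")
```

PID 2168 runs the same cached file but is not reported, because its parent is the installer's own pc-repair-kit-setup[1].tmp rather than the browser; the rule is meant to catch the first hop from browser to dropped executable, and the rest of the chain is already visible in the process tree.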

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2136 | chrome.exe | 216.58.207.163:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
2136 | chrome.exe | 104.18.59.136:80 | www.freevpn.win | Cloudflare Inc | US | suspicious
2136 | chrome.exe | 172.217.22.227:443 | fonts.gstatic.com | Google Inc. | US | whitelisted
2136 | chrome.exe | 104.18.59.136:443 | www.freevpn.win | Cloudflare Inc | US | suspicious
2136 | chrome.exe | 104.19.197.151:443 | cdnjs.cloudflare.com | Cloudflare Inc | US | shared
2136 | chrome.exe | 51.77.64.70:443 | pro.ip-api.com | - | GB | suspicious
2136 | chrome.exe | 172.217.22.206:443 | clients2.google.com | Google Inc. | US | whitelisted
2136 | chrome.exe | 216.58.207.142:80 | redirector.gvt1.com | Google Inc. | US | whitelisted
2136 | chrome.exe | 216.58.207.132:443 | www.google.com | Google Inc. | US | whitelisted
2136 | chrome.exe | 172.217.22.205:443 | accounts.google.com | Google Inc. | US | unknown

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 216.58.207.163
whitelisted
www.freevpn.win
  • 104.18.59.136
malicious
accounts.google.com
  • 172.217.22.205
shared
www.google.com
  • 216.58.207.132
  • 172.217.22.196
malicious
fonts.googleapis.com
  • 216.58.207.170
whitelisted
cdnjs.cloudflare.com
  • 104.19.197.151
whitelisted
fonts.gstatic.com
  • 172.217.22.227
whitelisted
pro.ip-api.com
  • 51.77.64.70
shared
ssl.gstatic.com
  • 216.58.207.163
whitelisted
clients2.google.com
  • 172.217.22.206
whitelisted

Threats

PID | Process | Class | Message
1072 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
1072 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
1072 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
1072 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
1072 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .to TLD
2260 | PCRepairKit.exe | Misc activity | ADWARE [PTsecurity] PUP.Tweakbit External IP with minimal header
1 ETPRO signature is available in the full report
Process | Message
freevpn_setup.exe | ExecShellAsUser: DLL_PROCESS_ATTACH
freevpn_setup.exe | ExecShellAsUser: got desktop
freevpn_setup.exe | ExecShellAsUser: elevated process detected