Malware analysis http://79.133.51.146:3254/ Malicious activity

Add for printing

URL:	http://79.133.51.146:3254/
Full analysis:	https://app.any.run/tasks/0e79f3f0-ad48-4112-a547-1315dffc6700
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	November 10, 2023, 11:32:23
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	loader
Indicators:
SHA1:	939AF5002EF326F47F35D026A538BCA6178ACDE8
SHA256:	4D346FFD5F9BE64A29870574D13A5608E47CEB20DA77B4F332D2570D1AED3689
SSDEEP:	3:N1KSLKgRhs:CSNHs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Run PowerShell with an invisible window
  - powershell.exe (PID: 1452)
- Drops the executable file immediately after the start
  - powershell.exe (PID: 1452)
  - MicrosoftEdgeWebview2Setup.exe (PID: 3208)
  - MicrosoftEdgeUpdate.exe (PID: 3576)
  - MicrosoftEdge_X64_109.0.1518.140.exe (PID: 4480)
  - msiexec.exe (PID: 3960)
  - setup.exe (PID: 4500)
- The DLL Hijacking
  - msedgewebview2.exe (PID: 4984)
  - msedgewebview2.exe (PID: 1200)
  - msedgewebview2.exe (PID: 2188)
  - msedgewebview2.exe (PID: 4656)
SUSPICIOUS
- Starts POWERSHELL.EXE for commands execution
  - msiexec.exe (PID: 3960)
- The process bypasses the loading of PowerShell profile settings
  - msiexec.exe (PID: 3960)
- Request a resource from the Internet using PowerShell's cmdlet
  - msiexec.exe (PID: 3960)
- Reads the Internet Settings
  - powershell.exe (PID: 1452)
  - MicrosoftEdgeUpdate.exe (PID: 2852)
  - MicrosoftEdgeUpdate.exe (PID: 3908)
  - MicrosoftEdgeUpdate.exe (PID: 4576)
  - msedgewebview2.exe (PID: 4820)
  - msedgewebview2.exe (PID: 4180)
- Process drops legitimate windows executable
  - powershell.exe (PID: 1452)
  - MicrosoftEdgeWebview2Setup.exe (PID: 3208)
  - MicrosoftEdgeUpdate.exe (PID: 3576)
  - MicrosoftEdge_X64_109.0.1518.140.exe (PID: 4480)
  - setup.exe (PID: 4500)
- Starts itself from another location
  - MicrosoftEdgeUpdate.exe (PID: 3576)
- Creates/Modifies COM task schedule object
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2756)
  - MicrosoftEdgeUpdate.exe (PID: 2396)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3200)
- Reads settings of System Certificates
  - MicrosoftEdgeUpdate.exe (PID: 2852)
  - MicrosoftEdgeUpdate.exe (PID: 3908)
  - MicrosoftEdgeUpdate.exe (PID: 4576)
  - msedgewebview2.exe (PID: 4820)
  - DLL Injector.exe (PID: 4796)
  - DLL Injector.exe (PID: 2716)
  - msedgewebview2.exe (PID: 4180)
- Checks Windows Trust Settings
  - MicrosoftEdgeUpdate.exe (PID: 2852)
  - MicrosoftEdgeUpdate.exe (PID: 3908)
  - MicrosoftEdgeUpdate.exe (PID: 4576)
- The Powershell connects to the Internet
  - powershell.exe (PID: 1452)
- Unusual connection from system programs
  - powershell.exe (PID: 1452)
- Reads security settings of Internet Explorer
  - MicrosoftEdgeUpdate.exe (PID: 2852)
  - MicrosoftEdgeUpdate.exe (PID: 3908)
  - MicrosoftEdgeUpdate.exe (PID: 4576)
- Executes as Windows Service
  - VSSVC.exe (PID: 4060)
- Powershell scripting: start process
  - msiexec.exe (PID: 3960)
- Application launched itself
  - MicrosoftEdgeUpdate.exe (PID: 3908)
  - msedgewebview2.exe (PID: 4820)
  - msedgewebview2.exe (PID: 4180)
INFO
- The process uses the downloaded file
  - firefox.exe (PID: 988)
- Application launched itself
  - firefox.exe (PID: 988)
- Checks supported languages
  - msiexec.exe (PID: 3960)
  - msiexec.exe (PID: 4016)
  - MicrosoftEdgeWebview2Setup.exe (PID: 3208)
  - MicrosoftEdgeUpdate.exe (PID: 3576)
  - MicrosoftEdgeUpdate.exe (PID: 2396)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2756)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3200)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2300)
  - MicrosoftEdgeUpdate.exe (PID: 2852)
  - MicrosoftEdgeUpdate.exe (PID: 2756)
  - MicrosoftEdgeUpdate.exe (PID: 3908)
  - MicrosoftEdge_X64_109.0.1518.140.exe (PID: 4480)
  - setup.exe (PID: 4500)
  - MicrosoftEdgeUpdate.exe (PID: 4576)
  - DLL Injector.exe (PID: 4796)
  - msedgewebview2.exe (PID: 4820)
  - msedgewebview2.exe (PID: 4840)
  - msedgewebview2.exe (PID: 4992)
  - msedgewebview2.exe (PID: 4984)
  - msedgewebview2.exe (PID: 5004)
  - msedgewebview2.exe (PID: 2316)
  - msedgewebview2.exe (PID: 4180)
  - DLL Injector.exe (PID: 2716)
  - x64_DLL_Injector.exe (PID: 2264)
  - msedgewebview2.exe (PID: 1200)
  - msedgewebview2.exe (PID: 4516)
  - msedgewebview2.exe (PID: 2188)
  - msedgewebview2.exe (PID: 4540)
  - msedgewebview2.exe (PID: 4572)
  - msedgewebview2.exe (PID: 4656)
  - msedgewebview2.exe (PID: 3560)
- Reads the computer name
  - msiexec.exe (PID: 3960)
  - MicrosoftEdgeUpdate.exe (PID: 3576)
  - MicrosoftEdgeUpdate.exe (PID: 2396)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2300)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2756)
  - MicrosoftEdgeUpdate.exe (PID: 2852)
  - MicrosoftEdgeUpdate.exe (PID: 2756)
  - MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3200)
  - MicrosoftEdgeUpdate.exe (PID: 3908)
  - MicrosoftEdge_X64_109.0.1518.140.exe (PID: 4480)
  - setup.exe (PID: 4500)
  - msiexec.exe (PID: 4016)
  - MicrosoftEdgeUpdate.exe (PID: 4576)
  - DLL Injector.exe (PID: 4796)
  - msedgewebview2.exe (PID: 4820)
  - msedgewebview2.exe (PID: 4992)
  - msedgewebview2.exe (PID: 4984)
  - DLL Injector.exe (PID: 2716)
  - msedgewebview2.exe (PID: 1200)
  - msedgewebview2.exe (PID: 2188)
  - msedgewebview2.exe (PID: 4516)
  - msedgewebview2.exe (PID: 4656)
  - msedgewebview2.exe (PID: 4180)
- Connects to unusual port
  - firefox.exe (PID: 988)
- Manual execution by a user
  - msiexec.exe (PID: 3928)
  - DLL Injector.exe (PID: 4796)
  - DLL Injector.exe (PID: 2716)
- Reads the machine GUID from the registry
  - msiexec.exe (PID: 3960)
  - MicrosoftEdgeUpdate.exe (PID: 3576)
  - MicrosoftEdgeUpdate.exe (PID: 2756)
  - MicrosoftEdgeUpdate.exe (PID: 3908)
  - MicrosoftEdgeUpdate.exe (PID: 2852)
  - msiexec.exe (PID: 4016)
  - MicrosoftEdgeUpdate.exe (PID: 4576)
  - msedgewebview2.exe (PID: 4820)
  - DLL Injector.exe (PID: 4796)
  - DLL Injector.exe (PID: 2716)
  - msedgewebview2.exe (PID: 4180)
- Drops the executable file immediately after the start
  - msiexec.exe (PID: 3928)
  - firefox.exe (PID: 988)
- The executable file from the user directory is run by the Powershell process
  - MicrosoftEdgeWebview2Setup.exe (PID: 3208)
- Create files in a temporary directory
  - MicrosoftEdgeWebview2Setup.exe (PID: 3208)
  - MicrosoftEdgeUpdate.exe (PID: 3576)
  - MicrosoftEdgeUpdate.exe (PID: 2852)
  - msiexec.exe (PID: 3960)
  - MicrosoftEdgeUpdate.exe (PID: 4576)
  - msedgewebview2.exe (PID: 4820)
  - msedgewebview2.exe (PID: 4180)
- Reads Environment values
  - MicrosoftEdgeUpdate.exe (PID: 2852)
  - MicrosoftEdgeUpdate.exe (PID: 4576)
- Checks proxy server information
  - MicrosoftEdgeUpdate.exe (PID: 2852)
  - MicrosoftEdgeUpdate.exe (PID: 4576)
- Creates files or folders in the user directory
  - MicrosoftEdgeUpdate.exe (PID: 3908)
  - MicrosoftEdge_X64_109.0.1518.140.exe (PID: 4480)
  - setup.exe (PID: 4500)
  - MicrosoftEdgeUpdate.exe (PID: 3576)
  - msedgewebview2.exe (PID: 4820)
  - msedgewebview2.exe (PID: 4840)
  - msedgewebview2.exe (PID: 4992)
  - msedgewebview2.exe (PID: 4180)
- Process checks computer location settings
  - msedgewebview2.exe (PID: 4820)
  - msedgewebview2.exe (PID: 2316)
  - msedgewebview2.exe (PID: 4572)
  - msedgewebview2.exe (PID: 4180)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

284

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="988.1.1054295105\12232237" -parentBuildID 20230710165010 -prefsHandle 1412 -prefMapHandle 1408 -prefsLen 29857 -prefMapSize 244187 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fad5e577-7212-4de1-a941-da67fce30ed0} 988 "\\.\pipe\gecko-crash-server-pipe.988" 1424 fad1358 socket

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

944

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="988.14.844943906\1754019770" -childID 13 -isForBrowser -prefsHandle 3912 -prefMapHandle 8200 -prefsLen 31109 -prefMapSize 244187 -jsInitHandle 860 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {444dbcae-6845-47de-a916-4bdad73b941d} 988 "\\.\pipe\gecko-crash-server-pipe.988" 604 19755558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

988

"C:\Program Files\Mozilla Firefox\firefox.exe" "http://79.133.51.146:3254/"

C:\Program Files\Mozilla Firefox\firefox.exe

explorer.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

1200

"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\109.0.1518.140\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\net.dllinjector\EBWebView" --webview-exe-name="DLL Injector.exe" --webview-exe-version=2.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1328 --field-trial-handle=1196,i,7362940157907465865,5735521551306703017,131072 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:2

C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\109.0.1518.140\msedgewebview2.exe

—

msedgewebview2.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge WebView2

Exit code:

Version:

109.0.1518.140

Modules

Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\109.0.1518.140\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\109.0.1518.140\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1452

powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

2188

"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\109.0.1518.140\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\net.dllinjector\EBWebView" --webview-exe-name="DLL Injector.exe" --webview-exe-version=2.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1204 --field-trial-handle=1248,i,5608178396342470638,17871505334622472168,131072 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:2

C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\109.0.1518.140\msedgewebview2.exe

—

msedgewebview2.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge WebView2

Exit code:

Version:

109.0.1518.140

Modules

Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\109.0.1518.140\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\109.0.1518.140\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

2264

"./resources/x64_DLL_Injector.exe" C:\Users\admin\Downloads\Lightshot.dll 284

C:\Program Files (x86)\DLL Injector\resources\x64_DLL_Injector.exe

—

DLL Injector.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\program files (x86)\dll injector\resources\x64_dll_injector.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll

2264

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="988.13.357251492\1378663719" -childID 12 -isForBrowser -prefsHandle 4396 -prefMapHandle 4308 -prefsLen 31109 -prefMapSize 244187 -jsInitHandle 860 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f170665a-b515-4d6c-864b-e96e3fb77df0} 988 "\\.\pipe\gecko-crash-server-pipe.988" 2772 1d61c458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

2300

"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe" /user

C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe

—

MicrosoftEdgeUpdate.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge Update COM Registration Helper

Exit code:

Version:

1.3.181.5

Modules

Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.181.5\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2316

"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\109.0.1518.140\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\net.dllinjector\EBWebView" --webview-exe-name="DLL Injector.exe" --webview-exe-version=2.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --mojo-platform-channel-handle=2168 --field-trial-handle=1196,i,7362940157907465865,5735521551306703017,131072 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:1

C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\109.0.1518.140\msedgewebview2.exe

—

msedgewebview2.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge WebView2

Exit code:

Version:

109.0.1518.140

Modules

Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\109.0.1518.140\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\109.0.1518.140\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

35 858

Read events

32 688

Write events

3 120

Delete events

Modification events


(PID) Process:	(988) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Browser
Value: 0000000000000000
(PID) Process:	(988) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Telemetry
Value: 1
(PID) Process:	(988) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\DllPrefetchExperiment
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0
(PID) Process:	(988) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Theme
Value: 1
(PID) Process:	(988) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Enabled
Value: 1
(PID) Process:	(988) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|DisableTelemetry
Value: 0
(PID) Process:	(988) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|DisableDefaultBrowserAgent
Value: 0
(PID) Process:	(988) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|SetDefaultBrowserUserChoice
Value: 1
(PID) Process:	(988) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|AppLastRunTime
Value: F8B731ACA1C5D901
(PID) Process:	(988) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0

Add for printing

Executable files

217

Suspicious files

651

Text files

127

Unknown types

Dropped files

PID	Process	Filename		Type
988	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\cookies.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
988	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
988	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\sessionCheckpoints.json		binary
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
988	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\sessionCheckpoints.json.tmp		binary
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
988	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\nltxvmn2.default\cache2\entries\1BFE03C3D1AD9F715AE3371A4CCFB1C9C99480B3		compressed
		MD5:C678F9AA75693F98330165E0C2396E99	SHA256:2F741FDB68980BBE052FC7DEEBE7F2213AC7A2ED6C947012598DB4A8E0E65044
988	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal		binary
		MD5:880CC60B31D18FFCE1FE7DE241037825	SHA256:F1D84B94282EA223703C12468DFFDCABAD967CC64827B66C65081D2BDB69B28E
988	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
988	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\nltxvmn2.default\cache2\entries\CBAE2F2777C57A6052043208FB3C80F2795DCE9B		compressed
		MD5:8F1CA20E6ECA80276B9832578C6C728F	SHA256:75928272184AD4A8A23155159D726FE4DADB26FB472C4C4B552778B34E91BEC8
988	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\nltxvmn2.default\cache2\doomed\11933		compressed
		MD5:58BF90C279D403DC2DFB9B9DF37D9B81	SHA256:4A922FE9DF274368DBD30EC32F033BC5404E868AE1F512F6CFB291D7A4D781C5
988	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\nltxvmn2.default\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F		compressed
		MD5:C8CA48F9F3C997FBC0A8B847E13382BB	SHA256:DD3B7E60DD69F5B984C4B00F2BD8DF73CCC80AC4743FB83399A9690279CC7BE1

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

123

DNS requests

198

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
988	firefox.exe	GET	—	79.133.51.146:3254	http://79.133.51.146:3254/favicon.ico	unknown	—	—	unknown
988	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	text	90 b	unknown
988	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	unknown	text	8 b	unknown
988	firefox.exe	POST	—	184.24.77.48:80	http://r3.o.lencr.org/	unknown	—	—	unknown
988	firefox.exe	GET	200	79.133.51.146:3254	http://79.133.51.146:3254/	unknown	html	2.84 Kb	unknown
988	firefox.exe	GET	200	79.133.51.146:3254	http://79.133.51.146:3254/~img41	unknown	image	566 b	unknown
988	firefox.exe	GET	200	79.133.51.146:3254	http://79.133.51.146:3254/?mode=section&id=style.css	unknown	text	12.6 Kb	unknown
988	firefox.exe	POST	200	184.24.77.48:80	http://r3.o.lencr.org/	unknown	binary	503 b	unknown
988	firefox.exe	GET	200	79.133.51.146:3254	http://79.133.51.146:3254/?mode=section&id=lib.js	unknown	html	6.57 Kb	unknown
988	firefox.exe	POST	200	142.250.185.227:80	http://ocsp.pki.goog/gts1c3	unknown	binary	472 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
1956	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
988	firefox.exe	79.133.51.146:3254	—	diva-e Datacenters GmbH	DE	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
988	firefox.exe	34.107.221.82:80	detectportal.firefox.com	GOOGLE	US	whitelisted
988	firefox.exe	34.117.237.239:443	contile.services.mozilla.com	GOOGLE-CLOUD-PLATFORM	US	unknown
988	firefox.exe	34.233.246.195:443	spocs.getpocket.com	AMAZON-AES	US	unknown
988	firefox.exe	172.217.16.202:443	safebrowsing.googleapis.com	—	—	whitelisted
988	firefox.exe	34.160.144.191:443	content-signature-2.cdn.mozilla.net	GOOGLE	US	unknown
988	firefox.exe	184.24.77.48:80	r3.o.lencr.org	Akamai International B.V.	DE	unknown

DNS requests

Domain	IP	Reputation
detectportal.firefox.com	34.107.221.82	whitelisted
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted
contile.services.mozilla.com	34.117.237.239	whitelisted
example.org	93.184.216.34	whitelisted
ipv4only.arpa	192.0.0.170 192.0.0.171	whitelisted
spocs.getpocket.com	34.233.246.195 34.205.223.217 18.235.78.81 3.214.21.201	shared
proxyserverecs-1736642167.us-east-1.elb.amazonaws.com	34.233.246.195 34.205.223.217 3.214.21.201 18.235.78.81	shared
r3.o.lencr.org	184.24.77.48 184.24.77.67 184.24.77.79 184.24.77.46 184.24.77.54 184.24.77.47 184.24.77.81 184.24.77.57 184.24.77.74 184.24.77.61 184.24.77.71 184.24.77.72 184.24.77.53 184.24.77.58 184.24.77.82	shared
content-signature-2.cdn.mozilla.net	34.160.144.191	whitelisted
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191 2600:1901:0:92a9::	whitelisted

Threats

PID	Process	Class	Message
988	firefox.exe	A Network Trojan was detected	ET HUNTING Rejetto HTTP File Sever Response
988	firefox.exe	Potentially Bad Traffic	ET INFO Dotted Quad Host DLL Request
988	firefox.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
988	firefox.exe	Misc activity	ET INFO EXE - Served Attached HTTP
884	svchost.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

Add for printing

Process	Message
msedgewebview2.exe	RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\net.dllinjector directory exists )
msedgewebview2.exe	RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\net.dllinjector\EBWebView directory exists )

General Info

http://79.133.51.146:3254/

939AF5002EF326F47F35D026A538BCA6178ACDE8

4D346FFD5F9BE64A29870574D13A5608E47CEB20DA77B4F332D2570D1AED3689

3:N1KSLKgRhs:CSNHs

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

Drops the executable file immediately after the start

The DLL Hijacking

SUSPICIOUS

Starts POWERSHELL.EXE for commands execution

The process bypasses the loading of PowerShell profile settings

Request a resource from the Internet using PowerShell's cmdlet

Reads the Internet Settings

Process drops legitimate windows executable

Starts itself from another location

Creates/Modifies COM task schedule object

Reads settings of System Certificates

Checks Windows Trust Settings

The Powershell connects to the Internet

Unusual connection from system programs

Reads security settings of Internet Explorer

Executes as Windows Service

Powershell scripting: start process

Application launched itself

INFO

The process uses the downloaded file

Application launched itself

Checks supported languages

Reads the computer name

Connects to unusual port

Manual execution by a user

Reads the machine GUID from the registry

Drops the executable file immediately after the start

The executable file from the user directory is run by the Powershell process

Create files in a temporary directory

Reads Environment values

Checks proxy server information

Creates files or folders in the user directory

Process checks computer location settings

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats