URL:

https://1drv.ms/u/s!AqIAiP7cEZKsgQRZoY0ncOHXbZQi

Full analysis: https://app.any.run/tasks/c5cdcf4d-6817-4600-b3e2-6aab65b4d642
Verdict: Malicious activity
Threats:

Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.

Malware Trends Tracker     >>>
Analysis date: January 23, 2019, 10:11:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adwind
trojan
Indicators:
MD5:

5E02AC4EFEE8B5089156DAE6286DE672

SHA1:

5628BB9C2DBEB5C14F2D162F23227460BCD55B92

SHA256:

5D684BB448AE0284EC1E6C7B718E35D104F696DEA02BDBC183E3219F134EE338

SSDEEP:

3:N8qDLIWKfXSZWuM:2qXy3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • AdWind was detected

      • java.exe (PID: 1688)
      • java.exe (PID: 3340)

    • Loads dropped or rewritten executable

      • javaw.exe (PID: 4052)
      • svchost.exe (PID: 820)
      • java.exe (PID: 1688)
      • javaw.exe (PID: 3268)
      • explorer.exe (PID: 2028)
      • java.exe (PID: 3340)

    • Application was dropped or rewritten from another process

      • java.exe (PID: 1688)
      • javaw.exe (PID: 4052)
      • java.exe (PID: 3340)
      • javaw.exe (PID: 3268)

    • Changes the autorun value in the registry

      • reg.exe (PID: 2388)

    • UAC/LUA settings modification

      • regedit.exe (PID: 3568)

    • Turns off system restore

      • regedit.exe (PID: 3568)

    • Uses TASKKILL.EXE to kill security tools

      • javaw.exe (PID: 3268)

    • Changes Image File Execution Options

      • regedit.exe (PID: 3568)

  • SUSPICIOUS

    • Executes JAVA applets

      • javaw.exe (PID: 4052)
      • explorer.exe (PID: 2028)

    • Starts CMD.EXE for commands execution

      • javaw.exe (PID: 4052)
      • java.exe (PID: 1688)
      • java.exe (PID: 3340)
      • javaw.exe (PID: 3268)

    • Creates files in the user directory

      • javaw.exe (PID: 4052)
      • xcopy.exe (PID: 3684)

    • Executes scripts

      • cmd.exe (PID: 3932)
      • cmd.exe (PID: 3180)
      • cmd.exe (PID: 3892)
      • cmd.exe (PID: 3848)
      • cmd.exe (PID: 3352)
      • cmd.exe (PID: 3328)
      • cmd.exe (PID: 2948)
      • cmd.exe (PID: 4004)

    • Executable content was dropped or overwritten

      • xcopy.exe (PID: 3684)

    • Uses ATTRIB.EXE to modify file attributes

      • javaw.exe (PID: 4052)

    • Uses REG.EXE to modify Windows registry

      • javaw.exe (PID: 4052)

    • Starts itself from another location

      • javaw.exe (PID: 4052)

    • Connects to unusual port

      • javaw.exe (PID: 3268)

    • Uses TASKKILL.EXE to kill process

      • javaw.exe (PID: 3268)

  • INFO

    • Reads CPU info

      • firefox.exe (PID: 2624)
      • firefox.exe (PID: 3940)
      • firefox.exe (PID: 3472)
      • firefox.exe (PID: 2992)
      • firefox.exe (PID: 3752)

    • Application launched itself

      • firefox.exe (PID: 2992)

    • Dropped object may contain Bitcoin addresses

      • firefox.exe (PID: 2992)

    • Creates files in the user directory

      • firefox.exe (PID: 2992)

    • Reads settings of System Certificates

      • firefox.exe (PID: 2992)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
473
Monitored processes
230
Malicious processes
8
Suspicious processes
0

Behavior graph

Click at the process to see the details
start firefox.exe firefox.exe firefox.exe firefox.exe winrar.exe no specs firefox.exe javaw.exe no specs java.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs xcopy.exe cmd.exe no specs cscript.exe no specs svchost.exe no specs explorer.exe no specs reg.exe attrib.exe no specs attrib.exe no specs javaw.exe java.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cmd.exe no specs cscript.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs taskkill.exe no specs cmd.exe no specs regedit.exe no specs regedit.exe no specs regedit.exe taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
120taskkill /IM FortiTray.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\winsta.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\imm32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\netapi32.dll
120taskkill /IM SDFSSvc.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
184taskkill /IM nanosvc.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
252taskkill /IM K7FWSrvc.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
336taskkill /IM fssm32.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
460taskkill /IM psview.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
612taskkill /IM GDScan.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
692taskkill /IM PtSvcHost.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\gdi32.dll
692taskkill /IM FortiFW.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\winsta.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\imm32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\netapi32.dll
820C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\System32\svchost.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
3 513
Read events
3 241
Write events
272
Delete events
0

Modification events

(PID) Process:(2028) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:writeName:308046O0NS4N39PO
Value:
000000000300000004000000F5200000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF80FBE5745B48D40100000000
(PID) Process:(2028) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:writeName:HRZR_PGYFRFFVBA
Value:
000000002D0000003E000000B34B1500090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000F000000E21705007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E006500780065000000D201B0E536027CE43602A532DC75BCE4360294E5360200000000B432DC75F4E536020145DC756A00CA028C00CA02B8ACCA0278E336020001000101000000000100000000000028FCA802C8E53602E0E2BF02A4E53602CAFEBF02A0E33602D4E536026000CA022B0000006A00CA0228FCA802000000008C00CA025CE536020A00CA020000000005000500A823D3016601CA022B0000000F000000F4E53602BCE5360228FCA8021000000074FFA802050017004E1ED301BCE436021600000002000000B8ACCA020400360228FCA80203000000000000000909090009090909000911110000000011000000B8452700B04527000000000000000000000000000000000000000000000000001CE400005A743083D0E336028291F5751CE43602CCB700002E743083E4E33602B69CF575D0B7DD024C060000FCE3360240B3DD0208E43602789CF57511000000B8452700B045270060B3DD026CE40000E67330831CE436028291F5756CE4360220E436022795F57500000000CCB7DD0248E43602CD94F575CCB7DD02F4E4360240B3DD02E194F5750000000040B3DD02F4E4360250E43602090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802
(PID) Process:(2992) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2992) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2992) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2992) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2992) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithProgids
Operation:writeName:WinRAR.ZIP
Value:
(PID) Process:(2028) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation:writeName:a
Value:
firefox.exe
(PID) Process:(2028) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation:writeName:MRUList
Value:
a
(PID) Process:(2084) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
Executable files
110
Suspicious files
268
Text files
232
Unknown types
119

Dropped files

PID
Process
Filename
Type
2992firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
MD5:
SHA256:
2992firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
MD5:
SHA256:
2992firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db-journal
MD5:
SHA256:
2992firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
MD5:
SHA256:
2992firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
MD5:
SHA256:
2992firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
MD5:
SHA256:
2992firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
MD5:
SHA256:
2992firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.binbinary
MD5:
SHA256:
2992firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.jstext
MD5:
SHA256:
2992firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.dbsqlite
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
82
DNS requests
117
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2992
firefox.exe
POST
200
172.217.18.163:80
http://ocsp.pki.goog/GTSGIAG3
US
der
463 b
whitelisted
2992
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2992
firefox.exe
POST
200
104.18.24.243:80
http://ocsp.msocsp.com/
US
der
1.79 Kb
whitelisted
2992
firefox.exe
POST
200
93.184.220.29:80
http://ocspx.digicert.com/
US
der
471 b
whitelisted
2992
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2992
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2992
firefox.exe
POST
200
172.217.18.163:80
http://ocsp.pki.goog/GTSGIAG3
US
der
463 b
whitelisted
2992
firefox.exe
GET
200
104.107.216.169:80
http://detectportal.firefox.com/success.txt
NL
text
8 b
whitelisted
2992
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2992
firefox.exe
GET
200
104.107.216.169:80
http://detectportal.firefox.com/success.txt
NL
text
8 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2992
firefox.exe
23.45.97.45:443
r3.res.outlook.com
Akamai International B.V.
NL
whitelisted
2992
firefox.exe
152.199.19.160:443
az725175.vo.msecnd.net
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2992
firefox.exe
40.77.226.250:443
web.vortex.data.microsoft.com
Microsoft Corporation
IE
whitelisted
2992
firefox.exe
52.88.72.192:443
shavar.prod.mozaws.net
Amazon.com, Inc.
US
unknown
2992
firefox.exe
13.107.42.12:443
1drv.ms
Microsoft Corporation
US
suspicious
2992
firefox.exe
52.27.184.151:443
search.services.mozilla.com
Amazon.com, Inc.
US
unknown
2992
firefox.exe
104.107.216.169:80
detectportal.firefox.com
Akamai International B.V.
NL
whitelisted
2992
firefox.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2992
firefox.exe
34.214.85.136:443
tiles.services.mozilla.com
Amazon.com, Inc.
US
unknown
2992
firefox.exe
13.107.42.13:443
onedrive.live.com
Microsoft Corporation
US
malicious

DNS requests

Domain
IP
Reputation
detectportal.firefox.com
  • 104.107.216.169
  • 104.107.216.187
  • 2.16.186.112
  • 2.16.186.50
whitelisted
1drv.ms
  • 13.107.42.12
shared
a1089.dscd.akamai.net
  • 104.107.216.187
  • 104.107.216.169
  • 2.16.186.50
  • 2.16.186.112
whitelisted
search.services.mozilla.com
  • 52.27.184.151
  • 52.89.32.107
  • 34.216.89.123
whitelisted
search.r53-2.services.mozilla.com
  • 34.216.89.123
  • 52.89.32.107
  • 52.27.184.151
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
cs9.wac.phicdn.net
  • 93.184.220.29
whitelisted
tiles.services.mozilla.com
  • 34.214.85.136
  • 52.25.70.97
  • 52.26.103.165
  • 34.209.108.219
  • 35.160.41.125
  • 34.215.13.51
  • 34.216.156.21
  • 52.24.236.113
whitelisted
tiles.r53-2.services.mozilla.com
  • 52.24.236.113
  • 34.216.156.21
  • 34.215.13.51
  • 35.160.41.125
  • 34.209.108.219
  • 52.26.103.165
  • 52.25.70.97
  • 34.214.85.136
whitelisted
onedrive.live.com
  • 13.107.42.13
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://1drv.ms/u/s!AqIAiP7cEZKsgQRZoY0ncOHXbZQi