URL:

https://autoload.bank.ecitic.com/newheb/ZXYHSetup.exe

Full analysis: https://app.any.run/tasks/0fc33512-8b22-49dc-a872-2bb422360661
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 01, 2024, 21:24:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
qrcode
loader
Indicators:
MD5:

E766A2A5D6612653E8E17AFA97A68791

SHA1:

EF23248236923D817FCF80EBA62787F2682F545C

SHA256:

602BB38EF3B3B81525E8DC39B2B99AC1D9F6B194772D5E6070BB27A59D772221

SSDEEP:

3:N8bozELkFENAHK1ARQVkA:2EzBXRQaA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Creates a writable file in the system directory

      • CNCBGuardReg.exe (PID: 3816)
      • CNCBSecPkg.tmp (PID: 3316)
      • CNCBPayCtl.tmp (PID: 3616)
      • regsvr32.exe (PID: 1936)

    • Registers / Runs the DLL via REGSVR32.EXE

      • CNCBSecPkg.tmp (PID: 3316)
      • CNCBPayCtl.tmp (PID: 3616)

    • Runs injected code in another process

      • ZXYHebankassit.exe (PID: 2452)
      • CNCBPayCtl.tmp (PID: 3616)

    • Actions looks like stealing of personal data

      • ZXYHebankassit.exe (PID: 2452)

  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • ZXYHebankassit.exe (PID: 2452)

    • Reads the Internet Settings

      • ZXYHebankassit.exe (PID: 2452)

    • The process creates files with name similar to system file names

      • ZXYHSetup.exe (PID: 752)

    • Reads Internet Explorer settings

      • ZXYHebankassit.exe (PID: 2452)

    • Searches for installed software

      • ZXYHebankassit.exe (PID: 2452)
      • CNCBPayCtl.tmp (PID: 3616)

    • Reads settings of System Certificates

      • ZXYHebankassit.exe (PID: 2452)

    • Checks Windows Trust Settings

      • ZXYHebankassit.exe (PID: 2452)

    • Uses TASKKILL.EXE to kill Browsers

      • ZXYHebankassit.exe (PID: 2452)

    • Uses TASKKILL.EXE to kill process

      • ZXYHebankassit.exe (PID: 2452)

    • Reads the Windows owner or organization settings

      • CNCBSecPkg.tmp (PID: 3316)
      • CNCBPayCtl.tmp (PID: 3616)

    • Drops a system driver (possible attempt to evade defenses)

      • CNCBSecPkg.tmp (PID: 3316)
      • regsvr32.exe (PID: 1936)

    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 3428)
      • regsvr32.exe (PID: 2988)

    • Changes internet zones settings

      • ZXYHebankassit.exe (PID: 2452)

    • Detected use of alternative data streams (AltDS)

      • ZXYHSetup.exe (PID: 752)

  • INFO

    • Checks supported languages

      • ZXYHSetup.exe (PID: 752)
      • CNCBGuardReg.exe (PID: 3816)
      • CNCBSecPkg.exe (PID: 3404)
      • CNCBSecPkg.tmp (PID: 3316)
      • CNCBPayCtl.exe (PID: 3612)
      • CNCBPayCtl.tmp (PID: 3616)
      • CITICpibankcersafebox.exe (PID: 2572)
      • CNCBWebBatchTool.exe (PID: 2480)
      • ZXYHebankassit.exe (PID: 2452)
      • CNCBSafeComponent_20231208.exe (PID: 2384)
      • CITICEditIE_20220816.exe (PID: 1192)

    • The process uses the downloaded file

      • firefox.exe (PID: 2184)

    • Application launched itself

      • firefox.exe (PID: 1692)
      • firefox.exe (PID: 2184)

    • Creates files or folders in the user directory

      • ZXYHebankassit.exe (PID: 2452)
      • ZXYHSetup.exe (PID: 752)

    • Reads the computer name

      • ZXYHSetup.exe (PID: 752)
      • CNCBSecPkg.tmp (PID: 3316)
      • CNCBGuardReg.exe (PID: 3816)
      • CNCBPayCtl.tmp (PID: 3616)
      • ZXYHebankassit.exe (PID: 2452)
      • CNCBSafeComponent_20231208.exe (PID: 2384)
      • CITICEditIE_20220816.exe (PID: 1192)

    • Drops the executable file immediately after the start

      • firefox.exe (PID: 2184)
      • ZXYHebankassit.exe (PID: 2452)
      • CNCBSecPkg.exe (PID: 3404)
      • CNCBSecPkg.tmp (PID: 3316)
      • CNCBPayCtl.exe (PID: 3612)
      • CNCBPayCtl.tmp (PID: 3616)
      • regsvr32.exe (PID: 1936)
      • CITICpibankcersafebox.exe (PID: 2572)
      • ZXYHSetup.exe (PID: 752)
      • CNCBWebBatchTool.exe (PID: 2480)
      • CNCBSafeComponent_20231208.exe (PID: 2384)
      • CITICEditIE_20220816.exe (PID: 1192)

    • Create files in a temporary directory

      • ZXYHSetup.exe (PID: 752)
      • CNCBSecPkg.exe (PID: 3404)
      • CNCBSecPkg.tmp (PID: 3316)
      • CNCBPayCtl.exe (PID: 3612)
      • CNCBPayCtl.tmp (PID: 3616)
      • CNCBWebBatchTool.exe (PID: 2480)
      • CITICpibankcersafebox.exe (PID: 2572)
      • CNCBSafeComponent_20231208.exe (PID: 2384)
      • CITICEditIE_20220816.exe (PID: 1192)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • ZXYHSetup.exe (PID: 752)
      • CNCBSafeComponent_20231208.exe (PID: 2384)
      • CITICEditIE_20220816.exe (PID: 1192)

    • Connects to unusual port

      • ZXYHSetup.exe (PID: 752)
      • ZXYHebankassit.exe (PID: 2452)

    • Checks proxy server information

      • ZXYHebankassit.exe (PID: 2452)

    • Reads product name

      • ZXYHebankassit.exe (PID: 2452)

    • Reads Environment values

      • ZXYHebankassit.exe (PID: 2452)

    • Reads the machine GUID from the registry

      • ZXYHebankassit.exe (PID: 2452)
      • CNCBGuardReg.exe (PID: 3816)
      • CNCBPayCtl.tmp (PID: 3616)

    • Creates files in the program directory

      • ZXYHebankassit.exe (PID: 2452)
      • CNCBSecPkg.tmp (PID: 3316)
      • CNCBPayCtl.tmp (PID: 3616)
      • ZXYHSetup.exe (PID: 752)
      • CNCBSafeComponent_20231208.exe (PID: 2384)
      • CITICEditIE_20220816.exe (PID: 1192)

    • Process drops legitimate windows executable

      • CNCBSecPkg.tmp (PID: 3316)
      • CNCBPayCtl.tmp (PID: 3616)

    • Process requests binary or script from the Internet

      • ZXYHebankassit.exe (PID: 2452)

    • Creates files in the driver directory

      • regsvr32.exe (PID: 1936)

    • Application was injected by another process

      • regsvr32.exe (PID: 1848)
      • regsvr32.exe (PID: 1544)
      • CITICpibankcersafebox.exe (PID: 2572)
      • CNCBWebBatchTool.exe (PID: 2480)
      • CITICEditIE_20220816.exe (PID: 1192)
      • CNCBSafeComponent_20231208.exe (PID: 2384)

    • Creates a software uninstall entry

      • CNCBPayCtl.tmp (PID: 3616)

    • Process drops legitimate windows executable (CertUtil.exe)

      • CNCBSafeComponent_20231208.exe (PID: 2384)

    • The process creates files with name similar to system file names

      • CNCBSafeComponent_20231208.exe (PID: 2384)
      • CITICEditIE_20220816.exe (PID: 1192)

    • Reads the Internet Settings

      • CNCBSafeComponent_20231208.exe (PID: 2384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
198
Monitored processes
58
Malicious processes
8
Suspicious processes
0

Behavior graph

Click at the process to see the details
start inject inject inject inject inject inject firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs zxyhsetup.exe no specs zxyhsetup.exe zxyhebankassit.exe taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs firefox.exe no specs cncbsecpkg.exe no specs cncbsecpkg.tmp no specs cncbguardreg.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs cncbpayctl.exe no specs cncbpayctl.tmp regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe regsvr32.exe citicpibankcersafebox.exe cncbwebbatchtool.exe cncbsafecomponent_20231208.exe citiceditie_20220816.exe

Process information

PID
CMD
Path
Indicators
Parent process
548"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2184.1.1588393253\818686372" -parentBuildID 20230710165010 -prefsHandle 1424 -prefMapHandle 1420 -prefsLen 28600 -prefMapSize 244195 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d285538-c3c1-4b91-b038-e7077f2fd9f5} 2184 "\\.\pipe\gecko-crash-server-pipe.2184" 1436 f269200 socketC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
1
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
568"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2184.5.220510161\1824220629" -childID 4 -isForBrowser -prefsHandle 3888 -prefMapHandle 3796 -prefsLen 29209 -prefMapSize 244195 -jsInitHandle 880 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b48b5068-237f-4554-ad00-b2f57ed46394} 2184 "\\.\pipe\gecko-crash-server-pipe.2184" 3892 18f039b0 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
1
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
752"C:\Users\admin\Downloads\ZXYHSetup.exe" C:\Users\admin\Downloads\ZXYHSetup.exe
firefox.exe
User:
admin
Company:
中信银行股份有限公司
Integrity Level:
HIGH
Description:
中信银行网银伴侣
Exit code:
0
Version:
3.2023.1124.1
Modules
Images
c:\users\admin\downloads\zxyhsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
784"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\SecCtl.dll"C:\Windows\System32\regsvr32.exeCNCBPayCtl.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
840"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\Init_Tool_ft.ocx"C:\Windows\System32\regsvr32.exeCNCBSecPkg.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1192"C:\Program Files\ZXYHebankassit\Download\CITICEditIE_20220816.exe" /SC:\Program Files\ZXYHebankassit\Download\CITICEditIE_20220816.exe
User:
admin
Company:
CHINA CITIC BANK
Integrity Level:
HIGH
Description:
中信银行网银密码保护控件
Exit code:
0
Version:
1.0.22.0705
Modules
Images
c:\program files\zxyhebankassit\download\citiceditie_20220816.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
1544"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\CNCB\PayGate_B2C\Bin\CNCBChecker.dll"C:\Windows\System32\regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1556"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\CITICAP.dll"C:\Windows\System32\regsvr32.exeCNCBSecPkg.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1596"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\CITICEdit.dll"C:\Windows\System32\regsvr32.exeCNCBPayCtl.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1692"C:\Program Files\Mozilla Firefox\firefox.exe" "https://autoload.bank.ecitic.com/newheb/ZXYHSetup.exe"C:\Program Files\Mozilla Firefox\firefox.exeexplorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
Total events
60 606
Read events
59 279
Write events
1 228
Delete events
99

Modification events

(PID) Process:(1692) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Launcher
Value:
2166C0A101000000
(PID) Process:(2184) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Browser
Value:
044CC1A101000000
(PID) Process:(2184) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry
Value:
0
(PID) Process:(2184) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\DllPrefetchExperiment
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process:(2184) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Theme
Value:
1
(PID) Process:(2184) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Enabled
Value:
1
(PID) Process:(2184) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:writeName:C:\Program Files\Mozilla Firefox|DisableTelemetry
Value:
1
(PID) Process:(2184) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:writeName:C:\Program Files\Mozilla Firefox|DisableDefaultBrowserAgent
Value:
0
(PID) Process:(2184) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:writeName:C:\Program Files\Mozilla Firefox|SetDefaultBrowserUserChoice
Value:
1
(PID) Process:(2184) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:writeName:C:\Program Files\Mozilla Firefox|AppLastRunTime
Value:
D14E5F3C23B0D901
Executable files
124
Suspicious files
163
Text files
64
Unknown types
0

Dropped files

PID
Process
Filename
Type
2184firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.jsonbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
2184firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2184firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2184firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2184firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmpbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
2184firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.jstext
MD5:60E0DE9E05EC76C749D80F0D15A81B21
SHA256:08252FA62CCCCD316474E20CC7317A6B5C932B2C972234318E8CCDA39EC2EF48
2184firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\glean\db\data.safe.tmpbinary
MD5:1C3C58F7838DDE7F753614D170F110FC
SHA256:81C14432135B2A50DC505904E87781864CA561EFEF9E94BAECA3704D04E6DB3D
2184firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2184firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.jstext
MD5:60E0DE9E05EC76C749D80F0D15A81B21
SHA256:08252FA62CCCCD316474E20CC7317A6B5C932B2C972234318E8CCDA39EC2EF48
2184firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
36
TCP/UDP connections
95
DNS requests
146
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2184
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
text
90 b
unknown
2184
firefox.exe
POST
200
142.250.186.131:80
http://ocsp.pki.goog/gts1c3
unknown
binary
471 b
unknown
2184
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
text
8 b
unknown
2184
firefox.exe
POST
200
184.24.77.54:80
http://r3.o.lencr.org/
unknown
binary
503 b
unknown
2184
firefox.exe
POST
200
184.24.77.54:80
http://r3.o.lencr.org/
unknown
binary
503 b
unknown
2184
firefox.exe
POST
200
18.245.65.219:80
http://ocsp.r2m02.amazontrust.com/
unknown
binary
471 b
unknown
2184
firefox.exe
POST
200
142.250.186.131:80
http://ocsp.pki.goog/gts1c3
unknown
binary
471 b
unknown
2184
firefox.exe
POST
200
184.24.77.54:80
http://r3.o.lencr.org/
unknown
binary
503 b
unknown
2184
firefox.exe
POST
200
184.24.77.54:80
http://r3.o.lencr.org/
unknown
binary
503 b
unknown
2184
firefox.exe
POST
200
163.181.56.212:80
http://ocsp.dcocsp.cn/
unknown
binary
471 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
2184
firefox.exe
34.107.221.82:80
detectportal.firefox.com
GOOGLE
US
whitelisted
2184
firefox.exe
142.250.184.234:443
safebrowsing.googleapis.com
whitelisted
2184
firefox.exe
142.250.186.131:80
ocsp.pki.goog
GOOGLE
US
whitelisted
2184
firefox.exe
34.107.243.93:443
push.services.mozilla.com
GOOGLE
US
unknown
2184
firefox.exe
34.117.237.239:443
contile.services.mozilla.com
GOOGLE-CLOUD-PLATFORM
US
unknown
2184
firefox.exe
34.149.100.209:443
firefox.settings.services.mozilla.com
GOOGLE
US
unknown
2184
firefox.exe
52.4.22.105:443
spocs.getpocket.com
AMAZON-AES
US
unknown

DNS requests

Domain
IP
Reputation
autoload.bank.ecitic.com
  • 163.181.92.232
  • 163.181.92.237
  • 163.181.92.235
  • 163.181.92.234
  • 163.181.92.231
  • 163.181.92.238
  • 163.181.92.233
  • 163.181.92.236
unknown
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
example.org
  • 93.184.216.34
whitelisted
ipv4only.arpa
  • 192.0.0.170
  • 192.0.0.171
whitelisted
contile.services.mozilla.com
  • 34.117.237.239
whitelisted
spocs.getpocket.com
  • 52.4.22.105
  • 3.230.210.204
  • 54.242.204.44
  • 3.226.103.37
shared
proxyserverecs-1736642167.us-east-1.elb.amazonaws.com
  • 52.4.22.105
  • 3.230.210.204
  • 54.242.204.44
  • 3.226.103.37
shared
firefox.settings.services.mozilla.com
  • 34.149.100.209
whitelisted
r3.o.lencr.org
  • 184.24.77.54
  • 184.24.77.56
  • 184.24.77.62
  • 184.24.77.61
  • 184.24.77.48
  • 184.24.77.81
  • 184.24.77.65
  • 184.24.77.82
  • 184.24.77.57
  • 184.24.77.55
  • 184.24.77.46
  • 95.101.54.99
  • 2.16.202.112
  • 95.101.54.107
  • 95.101.54.211
  • 95.101.54.200
  • 2.16.202.121
  • 95.101.54.195
shared

Threats

PID
Process
Class
Message
2452
ZXYHebankassit.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2452
ZXYHebankassit.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2452
ZXYHebankassit.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2452
ZXYHebankassit.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2452
ZXYHebankassit.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2452
ZXYHebankassit.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
ZXYHSetup.exe
Window, size, 640,480
ZXYHSetup.exe
Window, shadowcorner, 14,14,14,14
ZXYHSetup.exe
Window, shadowimage, bk_shadow.png
ZXYHSetup.exe
Window, showshadow, true
ZXYHSetup.exe
Window, caption, 0,0,0,480
ZXYHSetup.exe
Window, sizebox, 0,0,0,0
ZXYHSetup.exe
Window, shadowsize, 14
ZXYHSetup.exe
ImageShow, images, pic1.png
ZXYHSetup.exe
ImageShow, imagecount, 1
ZXYHSetup.exe
ImageShow, width, 640
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://autoload.bank.ecitic.com/newheb/ZXYHSetup.exe