URL:

https://bazaar.abuse.ch/download/7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7/

Full analysis: https://app.any.run/tasks/254f7b9f-3c87-475a-8dcc-aab1f3d15994
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: May 17, 2025, 09:25:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
auto
digitalpulse
adware
pastebin
delphi
inno
installer
Indicators:
MD5:

0AC7F5B23AD9CBC3038A20BD194496B4

SHA1:

8CA3D83FCEFA1ABCC5DC22AAAD099DD2182A5174

SHA256:

75984F7ABCF28BA1F6490A67CA2D3784482EA52DF28EC455FFEC5E752EEB8C90

SSDEEP:

3:N8N0uDWB4SLGucqHjpr7UHCQYnWIBVXRvXEDSK:23GfLNztDQYnWIBVVUD5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ADWARE has been found (auto)

      • firefox.exe (PID: 7312)
      • WinRAR.exe (PID: 8976)
    • Executing a file with an untrusted certificate

      • 5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08.exe (PID: 1348)
      • 5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08.exe (PID: 7188)
    • Changes Windows Defender settings

      • 5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08.exe (PID: 7188)
    • Adds path to the Windows Defender exclusion list

      • 5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08.exe (PID: 7188)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe (PID: 5136)
      • 7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe (PID: 7212)
      • 7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.tmp (PID: 4688)
      • 7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe (PID: 8340)
      • 7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe (PID: 8888)
      • 7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.tmp (PID: 3008)
    • Starts POWERSHELL.EXE for commands execution

      • 5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08.exe (PID: 7188)
    • Script adds exclusion path to Windows Defender

      • 5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08.exe (PID: 7188)
    • Drops 7-zip archiver for unpacking

      • WinRAR.exe (PID: 6416)
  • INFO

    • Application launched itself

      • firefox.exe (PID: 7292)
      • firefox.exe (PID: 7312)
    • Reads the software policy settings

      • slui.exe (PID: 7284)
    • The sample compiled with English language support

      • firefox.exe (PID: 7312)
      • WinRAR.exe (PID: 8976)
      • WinRAR.exe (PID: 6416)
    • Manual execution by a user

      • WinRAR.exe (PID: 8976)
      • 5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08.exe (PID: 1348)
      • 5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08.exe (PID: 7188)
      • 8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe (PID: 8436)
      • 8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe (PID: 6392)
      • 7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe (PID: 5136)
      • d93ea0680d85088ea784e5eb3ab1d0bbb220e7500d8b4e3cc760a00ed7040a47.exe (PID: 7144)
      • 7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe (PID: 8340)
      • d93ea0680d85088ea784e5eb3ab1d0bbb220e7500d8b4e3cc760a00ed7040a47.exe (PID: 7148)
      • d93ea0680d85088ea784e5eb3ab1d0bbb220e7500d8b4e3cc760a00ed7040a47.exe (PID: 7932)
      • WinRAR.exe (PID: 6416)
      • 7zFM.exe (PID: 8104)
      • d93ea0680d85088ea784e5eb3ab1d0bbb220e7500d8b4e3cc760a00ed7040a47.exe (PID: 7872)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 8976)
      • WinRAR.exe (PID: 6416)
    • Compiled with Borland Delphi (YARA)

      • 7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe (PID: 5136)
    • The sample compiled with Russian language support

      • WinRAR.exe (PID: 6416)
    • Detects InnoSetup installer (YARA)

      • 7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe (PID: 5136)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
177
Monitored processes
41
Malicious processes
3
Suspicious processes
2

Behavior graph

  • start
  • firefox.exe (no specs)
  • #ADWARE firefox.exe
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • sppextcomobj.exe (no specs)
  • slui.exe
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • slui.exe
  • rundll32.exe (no specs)
  • #ADWARE winrar.exe
  • 5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08.exe (no specs)
  • 5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08.exe
  • 8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe (no specs)
  • 8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe
  • 7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe
  • ngentask.exe
  • 7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.tmp (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • caspol.exe
  • 7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe
  • 7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.tmp
  • d93ea0680d85088ea784e5eb3ab1d0bbb220e7500d8b4e3cc760a00ed7040a47.exe (no specs)
  • d93ea0680d85088ea784e5eb3ab1d0bbb220e7500d8b4e3cc760a00ed7040a47.exe
  • 7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe
  • 7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.tmp (no specs)
  • 7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe
  • 7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.tmp
  • winrar.exe
  • 7zfm.exe (no specs)
  • d93ea0680d85088ea784e5eb3ab1d0bbb220e7500d8b4e3cc760a00ed7040a47.exe (no specs)
  • d93ea0680d85088ea784e5eb3ab1d0bbb220e7500d8b4e3cc760a00ed7040a47.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
664
CMD:
"C:\Users\admin\AppData\Local\Temp\is-952R9.tmp\7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.tmp" /SL5="$B0290,2422026,832512,C:\Users\admin\Desktop\7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe"
Path:
C:\Users\admin\AppData\Local\Temp\is-952R9.tmp\7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.tmp
Parent process:
7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
2
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-952r9.tmp\7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID:
720
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4364 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 4464 -prefMapHandle 4704 -prefsLen 36588 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c57d9937-e803-4f04-838b-f6932248a3d9} 7312 "\\.\pipe\gecko-crash-server-pipe.7312" 22b094b2710 utility
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
1
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140_1.dll
PID:
1348
CMD:
"C:\Users\admin\Desktop\5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08.exe"
Path:
C:\Users\admin\Desktop\5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08.exe
Parent process:
explorer.exe
User:
admin
Company:
iWEBehewIX
Integrity Level:
MEDIUM
Description:
ETeZieU uxECoHEjIEu iPOxEaoIeQO aDiDU EOoDuei UquvaAiv uVOtUKIXi IyIfAki.
Exit code:
3221226540
Version:
7.83.124.14
Modules
Images
c:\users\admin\desktop\5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
3008
CMD:
"C:\Users\admin\AppData\Local\Temp\is-USKL9.tmp\7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.tmp" /SL5="$9030E,2422026,832512,C:\Users\admin\Desktop\7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe" /SPAWNWND=$B02AA /NOTIFYWND=$80340
Path:
C:\Users\admin\AppData\Local\Temp\is-USKL9.tmp\7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.tmp
Parent process:
7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe
User:
admin
Company:
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
2
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-uskl9.tmp\7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID:
3192
CMD:
C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path:
C:\Windows\System32\SppExtComObj.Exe
Parent process:
svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID:
4056
CMD:
"C:\Users\admin\AppData\Local\Temp\is-F2BBK.tmp\7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.tmp" /SL5="$80340,2422026,832512,C:\Users\admin\Desktop\7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe"
Path:
C:\Users\admin\AppData\Local\Temp\is-F2BBK.tmp\7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.tmp
Parent process:
7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
2
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-f2bbk.tmp\7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\msvcrt.dll
PID:
4188
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
4688
CMD:
"C:\Users\admin\AppData\Local\Temp\is-MIP4I.tmp\7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.tmp" /SL5="$B029A,2422026,832512,C:\Users\admin\Desktop\7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe" /SPAWNWND=$3026E /NOTIFYWND=$B0290
Path:
C:\Users\admin\AppData\Local\Temp\is-MIP4I.tmp\7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.tmp
Parent process:
7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe
User:
admin
Company:
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
2
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-mip4i.tmp\7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID:
5136
CMD:
"C:\Users\admin\Desktop\7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe"
Path:
C:\Users\admin\Desktop\7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe
Parent process:
explorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
MassTube Plus 1700502 Portable.exe Setup
Exit code:
2
Version:
Modules
Images
c:\users\admin\desktop\7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID:
6136
CMD:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
Path:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Parent process:
8765a0a92fa60c2a4d21ca073dcf805f320c2e3d07703b97638b38888fe25d23.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft .NET Framework optimization service
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\ngentask.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events
28 585
Read events
28 527
Write events
58
Delete events
0

Modification events

(PID) Process:
(7312) firefox.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:
write
Name:
C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process:
(8976) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:
write
Name:
ShowPassword
Value:
0
(PID) Process:
(8976) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:
write
Name:
PswAllArchives
Value:
0
(PID) Process:
(8976) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
name
Value:
120
(PID) Process:
(8976) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
size
Value:
80
(PID) Process:
(8976) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
type
Value:
120
(PID) Process:
(8976) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
mtime
Value:
100
(PID) Process:
(7188) 5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance
Operation:
write
Name:
Enabled
Value:
0
(PID) Process:
(7188) 5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths
Operation:
write
Name:
C:\Users\admin\Desktop\5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08.exe
Value:
0
(PID) Process:
(6136) ngentask.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ngentask_RASAPI32
Operation:
write
Name:
EnableFileTracing
Value:
0
Executable files
19
Suspicious files
200
Text files
131
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID:
7312
Process:
firefox.exe
Filename:
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
MD5:
SHA256:
PID:
7312
Process:
firefox.exe
Filename:
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-child-current.bin
Type:
binary
MD5:C95DDC2B1A525D1A243E4C294DA2F326
SHA256:3A5919E086BFB31E36110CF636D2D5109EB51F2C410B107F126126AB25D67363
PID:
7312
Process:
firefox.exe
Filename:
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.bin
Type:
binary
MD5:297E88D7CEB26E549254EC875649F4EB
SHA256:8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702
PID:
7312
Process:
firefox.exe
Filename:
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmp
Type:
binary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
PID:
7312
Process:
firefox.exe
Filename:
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json
Type:
binary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
PID:
7312
Process:
firefox.exe
Filename:
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm
Type:
binary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
PID:
7312
Process:
firefox.exe
Filename:
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:
PID:
7312
Process:
firefox.exe
Filename:
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm
Type:
binary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
PID:
7312
Process:
firefox.exe
Filename:
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.js
Type:
text
MD5:A6681E8C430EFC83BCF27572B04B63B6
SHA256:242DCBA1E2225779186CA1CE03A9E763E3A38021F406C077DF0176D07246346D
PID:
7312
Process:
firefox.exe
Filename:
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
Type:
binary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
28
TCP/UDP connections
94
DNS requests
142
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7312
firefox.exe
POST
200
2.16.168.117:80
http://r11.o.lencr.org/
unknown
whitelisted
7312
firefox.exe
POST
200
2.16.168.117:80
http://r10.o.lencr.org/
unknown
whitelisted
7312
firefox.exe
POST
200
172.217.16.195:80
http://o.pki.goog/we2
unknown
whitelisted
7312
firefox.exe
POST
200
2.16.168.117:80
http://r10.o.lencr.org/
unknown
whitelisted
7312
firefox.exe
POST
200
172.217.16.195:80
http://o.pki.goog/we2
unknown
whitelisted
7312
firefox.exe
POST
200
172.217.16.195:80
http://o.pki.goog/we2
unknown
whitelisted
7312
firefox.exe
POST
200
172.217.16.195:80
http://o.pki.goog/s/wr3/3H4
unknown
whitelisted
7312
firefox.exe
POST
200
2.16.168.117:80
http://r11.o.lencr.org/
unknown
whitelisted
7312
firefox.exe
POST
200
172.217.16.195:80
http://o.pki.goog/s/wr3/3H4
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
4
System
192.168.100.255:138
whitelisted
7312
firefox.exe
34.107.221.82:80
detectportal.firefox.com
GOOGLE
US
whitelisted
7312
firefox.exe
151.101.2.49:443
bazaar.abuse.ch
FASTLY
US
whitelisted
7312
firefox.exe
34.36.137.203:443
contile.services.mozilla.com
GOOGLE-CLOUD-PLATFORM
US
whitelisted
7312
firefox.exe
142.250.185.170:443
safebrowsing.googleapis.com
whitelisted
7312
firefox.exe
34.160.144.191:443
content-signature-2.cdn.mozilla.net
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
google.com
  • 142.250.185.78
whitelisted
bazaar.abuse.ch
  • 151.101.2.49
  • 151.101.194.49
  • 151.101.66.49
  • 151.101.130.49
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
p2.shared.global.fastly.net
  • 151.101.2.49
  • 151.101.194.49
  • 151.101.66.49
  • 151.101.130.49
whitelisted
ipv4only.arpa
  • 192.0.0.170
  • 192.0.0.171
whitelisted
example.org
  • 23.215.0.133
  • 96.7.128.192
  • 23.215.0.132
  • 96.7.128.186
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] hCaptcha Enterprise Challenge
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] hCaptcha Enterprise Challenge
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] hCaptcha Enterprise Challenge
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] hCaptcha Enterprise Challenge
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] hCaptcha Enterprise Challenge
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
No debug info