URL:

https://www.toros.co/software.html

Full analysis: https://app.any.run/tasks/0cc386b7-de97-41d4-b7c5-61a08a081919
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: February 17, 2020, 00:14:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
pua
lavasoft
loader
Indicators:
MD5:

B0E12E2B287B885B102FF5CB183C6727

SHA1:

CD8CBF82232B90A8624EDC64438EF683EB03C729

SHA256:

7E00B5EF0EF52877FBC140F8451A26ED2266C9394929781DED78185CF587FDD8

SSDEEP:

3:N8DSL2KW03SIJn:2OLk0rJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • utweb_installer.exe (PID: 1920)
      • GenericSetup.exe (PID: 956)
      • installer.exe (PID: 3000)
      • Carrier.exe (PID: 2000)
      • hzl5kj4g.xyd.exe (PID: 3320)
      • WebCompanionInstaller.exe (PID: 3924)
      • pwvfbixs.or3.exe (PID: 2560)
      • pwvfbixs.or3.exe (PID: 3060)
      • pwvfbixs.or3.exe (PID: 2080)
      • pwvfbixs.or3.exe (PID: 3684)
      • pwvfbixs.or3.exe (PID: 2676)
      • utweb.exe (PID: 2536)
      • utweb.exe (PID: 3864)
      • helper.exe (PID: 3088)
      • utweb.exe (PID: 1156)
      • WebCompanion.exe (PID: 3920)
      • Lavasoft.WCAssistant.WinService.exe (PID: 3032)
    • Loads dropped or rewritten executable

      • GenericSetup.exe (PID: 956)
      • Carrier.exe (PID: 2000)
      • pwvfbixs.or3.exe (PID: 2676)
      • pwvfbixs.or3.exe (PID: 3060)
      • pwvfbixs.or3.exe (PID: 3684)
      • pwvfbixs.or3.exe (PID: 2560)
      • pwvfbixs.or3.exe (PID: 2080)
      • utweb.exe (PID: 3864)
      • utweb.exe (PID: 1156)
      • WebCompanionInstaller.exe (PID: 3924)
      • utweb.exe (PID: 2536)
      • WebCompanion.exe (PID: 3920)
    • LAVASOFT was detected

      • installer.exe (PID: 3000)
    • Changes settings of System certificates

      • WebCompanionInstaller.exe (PID: 3924)
      • GenericSetup.exe (PID: 956)
      • pwvfbixs.or3.exe (PID: 2560)
    • Downloads executable files from the Internet

      • GenericSetup.exe (PID: 956)
      • utweb.exe (PID: 2536)
    • Loads the Task Scheduler COM API

      • GenericSetup.exe (PID: 956)
    • Changes the autorun value in the registry

      • utweb.exe (PID: 2536)
      • WebCompanion.exe (PID: 3920)
    • Changes internet zones settings

      • WebCompanionInstaller.exe (PID: 3924)
  • SUSPICIOUS

    • Creates files in the program directory

      • firefox.exe (PID: 2740)
      • WebCompanionInstaller.exe (PID: 3924)
      • WebCompanion.exe (PID: 3920)
    • Executable content was dropped or overwritten

      • firefox.exe (PID: 2740)
      • utweb_installer.exe (PID: 1920)
      • Carrier.exe (PID: 2000)
      • GenericSetup.exe (PID: 956)
      • hzl5kj4g.xyd.exe (PID: 3320)
      • pwvfbixs.or3.exe (PID: 3060)
      • pwvfbixs.or3.exe (PID: 2560)
      • pwvfbixs.or3.exe (PID: 3684)
      • pwvfbixs.or3.exe (PID: 2676)
      • utweb.exe (PID: 2536)
      • WebCompanionInstaller.exe (PID: 3924)
    • Reads the Windows organization settings

      • GenericSetup.exe (PID: 956)
    • Reads Windows owner or organization settings

      • GenericSetup.exe (PID: 956)
    • Reads Environment values

      • GenericSetup.exe (PID: 956)
    • Creates files in the user directory

      • Carrier.exe (PID: 2000)
      • pwvfbixs.or3.exe (PID: 3060)
      • utweb.exe (PID: 2536)
      • WebCompanionInstaller.exe (PID: 3924)
    • Starts CMD.EXE for commands execution

      • GenericSetup.exe (PID: 956)
      • WebCompanionInstaller.exe (PID: 3924)
    • Adds / modifies Windows certificates

      • WebCompanionInstaller.exe (PID: 3924)
      • pwvfbixs.or3.exe (PID: 2560)
      • GenericSetup.exe (PID: 956)
    • Starts itself from another location

      • pwvfbixs.or3.exe (PID: 2560)
    • Reads Internet Cache Settings

      • pwvfbixs.or3.exe (PID: 2560)
      • Carrier.exe (PID: 2000)
    • Application launched itself

      • pwvfbixs.or3.exe (PID: 2560)
      • pwvfbixs.or3.exe (PID: 2676)
    • Creates a software uninstall entry

      • Carrier.exe (PID: 2000)
      • WebCompanionInstaller.exe (PID: 3924)
    • Modifies the open verb of a shell class

      • Carrier.exe (PID: 2000)
    • Executed via Task Scheduler

      • utweb.exe (PID: 2536)
    • Starts Internet Explorer

      • utweb.exe (PID: 2536)
    • Starts SC.EXE for service management

      • WebCompanionInstaller.exe (PID: 3924)
    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 1248)
    • Executed as Windows Service

      • Lavasoft.WCAssistant.WinService.exe (PID: 3032)
    • Searches for installed software

      • GenericSetup.exe (PID: 956)
  • INFO

    • Application launched itself

      • firefox.exe (PID: 2740)
      • iexplore.exe (PID: 348)
    • Reads Internet Cache Settings

      • firefox.exe (PID: 2740)
      • iexplore.exe (PID: 348)
      • iexplore.exe (PID: 1488)
      • iexplore.exe (PID: 3260)
      • iexplore.exe (PID: 4088)
    • Reads CPU info

      • firefox.exe (PID: 2740)
    • Reads settings of System Certificates

      • firefox.exe (PID: 2740)
      • GenericSetup.exe (PID: 956)
      • pwvfbixs.or3.exe (PID: 2560)
      • iexplore.exe (PID: 1488)
      • utweb.exe (PID: 2536)
      • iexplore.exe (PID: 3260)
      • iexplore.exe (PID: 348)
    • Manual execution by user

      • utweb_installer.exe (PID: 1920)
      • utweb.exe (PID: 3864)
      • utweb.exe (PID: 1156)
    • Creates files in the user directory

      • firefox.exe (PID: 2740)
      • iexplore.exe (PID: 1488)
      • iexplore.exe (PID: 3260)
    • Changes internet zones settings

      • iexplore.exe (PID: 348)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1488)
      • iexplore.exe (PID: 3260)
    • Changes settings of System certificates

      • pingsender.exe (PID: 3592)
    • Dropped object may contain Bitcoin addresses

      • WebCompanionInstaller.exe (PID: 3924)
    • Adds / modifies Windows certificates

      • pingsender.exe (PID: 3592)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 348)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
94
Monitored processes
37
Malicious processes
14
Suspicious processes
2

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID:
348
CMD:
"C:\Program Files\Internet Explorer\iexplore.exe" https://utweb.trontv.com/gui/index.html?v=1.0.8.2419&firstrun=1&localauth=localapi6b9565b08eb2088f:
Path:
C:\Program Files\Internet Explorer\iexplore.exe
Parent process:
utweb.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID:
540
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.0.1341437325\876402343" -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 1156 gpu
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
1
Version:
68.0.1
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
PID:
944
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.3.702834255\710548357" -childID 1 -isForBrowser -prefsHandle 1724 -prefMapHandle 1360 -prefsLen 1 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 1744 tab
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
68.0.1
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
PID:
956
CMD:
"C:\Users\admin\AppData\Local\Temp\7zS0878E7F9\GenericSetup.exe" C:\Users\admin\AppData\Local\Temp\7zS0878E7F9\GenericSetup.exe
Path:
C:\Users\admin\AppData\Local\Temp\7zS0878E7F9\GenericSetup.exe
Parent process:
installer.exe
User:
admin
Company:
adaware
Integrity Level:
HIGH
Description:
uTorrent Web
Exit code:
0
Version:
2.8.3.1997
Modules
Images
c:\users\admin\appdata\local\temp\7zs0878e7f9\genericsetup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID:
1156
CMD:
"C:\Users\admin\AppData\Roaming\uTorrent Web\utweb.exe" "C:\Users\admin\Downloads\BlueStacks.App.Player.4.140.12.1002.torrent" /SHELLASSOC
Path:
C:\Users\admin\AppData\Roaming\uTorrent Web\utweb.exe
Parent process:
explorer.exe
User:
admin
Company:
BitTorrent Inc.
Integrity Level:
MEDIUM
Description:
µTorrent Web
Exit code:
0
Version:
1.0.8.2419
Modules
Images
c:\users\admin\appdata\roaming\utorrent web\utweb.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\version.dll
PID:
1248
CMD:
"C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
Path:
C:\Windows\System32\cmd.exe
Parent process:
WebCompanionInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
1488
CMD:
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:348 CREDAT:267521 /prefetch:2
Path:
C:\Program Files\Internet Explorer\iexplore.exe
Parent process:
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID:
1632
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.13.1641941694\370028539" -childID 2 -isForBrowser -prefsHandle 2788 -prefMapHandle 2792 -prefsLen 5996 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 2804 tab
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
68.0.1
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
PID:
1748
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2740.27.501104030\860429524" -childID 4 -isForBrowser -prefsHandle 7676 -prefMapHandle 7640 -prefsLen 8855 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2740 "\\.\pipe\gecko-crash-server-pipe.2740" 7664 tab
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
68.0.1
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
PID:
1828
CMD:
"sc.exe" Create "WCAssistantService" binPath= "C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto
Path:
C:\Windows\system32\sc.exe
Parent process:
WebCompanionInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
Total events
12 259
Read events
10 638
Write events
1 617
Delete events
4

Modification events

(PID) Process:
(2880) firefox.exe
Key:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:
write
Name:
C:\Program Files\Mozilla Firefox\firefox.exe|Launcher
Value:
C8B3DEED08000000
(PID) Process:
(2740) firefox.exe
Key:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:
write
Name:
C:\Program Files\Mozilla Firefox\firefox.exe|Browser
Value:
EF9DE2ED08000000
(PID) Process:
(2740) firefox.exe
Key:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:
write
Name:
C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry
Value:
1
(PID) Process:
(2740) firefox.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:
write
Name:
ProxyEnable
Value:
0
(PID) Process:
(2740) firefox.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:
write
Name:
SavedLegacySettings
Value:
(PID) Process:
(2740) firefox.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
UNCAsIntranet
Value:
0
(PID) Process:
(2740) firefox.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
AutoDetect
Value:
1
(PID) Process:
(2740) firefox.exe
Key:
HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:
write
Name:
LanguageList
Value:
en-US
(PID) Process:
(3000) installer.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
UNCAsIntranet
Value:
0
(PID) Process:
(3000) installer.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
AutoDetect
Value:
1
Executable files
120
Suspicious files
434
Text files
444
Unknown types
309

Dropped files

PID | Process | Filename | Type
2740 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin |
2740 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js |
2740 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp |
2740 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm |
2740 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm |
2740 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm |
2740 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp |
2740 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js | text
2740 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\entries\2FE30A136061CE216700B17261AF416DCCB84932 | binary
2740 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin | binary
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
217
TCP/UDP connections
2 080
DNS requests
404
Threats
41

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2740 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2740 | firefox.exe | POST | 200 | 151.139.128.14:80 | http://ocsp.sectigo.com/ | US | der | 471 b | whitelisted
2740 | firefox.exe | POST | 200 | 216.58.207.67:80 | http://ocsp.pki.goog/gts1o1 | US | der | 472 b | whitelisted
2740 | firefox.exe | GET | 200 | 5.196.88.214:80 | http://lostpix.com/thumbs/2018-04/23/nv1m7wv6om10iml3z51shw1ht.jpg | FR | image | 42.0 Kb | whitelisted
2740 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 279 b | whitelisted
2740 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2740 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2740 | firefox.exe | POST | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/ | US | der | 472 b | whitelisted
2740 | firefox.exe | GET | 200 | 2.16.106.209:80 | http://detectportal.firefox.com/success.txt | unknown | text | 8 b | whitelisted
2740 | firefox.exe | POST | 200 | 151.139.128.14:80 | http://ocsp.sectigo.com/ | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2740 | firefox.exe | 52.32.41.227:443 | tiles.services.mozilla.com | Amazon.com, Inc. | US | unknown
2740 | firefox.exe | 143.204.202.20:443 | snippets.cdn.mozilla.net |  | US | suspicious
2740 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2740 | firefox.exe | 209.197.3.24:443 | code.jquery.com | Highwinds Network Group, Inc. | US | malicious
2740 | firefox.exe | 172.217.18.106:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
2740 | firefox.exe | 34.213.211.99:443 | push.services.mozilla.com | Amazon.com, Inc. | US | unknown
2740 | firefox.exe | 142.91.159.207:443 | ravalynn.pw |  | NL | suspicious
2740 | firefox.exe | 192.0.73.2:443 | www.gravatar.com | Automattic, Inc | US | whitelisted
2740 | firefox.exe | 216.58.207.67:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
2740 | firefox.exe | 143.204.202.13:443 | firefox.settings.services.mozilla.com |  | US | suspicious

DNS requests

Domain
IP
Reputation
detectportal.firefox.com
  • 2.16.106.209
  • 2.16.106.152
whitelisted
a1089.dscd.akamai.net
  • 2.16.106.152
  • 2.16.106.209
whitelisted
search.services.mozilla.com
  • 35.162.131.99
  • 52.11.214.96
  • 54.148.178.170
whitelisted
search.r53-2.services.mozilla.com
  • 54.148.178.170
  • 52.11.214.96
  • 35.162.131.99
whitelisted
www.toros.co
  • 104.27.179.45
  • 104.27.178.45
unknown
push.services.mozilla.com
  • 34.213.211.99
whitelisted
autopush.prod.mozaws.net
  • 34.213.211.99
whitelisted
tiles.services.mozilla.com
  • 52.32.41.227
  • 35.163.175.48
whitelisted
tiles.r53-2.services.mozilla.com
  • 35.163.175.48
  • 52.32.41.227
whitelisted
snippets.cdn.mozilla.net
  • 143.204.202.20
  • 143.204.202.50
  • 143.204.202.48
  • 143.204.202.128
whitelisted

Threats

PID | Process | Class | Message
1052 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
1052 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD
1052 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD
1052 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
1052 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
1052 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
3000 | installer.exe | A Network Trojan was detected | ET MALWARE Lavasoft PUA/Adware Client Install
956 | GenericSetup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
956 | GenericSetup.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
956 | GenericSetup.exe | Misc activity | ET INFO EXE - Served Attached HTTP
Process
Message
WebCompanionInstaller.exe
Detecting windows culture
WebCompanionInstaller.exe
2/17/2020 12:18:52 AM :-> Starting installer 4.9.2182.4042 with: .\WebCompanionInstaller.exe --partner=BT170603 --version=4.9.2182.4042 --prod --silent --search=7 --homepage=11 --partner=BT170603, Run as admin: True
WebCompanionInstaller.exe
Preparing for installing Web Companion
WebCompanionInstaller.exe
2/17/2020 12:18:53 AM :-> Machine Id and Install Id has been generated
WebCompanionInstaller.exe
2/17/2020 12:18:53 AM :-> Generating Machine and Install Id ...
WebCompanionInstaller.exe
2/17/2020 12:18:53 AM :-> Checking prerequisites ...
WebCompanionInstaller.exe
2/17/2020 12:18:53 AM :-> Antivirus not detected
WebCompanionInstaller.exe
2/17/2020 12:18:54 AM :-> vm_check False
WebCompanionInstaller.exe
2/17/2020 12:18:54 AM :-> reg_check :False
WebCompanionInstaller.exe
2/17/2020 12:18:54 AM :-> Installed .Net framework is V40