File name: new 1.txt

Full analysis: https://app.any.run/tasks/29ea7142-fa3f-44da-affa-8e30b345d120
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: December 14, 2018, 04:29:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
adware
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5: 80818856A7CADF68456337B17B1C318D
SHA1: 5C8B8175C75D9F02FD0889CD6D958ED452F14D16
SHA256: 8E5DE01820734FE46F2161B81123246472AD835B568CAD6109877172C2BEFBBF
SSDEEP: 3:0Z3:0t

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Downloads executable files from the Internet

      • firefox.exe (PID: 4020)
      • ReimageRepair.exe (PID: 3172)
      • ProtectorUpdater.exe (PID: 3060)
    • Application was dropped or rewritten from another process

      • ReimageRepair.exe (PID: 3172)
      • ReimageRepair.exe (PID: 2972)
      • ns47ED.tmp (PID: 3416)
      • sqlite3.exe (PID: 2684)
      • ns4976.tmp (PID: 3936)
      • sqlite3.exe (PID: 3084)
      • ns4655.tmp (PID: 2840)
      • sqlite3.exe (PID: 3004)
      • sqlite3.exe (PID: 3884)
      • sqlite3.exe (PID: 3364)
      • sqlite3.exe (PID: 3952)
      • sqlite3.exe (PID: 2760)
      • sqlite3.exe (PID: 2776)
      • sqlite3.exe (PID: 3948)
      • ns4B7B.tmp (PID: 3900)
      • ns5196.tmp (PID: 2888)
      • ns9A29.tmp (PID: 3752)
      • nsA6AD.tmp (PID: 3832)
      • nsAC5B.tmp (PID: 3296)
      • sqlite3.exe (PID: 2896)
      • sqlite3.exe (PID: 3400)
      • sqlite3.exe (PID: 3956)
      • nsB44E.tmp (PID: 348)
      • nsB9FC.tmp (PID: 3368)
      • nsC017.tmp (PID: 3384)
      • ReimagePackage.exe (PID: 3108)
      • nsCCF9.tmp (PID: 3076)
      • nsD2A7.tmp (PID: 3540)
      • lzma.exe (PID: 2252)
      • nsE48B.tmp (PID: 2368)
      • lzma.exe (PID: 924)
      • nsE0D1.tmp (PID: 3460)
      • nsE70D.tmp (PID: 2900)
      • nsF594.tmp (PID: 2084)
      • nsB288.tmp (PID: 2468)
      • UniProtectorPackage.exe (PID: 2384)
      • ns17FC.tmp (PID: 3600)
      • ns1DAA.tmp (PID: 2092)
      • ns29B1.tmp (PID: 2812)
      • ReiGuard.exe (PID: 1340)
      • ReiSystem.exe (PID: 3192)
      • Reimage.exe (PID: 2268)
      • ReiGuard.exe (PID: 2520)
      • ProtectorUpdater.exe (PID: 3060)
      • nsFFC0.tmp (PID: 2380)
    • Connects to CnC server

      • firefox.exe (PID: 4020)
      • ReimageRepair.exe (PID: 3172)
      • ReimagePackage.exe (PID: 3108)
    • Loads dropped or rewritten executable

      • ReimageRepair.exe (PID: 3172)
      • ReimagePackage.exe (PID: 3108)
      • regsvr32.exe (PID: 2072)
      • ProtectorUpdater.exe (PID: 3060)
      • regsvr32.exe (PID: 2836)
      • UniProtectorPackage.exe (PID: 2384)
      • Reimage.exe (PID: 2268)
    • Registers / Runs the DLL via REGSVR32.EXE

      • ReimageRepair.exe (PID: 3172)
      • ReimagePackage.exe (PID: 3108)
    • Uses TASKLIST.EXE to search for antiviruses

      • cmd.exe (PID: 2560)
      • cmd.exe (PID: 2576)
    • Uses TASKLIST.EXE to search for security tools

      • cmd.exe (PID: 2436)
      • cmd.exe (PID: 3768)
      • cmd.exe (PID: 2132)
      • cmd.exe (PID: 2852)
    • Loads the Task Scheduler COM API

      • ReiGuard.exe (PID: 1340)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 4020)
      • ReimageRepair.exe (PID: 3172)
      • ReimagePackage.exe (PID: 3108)
      • lzma.exe (PID: 2252)
      • lzma.exe (PID: 924)
      • UniProtectorPackage.exe (PID: 2384)
      • ProtectorUpdater.exe (PID: 3060)
    • Creates files in the Windows directory

      • ReimageRepair.exe (PID: 3172)
    • Reads the cookies of Google Chrome

      • sqlite3.exe (PID: 3952)
      • sqlite3.exe (PID: 3004)
      • sqlite3.exe (PID: 2776)
      • sqlite3.exe (PID: 3884)
      • sqlite3.exe (PID: 3084)
      • sqlite3.exe (PID: 3948)
      • sqlite3.exe (PID: 3400)
      • sqlite3.exe (PID: 3956)
    • Reads the cookies of Mozilla Firefox

      • sqlite3.exe (PID: 2684)
      • sqlite3.exe (PID: 2760)
      • sqlite3.exe (PID: 3364)
      • sqlite3.exe (PID: 2896)
    • Starts application with an unusual extension

      • ReimageRepair.exe (PID: 3172)
      • ReimagePackage.exe (PID: 3108)
      • ProtectorUpdater.exe (PID: 3060)
      • UniProtectorPackage.exe (PID: 2384)
    • Starts CMD.EXE for commands execution

      • ns4655.tmp (PID: 2840)
      • ns4976.tmp (PID: 3936)
      • ns47ED.tmp (PID: 3416)
      • ns9A29.tmp (PID: 3752)
      • ns4B7B.tmp (PID: 3900)
      • ns5196.tmp (PID: 2888)
      • nsA6AD.tmp (PID: 3832)
      • nsAC5B.tmp (PID: 3296)
      • nsB288.tmp (PID: 2468)
      • nsB44E.tmp (PID: 348)
      • nsB9FC.tmp (PID: 3368)
      • nsC017.tmp (PID: 3384)
      • nsD2A7.tmp (PID: 3540)
      • nsCCF9.tmp (PID: 3076)
      • nsE70D.tmp (PID: 2900)
      • ns17FC.tmp (PID: 3600)
      • ns1DAA.tmp (PID: 2092)
      • nsFFC0.tmp (PID: 2380)
    • Creates COM task schedule object

      • regsvr32.exe (PID: 3984)
      • regsvr32.exe (PID: 2072)
    • Uses TASKLIST.EXE to query information about running processes

      • cmd.exe (PID: 3400)
      • cmd.exe (PID: 3332)
      • cmd.exe (PID: 3444)
      • cmd.exe (PID: 2328)
      • cmd.exe (PID: 2628)
      • cmd.exe (PID: 2536)
      • cmd.exe (PID: 2352)
      • cmd.exe (PID: 3476)
    • Creates a software uninstall entry

      • ReimageRepair.exe (PID: 3172)
      • ReimagePackage.exe (PID: 3108)
    • Creates files in the program directory

      • ReimagePackage.exe (PID: 3108)
      • lzma.exe (PID: 924)
      • lzma.exe (PID: 2252)
      • ProtectorUpdater.exe (PID: 3060)
      • UniProtectorPackage.exe (PID: 2384)
      • ReiGuard.exe (PID: 1340)
      • ReiGuard.exe (PID: 2520)
    • Creates files in the user directory

      • ReiGuard.exe (PID: 1340)
      • Reimage.exe (PID: 2268)
    • Reads internet explorer settings

      • Reimage.exe (PID: 2268)
    • Reads Internet Cache Settings

      • Reimage.exe (PID: 2268)
  • INFO

    • Reads CPU info

      • firefox.exe (PID: 3016)
      • firefox.exe (PID: 4020)
      • firefox.exe (PID: 3624)
      • firefox.exe (PID: 2636)
    • Creates files in the user directory

      • firefox.exe (PID: 4020)
    • Reads settings of System Certificates

      • firefox.exe (PID: 4020)
    • Application launched itself

      • firefox.exe (PID: 4020)
    • Dropped object may contain Bitcoin addresses

      • Reimage.exe (PID: 2268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 148
Monitored processes: 85
Malicious processes: 10
Suspicious processes: 24

Behavior graph

[Behavior graph: interactive process tree, available only in the full report. Nodes shown: notepad.exe, firefox.exe (x4), reimagerepair.exe (x2), NSIS temp stubs (ns4655.tmp, ns47ed.tmp, ns4976.tmp, ns4b7b.tmp, ns5196.tmp, ns9a29.tmp, nsa6ad.tmp, nsac5b.tmp, nsb288.tmp, nsb44e.tmp, nsb9fc.tmp, nsc017.tmp, nsccf9.tmp, nsd2a7.tmp, nse0d1.tmp, nse48b.tmp, nse70d.tmp, nsf594.tmp, nsffc0.tmp, ns17fc.tmp, ns1daa.tmp, ns29b1.tmp), cmd.exe, sqlite3.exe, tasklist.exe, regsvr32.exe, reimagepackage.exe, lzma.exe (x2), protectorupdater.exe, uniprotectorpackage.exe, reiguard.exe (x2), reisystem.exe, reimage.exe. Edges are labelled "start" or "drop and start".]

Process information

PID
CMD
Path
Indicators
Parent process
PID: 348
CMD: "C:\Users\admin\AppData\Local\Temp\nso44EC.tmp\nsB44E.tmp" cmd /C tasklist /FI "IMAGENAME eq Wireshark.exe" > C:\Users\admin\AppData\Local\Temp\IsProcessActive.txt
Path: C:\Users\admin\AppData\Local\Temp\nso44EC.tmp\nsB44E.tmp
Parent process: ReimageRepair.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nso44ec.tmp\nsb44e.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 924
CMD: "C:\Program Files\Reimage\Reimage Repair\lzma.exe" "d" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.lza" "C:\Program Files\Reimage\Reimage Repair\REI_Engine.dll"
Path: C:\Program Files\Reimage\Reimage Repair\lzma.exe
Parent process: nsE48B.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\reimage\reimage repair\lzma.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
PID: 1340
CMD: "C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe" -install
Path: C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe
Parent process: ns29B1.tmp
User:
admin
Company:
Reimage®
Integrity Level:
HIGH
Description:
Reimage Real Time Protection
Exit code:
0
Version:
2.0.2.3
Modules
Images
c:\program files\reimage\reimage protector\reiguard.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1488
CMD: tasklist /FI "IMAGENAME eq Fiddler.exe"
Path: C:\Windows\system32\tasklist.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\tasklist.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1764
CMD: tasklist /FI "IMAGENAME eq ReiProtectorM.exe"
Path: C:\Windows\system32\tasklist.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\tasklist.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2072
CMD: regsvr32 /s "C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll"
Path: C:\Windows\system32\regsvr32.exe
Parent process: ReimagePackage.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2084
CMD: "C:\Users\admin\AppData\Local\Temp\nsbCAD5.tmp\nsF594.tmp" "C:\Users\admin\AppData\Local\Temp\nsbCAD5.tmp\ProtectorUpdater.exe" /S /MinorSessionID=5d62e21dd26b4a618f44ecf229 /SessionID=4baa214c-f523-44a0-94fd-e5c526408e1a /TrackID=5859206436 /AgentLogLocation=C:\rei\Results\Agent /CflLocation=C:\rei\cfl.rei /Install=True /DownloaderVersion=1542 /Iav=False
Path: C:\Users\admin\AppData\Local\Temp\nsbCAD5.tmp\nsF594.tmp
Parent process: ReimagePackage.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nsbcad5.tmp\nsf594.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2092
CMD: "C:\Users\admin\AppData\Local\Temp\nsm178E.tmp\ns1DAA.tmp" cmd /C tasklist /FI "IMAGENAME eq ReiProtectorM.exe" > C:\Users\admin\AppData\Local\Temp\IsProcessActive.txt
Path: C:\Users\admin\AppData\Local\Temp\nsm178E.tmp\ns1DAA.tmp
Parent process: UniProtectorPackage.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nsm178e.tmp\ns1daa.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
PID: 2132
CMD: cmd /C tasklist /FI "IMAGENAME eq smsniff.exe" > C:\Users\admin\AppData\Local\Temp\IsProcessActive.txt
Path: C:\Windows\system32\cmd.exe
Parent process: nsC017.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2172
CMD: cmd /c ""C:\Users\admin\AppData\Local\Temp\FF.bat" > C:\Users\admin\AppData\Local\Temp\FF.txt"
Path: C:\Windows\system32\cmd.exe
Parent process: ns4976.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 2 100
Read events: 1 761
Write events: 264
Delete events: 75

Modification events

(PID) Process: (4020) firefox.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0
(PID) Process: (4020) firefox.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value:
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
(PID) Process: (4020) firefox.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
(PID) Process: (4020) firefox.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0
(PID) Process: (4020) firefox.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1
(PID) Process: (3172) ReimageRepair.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ReimageRepair_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0
(PID) Process: (3172) ReimageRepair.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ReimageRepair_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0
(PID) Process: (3172) ReimageRepair.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ReimageRepair_RASAPI32
Operation: write
Name: FileTracingMask
Value: 4294901760
(PID) Process: (3172) ReimageRepair.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ReimageRepair_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value: 4294901760
(PID) Process: (3172) ReimageRepair.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ReimageRepair_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576
Executable files: 83
Suspicious files: 124
Text files: 178
Unknown types: 69

Dropped files

PID | Process | Filename | Type
4020 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm |
MD5:
SHA256:
4020 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp |
MD5:
SHA256:
4020 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js |
MD5:
SHA256:
4020 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm |
MD5:
SHA256:
4020 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm |
MD5:
SHA256:
4020 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm |
MD5:
SHA256:
4020 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm |
MD5:
SHA256:
4020 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-badbinurl-proto.metadata |
MD5:
SHA256:
4020 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-badbinurl-proto.pset |
MD5:
SHA256:
4020 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin | binary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 132
TCP/UDP connections: 79
DNS requests: 159
Threats: 39

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4020 | firefox.exe | GET | 503 | 172.217.168.228:80 | http://www.google.com/sorry/index?continue=http://www.google.com/dp/ads%3Fmax_radlink_len%3D60%26r%3Dm%26client%3Ddp-bodis30_3ph%26channel%3Dpid-bodis-gcontrol40%252Cpid-bodis-gcontrol104%26hl%3Den%26adsafe%3Dlow%26type%3D3%26optimize_terms%3Don%26terms%3Dfannie%2520mae%2520home%2520loans%252Cfannie%2520mae%2520home%2520application%252Cfannie%2520mae%2520refinance%252Cfannie%2520mae%2520loan%2520rates%252Cfannie%2520mae%2520and%2520freddie%2520mac%252Cfannie%2520mae%2520financial%2520aid%252Chome%2520down%2520payment%2520assistance%26swp%3Das-drid-2561634113391178%26uiopt%3Dfalse%26oe%3DUTF-8%26ie%3DUTF-8%26fexp%3D21404%252C17300002%26format%3Dr7%26num%3D0%26output%3Dafd_ads%26domain_name%3Dwww.fanneemae.com%26v%3D3%26adext%3Das1%252Csr1%26bsl%3D8%26u_his%3D2%26u_tz%3D0%26dt%3D1544761802997%26u_w%3D1280%26u_h%3D720%26biw%3D1264%26bih%3D585%26psw%3D1264%26psh%3D900%26frm%3D0%26uio%3Dff6fa6st24sa11lt30as1sl1sr1-%26jsv%3D10546%26rurl%3Dhttp%253A%252F%252Fwww.fanneemae.com%252F&hl=en&q=EgS55n2MGMvjzOAFIhkA8aeDS3yQtGwnxf6S0WhpIdRO2kobVLLoMgFy | US | | 5.22 Kb | malicious
4020 | firefox.exe | GET | 301 | 52.73.222.18:80 | http://fannemae.com/ | US | html | 192 b | malicious
4020 | firefox.exe | GET | 200 | 199.59.242.151:80 | http://www.fanneemae.com/glp?r=&u=http%3A%2F%2Fwww.fanneemae.com%2F&rw=1280&rh=720&ww=1280&wh=585 | US | text | 15.0 Kb | malicious
4020 | firefox.exe | GET | 302 | 172.217.168.228:80 | http://www.google.com/dp/ads?max_radlink_len=60&r=m&client=dp-bodis30_3ph&channel=pid-bodis-gcontrol40%2Cpid-bodis-gcontrol104&hl=en&adsafe=low&type=3&optimize_terms=on&terms=fannie%20mae%20home%20loans%2Cfannie%20mae%20home%20application%2Cfannie%20mae%20refinance%2Cfannie%20mae%20loan%20rates%2Cfannie%20mae%20and%20freddie%20mac%2Cfannie%20mae%20financial%20aid%2Chome%20down%20payment%20assistance&swp=as-drid-2561634113391178&uiopt=false&oe=UTF-8&ie=UTF-8&fexp=21404%2C17300002&format=r7&num=0&output=afd_ads&domain_name=www.fanneemae.com&v=3&adext=as1%2Csr1&bsl=8&u_his=2&u_tz=0&dt=1544761802997&u_w=1280&u_h=720&biw=1264&bih=585&psw=1264&psh=900&frm=0&uio=ff6fa6st24sa11lt30as1sl1sr1-&jsv=10546&rurl=http%3A%2F%2Fwww.fanneemae.com%2F | US | html | 1.23 Kb | malicious
4020 | firefox.exe | GET | 404 | 199.59.242.151:80 | http://www.fanneemae.com/favicon.ico | US | html | 3.84 Kb | malicious
4020 | firefox.exe | GET | 200 | 172.217.168.228:80 | http://www.google.com/adsense/domains/caf.js | US | text | 52.7 Kb | malicious
4020 | firefox.exe | POST | 200 | 216.58.215.238:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted
4020 | firefox.exe | GET | 200 | 172.217.168.17:80 | http://survey.g.doubleclick.net/async_survey?site=kv4ic6olrzkr6 | US | text | 17.7 Kb | whitelisted
4020 | firefox.exe | POST | 200 | 216.58.215.238:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted
4020 | firefox.exe | POST | 200 | 216.58.215.238:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4020 | firefox.exe | 52.89.32.107:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown
4020 | firefox.exe | 2.16.186.112:80 | detectportal.firefox.com | Akamai International B.V. | | whitelisted
4020 | firefox.exe | 34.216.156.21:443 | tiles.services.mozilla.com | Amazon.com, Inc. | US | unknown
4020 | firefox.exe | 52.222.159.239:443 | snippets.cdn.mozilla.net | Amazon.com, Inc. | US | unknown
4020 | firefox.exe | 52.73.222.18:80 | fannemae.com | Amazon.com, Inc. | US | unknown
4020 | firefox.exe | 216.58.215.238:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
4020 | firefox.exe | 70.40.222.168:80 | 25t.net | Unified Layer | US | unknown
4020 | firefox.exe | 199.59.242.151:80 | www.fanneemae.com | Bodis, LLC | US | malicious
4020 | firefox.exe | 216.58.215.227:80 | www.gstatic.com | Google Inc. | US | whitelisted
4020 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain | IP | Reputation
detectportal.firefox.com | 2.16.186.112, 2.16.186.50 | whitelisted
search.services.mozilla.com | 52.89.32.107, 34.216.89.123, 52.27.184.151 | whitelisted
a1089.dscd.akamai.net | 2.16.186.50, 2.16.186.112 | whitelisted
search.r53-2.services.mozilla.com | 52.27.184.151, 34.216.89.123, 52.89.32.107 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
cs9.wac.phicdn.net | 93.184.220.29 | whitelisted
tiles.services.mozilla.com | 34.216.156.21, 34.208.7.98, 34.215.13.51, 34.209.108.219, 52.10.130.148, 52.34.107.172, 52.37.207.140, 52.39.131.77 | whitelisted
tiles.r53-2.services.mozilla.com | 52.39.131.77, 52.37.207.140, 52.34.107.172, 52.10.130.148, 34.209.108.219, 34.215.13.51, 34.208.7.98, 34.216.156.21 | whitelisted
snippets.cdn.mozilla.net | 52.222.159.239 | whitelisted
drcwo519tnci7.cloudfront.net | 52.222.159.239 | shared

Threats

PID | Process | Class | Message
4020 | firefox.exe | A Network Trojan was detected | SC WORM Worm:Win32/Esfury - C&C checkin
4020 | firefox.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
4020 | firefox.exe | Misc activity | ET INFO EXE - Served Attached HTTP
3172 | ReimageRepair.exe | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
3172 | ReimageRepair.exe | Misc activity | SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
3172 | ReimageRepair.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.Reimage Check-in
3172 | ReimageRepair.exe | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
3172 | ReimageRepair.exe | Misc activity | SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
3172 | ReimageRepair.exe | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
3172 | ReimageRepair.exe | Misc activity | SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
No debug info