File name: new 1.txt

Full analysis: https://app.any.run/tasks/29ea7142-fa3f-44da-affa-8e30b345d120
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 14, 2018, 04:29:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, adware
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5: 80818856A7CADF68456337B17B1C318D
SHA1: 5C8B8175C75D9F02FD0889CD6D958ED452F14D16
SHA256: 8E5DE01820734FE46F2161B81123246472AD835B568CAD6109877172C2BEFBBF
SSDEEP: 3:0Z3:0t

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ReimageRepair.exe (PID: 2972)
      • ReimageRepair.exe (PID: 3172)
      • ns47ED.tmp (PID: 3416)
      • sqlite3.exe (PID: 3952)
      • sqlite3.exe (PID: 2684)
      • sqlite3.exe (PID: 3004)
      • ns4976.tmp (PID: 3936)
      • sqlite3.exe (PID: 2776)
      • ns4655.tmp (PID: 2840)
      • sqlite3.exe (PID: 3364)
      • sqlite3.exe (PID: 3884)
      • sqlite3.exe (PID: 2760)
      • sqlite3.exe (PID: 3948)
      • ns9A29.tmp (PID: 3752)
      • ns5196.tmp (PID: 2888)
      • sqlite3.exe (PID: 3084)
      • ns4B7B.tmp (PID: 3900)
      • nsB288.tmp (PID: 2468)
      • nsA6AD.tmp (PID: 3832)
      • sqlite3.exe (PID: 3400)
      • nsAC5B.tmp (PID: 3296)
      • sqlite3.exe (PID: 2896)
      • nsB9FC.tmp (PID: 3368)
      • nsC017.tmp (PID: 3384)
      • ReimagePackage.exe (PID: 3108)
      • sqlite3.exe (PID: 3956)
      • nsB44E.tmp (PID: 348)
      • nsCCF9.tmp (PID: 3076)
      • nsD2A7.tmp (PID: 3540)
      • nsE70D.tmp (PID: 2900)
      • nsE0D1.tmp (PID: 3460)
      • lzma.exe (PID: 924)
      • nsE48B.tmp (PID: 2368)
      • lzma.exe (PID: 2252)
      • ProtectorUpdater.exe (PID: 3060)
      • nsFFC0.tmp (PID: 2380)
      • UniProtectorPackage.exe (PID: 2384)
      • nsF594.tmp (PID: 2084)
      • ns17FC.tmp (PID: 3600)
      • ReiSystem.exe (PID: 3192)
      • ReiGuard.exe (PID: 1340)
      • ns1DAA.tmp (PID: 2092)
      • Reimage.exe (PID: 2268)
      • ns29B1.tmp (PID: 2812)
      • ReiGuard.exe (PID: 2520)
    • Downloads executable files from the Internet

      • firefox.exe (PID: 4020)
      • ReimageRepair.exe (PID: 3172)
      • ProtectorUpdater.exe (PID: 3060)
    • Connects to CnC server

      • firefox.exe (PID: 4020)
      • ReimageRepair.exe (PID: 3172)
      • ReimagePackage.exe (PID: 3108)
    • Loads dropped or rewritten executable

      • ReimageRepair.exe (PID: 3172)
      • ReimagePackage.exe (PID: 3108)
      • ProtectorUpdater.exe (PID: 3060)
      • regsvr32.exe (PID: 2072)
      • regsvr32.exe (PID: 2836)
      • UniProtectorPackage.exe (PID: 2384)
      • Reimage.exe (PID: 2268)
    • Registers / Runs the DLL via REGSVR32.EXE

      • ReimageRepair.exe (PID: 3172)
      • ReimagePackage.exe (PID: 3108)
    • Uses TASKLIST.EXE to search for antiviruses

      • cmd.exe (PID: 2560)
      • cmd.exe (PID: 2576)
    • Uses TASKLIST.EXE to search for security tools

      • cmd.exe (PID: 2436)
      • cmd.exe (PID: 3768)
      • cmd.exe (PID: 2852)
      • cmd.exe (PID: 2132)
    • Loads the Task Scheduler COM API

      • ReiGuard.exe (PID: 1340)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 4020)
      • ReimageRepair.exe (PID: 3172)
      • ReimagePackage.exe (PID: 3108)
      • lzma.exe (PID: 2252)
      • lzma.exe (PID: 924)
      • ProtectorUpdater.exe (PID: 3060)
      • UniProtectorPackage.exe (PID: 2384)
    • Starts application with an unusual extension

      • ReimageRepair.exe (PID: 3172)
      • ReimagePackage.exe (PID: 3108)
      • ProtectorUpdater.exe (PID: 3060)
      • UniProtectorPackage.exe (PID: 2384)
    • Creates files in the Windows directory

      • ReimageRepair.exe (PID: 3172)
    • Reads the cookies of Mozilla Firefox

      • sqlite3.exe (PID: 2684)
      • sqlite3.exe (PID: 2760)
      • sqlite3.exe (PID: 3364)
      • sqlite3.exe (PID: 2896)
    • Reads the cookies of Google Chrome

      • sqlite3.exe (PID: 3004)
      • sqlite3.exe (PID: 3952)
      • sqlite3.exe (PID: 3884)
      • sqlite3.exe (PID: 2776)
      • sqlite3.exe (PID: 3084)
      • sqlite3.exe (PID: 3948)
      • sqlite3.exe (PID: 3400)
      • sqlite3.exe (PID: 3956)
    • Starts CMD.EXE for commands execution

      • ns4655.tmp (PID: 2840)
      • ns47ED.tmp (PID: 3416)
      • ns4976.tmp (PID: 3936)
      • ns5196.tmp (PID: 2888)
      • ns4B7B.tmp (PID: 3900)
      • ns9A29.tmp (PID: 3752)
      • nsAC5B.tmp (PID: 3296)
      • nsA6AD.tmp (PID: 3832)
      • nsB288.tmp (PID: 2468)
      • nsB9FC.tmp (PID: 3368)
      • nsB44E.tmp (PID: 348)
      • nsC017.tmp (PID: 3384)
      • nsD2A7.tmp (PID: 3540)
      • nsCCF9.tmp (PID: 3076)
      • nsE70D.tmp (PID: 2900)
      • nsFFC0.tmp (PID: 2380)
      • ns17FC.tmp (PID: 3600)
      • ns1DAA.tmp (PID: 2092)
    • Uses TASKLIST.EXE to query information about running processes

      • cmd.exe (PID: 3332)
      • cmd.exe (PID: 3400)
      • cmd.exe (PID: 3444)
      • cmd.exe (PID: 2328)
      • cmd.exe (PID: 2628)
      • cmd.exe (PID: 2536)
      • cmd.exe (PID: 3476)
      • cmd.exe (PID: 2352)
    • Creates COM task schedule object

      • regsvr32.exe (PID: 3984)
      • regsvr32.exe (PID: 2072)
    • Creates a software uninstall entry

      • ReimageRepair.exe (PID: 3172)
      • ReimagePackage.exe (PID: 3108)
    • Creates files in the program directory

      • lzma.exe (PID: 2252)
      • lzma.exe (PID: 924)
      • ReimagePackage.exe (PID: 3108)
      • ProtectorUpdater.exe (PID: 3060)
      • UniProtectorPackage.exe (PID: 2384)
      • ReiGuard.exe (PID: 2520)
      • ReiGuard.exe (PID: 1340)
    • Creates files in the user directory

      • ReiGuard.exe (PID: 1340)
      • Reimage.exe (PID: 2268)
    • Reads internet explorer settings

      • Reimage.exe (PID: 2268)
    • Reads Internet Cache Settings

      • Reimage.exe (PID: 2268)
  • INFO

    • Reads CPU info

      • firefox.exe (PID: 2636)
      • firefox.exe (PID: 4020)
      • firefox.exe (PID: 3016)
      • firefox.exe (PID: 3624)
    • Reads settings of System Certificates

      • firefox.exe (PID: 4020)
    • Application launched itself

      • firefox.exe (PID: 4020)
    • Creates files in the user directory

      • firefox.exe (PID: 4020)
    • Dropped object may contain Bitcoin addresses

      • Reimage.exe (PID: 2268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 148
Monitored processes: 85
Malicious processes: 10
Suspicious processes: 24

Behavior graph

(Interactive process graph; not reproduced here.)

Process information

PID: 2804
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\new 1.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 4020
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 61.0.2

PID: 3624
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4020.0.194107319\1281099046" -childID 1 -isForBrowser -prefsHandle 1332 -prefsLen 8309 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 4020 "\\.\pipe\gecko-crash-server-pipe.4020" 1432 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 61.0.2

PID: 2636
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4020.6.1035511051\1302626400" -childID 2 -isForBrowser -prefsHandle 2416 -prefsLen 11442 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 4020 "\\.\pipe\gecko-crash-server-pipe.4020" 2504 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 61.0.2

PID: 3016
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4020.12.1551129682\1183777204" -childID 3 -isForBrowser -prefsHandle 3060 -prefsLen 11808 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 4020 "\\.\pipe\gecko-crash-server-pipe.4020" 3072 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 61.0.2

PID: 2972
CMD: "C:\Users\admin\Downloads\ReimageRepair.exe"
Path: C:\Users\admin\Downloads\ReimageRepair.exe
Parent process: firefox.exe
User: admin
Company: Reimage
Integrity Level: MEDIUM
Description: Reimage Downloader
Exit code: 3221226540
Version: 1.542

PID: 3172
CMD: "C:\Users\admin\Downloads\ReimageRepair.exe"
Path: C:\Users\admin\Downloads\ReimageRepair.exe
Parent process: firefox.exe
User: admin
Company: Reimage
Integrity Level: HIGH
Description: Reimage Downloader
Exit code: 2
Version: 1.542

PID: 2840
CMD: "C:\Users\admin\AppData\Local\Temp\nso44EC.tmp\ns4655.tmp" "C:\Users\admin\AppData\Local\Temp\FF.bat" > C:\Users\admin\AppData\Local\Temp\FF.txt
Path: C:\Users\admin\AppData\Local\Temp\nso44EC.tmp\ns4655.tmp
Parent process: ReimageRepair.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 2256
CMD: cmd /c ""C:\Users\admin\AppData\Local\Temp\FF.bat" > C:\Users\admin\AppData\Local\Temp\FF.txt"
Path: C:\Windows\system32\cmd.exe
Parent process: ns4655.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2684
CMD: "C:\Users\admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_trackid';"
Path: C:\Users\admin\AppData\Local\Temp\sqlite3.exe
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Total events: 2 100
Read events: 1 761
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 83
Suspicious files: 124
Text files: 178
Unknown types: 69

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4020 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | | |
4020 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | | |
4020 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | | |
4020 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm | | |
4020 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm | | |
4020 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm | | |
4020 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm | | |
4020 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-badbinurl-proto.metadata | | |
4020 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-badbinurl-proto.pset | | |
4020 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin | binary | 707C12070C52E55C2A996AC15E219B95 | 6C5410C655C8EFC48D123ABE708C8940A4218072C0DAF85E03AB45DA6D2CE6B9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
132
TCP/UDP connections
79
DNS requests
159
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4020 | firefox.exe | GET | | 199.59.242.151:80 | http://www.fanneemae.com/favicon.ico | US | | | malicious
4020 | firefox.exe | GET | 503 | 172.217.168.228:80 | http://www.google.com/sorry/index?continue=http://www.google.com/dp/ads%3Fmax_radlink_len%3D60%26r%3Dm%26client%3Ddp-bodis30_3ph%26channel%3Dpid-bodis-gcontrol40%252Cpid-bodis-gcontrol104%26hl%3Den%26adsafe%3Dlow%26type%3D3%26optimize_terms%3Don%26terms%3Dfannie%2520mae%2520home%2520loans%252Cfannie%2520mae%2520home%2520application%252Cfannie%2520mae%2520refinance%252Cfannie%2520mae%2520loan%2520rates%252Cfannie%2520mae%2520and%2520freddie%2520mac%252Cfannie%2520mae%2520financial%2520aid%252Chome%2520down%2520payment%2520assistance%26swp%3Das-drid-2561634113391178%26uiopt%3Dfalse%26oe%3DUTF-8%26ie%3DUTF-8%26fexp%3D21404%252C17300002%26format%3Dr7%26num%3D0%26output%3Dafd_ads%26domain_name%3Dwww.fanneemae.com%26v%3D3%26adext%3Das1%252Csr1%26bsl%3D8%26u_his%3D2%26u_tz%3D0%26dt%3D1544761802997%26u_w%3D1280%26u_h%3D720%26biw%3D1264%26bih%3D585%26psw%3D1264%26psh%3D900%26frm%3D0%26uio%3Dff6fa6st24sa11lt30as1sl1sr1-%26jsv%3D10546%26rurl%3Dhttp%253A%252F%252Fwww.fanneemae.com%252F&hl=en&q=EgS55n2MGMvjzOAFIhkA8aeDS3yQtGwnxf6S0WhpIdRO2kobVLLoMgFy | US | | 5.22 Kb | whitelisted
4020 | firefox.exe | GET | 301 | 52.73.222.18:80 | http://fannemae.com/ | US | html | 192 b | malicious
4020 | firefox.exe | GET | 302 | 70.40.222.168:80 | http://25t.net/dnimport/brx/index_f5.php?d=fanneemae.com | US | binary | 20 b | unknown
4020 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
4020 | firefox.exe | GET | 200 | 172.217.168.228:80 | http://www.google.com/adsense/domains/caf.js | US | text | 52.7 Kb | whitelisted
4020 | firefox.exe | GET | 302 | 172.217.168.228:80 | http://www.google.com/dp/ads?max_radlink_len=60&r=m&client=dp-bodis30_3ph&channel=pid-bodis-gcontrol40%2Cpid-bodis-gcontrol104&hl=en&adsafe=low&type=3&optimize_terms=on&terms=fannie%20mae%20home%20loans%2Cfannie%20mae%20home%20application%2Cfannie%20mae%20refinance%2Cfannie%20mae%20loan%20rates%2Cfannie%20mae%20and%20freddie%20mac%2Cfannie%20mae%20financial%20aid%2Chome%20down%20payment%20assistance&swp=as-drid-2561634113391178&uiopt=false&oe=UTF-8&ie=UTF-8&fexp=21404%2C17300002&format=r7&num=0&output=afd_ads&domain_name=www.fanneemae.com&v=3&adext=as1%2Csr1&bsl=8&u_his=2&u_tz=0&dt=1544761802997&u_w=1280&u_h=720&biw=1264&bih=585&psw=1264&psh=900&frm=0&uio=ff6fa6st24sa11lt30as1sl1sr1-&jsv=10546&rurl=http%3A%2F%2Fwww.fanneemae.com%2F | US | html | 1.23 Kb | whitelisted
4020 | firefox.exe | GET | 200 | 199.59.242.151:80 | http://www.fanneemae.com/px.gif?ch=2&rn=9.54130594448226 | US | image | 42 b | malicious
4020 | firefox.exe | GET | 200 | 2.16.186.112:80 | http://detectportal.firefox.com/success.txt | unknown | text | 8 b | whitelisted
4020 | firefox.exe | POST | 200 | 216.58.215.238:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4020 | firefox.exe | 52.73.222.18:80 | fannemae.com | Amazon.com, Inc. | US | unknown
4020 | firefox.exe | 52.222.159.239:443 | snippets.cdn.mozilla.net | Amazon.com, Inc. | US | unknown
4020 | firefox.exe | 52.89.32.107:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown
4020 | firefox.exe | 34.216.156.21:443 | tiles.services.mozilla.com | Amazon.com, Inc. | US | unknown
4020 | firefox.exe | 216.58.215.238:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
4020 | firefox.exe | 70.40.222.168:80 | 25t.net | Unified Layer | US | unknown
4020 | firefox.exe | 172.217.168.10:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted
4020 | firefox.exe | 199.59.242.151:80 | www.fanneemae.com | Bodis, LLC | US | malicious
4020 | firefox.exe | 2.16.186.112:80 | detectportal.firefox.com | Akamai International B.V. | | whitelisted
4020 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain
IP
Reputation
detectportal.firefox.com
  • 2.16.186.112
  • 2.16.186.50
whitelisted
search.services.mozilla.com
  • 52.89.32.107
  • 34.216.89.123
  • 52.27.184.151
whitelisted
a1089.dscd.akamai.net
  • 2.16.186.50
  • 2.16.186.112
whitelisted
search.r53-2.services.mozilla.com
  • 52.27.184.151
  • 34.216.89.123
  • 52.89.32.107
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
cs9.wac.phicdn.net
  • 93.184.220.29
whitelisted
tiles.services.mozilla.com
  • 34.216.156.21
  • 34.208.7.98
  • 34.215.13.51
  • 34.209.108.219
  • 52.10.130.148
  • 52.34.107.172
  • 52.37.207.140
  • 52.39.131.77
whitelisted
tiles.r53-2.services.mozilla.com
  • 52.39.131.77
  • 52.37.207.140
  • 52.34.107.172
  • 52.10.130.148
  • 34.209.108.219
  • 34.215.13.51
  • 34.208.7.98
  • 34.216.156.21
whitelisted
snippets.cdn.mozilla.net
  • 52.222.159.239
whitelisted
drcwo519tnci7.cloudfront.net
  • 52.222.159.239
shared

Threats

PID | Process | Class | Message
4020 | firefox.exe | A Network Trojan was detected | SC WORM Worm:Win32/Esfury - C&C checkin
4020 | firefox.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
4020 | firefox.exe | Misc activity | ET INFO EXE - Served Attached HTTP
3172 | ReimageRepair.exe | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
3172 | ReimageRepair.exe | Misc activity | SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
3172 | ReimageRepair.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.Reimage Check-in
3172 | ReimageRepair.exe | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
3172 | ReimageRepair.exe | Misc activity | SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
3172 | ReimageRepair.exe | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
3172 | ReimageRepair.exe | Misc activity | SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
No debug info