File name: HelloRedService_Setup.exe
Full analysis: https://app.any.run/tasks/6d25bef1-cdfe-4061-9cda-17161723d30e
Verdict: Malicious activity
Analysis date: May 28, 2025, 20:54:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5: A64BDDA36A8B6ED67A0990E6778F9D45
SHA1: 029468E8CCBCEBACD5735D762B68DD6D43A470BE
SHA256: 9546932AE31A7E6484C2BECBE8084642ADFD6433EF40F1A6E95A39ECAA1AF6EE
SSDEEP: 24576:TuhM0wq9ZKk6k/p1z3qqKaA+CKQbe0k93Weg7Pbs:YM0wq9ZV6kbqqKaATKQbe0k93Weg7Pbs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Reads the date of Windows installation
      • HelloRedService_Setup.exe (PID: 7420)
    • Reads security settings of Internet Explorer
      • HelloRedService_Setup.exe (PID: 7420)
    • Drops a system driver (possible attempt to evade defenses)
      • HelloRedService_Setup.exe (PID: 7420)
    • Executable content was dropped or overwritten
      • HelloRedService_Setup.exe (PID: 7420)
    • Starts CMD.EXE for command execution
      • HelloRedService_Setup.exe (PID: 7420)
    • Executes commands from a ".cmd" file
      • HelloRedService_Setup.exe (PID: 7420)
    • Starts SC.EXE for service management
      • cmd.exe (PID: 7536)
    • Stops a currently running service
      • sc.exe (PID: 7612)
    • Windows service management via SC.EXE
      • sc.exe (PID: 7648)
      • sc.exe (PID: 7688)
      • sc.exe (PID: 7708)
    • Creates a new Windows service
      • sc.exe (PID: 7668)
    • Executes as a Windows service
      • red.exe (PID: 7724)
  • INFO
    • Reads the computer name
      • HelloRedService_Setup.exe (PID: 7420)
      • red.exe (PID: 7724)
    • The sample was compiled with English language support
      • HelloRedService_Setup.exe (PID: 7420)
    • Process checks computer location settings
      • HelloRedService_Setup.exe (PID: 7420)
    • Checks supported languages
      • HelloRedService_Setup.exe (PID: 7420)
      • red.exe (PID: 7724)
    • Reads the machine GUID from the registry
      • red.exe (PID: 7724)
    • Manual execution by a user
      • Taskmgr.exe (PID: 8112)
      • Taskmgr.exe (PID: 8160)
      • firefox.exe (PID: 7424)
    • Application launched itself
      • firefox.exe (PID: 7640)
      • firefox.exe (PID: 7424)
    • Reads security settings of Internet Explorer
      • Taskmgr.exe (PID: 8160)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:05:12 10:17:07+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.33
CodeSize: 288768
InitializedDataSize: 127488
UninitializedDataSize: -
EntryPoint: 0x32ee0
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 162
Monitored processes: 30
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start helloredservice_setup.exe cmd.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs red.exe no specs sppextcomobj.exe no specs slui.exe no specs taskmgr.exe no specs taskmgr.exe firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs system firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs helloredservice_setup.exe no specs

Process information

Columns in the source table: PID, CMD, Path, Indicators, Parent process. No indicators were recorded for any of the listed processes.

PID 4: System (parent: [System Process])
  User: SYSTEM
  Integrity level: SYSTEM

PID 732: firefox.exe (parent: firefox.exe)
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6096 -childID 8 -isForBrowser -prefsHandle 6100 -prefMapHandle 6104 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1440 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdd84184-2e95-45b7-8cd5-91e1002a0109} 7640 "\\.\pipe\gecko-crash-server-pipe.7640" 18e3b01f150 tab
  User: admin
  Company: Mozilla Corporation
  Integrity level: MEDIUM
  Description: Firefox
  Version: 123.0
  Modules (images): c:\program files\mozilla firefox\firefox.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ucrtbase.dll, c:\program files\mozilla firefox\mozglue.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\msvcp140.dll, c:\windows\system32\vcruntime140.dll

PID 1228: firefox.exe (parent: firefox.exe)
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2156 -parentBuildID 20240213221259 -prefsHandle 2148 -prefMapHandle 2144 -prefsLen 31031 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fed52d4-fd62-44d0-84e3-3ca26546ec37} 7640 "\\.\pipe\gecko-crash-server-pipe.7640" 18e25283110 socket
  User: admin
  Company: Mozilla Corporation
  Integrity level: MEDIUM
  Description: Firefox
  Version: 123.0
  Modules (images): c:\program files\mozilla firefox\firefox.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ucrtbase.dll, c:\program files\mozilla firefox\mozglue.dll, c:\windows\system32\msvcp140.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\vcruntime140.dll

PID 2284: firefox.exe (parent: firefox.exe)
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4304 -childID 2 -isForBrowser -prefsHandle 4296 -prefMapHandle 4292 -prefsLen 36588 -prefMapSize 244583 -jsInitHandle 1440 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {deb68d57-903a-4884-b75d-0dc9ce3e3a62} 7640 "\\.\pipe\gecko-crash-server-pipe.7640" 18e393f6a10 tab
  User: admin
  Company: Mozilla Corporation
  Integrity level: MEDIUM
  Description: Firefox
  Version: 123.0
  Modules (images): c:\program files\mozilla firefox\firefox.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ucrtbase.dll, c:\program files\mozilla firefox\mozglue.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\msvcp140.dll, c:\windows\system32\vcruntime140.dll

PID 2980: firefox.exe (parent: firefox.exe)
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 5 -isForBrowser -prefsHandle 5516 -prefMapHandle 5520 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1440 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ed3c995-2e90-4fc7-9d58-1ffda04da01b} 7640 "\\.\pipe\gecko-crash-server-pipe.7640" 18e3cc9c850 tab
  User: admin
  Company: Mozilla Corporation
  Integrity level: MEDIUM
  Description: Firefox
  Version: 123.0
  Modules (images): c:\program files\mozilla firefox\firefox.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ucrtbase.dll, c:\program files\mozilla firefox\mozglue.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\msvcp140.dll, c:\windows\system32\vcruntime140.dll

PID 4220: firefox.exe (parent: firefox.exe)
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2752 -childID 1 -isForBrowser -prefsHandle 2744 -prefMapHandle 2740 -prefsLen 31447 -prefMapSize 244583 -jsInitHandle 1440 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e0b25c3-2190-458e-bc56-c03c7fd3d1ca} 7640 "\\.\pipe\gecko-crash-server-pipe.7640" 18e36e41f50 tab
  User: admin
  Company: Mozilla Corporation
  Integrity level: MEDIUM
  Description: Firefox
  Version: 123.0
  Modules (images): c:\program files\mozilla firefox\firefox.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ucrtbase.dll, c:\program files\mozilla firefox\mozglue.dll, c:\windows\system32\msvcp140.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\vcruntime140.dll

PID 4452: firefox.exe (parent: firefox.exe)
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5772 -childID 6 -isForBrowser -prefsHandle 5744 -prefMapHandle 5436 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1440 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2f28195-786e-40fc-92ae-5b220d7d5d80} 7640 "\\.\pipe\gecko-crash-server-pipe.7640" 18e38b45a10 tab
  User: admin
  Company: Mozilla Corporation
  Integrity level: MEDIUM
  Description: Firefox
  Version: 123.0
  Modules (images): c:\program files\mozilla firefox\firefox.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ucrtbase.dll, c:\program files\mozilla firefox\mozglue.dll, c:\windows\system32\msvcp140.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\vcruntime140.dll

PID 5592: firefox.exe (parent: firefox.exe)
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4960 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 4944 -prefMapHandle 4844 -prefsLen 36588 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {feafb7a6-bef3-4ee9-aa8d-224dd453c58a} 7640 "\\.\pipe\gecko-crash-server-pipe.7640" 18e3bfd7510 utility
  User: admin
  Company: Mozilla Corporation
  Integrity level: MEDIUM
  Description: Firefox
  Version: 123.0
  Modules (images): c:\program files\mozilla firefox\firefox.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ucrtbase.dll, c:\program files\mozilla firefox\mozglue.dll, c:\windows\system32\msvcp140.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\vcruntime140.dll, c:\windows\system32\bcrypt.dll

PID 5720: firefox.exe (parent: firefox.exe)
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 3 -isForBrowser -prefsHandle 5340 -prefMapHandle 5344 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1440 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb2edf0a-0f13-4e14-a339-749fe3d8117e} 7640 "\\.\pipe\gecko-crash-server-pipe.7640" 18e3cc9c150 tab
  User: admin
  Company: Mozilla Corporation
  Integrity level: MEDIUM
  Description: Firefox
  Version: 123.0
  Modules (images): c:\program files\mozilla firefox\firefox.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ucrtbase.dll, c:\program files\mozilla firefox\mozglue.dll, c:\windows\system32\msvcp140.dll, c:\windows\system32\vcruntime140.dll, c:\windows\system32\vcruntime140_1.dll, c:\windows\system32\crypt32.dll

PID 6208: firefox.exe (parent: firefox.exe)
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5472 -childID 4 -isForBrowser -prefsHandle 5464 -prefMapHandle 5460 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1440 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc6fa332-932f-41b9-b97b-87a92df4abba} 7640 "\\.\pipe\gecko-crash-server-pipe.7640" 18e3cc9c310 tab
  User: admin
  Company: Mozilla Corporation
  Integrity level: MEDIUM
  Description: Firefox
  Version: 123.0
  Modules (images): c:\program files\mozilla firefox\firefox.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ucrtbase.dll, c:\program files\mozilla firefox\mozglue.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\msvcp140.dll, c:\windows\system32\vcruntime140.dll
Total events: 17 841
Read events: 17 835
Write events: 5
Delete events: 1

Modification events

PID 7724 (red.exe), operation: write
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\WinDivert
  Name: EventMessageFile
  Value: C:\HelloRed\RedService\x86_64\WinDivert64.sys

PID 7724 (red.exe), operation: write
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\WinDivert
  Name: TypesSupported
  Value: 7

PID 8160 (Taskmgr.exe), operation: delete value
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
  Name: Preferences
  Value: -

PID 8160 (Taskmgr.exe), operation: write
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
  Name: Preferences
  Value: (not reproduced in this report)

PID 7640 (firefox.exe), operation: write
  Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
  Name: C:\Program Files\Mozilla Firefox\firefox.exe
  Value: 0
Executable files: 7
Suspicious files: 147
Text files: 16
Unknown types: 222

Dropped files

PID | Process | Filename | Type
7640 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin | -
  MD5: -
  SHA256: -
7420 | HelloRedService_Setup.exe | C:\HelloRed\RedService\remove.cmd | text
  MD5: 82944EFABDDE76AC4193C1895EB6701B
  SHA256: 24C25093BD41C8B345EFB90574F17582AB2C38DF8539AD8C4AF05A4D04258EFA
7420 | HelloRedService_Setup.exe | C:\HelloRed\RedService\x86\red.exe | executable
  MD5: ED341366540D0703B8E3B2EB7EE668E2
  SHA256: 7419DA3ED5FED4232F1D7198E9AD978459BF67E8968A56E5931AF27FAC6F684B
7420 | HelloRedService_Setup.exe | C:\HelloRed\RedService\x86\WinDivert.dll | executable
  MD5: 1CB0EFD60883B5637B31BF46C34AE199
  SHA256: 625FFDD95BFABFF32D0E8A95BEABCD303C01C8BBA73B90402D4E84D6E15DD8E5
7420 | HelloRedService_Setup.exe | C:\HelloRed\RedService\x86\WinDivert64.sys | executable
  MD5: 6A33620DE63BCCAF5E5314EE49CD58FB
  SHA256: E69B5BA3F0CD6CFB2983E442636E7F0B342B61B15264B0328317D4559C82CF50
7420 | HelloRedService_Setup.exe | C:\HelloRed\RedService\x86_64\WinDivert64.sys | executable
  MD5: 6A33620DE63BCCAF5E5314EE49CD58FB
  SHA256: E69B5BA3F0CD6CFB2983E442636E7F0B342B61B15264B0328317D4559C82CF50
7420 | HelloRedService_Setup.exe | C:\HelloRed\RedService\x86_64\red.exe | executable
  MD5: 82683648B53FEF23E3B7A8ED8D0BD69F
  SHA256: 17F596635E0DA3601B54D57AE49DB25BB52198D5AEEE9B424BFA86AB95058C73
7640 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmp | binary
  MD5: EA8B62857DFDBD3D0BE7D7E4A954EC9A
  SHA256: 792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
7640 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm | binary
  MD5: B7C14EC6110FA820CA6B65F5AEC85911
  SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
7640 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.js | text
  MD5: BAD72880A24CF8555259AF63DDFAAB46
  SHA256: 18E63AF7A89F072E60DCB0F6172ECCB6BFAEFCAC5C54FBD844B021B21A0323FF
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report.
HTTP(S) requests: 33
TCP/UDP connections: 189
DNS requests: 6
Threats: 13

HTTP requests

The CN and Size columns of the source table are empty for every row shown.

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
5796 | svchost.exe | GET | 200 | 23.48.23.161:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2064 | SIHClient.exe | GET | 200 | 23.52.185.219:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
5796 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
7640 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | whitelisted
7640 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | whitelisted
7640 | firefox.exe | POST | 200 | 2.16.103.27:80 | http://r11.o.lencr.org/ | unknown | whitelisted
7640 | firefox.exe | POST | 200 | 142.250.74.35:80 | http://o.pki.goog/s/wr3/FIY | unknown | whitelisted
7640 | firefox.exe | POST | 200 | 2.16.103.27:80 | http://r11.o.lencr.org/ | unknown | whitelisted
7640 | firefox.exe | POST | 200 | 2.19.204.139:80 | http://r10.o.lencr.org/ | unknown | whitelisted
7640 | firefox.exe | POST | 200 | 2.19.204.139:80 | http://r10.o.lencr.org/ | unknown | whitelisted

Connections

A "-" marks a cell that is empty in the source table; the fourth row has no PID or process name in the source.

PID | Process | IP | Domain | ASN | CN | Reputation
672 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5796 | svchost.exe | 23.48.23.161:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5796 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
5496 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5796 | svchost.exe | 51.11.168.232:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | GB | unknown
4 | System | 77.88.8.8:1253 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 20.73.194.208 | whitelisted
google.com | 142.250.185.78 | whitelisted
crl.microsoft.com | 23.48.23.161, 23.48.23.141, 23.48.23.183, 23.48.23.189, 23.48.23.134, 23.48.23.173 | whitelisted
www.microsoft.com | 2.23.246.101 | whitelisted

Threats

PID | Process | Class | Message
4 | System | Potentially Bad Traffic | ET INFO Non Standard Port DNS Query to google .com (udp)
4 | System | Potentially Bad Traffic | ET INFO Non Standard Port DNS Query to google .com (udp)
4 | System | Potentially Bad Traffic | ET INFO Non Standard Port DNS Query to google .com (udp)
4 | System | Potentially Bad Traffic | ET INFO Non Standard Port DNS Query to google .com (udp)
4 | System | Potentially Bad Traffic | ET INFO Non Standard Port DNS Query to google .com (udp)
4 | System | Potentially Bad Traffic | ET INFO Non Standard Port DNS Query to google .com (udp)
4 | System | Potentially Bad Traffic | ET INFO Non Standard Port DNS Query to google .com (udp)
4 | System | Potentially Bad Traffic | ET INFO Non Standard Port DNS Query to google .com (udp)
4 | System | Potentially Bad Traffic | ET INFO Non Standard Port DNS Query to google .com (udp)
4 | System | Potentially Bad Traffic | ET INFO Non Standard Port DNS Query to google .com (udp)
No debug info