Malware analysis https://www.ittf.com/windows-10-activator/ Malicious activity

Add for printing

URL:	https://www.ittf.com/windows-10-activator/
Full analysis:	https://app.any.run/tasks/2b6183da-7027-4a08-acae-6429b9f34a02
Verdict:	Malicious activity
Threats:	HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	December 04, 2024, 14:01:27
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	hijackloader loader
Indicators:
MD5:	4B42A992F6783C38BE41FAB7C17BFA39
SHA1:	F0B901C2ACB77242681BE3781080968161FF0559
SHA256:	9C9080D4C49D55FC4C4B557E79291B149A4A6808A22BB0C28C3EEC2084192364
SSDEEP:	3:N8DSLqBEGqW:2OLmvD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Executing a file with an untrusted certificate
  - Setup.exe (PID: 7576)
  - Setup.exe (PID: 8164)
- HIJACKLOADER has been detected (YARA)
  - Setup.exe (PID: 7576)
  - Setup.exe (PID: 8164)
SUSPICIOUS
- Application launched itself
  - WinRAR.exe (PID: 7324)
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 7412)
  - Setup.exe (PID: 7576)
- Executable content was dropped or overwritten
  - Setup.exe (PID: 7576)
- Executes application which crashes
  - msiexec.exe (PID: 7784)
  - msiexec.exe (PID: 3032)
- Starts application with an unusual extension
  - Setup.exe (PID: 8164)
  - Setup.exe (PID: 7576)
INFO
- Executable content was dropped or overwritten
  - firefox.exe (PID: 7000)
  - WinRAR.exe (PID: 7412)
- Application launched itself
  - firefox.exe (PID: 6956)
  - firefox.exe (PID: 7000)
- Manual execution by a user
  - Setup.exe (PID: 7576)
  - Setup.exe (PID: 8164)
  - WinRAR.exe (PID: 7324)
- Reads the computer name
  - Setup.exe (PID: 7576)
- Reads security settings of Internet Explorer
  - msiexec.exe (PID: 3032)
  - msiexec.exe (PID: 7784)
- Reads the software policy settings
  - msiexec.exe (PID: 3032)
- Checks proxy server information
  - msiexec.exe (PID: 7784)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

159

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1348

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5028 -childID 9 -isForBrowser -prefsHandle 5236 -prefMapHandle 5880 -prefsLen 32166 -prefMapSize 244583 -jsInitHandle 1368 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc56921c-9aab-473f-842a-662573a159a9} 7000 "\\.\pipe\gecko-crash-server-pipe.7000" 1fdb9867bd0 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140.dll

1704

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

more.com

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2292

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 8 -isForBrowser -prefsHandle 4004 -prefMapHandle 5608 -prefsLen 32166 -prefMapSize 244583 -jsInitHandle 1368 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c232ba8d-89c2-4d3c-a2b5-94cf71ba8d0a} 7000 "\\.\pipe\gecko-crash-server-pipe.7000" 1fdbad1df50 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll

2776

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 10 -isForBrowser -prefsHandle 5908 -prefMapHandle 5912 -prefsLen 32166 -prefMapSize 244583 -jsInitHandle 1368 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dec8cf87-b754-4e8e-9582-b38304e93521} 7000 "\\.\pipe\gecko-crash-server-pipe.7000" 1fdb99d4a10 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\bcrypt.dll

2788

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6104 -childID 12 -isForBrowser -prefsHandle 6128 -prefMapHandle 5644 -prefsLen 32166 -prefMapSize 244583 -jsInitHandle 1368 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a230944-81d6-4f7d-9771-c2d4b5bab629} 7000 "\\.\pipe\gecko-crash-server-pipe.7000" 1fdbd41e4d0 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll

2828

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4136 -childID 2 -isForBrowser -prefsHandle 4188 -prefMapHandle 2624 -prefsLen 36588 -prefMapSize 244583 -jsInitHandle 1368 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c917624-59b3-4d63-a6c7-28446fd6fc4c} 7000 "\\.\pipe\gecko-crash-server-pipe.7000" 1fdb64c74d0 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140_1.dll

3032

C:\WINDOWS\SysWOW64\msiexec.exe

C:\Windows\SysWOW64\msiexec.exe

more.com

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

3221226505

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\local\temp\ecjiloufxfp
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

3820

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 3032 -s 1740

C:\Windows\SysWOW64\WerFault.exe

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

3836

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5140 -childID 4 -isForBrowser -prefsHandle 5088 -prefMapHandle 5156 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1368 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a463b5a-968b-46fc-8b48-42fdebf70b49} 7000 "\\.\pipe\gecko-crash-server-pipe.7000" 1fdb8471150 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

4204

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6780 -childID 17 -isForBrowser -prefsHandle 6788 -prefMapHandle 6800 -prefsLen 32166 -prefMapSize 244583 -jsInitHandle 1368 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f396b5bb-43b7-482d-baaa-a89df957c294} 7000 "\\.\pipe\gecko-crash-server-pipe.7000" 1fdb9e85150 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll

Add for printing

Total events

34 941

Read events

34 897

Write events

Delete events

Modification events


(PID) Process:	(7000) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0
(PID) Process:	(7324) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(7324) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(7324) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(7324) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Downloads\S3tup l№staLL3R.zip
(PID) Process:	(7324) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(7324) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(7324) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(7324) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(7412) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0

Add for printing

Executable files

Suspicious files

245

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7000	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin		—
		MD5:—	SHA256:—
7000	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.bin		binary
		MD5:297E88D7CEB26E549254EC875649F4EB	SHA256:8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702
7000	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.js		text
		MD5:3BA86FB4777FE23ACDD6DABACA21EBDC	SHA256:1767575FE68D2AC71567AEFF47416A800D86A34D423E568935F47A82737DCF8D
7000	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite		—
		MD5:—	SHA256:—
7000	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\protections.sqlite-journal		binary
		MD5:D4E6F8ED00E5CBB232D91A79CEE6CECA	SHA256:783B0A75BC5B470407A91F4C22A7C2E466D72156BF7A10EF8FCBEF97D3830EA3
7000	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\SiteSecurityServiceState.bin		binary
		MD5:0DE7863814B22CF03A355448B0C45936	SHA256:84AF2FD5C800C1AB44B962EFBC158DFA8B65C141408AC63257100D52E983CD8F
7000	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs.js		text
		MD5:3BA86FB4777FE23ACDD6DABACA21EBDC	SHA256:1767575FE68D2AC71567AEFF47416A800D86A34D423E568935F47A82737DCF8D
7000	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal		binary
		MD5:72B69DD7F98495770B40F2557BA8FB93	SHA256:17AA753DA483C1BFA3A0F857901E99680FE81EB70925C5F29572567A06495F21
7000	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cert9.db		binary
		MD5:2E73AB517E4BDCD950D502CFB7CAA194	SHA256:838C8E4EB67CB6B385425CBAAD5D5830B7941AE5818911874FACA88E9033A322
7000	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmp		binary
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

216

DNS requests

244

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7000	firefox.exe	POST	200	192.229.221.95:80	http://ocsp.digicert.com/	unknown	—	—	unknown
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	unknown
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	unknown
7000	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	unknown
7000	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	unknown	—	—	unknown
7000	firefox.exe	POST	200	142.250.186.35:80	http://o.pki.goog/wr2	unknown	—	—	unknown
7000	firefox.exe	POST	—	184.24.77.62:80	http://r11.o.lencr.org/	unknown	—	—	unknown
7000	firefox.exe	POST	200	184.24.77.48:80	http://r10.o.lencr.org/	unknown	—	—	unknown
7000	firefox.exe	POST	200	184.24.77.48:80	http://r10.o.lencr.org/	unknown	—	—	unknown
7000	firefox.exe	POST	200	184.24.77.48:80	http://r10.o.lencr.org/	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	unknown
5064	SearchApp.exe	104.126.37.131:443	www.bing.com	Akamai International B.V.	DE	unknown
1176	svchost.exe	40.126.31.67:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5064	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	unknown
1176	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	unknown
7000	firefox.exe	104.26.13.87:443	www.ittf.com	CLOUDFLARENET	US	unknown
7000	firefox.exe	34.107.221.82:80	detectportal.firefox.com	GOOGLE	US	unknown
7000	firefox.exe	216.58.206.42:443	safebrowsing.googleapis.com	—	—	unknown
7000	firefox.exe	34.117.188.166:443	contile.services.mozilla.com	—	—	unknown
7000	firefox.exe	184.24.77.52:80	r11.o.lencr.org	Akamai International B.V.	DE	unknown

DNS requests

Domain	IP	Reputation
www.bing.com	104.126.37.131 104.126.37.139 104.126.37.145 104.126.37.130 104.126.37.144 104.126.37.123 104.126.37.128 104.126.37.137 104.126.37.136	unknown
login.live.com	40.126.31.67 20.190.159.64 20.190.159.73 20.190.159.75 40.126.31.69 40.126.31.71 20.190.159.0 20.190.159.2	unknown
ocsp.digicert.com	192.229.221.95	unknown
detectportal.firefox.com	34.107.221.82	unknown
www.ittf.com	104.26.13.87 104.26.12.87 172.67.71.67 2606:4700:20::681a:c57 2606:4700:20::681a:d57 2606:4700:20::ac43:4743	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	unknown
contile.services.mozilla.com	34.117.188.166	unknown
ipv4only.arpa	192.0.0.171 192.0.0.170	unknown
example.org	93.184.215.14	unknown
spocs.getpocket.com	34.117.188.166	unknown

Threats

PID	Process	Class	Message
2192	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
2192	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
2192	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
2192	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
2192	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
7000	firefox.exe	Misc activity	ET INFO File Sharing Domain Observed in TLS SNI (mega .nz)
2192	svchost.exe	Misc activity	ET INFO File Sharing Related Domain in DNS Lookup (mega .nz)
2192	svchost.exe	Misc activity	ET INFO File Sharing Related Domain in DNS Lookup (mega .nz)
2192	svchost.exe	Misc activity	ET INFO File Sharing Related Domain in DNS Lookup (mega .nz)

4 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

https://www.ittf.com/windows-10-activator/

4B42A992F6783C38BE41FAB7C17BFA39

F0B901C2ACB77242681BE3781080968161FF0559

9C9080D4C49D55FC4C4B557E79291B149A4A6808A22BB0C28C3EEC2084192364

3:N8DSLqBEGqW:2OLmvD

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

HIJACKLOADER has been detected (YARA)

SUSPICIOUS

Application launched itself

Process drops legitimate windows executable

Executable content was dropped or overwritten

Executes application which crashes

Starts application with an unusual extension

INFO

Executable content was dropped or overwritten

Application launched itself

Manual execution by a user

Reads the computer name

Reads security settings of Internet Explorer

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings