File name:

Product list.exe

Full analysis: https://app.any.run/tasks/3ee593a7-6967-4676-bf1a-af36f9a60f51
Verdict: Malicious activity
Threats:

PureLogs is a stealer that collects a wide range of data from infected systems, including browser data, crypto wallets, PC configuration details, etc. It is delivered by PureCrypter, another malware that belongs to the Pure malware family. PureLogs is distributed based on a subscription model, allowing any threat actor to utilize it in their attacks.

Malware Trends Tracker     >>>
Analysis date: March 25, 2025, 00:47:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
auto
purelogs
stealer
telegram
exfiltration
autorun-download
advancedinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:

5FF5EE5D7C461D27B1F1785EDAD4C710

SHA1:

891459A18B55A55739916D35CB30745B478886DB

SHA256:

C8675A4A1D2C97F36CBA998D3404CAF5F08CD559356F3CC6D2004FB31A602E9D

SSDEEP:

98304:3CNXFFLQTrOO+eGV3nMDPfXlutBNy0bFX0BgYNVFb0yCmsPiWsFZSOwfVGQFGKKW:P4Gtih8aU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • STEALER has been found (auto)

      • Product list.exe (PID: 2560)

    • Steals credentials from Web Browsers

      • Product list.exe (PID: 2560)
      • Product list.exe (PID: 728)

    • Actions looks like stealing of personal data

      • Product list.exe (PID: 2560)
      • certutil.exe (PID: 5228)
      • HTTPDebuggerSvc.exe (PID: 7652)
      • Product list.exe (PID: 728)

    • Changes the autorun value in the registry

      • Product list.exe (PID: 2560)
      • Product list.exe (PID: 728)

  • SUSPICIOUS

    • Reads the BIOS version

      • Product list.exe (PID: 2560)
      • Product list.exe (PID: 728)

    • The process connected to a server suspected of theft

      • Product list.exe (PID: 2560)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Product list.exe (PID: 2560)
      • Product list.exe (PID: 728)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 4012)

    • Executes as Windows Service

      • VSSVC.exe (PID: 7844)
      • HTTPDebuggerSvc.exe (PID: 7652)

    • Detects AdvancedInstaller (YARA)

      • msiexec.exe (PID: 6208)
      • msiexec.exe (PID: 4012)

    • Reads security settings of Internet Explorer

      • ShellExperienceHost.exe (PID: 7452)
      • msiexec.exe (PID: 3156)
      • HTTPDebuggerUI.exe (PID: 3024)

    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 4012)
      • HTTPDebuggerSvc.exe (PID: 7652)

    • Creates/Modifies COM task schedule object

      • msiexec.exe (PID: 7944)

    • Executable content was dropped or overwritten

      • HTTPDebuggerSvc.exe (PID: 7652)

    • Creates files in the driver directory

      • HTTPDebuggerSvc.exe (PID: 7652)

    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 4012)

    • Reads Microsoft Outlook installation path

      • HTTPDebuggerUI.exe (PID: 3024)

    • Adds/modifies Windows certificates

      • HTTPDebuggerSvc.exe (PID: 7652)

    • Reads Internet Explorer settings

      • HTTPDebuggerUI.exe (PID: 3024)

  • INFO

    • Checks supported languages

      • Product list.exe (PID: 2560)
      • msiexec.exe (PID: 4012)
      • msiexec.exe (PID: 3884)
      • ShellExperienceHost.exe (PID: 7452)
      • HTTPDebuggerSvc.exe (PID: 7652)
      • HTTPDebuggerSvc.exe (PID: 5384)
      • msiexec.exe (PID: 3156)
      • HTTPDebuggerUI.exe (PID: 3024)
      • certutil.exe (PID: 5228)
      • Product list.exe (PID: 728)

    • Reads the computer name

      • Product list.exe (PID: 2560)
      • msiexec.exe (PID: 4012)
      • msiexec.exe (PID: 3884)
      • ShellExperienceHost.exe (PID: 7452)
      • msiexec.exe (PID: 3156)
      • HTTPDebuggerSvc.exe (PID: 7652)
      • HTTPDebuggerSvc.exe (PID: 5384)
      • certutil.exe (PID: 5228)
      • Product list.exe (PID: 728)
      • HTTPDebuggerUI.exe (PID: 3024)

    • Creates files or folders in the user directory

      • Product list.exe (PID: 2560)
      • explorer.exe (PID: 5492)
      • BackgroundTransferHost.exe (PID: 4112)
      • HTTPDebuggerUI.exe (PID: 3024)
      • Product list.exe (PID: 728)

    • Create files in a temporary directory

      • Product list.exe (PID: 2560)
      • Product list.exe (PID: 728)

    • Reads the machine GUID from the registry

      • Product list.exe (PID: 2560)
      • msiexec.exe (PID: 4012)
      • HTTPDebuggerSvc.exe (PID: 7652)
      • HTTPDebuggerSvc.exe (PID: 5384)
      • HTTPDebuggerUI.exe (PID: 3024)
      • Product list.exe (PID: 728)

    • Reads Environment values

      • Product list.exe (PID: 2560)
      • Product list.exe (PID: 728)

    • Disables trace logs

      • Product list.exe (PID: 2560)
      • Product list.exe (PID: 728)

    • Checks proxy server information

      • Product list.exe (PID: 2560)
      • BackgroundTransferHost.exe (PID: 4112)
      • explorer.exe (PID: 5492)
      • HTTPDebuggerUI.exe (PID: 3024)
      • slui.exe (PID: 5436)
      • Product list.exe (PID: 728)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5492)
      • BackgroundTransferHost.exe (PID: 7788)
      • BackgroundTransferHost.exe (PID: 4112)
      • BackgroundTransferHost.exe (PID: 7872)
      • BackgroundTransferHost.exe (PID: 7656)
      • BackgroundTransferHost.exe (PID: 7432)
      • msiexec.exe (PID: 6208)

    • Reads the software policy settings

      • Product list.exe (PID: 2560)
      • BackgroundTransferHost.exe (PID: 4112)
      • explorer.exe (PID: 5492)
      • msiexec.exe (PID: 6208)
      • msiexec.exe (PID: 4012)
      • slui.exe (PID: 4920)
      • HTTPDebuggerUI.exe (PID: 3024)
      • slui.exe (PID: 5436)
      • Product list.exe (PID: 728)

    • Manual execution by a user

      • firefox.exe (PID: 7872)

    • Application launched itself

      • firefox.exe (PID: 7872)
      • firefox.exe (PID: 7896)

    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 5492)

    • Autorun file from Downloads

      • firefox.exe (PID: 7896)

    • Manages system restore points

      • SrTasks.exe (PID: 872)

    • The sample compiled with english language support

      • msiexec.exe (PID: 4012)
      • msiexec.exe (PID: 6208)
      • HTTPDebuggerSvc.exe (PID: 7652)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4012)
      • msiexec.exe (PID: 6208)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 4012)

    • Process checks computer location settings

      • msiexec.exe (PID: 3156)

    • Local mutex for internet shortcut management

      • explorer.exe (PID: 5492)

    • Creates files in the program directory

      • HTTPDebuggerSvc.exe (PID: 7652)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:11:19 16:57:30+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware
PEType: PE32+
LinkerVersion: 48
CodeSize: 203776
InitializedDataSize: 1536
UninitializedDataSize: -
EntryPoint: 0x7a6058
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: Linq4you
FileVersion: 1.0.0.0
InternalName: Linq4me.exe
LegalCopyright: Copyright © 2011
LegalTrademarks: -
OriginalFileName: Linq4me.exe
ProductName: Linq4you
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
184
Monitored processes
42
Malicious processes
6
Suspicious processes
1

Behavior graph

Click at the process to see the details
start product list.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe backgroundtransferhost.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs backgroundtransferhost.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs explorer.exe msiexec.exe msiexec.exe msiexec.exe no specs vssvc.exe no specs slui.exe srtasks.exe no specs conhost.exe no specs msiexec.exe no specs shellexperiencehost.exe no specs msiexec.exe no specs httpdebuggersvc.exe httpdebuggersvc.exe no specs httpdebuggerui.exe certutil.exe rundll32.exe no specs product list.exe conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
664"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4996 -childID 3 -isForBrowser -prefsHandle 4988 -prefMapHandle 4984 -prefsLen 31251 -prefMapSize 244583 -jsInitHandle 1544 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83b21ad5-c9fa-45f9-a4f7-6defc608ed2a} 7896 "\\.\pipe\gecko-crash-server-pipe.7896" 279b8bfed90 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
728"C:\Users\admin\AppData\Local\Temp\Product list.exe" C:\Users\admin\AppData\Local\Temp\Product list.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Linq4you
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\product list.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
872C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11C:\Windows\System32\SrTasks.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2560"C:\Users\admin\AppData\Local\Temp\Product list.exe" C:\Users\admin\AppData\Local\Temp\Product list.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Linq4you
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\product list.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
3024"C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerUI.exe" C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerUI.exe
msiexec.exe
User:
admin
Company:
HttpDebugger.com
Integrity Level:
MEDIUM
Description:
HTTP Debugger
Version:
9.0.0.12
Modules
Images
c:\program files (x86)\httpdebuggerpro\httpdebuggerui.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\version.dll
3156C:\Windows\syswow64\MsiExec.exe -Embedding 5647269939F29AD1351CD486C74E9CE8 CC:\Windows\SysWOW64\msiexec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
3192"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6196 -childID 9 -isForBrowser -prefsHandle 5856 -prefMapHandle 5192 -prefsLen 31374 -prefMapSize 244583 -jsInitHandle 1544 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a24f03e-3bb4-4ff7-873d-4d636b12bc2c} 7896 "\\.\pipe\gecko-crash-server-pipe.7896" 279bd13f4d0 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp140.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
3240"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4368 -childID 2 -isForBrowser -prefsHandle 4304 -prefMapHandle 4360 -prefsLen 36588 -prefMapSize 244583 -jsInitHandle 1544 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88ca9068-c27e-4d1b-8542-e88698f47548} 7896 "\\.\pipe\gecko-crash-server-pipe.7896" 279b7d2d850 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
3884C:\Windows\syswow64\MsiExec.exe -Embedding 532B04BA51A37AF9CAF3993117B6FDBDC:\Windows\SysWOW64\msiexec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
4012C:\WINDOWS\system32\msiexec.exe /VC:\Windows\System32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
63 798
Read events
63 317
Write events
452
Delete events
29

Modification events

(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:writeName:CheckSetting
Value:
23004100430042006C006F00620000000000000000000000010000007000650072005D00
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:00000000000802DA
Operation:writeName:VirtualDesktop
Value:
1000000030304456BFA0DB55E4278845B426357D5B5F97B3
(PID) Process:(2560) Product list.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Product list_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2560) Product list.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Product list_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(2560) Product list.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Product list_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2560) Product list.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Product list_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(2560) Product list.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Product list_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(2560) Product list.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Product list_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2560) Product list.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Product list_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2560) Product list.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:AppName
Value:
C:\Users\admin\AppData\Local\Temp\Product list.exe
Executable files
28
Suspicious files
250
Text files
30
Unknown types
1

Dropped files

PID
Process
Filename
Type
7896firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
MD5:
SHA256:
7896firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.binbinary
MD5:297E88D7CEB26E549254EC875649F4EB
SHA256:8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702
7896firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmpbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
2560Product list.exeC:\Users\admin\AppData\Local\Temp\tmpD46A.tmp.datbinary
MD5:29A644B1F0D96166A05602FE27B3F4AD
SHA256:BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46
5492explorer.exeC:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datbinary
MD5:E49C56350AEDF784BFE00E444B879672
SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
2560Product list.exeC:\Users\admin\AppData\Local\Temp\tmpD42A.tmp.datbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
7896firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
7896firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-child-current.binbinary
MD5:C95DDC2B1A525D1A243E4C294DA2F326
SHA256:3A5919E086BFB31E36110CF636D2D5109EB51F2C410B107F126126AB25D67363
2560Product list.exeC:\Users\admin\AppData\Local\Temp\tmpD5A3.tmp.datbinary
MD5:0FF3BCDD0BE077B9EB8194B5C09F453C
SHA256:225D669E47EB14D8C969799C92AAEF27B66CD984872EA09284E48DB46521E651
2560Product list.exeC:\Users\admin\AppData\Local\Temp\tmpD5B4.tmp.datbinary
MD5:0FF3BCDD0BE077B9EB8194B5C09F453C
SHA256:225D669E47EB14D8C969799C92AAEF27B66CD984872EA09284E48DB46521E651
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
63
TCP/UDP connections
163
DNS requests
169
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
88.221.110.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7896
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
7896
firefox.exe
POST
142.250.185.99:80
http://o.pki.goog/s/wr3/UTA
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5164
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7896
firefox.exe
POST
200
142.250.185.99:80
http://o.pki.goog/s/wr3/cgo
unknown
whitelisted
7896
firefox.exe
POST
200
2.19.120.159:80
http://r11.o.lencr.org/
unknown
whitelisted
7896
firefox.exe
POST
200
2.16.202.121:80
http://r10.o.lencr.org/
unknown
whitelisted
7896
firefox.exe
POST
200
2.16.202.121:80
http://r10.o.lencr.org/
unknown
whitelisted
7896
firefox.exe
POST
200
2.16.202.121:80
http://r10.o.lencr.org/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
88.221.110.114:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6544
svchost.exe
20.190.159.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
5496
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
20.198.162.78:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
SG
whitelisted
2560
Product list.exe
149.154.167.220:443
api.telegram.org
Telegram Messenger Inc
GB
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5164
backgroundTaskHost.exe
20.31.169.57:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 88.221.110.114
  • 88.221.110.122
whitelisted
login.live.com
  • 20.190.159.128
  • 40.126.31.73
  • 20.190.159.131
  • 20.190.159.4
  • 40.126.31.67
  • 40.126.31.3
  • 20.190.159.73
  • 40.126.31.129
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 184.30.131.245
whitelisted
client.wns.windows.com
  • 20.198.162.78
  • 40.113.110.67
whitelisted
api.telegram.org
  • 149.154.167.220
whitelisted
arc.msn.com
  • 20.31.169.57
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
2560
Product list.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
2560
Product list.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
2560
Product list.exe
Successful Credential Theft Detected
STEALER [ANY.RUN] Attempt to exfiltrate via Telegram
728
Product list.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
728
Product list.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Product list.exe