URL:

https://www.mediafire.com/file/xk544eq3xx9hx06/I_D_M_6.42_Build_33.tar/file

Full analysis: https://app.any.run/tasks/cc28d7ef-e607-4a52-81de-21c45ef65e06
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 12:22:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
advancedinstaller
arch-scr
phishing
purecrypter
lumma
stealer
Indicators:
MD5:

9E3D6B8F641E2F72D4E6E306F41ECD2A

SHA1:

892F168F5F9FC1A96C7D7D50E381D8A88877C976

SHA256:

D22C686864CB284482032453D9668FC16E3B301809D5FD5348F2FC04B0E9BD30

SSDEEP:

3:N8DSLw3eGUoR3AlSuh6nxqQIcREXKDIA:2OLw3eGFNXIgEPA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • IDM1.tmp (PID: 7332)
      • IDMan.exe (PID: 5172)
      • Uninstall.exe (PID: 7752)

    • Starts NET.EXE for service management

      • Uninstall.exe (PID: 7752)
      • net.exe (PID: 8236)

    • Changes powershell execution policy (Bypass)

      • msiexec.exe (PID: 8432)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 8468)
      • powershell.exe (PID: 8288)
      • powershell.exe (PID: 8536)
      • powershell.exe (PID: 9132)
      • powershell.exe (PID: 7820)
      • powershell.exe (PID: 8256)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 8288)
      • powershell.exe (PID: 7820)
      • powershell.exe (PID: 8536)
      • powershell.exe (PID: 9132)
      • powershell.exe (PID: 8256)

    • PHISHING has been detected (SURICATA)

      • svchost.exe (PID: 2196)

    • PURECRYPTER has been detected (SURICATA)

      • RegAsm.exe (PID: 1912)
      • MSBuild.exe (PID: 8276)

    • LUMMA has been detected (SURICATA)

      • chrome.exe (PID: 7208)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • Internet Download Manager 6.42 Build 33.exe (PID: 6540)

    • Executable content was dropped or overwritten

      • Internet Download Manager 6.42 Build 33.exe (PID: 6540)
      • IDMan.exe (PID: 5172)
      • rundll32.exe (PID: 1128)
      • drvinst.exe (PID: 3124)
      • powershell.exe (PID: 8468)
      • VC_redist.x64.exe (PID: 8732)
      • VC_redist.x86.exe (PID: 9204)
      • dotNetFx46_Full_setup.exe (PID: 2104)
      • gkonkh.exe (PID: 8980)
      • Value.exe (PID: 8748)
      • RegAsm.exe (PID: 1912)
      • CanReuseTransform.exe (PID: 8912)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6940)
      • cmd.exe (PID: 7732)

    • Starts application with an unusual extension

      • S.exe (PID: 7084)

    • Starts CMD.EXE for commands execution

      • Internet Download Manager 6.42 Build 33.exe (PID: 6540)
      • cmd.exe (PID: 8792)
      • cmd.exe (PID: 8840)

    • Executing commands from a ".bat" file

      • Internet Download Manager 6.42 Build 33.exe (PID: 6540)
      • cmd.exe (PID: 8840)
      • cmd.exe (PID: 8792)

    • Uses RUNDLL32.EXE to load library

      • Uninstall.exe (PID: 7752)

    • There is functionality for taking screenshot (YARA)

      • Internet Download Manager 6.42 Build 33.exe (PID: 6540)
      • VC_redist.x64.exe (PID: 8732)

    • Drops a system driver (possible attempt to evade defenses)

      • rundll32.exe (PID: 1128)
      • drvinst.exe (PID: 3124)

    • Detects AdvancedInstaller (YARA)

      • Internet Download Manager 6.42 Build 33.exe (PID: 6540)
      • msiexec.exe (PID: 7516)
      • msiexec.exe (PID: 7560)

    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 8432)

    • The process hide an interactive prompt from the user

      • msiexec.exe (PID: 8432)

    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 8432)

    • The process executes Powershell scripts

      • msiexec.exe (PID: 8432)

    • Application launched itself

      • cmd.exe (PID: 8792)
      • cmd.exe (PID: 8840)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 8792)
      • cmd.exe (PID: 8840)

    • The process executes via Task Scheduler

      • powershell.exe (PID: 8288)
      • powershell.exe (PID: 7820)
      • Value.exe (PID: 8748)
      • powershell.exe (PID: 8536)
      • Value.exe (PID: 4812)
      • CanReuseTransform.exe (PID: 8912)
      • powershell.exe (PID: 9132)
      • powershell.exe (PID: 8256)
      • CanReuseTransform.exe (PID: 6980)

    • Connects to unusual port

      • RegAsm.exe (PID: 1912)
      • MSBuild.exe (PID: 8276)

    • Contacting a server suspected of hosting an CnC

      • RegAsm.exe (PID: 1912)
      • MSBuild.exe (PID: 8276)
      • chrome.exe (PID: 7208)

  • INFO

    • Manual execution by a user

      • Internet Download Manager 6.42 Build 33.exe (PID: 6404)
      • WinRAR.exe (PID: 5176)
      • Internet Download Manager 6.42 Build 33.exe (PID: 6540)

    • Application launched itself

      • firefox.exe (PID: 300)
      • firefox.exe (PID: 2140)
      • chrome.exe (PID: 7288)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5176)
      • msiexec.exe (PID: 7516)

    • The sample compiled with english language support

      • WinRAR.exe (PID: 5176)
      • Internet Download Manager 6.42 Build 33.exe (PID: 6540)
      • msiexec.exe (PID: 7516)
      • drvinst.exe (PID: 3124)
      • rundll32.exe (PID: 1128)
      • IDMan.exe (PID: 5172)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
295
Monitored processes
156
Malicious processes
11
Suspicious processes
10

Behavior graph

Click at the process to see the details
start firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs sppextcomobj.exe no specs slui.exe firefox.exe no specs #PHISHING svchost.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs rundll32.exe no specs winrar.exe internet download manager 6.42 build 33.exe no specs internet download manager 6.42 build 33.exe msiexec.exe slui.exe msiexec.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs s.exe no specs idm1.tmp no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs idmbroker.exe no specs regsvr32.exe no specs idman.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs uninstall.exe no specs rundll32.exe drvinst.exe drvinst.exe no specs runonce.exe no specs grpconv.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs regsvr32.exe no specs regsvr32.exe no specs msiexec.exe no specs powershell.exe conhost.exe no specs vc_redist.x64.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs attrib.exe no specs attrib.exe no specs cmd.exe no specs cmd.exe no specs attrib.exe no specs cmd.exe no specs cmd.exe no specs info.exe conhost.exe no specs vc_redist.x86.exe powershell.exe no specs conhost.exe no specs dotnetfx46_full_setup.exe powershell.exe no specs conhost.exe no specs value.exe powershell.exe no specs conhost.exe no specs value.exe no specs #PURECRYPTER regasm.exe canreusetransform.exe gkonkh.exe info.exe conhost.exe no specs vc_redist.x86.exe no specs powershell.exe no specs conhost.exe no specs dotnetfx46_full_setup.exe no specs #PURECRYPTER msbuild.exe chrome.exe chrome.exe no specs powershell.exe no specs conhost.exe no specs canreusetransform.exe no specs #LUMMA chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
300"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.mediafire.com/file/xk544eq3xx9hx06/I_D_M_6.42_Build_33.tar/file"C:\Program Files\Mozilla Firefox\firefox.exeexplorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\windows\system32\bcrypt.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
632"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --user-data-dir="C:\WINDOWS\system32\config\systemprofile\AppData\Local\Google\Chrome\dpjek" --no-appcompat-clear --mojo-platform-channel-handle=5008 --field-trial-handle=2132,i,1066321931116406911,14265469585694630929,262144 --variations-seed-version /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
680"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --user-data-dir="C:\WINDOWS\system32\config\systemprofile\AppData\Local\Google\Chrome\dpjek" --no-appcompat-clear --mojo-platform-channel-handle=6248 --field-trial-handle=2132,i,1066321931116406911,14265469585694630929,262144 --variations-seed-version /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
840"C:\Windows\System32\grpconv.exe" -oC:\Windows\System32\grpconv.exerunonce.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Progman Group Converter
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\grpconv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
928"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --user-data-dir="C:\WINDOWS\system32\config\systemprofile\AppData\Local\Google\Chrome\dpjek" --no-appcompat-clear --mojo-platform-channel-handle=4568 --field-trial-handle=2132,i,1066321931116406911,14265469585694630929,262144 --variations-seed-version /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
976"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"C:\Windows\SysWOW64\regsvr32.exeIDMan.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
1128"C:\WINDOWS\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Internet Download Manager\idmwfp.infC:\Windows\System32\rundll32.exe
Uninstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
1676"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\WINDOWS\system32\config\systemprofile\AppData\Local\Google\Chrome\dpjek" --no-appcompat-clear --autoplay-policy=no-user-gesture-required --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5864 --field-trial-handle=2132,i,1066321931116406911,14265469585694630929,262144 --variations-seed-version /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Value.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft .NET Assembly Registration Utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2040"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6256 -childID 10 -isForBrowser -prefsHandle 6316 -prefMapHandle 6312 -prefsLen 31324 -prefMapSize 244583 -jsInitHandle 1400 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66009f9a-cf61-4bc3-8d07-a7be4b62b60a} 2140 "\\.\pipe\gecko-crash-server-pipe.2140" 2458da8e4d0 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
Total events
86 325
Read events
85 547
Write events
606
Delete events
172

Modification events

(PID) Process:(2140) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process:(5176) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:15
Value:
(PID) Process:(5176) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:14
Value:
(PID) Process:(5176) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:13
Value:
(PID) Process:(5176) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:12
Value:
(PID) Process:(5176) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:11
Value:
(PID) Process:(5176) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:10
Value:
(PID) Process:(5176) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:9
Value:
(PID) Process:(5176) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:8
Value:
(PID) Process:(5176) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:7
Value:
Executable files
51
Suspicious files
740
Text files
214
Unknown types
11

Dropped files

PID
Process
Filename
Type
2140firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
MD5:
SHA256:
2140firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-child-current.binbinary
MD5:C95DDC2B1A525D1A243E4C294DA2F326
SHA256:3A5919E086BFB31E36110CF636D2D5109EB51F2C410B107F126126AB25D67363
2140firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2140firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2140firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmpbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
2140firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:
2140firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.jsonbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
2140firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs.jstext
MD5:A83B738A2425630C9C7EC6790FF6A668
SHA256:9C14FB8F0BBCCA1CF3C10FA0E2A4A06FACFCE4CFA6362E608B0C9448D58A0C69
2140firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\SiteSecurityServiceState.binbinary
MD5:4D6BEE777EF94ED622897C0C6B9EC0AF
SHA256:AA07E227121171B851F7202696A0C00ACB3390A7B8FC222EC81D44FAAD5B9F2C
2140firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.jstext
MD5:A83B738A2425630C9C7EC6790FF6A668
SHA256:9C14FB8F0BBCCA1CF3C10FA0E2A4A06FACFCE4CFA6362E608B0C9448D58A0C69
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
82
TCP/UDP connections
331
DNS requests
387
Threats
27

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2140
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
2140
firefox.exe
POST
200
2.16.168.117:80
http://r11.o.lencr.org/
unknown
whitelisted
2140
firefox.exe
POST
200
95.101.54.107:80
http://r10.o.lencr.org/
unknown
whitelisted
2140
firefox.exe
POST
200
142.250.186.131:80
http://o.pki.goog/we2
unknown
whitelisted
2140
firefox.exe
POST
142.250.186.131:80
http://o.pki.goog/we2
unknown
whitelisted
2140
firefox.exe
POST
200
2.16.168.117:80
http://r11.o.lencr.org/
unknown
whitelisted
2140
firefox.exe
POST
200
142.250.186.131:80
http://o.pki.goog/s/wr3/FIY
unknown
whitelisted
2140
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
2104
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2140
firefox.exe
34.36.137.203:443
contile.services.mozilla.com
whitelisted
2140
firefox.exe
104.17.151.117:443
www.mediafire.com
CLOUDFLARENET
whitelisted
2140
firefox.exe
142.250.186.106:443
safebrowsing.googleapis.com
whitelisted
2140
firefox.exe
34.107.243.93:443
push.services.mozilla.com
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.16.253.202
whitelisted
google.com
  • 142.250.184.238
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
www.mediafire.com
  • 104.17.151.117
  • 104.17.150.117
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
contile.services.mozilla.com
  • 34.36.137.203
whitelisted
content-signature-2.cdn.mozilla.net
  • 34.160.144.191
whitelisted
prod.content-signature-chains.prod.webservices.mozgcp.net
  • 34.160.144.191
  • 2600:1901:0:92a9::
whitelisted
spocs.getpocket.com
  • 34.36.137.203
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
2196
svchost.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
2196
svchost.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
2196
svchost.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
8468
powershell.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.crabdance .com Domain
Process
Message
chrome.exe
RecursiveDirectoryCreate( C:\WINDOWS\system32\config\systemprofile\AppData\Local directory exists )
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.mediafire.com/file/xk544eq3xx9hx06/I_D_M_6.42_Build_33.tar/file