URL:

https://mega.nz/#!Ylpj3LYY!yC5N06zT2Wxl3CnHbgtsA5-3Fp3rDKN5VTCu-J8M8dA

Full analysis: https://app.any.run/tasks/7de729a5-7fe4-42ad-b008-b67ee0d12473
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: March 02, 2019, 21:36:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
wannacry
wannacryptor
Indicators:
MD5:

C156DBE1A3F718A4DC4BC9832D9096F5

SHA1:

DAF76B7A537D3A18A13838A7B902C469BC10D768

SHA256:

008D896691ADD86B5A9731D699BB2257B9FB0DAE1AA57A55B4DBE7C9DE0E73F4

SSDEEP:

3:N8X/iGEYVuSVcOdYrWZlW3kwDk:299pdvuUwDk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

    • Dropped file may contain instructions of ransomware

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)

    • Writes file to Word startup folder

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)

    • Modifies files in Chrome extension folder

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)

    • WannaCry Ransomware was detected

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
      • cmd.exe (PID: 3816)

    • Loads dropped or rewritten executable

      • taskhsvc.exe (PID: 2976)
      • SearchProtocolHost.exe (PID: 3928)

    • Deletes shadow copies

      • cmd.exe (PID: 3028)

    • Actions looks like stealing of personal data

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
      • drpbx.exe (PID: 2164)

    • Changes the autorun value in the registry

      • reg.exe (PID: 1520)
      • jigsaw.exe (PID: 3412)

    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 3028)

    • Loads the Task Scheduler COM API

      • wbengine.exe (PID: 1936)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2084)
      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
      • @[email protected] (PID: 3636)
      • jigsaw.exe (PID: 3412)

    • Uses ATTRIB.EXE to modify file attributes

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)

    • Uses ICACLS.EXE to modify access control list

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)

    • Starts CMD.EXE for commands execution

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
      • @[email protected] (PID: 2272)

    • Creates files like Ransomware instruction

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
      • drpbx.exe (PID: 2164)

    • Creates files in the program directory

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
      • drpbx.exe (PID: 2164)

    • Creates files in the user directory

      • taskhsvc.exe (PID: 2976)
      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
      • jigsaw.exe (PID: 3412)
      • drpbx.exe (PID: 2164)

    • Connects to unusual port

      • taskhsvc.exe (PID: 2976)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3500)

    • Creates files in the Windows directory

      • wbadmin.exe (PID: 2700)

    • Low-level read access rights to disk partition

      • wbengine.exe (PID: 1936)
      • vds.exe (PID: 1932)

    • Starts itself from another location

      • jigsaw.exe (PID: 3412)

  • INFO

    • Reads CPU info

      • firefox.exe (PID: 2844)
      • firefox.exe (PID: 2408)
      • firefox.exe (PID: 3244)
      • firefox.exe (PID: 3832)
      • firefox.exe (PID: 2980)
      • firefox.exe (PID: 3572)

    • Application launched itself

      • firefox.exe (PID: 2844)

    • Dropped object may contain Bitcoin addresses

      • firefox.exe (PID: 2844)
      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
      • taskhsvc.exe (PID: 2976)
      • drpbx.exe (PID: 2164)

    • Dropped object may contain TOR URL's

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)

    • Dropped object may contain URL to Tor Browser

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)

    • Creates files in the user directory

      • firefox.exe (PID: 2844)

    • Reads settings of System Certificates

      • firefox.exe (PID: 2844)

    • Modifies the open verb of a shell class

      • rundll32.exe (PID: 1920)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
103
Monitored processes
47
Malicious processes
8
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start firefox.exe firefox.exe firefox.exe firefox.exe firefox.exe firefox.exe winrar.exe #WANNACRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe attrib.exe no specs icacls.exe no specs taskdl.exe no specs cmd.exe no specs @[email protected] #WANNACRY cmd.exe no specs @[email protected] no specs taskhsvc.exe searchprotocolhost.exe no specs cmd.exe vssadmin.exe no specs vssvc.exe no specs taskdl.exe no specs @[email protected] no specs cmd.exe no specs reg.exe wmic.exe no specs bcdedit.exe no specs bcdedit.exe no specs wbadmin.exe no specs wbengine.exe no specs vdsldr.exe no specs vds.exe no specs taskdl.exe no specs @[email protected] no specs taskdl.exe no specs @[email protected] no specs winrar.exe no specs jigsaw.exe drpbx.exe taskdl.exe no specs @[email protected] no specs rundll32.exe no specs notepad.exe no specs taskdl.exe no specs @[email protected] no specs notepad.exe no specs taskdl.exe no specs @[email protected] no specs

Process information

PID
CMD
Path
Indicators
Parent process
232taskdl.exeC:\Users\admin\Desktop\taskdl.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
SQL Client Configuration Utility EXE
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\users\admin\desktop\taskdl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp60.dll
c:\windows\system32\msvcrt.dll
280vssadmin delete shadows /all /quiet C:\Windows\system32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
312icacls . /grant Everyone:F /T /C /QC:\Windows\system32\icacls.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\icacls.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
504bcdedit /set {default} recoveryenabled no C:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1288bcdedit /set {default} bootstatuspolicy ignoreallfailures C:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1348"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\@[email protected]C:\Windows\system32\NOTEPAD.EXErundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1520reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "yyibsxxiapw107" /t REG_SZ /d "\"C:\Users\admin\Desktop\tasksche.exe\"" /fC:\Windows\system32\reg.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1668C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1920"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\@[email protected]C:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msvcp60.dll
c:\windows\system32\kernel32.dll
c:\users\admin\desktop\taskdl.exe
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1920taskdl.exeC:\Users\admin\Desktop\taskdl.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
SQL Client Configuration Utility EXE
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\users\admin\desktop\taskdl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp60.dll
c:\windows\system32\msvcrt.dll
Total events
3 560
Read events
3 392
Write events
168
Delete events
0

Modification events

(PID) Process:(2844) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2844) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2844) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2844) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2844) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithProgids
Operation:writeName:WinRAR.ZIP
Value:
(PID) Process:(2084) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2084) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2084) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2084) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Ransomware.WannaCry.zip
(PID) Process:(2084) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
Executable files
20
Suspicious files
889
Text files
580
Unknown types
169

Dropped files

PID
Process
Filename
Type
2844firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
MD5:
SHA256:
2844firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
MD5:
SHA256:
2844firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
MD5:
SHA256:
2844firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
MD5:
SHA256:
2844firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
MD5:
SHA256:
2844firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.binbinary
MD5:
SHA256:
2844firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.jstext
MD5:
SHA256:
2844firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db-journal
MD5:
SHA256:
2844firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-track-digest256.sbstorebinary
MD5:
SHA256:
2844firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flash-digest256.sbstorebinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
24
TCP/UDP connections
89
DNS requests
165
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2844
firefox.exe
POST
200
92.122.244.56:80
http://ocsp.int-x3.letsencrypt.org/
FR
der
527 b
whitelisted
2844
firefox.exe
POST
200
92.122.244.56:80
http://ocsp.int-x3.letsencrypt.org/
FR
der
527 b
whitelisted
2844
firefox.exe
POST
200
72.21.91.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2844
firefox.exe
POST
200
88.221.144.8:80
http://ocsp.comodoca.com/
IT
der
471 b
whitelisted
2844
firefox.exe
POST
200
72.21.91.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2844
firefox.exe
POST
200
72.21.91.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2844
firefox.exe
POST
200
72.21.91.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2844
firefox.exe
POST
200
172.217.168.227:80
http://ocsp.pki.goog/GTSGIAG3
US
der
463 b
whitelisted
2844
firefox.exe
POST
200
172.217.168.227:80
http://ocsp.pki.goog/GTSGIAG3
US
der
463 b
whitelisted
2844
firefox.exe
POST
200
88.221.144.8:80
http://ocsp.comodoca.com/
IT
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2844
firefox.exe
52.88.150.81:443
search.services.mozilla.com
Amazon.com, Inc.
US
unknown
2844
firefox.exe
89.44.169.135:443
mega.nz
Datacenter Luxembourg S.A.
LU
suspicious
2844
firefox.exe
52.25.70.97:443
tiles.services.mozilla.com
Amazon.com, Inc.
US
unknown
2844
firefox.exe
72.21.91.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2844
firefox.exe
89.44.169.132:443
eu.static.mega.co.nz
Datacenter Luxembourg S.A.
LU
suspicious
2844
firefox.exe
216.58.212.170:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
2844
firefox.exe
92.122.244.56:80
ocsp.int-x3.letsencrypt.org
GTT Communications Inc.
FR
unknown
2844
firefox.exe
88.221.144.128:80
detectportal.firefox.com
Akamai International B.V.
IT
whitelisted
2844
firefox.exe
31.216.147.133:443
g.api.mega.co.nz
Datacenter Luxembourg S.A.
LU
unknown
2844
firefox.exe
52.33.113.226:443
shavar.services.mozilla.com
Amazon.com, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
detectportal.firefox.com
  • 88.221.144.128
whitelisted
mega.nz
  • 89.44.169.135
whitelisted
search.services.mozilla.com
  • 52.88.150.81
whitelisted
ocsp.int-x3.letsencrypt.org
  • 92.122.244.56
whitelisted
tiles.services.mozilla.com
  • 52.25.70.97
whitelisted
ocsp.digicert.com
  • 72.21.91.29
whitelisted
safebrowsing.googleapis.com
  • 216.58.212.170
whitelisted
eu.static.mega.co.nz
  • 89.44.169.132
shared
ocsp.comodoca.com
  • 88.221.144.8
whitelisted
ocsp.pki.goog
  • 172.217.168.227
whitelisted

Threats

PID
Process
Class
Message
Misc Attack
ET TOR Known Tor Exit Node Traffic group 24
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 25
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 585
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 576
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 635
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://mega.nz/#!Ylpj3LYY!yC5N06zT2Wxl3CnHbgtsA5-3Fp3rDKN5VTCu-J8M8dA