URL: | https://google.com |
Full analysis: | https://app.any.run/tasks/eb472915-0c63-4b4a-8017-294f9834e87f |
Verdict: | Malicious activity |
Analysis date: | June 27, 2022, 13:16:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | 99999EBCFDB78DF077AD2727FD00969F |
SHA1: | 72FE95C5576EC634E214814A32AB785568EDA76A |
SHA256: | 05046F26C83E8C88B3DDAB2EAB63D0D16224AC1E564535FC75CDCEEE47A0938D |
SSDEEP: | 3:N8r3uK:2LuK |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2956 | "C:\Program Files\Mozilla Firefox\firefox.exe" "https://google.com" | C:\Program Files\Mozilla Firefox\firefox.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
3520 | "C:\Program Files\Mozilla Firefox\firefox.exe" https://google.com | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 83.0 Modules
| |||||||||||||||
3896 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.0.232687424\1483323877" -parentBuildID 20201112153044 -prefsHandle 1132 -prefMapHandle 1124 -prefsLen 1 -prefMapSize 238726 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 1204 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 83.0 Modules
| |||||||||||||||
764 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.6.425091645\1377318254" -childID 1 -isForBrowser -prefsHandle 2472 -prefMapHandle 2468 -prefsLen 245 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 2484 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 Modules
| |||||||||||||||
964 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.13.1085392750\967144435" -childID 2 -isForBrowser -prefsHandle 2972 -prefMapHandle 2900 -prefsLen 6644 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 3000 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 Modules
| |||||||||||||||
4084 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.20.1449792688\2117520863" -childID 3 -isForBrowser -prefsHandle 3412 -prefMapHandle 3416 -prefsLen 7307 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 3448 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 Modules
| |||||||||||||||
3220 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.27.11491376\1342522651" -childID 4 -isForBrowser -prefsHandle 2352 -prefMapHandle 2388 -prefsLen 7307 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 3668 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 Modules
| |||||||||||||||
1616 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3520.34.1015316670\987338004" -childID 5 -isForBrowser -prefsHandle 1612 -prefMapHandle 4020 -prefsLen 9514 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3520 "\\.\pipe\gecko-crash-server-pipe.3520" 1436 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 Modules
| |||||||||||||||
2232 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | Explorer.EXE | ||||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 86.0.4240.198 Modules
| |||||||||||||||
1360 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=86.0.4240.198 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x6ec7d988,0x6ec7d998,0x6ec7d9a4 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 86.0.4240.198 Modules
|
(PID) Process: | (2956) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Launcher |
Value: 835C23229F000000 | |||
(PID) Process: | (3520) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Browser |
Value: 4F6723229F000000 | |||
(PID) Process: | (3520) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry |
Value: 0 | |||
(PID) Process: | (3520) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\DllPrefetchExperiment |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe |
Value: 0 | |||
(PID) Process: | (3520) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox|DisableTelemetry |
Value: 1 | |||
(PID) Process: | (3520) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox|DisableDefaultBrowserAgent |
Value: 0 | |||
(PID) Process: | (3520) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox|ServicesSettingsServer |
Value: https://firefox.settings.services.mozilla.com/v1 | |||
(PID) Process: | (3520) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox|SecurityContentSignatureRootHash |
Value: 97:E8:BA:9C:F1:2F:B3:DE:53:CC:42:A4:E6:57:7E:D6:4D:F4:93:C2:47:B4:14:FE:A0:36:81:8D:38:23:56:0E | |||
(PID) Process: | (3520) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (3520) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3520 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | |
MD5:— | SHA256:— | |||
3520 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal | binary | |
MD5:6AE91BDB711E9031D2521914876877D4 | SHA256:6514AF8536F418B514F925CC1C026E51088D1DB10A5CF198CBC2065C88B12B52 | |||
3520 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore-backups\recovery.jsonlz4.tmp | jsonlz4 | |
MD5:DF4F2600C112BFDED6B6602A226AF539 | SHA256:13C0244D835A1DEF73287B474AA6613F4C4699D6C2B74A29E9A3607B7829D6C0 | |||
3520 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite | — | |
MD5:— | SHA256:— | |||
3520 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
3520 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4 | jsonlz4 | |
MD5:B17F8D93B0C43D6B72DC03752C20A2D9 | SHA256:ADA0F70D374223FB63C2F19471FAB45D986A681E2485692E63F00F5071F19D76 | |||
3520 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
3520 | firefox.exe | C:\Users\admin\AppData\Local\Temp\mz_etilqs_Jvvfg2bovfVzggQ | binary | |
MD5:40DFDFC76462532A8BD3BD9B02A4BF10 | SHA256:FF03DC1366247F880E380069461C4AE925070CD8843E3DFA69B147BB375AE4EA | |||
3520 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | binary | |
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A | SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA | |||
3520 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\addonStartup.json.lz4 | jsonlz4 | |
MD5:01DAE35763819EE4C2BD72553B33C337 | SHA256:674E499CCF7E955DEFFEB21B94C092DE0A8EA1DD308C426DCF04BC84DBDFA377 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2640 | chrome.exe | GET | 204 | 142.250.185.227:80 | http://www.gstatic.com/generate_204 | US | — | — | whitelisted |
— | — | HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3 | US | — | — | whitelisted |
— | — | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3 | US | binary | 9.70 Kb | whitelisted |
2640 | chrome.exe | GET | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | crx | 242 Kb | whitelisted |
3520 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt | US | text | 8 b | whitelisted |
3520 | firefox.exe | GET | 302 | 142.250.186.100:80 | http://www.google.com/ | US | html | 231 b | whitelisted |
2640 | chrome.exe | GET | 200 | 178.79.242.128:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?097c20e6847383ea | DE | compressed | 60.0 Kb | whitelisted |
3520 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3520 | firefox.exe | POST | 200 | 142.250.185.67:80 | http://ocsp.pki.goog/gts1c3 | US | der | 471 b | whitelisted |
3520 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt | US | text | 8 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3520 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | — | US | whitelisted |
3520 | firefox.exe | 142.250.185.67:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
3520 | firefox.exe | 142.250.186.74:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
3520 | firefox.exe | 172.217.16.206:443 | google.com | Google Inc. | US | whitelisted |
3520 | firefox.exe | 34.209.127.219:443 | location.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3520 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3520 | firefox.exe | 143.204.89.103:443 | firefox.settings.services.mozilla.com | — | US | unknown |
3520 | firefox.exe | 143.204.89.36:443 | content-signature-2.cdn.mozilla.net | — | US | unknown |
3520 | firefox.exe | 143.204.89.60:443 | firefox-settings-attachments.cdn.mozilla.net | — | US | suspicious |
3520 | firefox.exe | 34.215.40.77:443 | push.services.mozilla.com | Amazon.com, Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
detectportal.firefox.com |
| whitelisted |
google.com |
| whitelisted |
prod.detectportal.prod.cloudops.mozgcp.net |
| whitelisted |
firefox.settings.services.mozilla.com |
| whitelisted |
location.services.mozilla.com |
| whitelisted |
locprod2-elb-us-west-2.prod.mozaws.net |
| whitelisted |
safebrowsing.googleapis.com |
| whitelisted |
push.services.mozilla.com |
| whitelisted |
autopush.prod.mozaws.net |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3520 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
3520 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
3520 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
— | — | Potential Corporate Privacy Violation | ET POLICY DNS Query to .onion proxy Domain (onion . ly) |
2640 | chrome.exe | Potential Corporate Privacy Violation | ET POLICY .onion.ly Proxy domain in SNI |
2640 | chrome.exe | Potentially Bad Traffic | ET INFO Observed ZeroSSL SSL/TLS Certificate |
2640 | chrome.exe | Potential Corporate Privacy Violation | ET POLICY .onion.ly Proxy domain in SNI |
— | — | Potential Corporate Privacy Violation | ET POLICY DNS Query to .onion proxy domain (onion .ws) |
2640 | chrome.exe | Potential Corporate Privacy Violation | ET POLICY Observed SSL Cert (Tor Proxy Domain (.onion. ws)) |
2640 | chrome.exe | Potential Corporate Privacy Violation | ET POLICY Observed SSL Cert (Tor Proxy Domain (.onion. ws)) |