URL: http://165.227.121.41/a.txt

Full analysis: https://app.any.run/tasks/18a2da8c-09a0-4d0f-86d0-dde7e7236ba8
Verdict: Malicious activity
Analysis date: September 24, 2024, 15:50:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: evasion
Indicators:
MD5: 2340314883A7202ADFD907ABD5FF9E5E
SHA1: 2BC83754CB063F3CFF1E94E632BD62B36DBBD178
SHA256: 160C41622083B2FF21687A3EFD9DC0AF85B63A7E03013C929B5EEA9395394EFA
SSDEEP: 3:N1KreXXLT:CiXbT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS: No malicious indicators.
  • SUSPICIOUS
    • Potential Corporate Privacy Violation: firefox.exe (PID: 1128), svchost.exe (PID: 2256)
    • Checks for external IP: svchost.exe (PID: 2256)
  • INFO
    • Application launched itself: firefox.exe (PID: 4444), firefox.exe (PID: 1128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 185
Monitored processes: 55
Malicious processes: 1
Suspicious processes: 1

Behavior graph (interactive in the full report): start, firefox.exe (parent and many content processes), sppextcomobj.exe, slui.exe, svchost.exe

Process information (fields: PID, CMD, Path, Indicators, Parent process)

PID: 1020
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2208 -parentBuildID 20240213221259 -prefsHandle 2200 -prefMapHandle 2196 -prefsLen 30537 -prefMapSize 244343 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6881194a-d9ac-4b2e-b774-42c16487352d} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" 21cdd981510 socket
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 123.0
Modules (images): c:\program files\mozilla firefox\firefox.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ucrtbase.dll, c:\program files\mozilla firefox\mozglue.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\msvcp140.dll, c:\windows\system32\vcruntime140.dll

PID: 1128
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" http://165.227.121.41/a.txt
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 123.0
Modules (images): c:\program files\mozilla firefox\firefox.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ucrtbase.dll, c:\program files\mozilla firefox\mozglue.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\msvcp140.dll, c:\windows\system32\vcruntime140.dll

PID: 1184
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10492 -childID 33 -isForBrowser -prefsHandle 4784 -prefMapHandle 8932 -prefsLen 31936 -prefMapSize 244343 -jsInitHandle 1276 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35d2fd05-8f4c-4aad-a7b3-5180777a5b48} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" 21cf27c2a10 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 123.0
Modules (images): c:\program files\mozilla firefox\firefox.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ucrtbase.dll, c:\program files\mozilla firefox\mozglue.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\msvcp140.dll, c:\windows\system32\vcruntime140.dll

PID: 1480
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8528 -childID 20 -isForBrowser -prefsHandle 9344 -prefMapHandle 9460 -prefsLen 31936 -prefMapSize 244343 -jsInitHandle 1276 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc8e3f0f-f024-4772-8c43-da782710712b} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" 21cf46efa10 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Exit code: 0
Version: 123.0
Modules (images): c:\program files\mozilla firefox\firefox.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ucrtbase.dll, c:\program files\mozilla firefox\mozglue.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\msvcp140.dll, c:\windows\system32\vcruntime140.dll

PID: 1728
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11004 -childID 37 -isForBrowser -prefsHandle 6580 -prefMapHandle 6596 -prefsLen 31936 -prefMapSize 244343 -jsInitHandle 1276 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2a2e63c-7db3-4e4c-8ee4-12fcd97f0058} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" 21cf27c2f50 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 123.0

PID: 1776
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4648 -childID 3 -isForBrowser -prefsHandle 3452 -prefMapHandle 3508 -prefsLen 31161 -prefMapSize 244343 -jsInitHandle 1276 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a7db219-8545-44df-9a7c-be3fc636ae48} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" 21cf1d5f850 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 123.0
Modules (images): c:\program files\mozilla firefox\firefox.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ucrtbase.dll, c:\program files\mozilla firefox\mozglue.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\msvcp140.dll, c:\windows\system32\vcruntime140.dll

PID: 1944
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7848 -childID 29 -isForBrowser -prefsHandle 9124 -prefMapHandle 7872 -prefsLen 31936 -prefMapSize 244343 -jsInitHandle 1276 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {035586c8-a765-435c-bcf8-ba4f1d0991ff} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" 21cef8fb310 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 123.0
Modules (images): c:\program files\mozilla firefox\firefox.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ucrtbase.dll, c:\program files\mozilla firefox\mozglue.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\msvcp140.dll, c:\windows\system32\vcruntime140.dll

PID: 1984
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8196 -childID 44 -isForBrowser -prefsHandle 10160 -prefMapHandle 10184 -prefsLen 31978 -prefMapSize 244343 -jsInitHandle 1276 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42f4671b-b7f9-4afc-99d8-572b76059b86} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" 21cf3917f50 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 123.0

PID: 2204
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9180 -childID 18 -isForBrowser -prefsHandle 9168 -prefMapHandle 9172 -prefsLen 31936 -prefMapSize 244343 -jsInitHandle 1276 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b6e9f54-bc8a-41a6-8925-713524d27205} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" 21cf46ef4d0 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Exit code: 0
Version: 123.0
Modules (images): c:\program files\mozilla firefox\firefox.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ucrtbase.dll, c:\program files\mozilla firefox\mozglue.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\msvcp140.dll, c:\windows\system32\vcruntime140.dll

PID: 2256
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\svchost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\kernel.appcore.dll

Total events: 37 375
Read events: 37 374
Write events: 1
Delete events: 0

Modification events

(PID) Process: (1128) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0

Executable files: 0
Suspicious files: 193
Text files: 37
Unknown types: 12

Dropped files (PID | Process | Filename | Type)

1128 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm | binary
  MD5: B7C14EC6110FA820CA6B65F5AEC85911
  SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
1128 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmp | binary
  MD5: EA8B62857DFDBD3D0BE7D7E4A954EC9A
  SHA256: 792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
1128 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite |
  MD5:
  SHA256:
1128 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json | binary
  MD5: EA8B62857DFDBD3D0BE7D7E4A954EC9A
  SHA256: 792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
1128 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.js | text
  MD5: B6F8AE898234E1397F49AF678F1EDEAC
  SHA256: 3D17A46BC0304C918A4EAD1ED84CF054BE39FD5D7C80B17E5A8E6D184C2ED316
1128 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\protections.sqlite-journal | binary
  MD5: E98A4830A3B4BE33BFEA3982C9924891
  SHA256: B46EE7C6CB08D9E90E128660F38D48C33975EDED59B23CBA46F7F970D78187D6
1128 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm | binary
  MD5: B7C14EC6110FA820CA6B65F5AEC85911
  SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
1128 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm | binary
  MD5: B7C14EC6110FA820CA6B65F5AEC85911
  SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
1128 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm | binary
  MD5: B7C14EC6110FA820CA6B65F5AEC85911
  SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
1128 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cert9.db | sqlite
  MD5: 75AFC8C468AC5D0E07FBBEE936775EB8
  SHA256: 7B400BE9BFF10F8176F423385B6396060D0BD0B3E166D7F9C9DA6BFB629E8FF5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 121
TCP/UDP connections: 350
DNS requests: 629
Threats: 20

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
1128 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | whitelisted
1128 | firefox.exe | GET | 200 | 165.227.121.41:80 | http://165.227.121.41/a.txt | unknown | suspicious
1128 | firefox.exe | POST | 200 | 2.16.241.8:80 | http://r10.o.lencr.org/ | unknown | unknown
1128 | firefox.exe | POST | 200 | 2.16.241.8:80 | http://r10.o.lencr.org/ | unknown | unknown
1128 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | whitelisted
1128 | firefox.exe | POST | 200 | 2.16.241.8:80 | http://r10.o.lencr.org/ | unknown | unknown
1128 | firefox.exe | POST | 200 | 216.58.212.163:80 | http://o.pki.goog/wr2 | unknown | unknown
1128 | firefox.exe | POST | 200 | 2.16.241.8:80 | http://r10.o.lencr.org/ | unknown | unknown
1128 | firefox.exe | GET | 404 | 165.227.121.41:80 | http://165.227.121.41/favicon.ico | unknown | suspicious
1128 | firefox.exe | POST | 200 | 216.58.212.163:80 | http://o.pki.goog/s/wr3/XjA | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4076 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5900 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
1128 | firefox.exe | 165.227.121.41:80 | | DIGITALOCEAN-ASN | US | unknown
1128 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | GOOGLE | US | whitelisted
1128 | firefox.exe | 34.117.188.166:443 | contile.services.mozilla.com | GOOGLE-CLOUD-PLATFORM | US | whitelisted
1128 | firefox.exe | 142.250.181.234:443 | safebrowsing.googleapis.com | | | whitelisted
1128 | firefox.exe | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | GOOGLE | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208, 51.104.136.2 | whitelisted
google.com | 142.250.181.238 | whitelisted
detectportal.firefox.com | 34.107.221.82 | whitelisted
prod.detectportal.prod.cloudops.mozgcp.net | 34.107.221.82, 2600:1901:0:38d7:: | whitelisted
example.org | 93.184.215.14 | whitelisted
ipv4only.arpa | 192.0.0.171, 192.0.0.170 | whitelisted
contile.services.mozilla.com | 34.117.188.166 | whitelisted
spocs.getpocket.com | 34.117.188.166 | whitelisted
content-signature-2.cdn.mozilla.net | 34.160.144.191 | whitelisted
prod.ads.prod.webservices.mozgcp.net | 34.117.188.166 | unknown

Threats

PID | Process | Class | Message
1128 | firefox.exe | Potentially Bad Traffic | ET HUNTING Terse Request for .txt - Likely Hostile
1128 | firefox.exe | Potentially Bad Traffic | ET HUNTING Powershell Downloader with Start-Process Inbound M1
2256 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
2256 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
1128 | firefox.exe | Potential Corporate Privacy Violation | ET POLICY IP Check Domain (iplogger .org in TLS SNI)
2256 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
2256 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
2256 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
1128 | firefox.exe | Potential Corporate Privacy Violation | ET POLICY IP Check Domain (iplogger .org in TLS SNI)
2256 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
4 ETPRO signatures available at the full report
No debug info