URL: https://wormhole.app/20RZy#--K0fcBey9mIyKT0BneAFg
Full analysis: https://app.any.run/tasks/c8e04ed7-b9b8-401f-95a9-b27a3b3c7d46
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. It was introduced on GitHub as legitimate open-source remote administration software, but attackers use it for its many powerful malicious functions.

Analysis date: October 05, 2022, 00:26:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: asyncrat, trojan, rat
Indicators:
MD5: F28DA5D15213709C5EA6D1642D9A322C
SHA1: 0BF31DC36B88CC047ABF305EB870B09032EB8C5D
SHA256: 55F114DE63FDFF1DD038FE4E4B4951D1824E52E18B264A1EEA49E695D7813D59
SSDEEP: 3:N8bXINKJujNEKWg:2kNSujNEK9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ASYNCRAT detected by memory dumps

      • RegAsm.exe (PID: 1940)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3756)
      • schtasks.exe (PID: 3156)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 3692)
      • cmd.exe (PID: 4056)
    • ASYNCRAT was detected

      • RegAsm.exe (PID: 1940)
  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 2900)
      • cmd.exe (PID: 3692)
      • Inv4449.exe (PID: 2840)
      • RegAsm.exe (PID: 1940)
      • cmd.exe (PID: 864)
      • cmd.exe (PID: 1304)
      • msdtc.exe (PID: 296)
      • cmd.exe (PID: 1364)
      • cmd.exe (PID: 3332)
      • RegAsm.exe (PID: 3092)
      • cmd.exe (PID: 4056)
    • Reads the computer name

      • WinRAR.exe (PID: 2900)
      • Inv4449.exe (PID: 2840)
      • RegAsm.exe (PID: 1940)
      • RegAsm.exe (PID: 3092)
      • msdtc.exe (PID: 296)
    • Starts CMD.EXE for commands execution

      • Inv4449.exe (PID: 2840)
      • msdtc.exe (PID: 296)
    • Creates files in the user directory

      • cmd.exe (PID: 1304)
    • Executed via Task Scheduler

      • msdtc.exe (PID: 296)
    • Reads Environment values

      • RegAsm.exe (PID: 1940)
  • INFO

    • Checks supported languages

      • firefox.exe (PID: 3136)
      • firefox.exe (PID: 3492)
      • firefox.exe (PID: 472)
      • firefox.exe (PID: 900)
      • firefox.exe (PID: 2620)
      • firefox.exe (PID: 2740)
      • firefox.exe (PID: 4028)
      • firefox.exe (PID: 2328)
      • firefox.exe (PID: 3112)
      • firefox.exe (PID: 3720)
      • schtasks.exe (PID: 3756)
      • schtasks.exe (PID: 3156)
    • Reads the computer name

      • firefox.exe (PID: 3492)
      • firefox.exe (PID: 472)
      • firefox.exe (PID: 2620)
      • firefox.exe (PID: 2740)
      • firefox.exe (PID: 900)
      • firefox.exe (PID: 2328)
      • firefox.exe (PID: 3720)
      • firefox.exe (PID: 3112)
      • firefox.exe (PID: 4028)
      • schtasks.exe (PID: 3756)
      • schtasks.exe (PID: 3156)
    • Reads CPU info

      • firefox.exe (PID: 3492)
    • Application launched itself

      • firefox.exe (PID: 3136)
      • firefox.exe (PID: 3492)
    • Creates files in the program directory

      • firefox.exe (PID: 3492)
    • Reads the date of Windows installation

      • firefox.exe (PID: 3492)
    • Manual execution by user

      • WinRAR.exe (PID: 2900)
    • Dropped object may contain Bitcoin addresses

      • firefox.exe (PID: 3492)
    • Checks Windows Trust Settings

      • firefox.exe (PID: 3492)
    • Creates files in the user directory

      • firefox.exe (PID: 3492)
    • Reads settings of System Certificates

      • RegAsm.exe (PID: 1940)

AsyncRat configuration

Extracted from process RegAsm.exe (PID 1940):
Install_Folder: %AppData%
Salt: VenomByVenom
Aes_Key: 37e25da38d2b11da16c09e535330137ff4967aaa16e6439eeb130383200c01b8
Botnet: venom clients
bdos: false
PasteBin: null
AntiVM: false
Server_Signature: OE/C5apa9LHcYDR04Ug6fg+NX0Ys/uqCfvMdWUmvJytrV/Mlj9Yx8r8xGQjnXfdMUkQURpowUBZ5em+NZqJnQlHqKoJwoH+HmDsidZNv5c8JBuz11ENg0LF3VIBUsrS6AY+/0A0tVqe1LnTOTEgSUv/btP0QmfeRDVCq/VyT70s=
Certificate: MIICMzCCAZygAwIBAgIVALgbuadTIXCBGx92qk2Pt658vf8pMA0GCSqGSIb3DQEBDQUAMGcxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDExMjE3MzIzNloXDTMxMTAyMjE3MzIzNlowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQAD...
Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
Autorun: false
Version: 5.0.5
Ports (1): 4449
C2 (2): venom12345.duckdns.org
All screenshots are available in the full report
Total processes: 66
Monitored processes: 23
Malicious processes: 4
Suspicious processes: 2

Behavior graph

Processes in the graph, in the order shown (firefox.exe appears 10 times; regasm.exe is tagged #ASYNCRAT):
start, firefox.exe, firefox.exe, firefox.exe, firefox.exe, firefox.exe, firefox.exe, firefox.exe, firefox.exe, firefox.exe, firefox.exe, winrar.exe, inv4449.exe, regasm.exe (#ASYNCRAT), cmd.exe, cmd.exe, cmd.exe, schtasks.exe, msdtc.exe, regasm.exe, cmd.exe, cmd.exe, cmd.exe, schtasks.exe

Process information

Each entry lists PID, command line (CMD), image path, parent process, and the loaded modules (images) shown in the report.
PID: 3136
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://wormhole.app/20RZy#--K0fcBey9mIyKT0BneAFg"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: Explorer.EXE
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 83.0
Modules (images):
c:\windows\system32\ntdll.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
PID: 3492
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" https://wormhole.app/20RZy#--K0fcBey9mIyKT0BneAFg
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 83.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
PID: 472
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3492.0.898472677\1103294488" -parentBuildID 20201112153044 -prefsHandle 964 -prefMapHandle 960 -prefsLen 1 -prefMapSize 238726 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3492 "\\.\pipe\gecko-crash-server-pipe.3492" 1200 gpu
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 83.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
PID: 900
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3492.6.653906091\313677128" -childID 1 -isForBrowser -prefsHandle 2848 -prefMapHandle 2844 -prefsLen 245 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3492 "\\.\pipe\gecko-crash-server-pipe.3492" 2860 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 83.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
PID: 2740
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3492.13.1576807014\134320351" -childID 2 -isForBrowser -prefsHandle 3092 -prefMapHandle 3088 -prefsLen 6644 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3492 "\\.\pipe\gecko-crash-server-pipe.3492" 3104 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 83.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
PID: 2328
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3492.20.2045496063\1523793418" -childID 3 -isForBrowser -prefsHandle 3552 -prefMapHandle 3540 -prefsLen 7399 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3492 "\\.\pipe\gecko-crash-server-pipe.3492" 3560 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 83.0
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\sechost.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
PID: 2620
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3492.21.2074537712\701676228" -childID 4 -isForBrowser -prefsHandle 3568 -prefMapHandle 2192 -prefsLen 7399 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3492 "\\.\pipe\gecko-crash-server-pipe.3492" 3528 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Exit code: 0
Version: 83.0
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
PID: 3112
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3492.34.907608809\1030765942" -childID 5 -isForBrowser -prefsHandle 2216 -prefMapHandle 1880 -prefsLen 7470 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3492 "\\.\pipe\gecko-crash-server-pipe.3492" 3792 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Exit code: 0
Version: 83.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\rpcrt4.dll
PID: 4028
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3492.35.1631667926\1137448366" -childID 6 -isForBrowser -prefsHandle 3820 -prefMapHandle 3816 -prefsLen 7470 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3492 "\\.\pipe\gecko-crash-server-pipe.3492" 3860 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 83.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
PID: 3720
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3492.48.1827423869\1884484447" -childID 7 -isForBrowser -prefsHandle 3688 -prefMapHandle 3700 -prefsLen 7470 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3492 "\\.\pipe\gecko-crash-server-pipe.3492" 3564 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 83.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msasn1.dll
Total events: 23 363
Read events: 23 221
Write events: 141
Delete events: 1

Modification events

PID 3136, firefox.exe
Key: HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Launcher
Value: 08B31F7616000000

PID 3492, firefox.exe
Key: HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Browser
Value: 8EBF1F7616000000

PID 3492, firefox.exe
Key: HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry
Value: 0

PID 3492, firefox.exe
Key: HKEY_CURRENT_USER\Software\Mozilla\Firefox\DllPrefetchExperiment
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0

PID 3492, firefox.exe
Key: HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation: write
Name: C:\Program Files\Mozilla Firefox|DisableTelemetry
Value: 1

PID 3492, firefox.exe
Key: HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation: write
Name: C:\Program Files\Mozilla Firefox|DisableDefaultBrowserAgent
Value: 0

PID 3492, firefox.exe
Key: HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation: write
Name: C:\Program Files\Mozilla Firefox|ServicesSettingsServer
Value: https://firefox.settings.services.mozilla.com/v1

PID 3492, firefox.exe
Key: HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation: write
Name: C:\Program Files\Mozilla Firefox|SecurityContentSignatureRootHash
Value: 97:E8:BA:9C:F1:2F:B3:DE:53:CC:42:A4:E6:57:7E:D6:4D:F4:93:C2:47:B4:14:FE:A0:36:81:8D:38:23:56:0E

PID 3492, firefox.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

PID 3492, firefox.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 0
Suspicious files: 290
Text files: 43
Unknown types: 36

Dropped files

PID 3492, firefox.exe
Filename: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin
MD5:
SHA256:

PID 3492, firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:

PID 3492, firefox.exe
Filename: C:\Users\admin\AppData\Local\Temp\mz_etilqs_DGKUVO2MJkNRyl5
Type: binary
MD5: 9C9F2A0DD1FC55533710A665FCB9221E
SHA256: 6ACBFE47208015834971F31BB1838894DD6A120C26D98CC1E049E04287A1F761

PID 3492, firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal
Type: binary
MD5: 2F21FF49543AB65505EAECA042B78333
SHA256: 0225AF3CB6BC9E594AEC8BFE508205B832E30545F42DCE15E2ADB04EF6EF1BBC

PID 3492, firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
Type: binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID 3492, firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
Type: binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID 3492, firefox.exe
Filename: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin
Type: binary
MD5: 994A33896BB41A278A315D0D796422B6
SHA256: 54EC50A20FFF8CC016710E49437CF6A11D3FE5EE7B28C185E4A9AAFEE2908B63

PID 3492, firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js
Type: text
MD5: 299A2B747C11E4BDA194E563FEA4A699
SHA256: 94EE461F62E8B4A0A65471A41E10C8C56722B73C0A019D76ACA7F5BAF109813E

PID 3492, firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite-wal
Type: sqlite-wal
MD5: EF2EFD23ABD13B31CFD0C5B2E45E8B9E
SHA256: C71A9036E766827302D4D696209EE50DA6B600C9F47947774F2A541EF604853F

PID 3492, firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
Type: binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
HTTP(S) requests: 13
TCP/UDP connections: 94
DNS requests: 136
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3492 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
3492 | firefox.exe | POST | 200 | 195.138.255.17:80 | http://r3.o.lencr.org/ | DE | der | 503 b | shared
3492 | firefox.exe | POST | 200 | 195.138.255.17:80 | http://r3.o.lencr.org/ | DE | der | 503 b | shared
3492 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
3492 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
3492 | firefox.exe | POST | 200 | 195.138.255.17:80 | http://r3.o.lencr.org/ | DE | der | 503 b | shared
3492 | firefox.exe | POST | 200 | 172.217.17.99:80 | http://ocsp.pki.goog/gts1c3 | US | der | 471 b | whitelisted
3492 | firefox.exe | POST | 200 | 142.250.185.99:80 | http://ocsp.pki.goog/gts1c3 | US | der | 471 b | whitelisted
3492 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | US | text | 8 b | whitelisted
3492 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt | US | text | 8 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3492 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | GOOGLE | US | whitelisted
3492 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
3492 | firefox.exe | 13.224.189.76:443 | firefox.settings.services.mozilla.com | AMAZON-02 | US | unknown
3492 | firefox.exe | 195.138.255.17:80 | r3.o.lencr.org | AS33891 Netzbetrieb GmbH | DE | whitelisted
3492 | firefox.exe | 13.225.78.92:443 | firefox-settings-attachments.cdn.mozilla.net | AMAZON-02 | US | malicious
3492 | firefox.exe | 13.224.189.85:443 | firefox.settings.services.mozilla.com | AMAZON-02 | US | suspicious
3492 | firefox.exe | 104.26.6.129:443 | wormhole.app | CLOUDFLARENET | US | suspicious
3492 | firefox.exe | 35.163.138.146:443 | location.services.mozilla.com | AMAZON-02 | US | unknown
3492 | firefox.exe | 104.153.233.176:443 | api000.backblazeb2.com | UNWIRED | US | unknown
3492 | firefox.exe | 13.225.78.106:443 | content-signature-2.cdn.mozilla.net | AMAZON-02 | US | suspicious

DNS requests

Each domain is listed with its reputation and the IPs it resolved to.

detectportal.firefox.com (whitelisted)
  • 34.107.221.82
wormhole.app (suspicious)
  • 104.26.6.129
  • 172.67.73.142
  • 104.26.7.129
  • 2606:4700:20::681a:781
  • 2606:4700:20::ac43:498e
  • 2606:4700:20::681a:681
prod.detectportal.prod.cloudops.mozgcp.net (whitelisted)
  • 34.107.221.82
  • 2600:1901:0:38d7::
firefox.settings.services.mozilla.com (whitelisted)
  • 13.224.189.76
  • 13.224.189.71
  • 13.224.189.54
  • 13.224.189.85
location.services.mozilla.com (whitelisted)
  • 35.163.138.146
  • 52.40.138.9
  • 35.161.134.0
  • 52.41.132.37
  • 54.184.13.11
  • 52.35.17.16
locprod2-elb-us-west-2.prod.mozaws.net (whitelisted)
  • 52.35.17.16
  • 54.184.13.11
  • 52.41.132.37
  • 35.161.134.0
  • 52.40.138.9
  • 35.163.138.146
example.org (whitelisted)
  • 93.184.216.34
  • 178.79.242.128
ipv4only.arpa (whitelisted)
  • 192.0.0.171
  • 192.0.0.170
r3.o.lencr.org (shared)
  • 195.138.255.17
  • 195.138.255.18
  • 2.16.218.170
  • 2.16.218.144
a1887.dscq.akamai.net (whitelisted)
  • 195.138.255.18
  • 195.138.255.17
  • 2a02:26f0:3500:e::1732:835c
  • 2a02:26f0:3500:e::1732:8353
  • 2.16.218.144
  • 2.16.218.170
  • 2a02:26f0:6a::210:da90
  • 2a02:26f0:6a::210:daaa

Threats

PID | Process | Class | Message
3492 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile
3492 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile
(not listed) | (not listed) | Attempted User Privilege Gain | ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard Low Port)
(not listed) | (not listed) | Attempted User Privilege Gain | ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard Low Port)
(not listed) | (not listed) | Attempted User Privilege Gain | ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard Low Port)
(not listed) | (not listed) | Attempted User Privilege Gain | ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard Low Port)
(not listed) | (not listed) | Attempted User Privilege Gain | ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard Low Port)
(not listed) | (not listed) | Attempted User Privilege Gain | ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard Low Port)
(not listed) | (not listed) | Attempted User Privilege Gain | ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard Low Port)
(not listed) | (not listed) | Attempted User Privilege Gain | ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard Low Port)
2 ETPRO signatures available at the full report
Debug output

Process | Message
Inv4449.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
Inv4449.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
Inv4449.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
Inv4449.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
msdtc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
msdtc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
msdtc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
msdtc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278