URL:

https://google.co.ve/url?6q=i6yzoppJLi6z73yh&rct=tTPvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/s%2fwdsoft.com.br%2f7yoya/ru8ujsdxm2ryxv/YmFsYW51dGEuZWNhdGVyaW5hQHBldHJvbHZhbHZlcy5pdA==%E3%80%82$$%E3%80%82

Full analysis: https://app.any.run/tasks/0f23539f-18c0-4ec1-843d-a3dd890f115a
Verdict: Malicious activity
Analysis date: December 14, 2024, 00:28:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
phishing
43
evilproxy
Indicators:
MD5:

0329BA28B3A95437473EA53D15D24248

SHA1:

0F4471225EAF686EE00F086F471249BBE6507E36

SHA256:

7F765391DE16273186C676CD659156A10A5475F2799A1DA6BFC566E1498D6977

SSDEEP:

3:N8r3uJLQkT6YR3t8dq9DfJ4HP4HMDXt98JLDQA84xzNKS7WAXAdX3HwdXn:2LuJLQk1RtMqfMPTOMAjp7wVAVn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • PHISHING has been detected (SURICATA)

      • svchost.exe (PID: 2192)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 6384)

    • Application launched itself

      • firefox.exe (PID: 6336)
      • firefox.exe (PID: 6384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
141
Monitored processes
14
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs #PHISHING svchost.exe firefox.exe no specs firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
6336"C:\Program Files\Mozilla Firefox\firefox.exe" "https://google.co.ve/url?6q=i6yzoppJLi6z73yh&rct=tTPvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/s%2fwdsoft.com.br%2f7yoya/ru8ujsdxm2ryxv/YmFsYW51dGEuZWNhdGVyaW5hQHBldHJvbHZhbHZlcy5pdA==%E3%80%82$%E3%80%82"C:\Program Files\Mozilla Firefox\firefox.exeexplorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
6384"C:\Program Files\Mozilla Firefox\firefox.exe" https://google.co.ve/url?6q=i6yzoppJLi6z73yh&rct=tTPvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/s%2fwdsoft.com.br%2f7yoya/ru8ujsdxm2ryxv/YmFsYW51dGEuZWNhdGVyaW5hQHBldHJvbHZhbHZlcy5pdA==%E3%80%82$%E3%80%82C:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
6688"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1544 -parentBuildID 20240213221259 -prefsHandle 1768 -prefMapHandle 1744 -prefsLen 31031 -prefMapSize 244583 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95172471-c62b-4709-8d62-4a89a50d0dc6} 6384 "\\.\pipe\gecko-crash-server-pipe.6384" 1c1b07ec110 gpuC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\windows\system32\d3dcompiler_47.dll
c:\program files\mozilla firefox\libglesv2.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\wldp.dll
c:\program files\mozilla firefox\libegl.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\dcomp.dll
6776"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2092 -parentBuildID 20240213221259 -prefsHandle 2076 -prefMapHandle 2072 -prefsLen 31031 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe5e936a-62b4-4f14-a2f2-9ff303ecb1d9} 6384 "\\.\pipe\gecko-crash-server-pipe.6384" 1c1a487f510 socketC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
6204"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4240 -childID 2 -isForBrowser -prefsHandle 2548 -prefMapHandle 4216 -prefsLen 36588 -prefMapSize 244583 -jsInitHandle 1400 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5962f7df-9222-4623-897f-3c9e2102a5bc} 6384 "\\.\pipe\gecko-crash-server-pipe.6384" 1c1b6bce310 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
6372"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4744 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 4828 -prefMapHandle 4604 -prefsLen 36588 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f0ef443-607e-40c0-b6bb-bf123f41a0c2} 6384 "\\.\pipe\gecko-crash-server-pipe.6384" 1c1bbbcad10 utilityC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
7212"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5016 -childID 3 -isForBrowser -prefsHandle 5008 -prefMapHandle 4964 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1400 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91ee022a-15fb-487e-a5de-c1982ddc42d7} 6384 "\\.\pipe\gecko-crash-server-pipe.6384" 1c1bae5e150 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
7228"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5036 -childID 4 -isForBrowser -prefsHandle 5028 -prefMapHandle 5024 -prefsLen 38925 -prefMapSize 244583 -jsInitHandle 1400 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cb8c8e9-c1b8-493a-a88f-909ab087331b} 6384 "\\.\pipe\gecko-crash-server-pipe.6384" 1c1bae5e690 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
7536"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5392 -childID 5 -isForBrowser -prefsHandle 5384 -prefMapHandle 5380 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1400 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {140dbd26-2541-4fb5-8e97-7b85f00076e5} 6384 "\\.\pipe\gecko-crash-server-pipe.6384" 1c1bae5e850 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
7544"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5348 -childID 6 -isForBrowser -prefsHandle 5488 -prefMapHandle 5484 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1400 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b30d266d-43b2-4c89-86b0-b5db113e1650} 6384 "\\.\pipe\gecko-crash-server-pipe.6384" 1c1bae5ebd0 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\mozavutil.dll
c:\program files\mozilla firefox\mozavcodec.dll
c:\windows\system32\avrt.dll
c:\windows\system32\webauthn.dll
c:\windows\system32\winsta.dll
Total events
4 251
Read events
4 251
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
202
Text files
42
Unknown types
4

Dropped files

PID
Process
Filename
Type
6384firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
MD5:
SHA256:
6384firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6384firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.binbinary
MD5:297E88D7CEB26E549254EC875649F4EB
SHA256:8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702
6384firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6384firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6384firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\datareporting\glean\db\data.safe.tmpdbf
MD5:3B156E12141F8CBCE9D60CDCE2077617
SHA256:E6287E44B44ABEA20E1B2E3F415D22B9E5E5FBBC155AD9DADBABA63951B2AF6F
6384firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.jstext
MD5:3E646578EE6F0B138BFA9123160472C5
SHA256:11A54071EBA8A7078ACCBE656680D9E0A1FC46844F68A0CE2442C6C0933A9DFB
6384firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\SiteSecurityServiceState.binbinary
MD5:6D6AAFC073C50567683811499BF73F8B
SHA256:D4405CD157645470B9B8E1F74335BF1783F9E68EBCB7649316B89F073580541E
6384firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cert9.db-journalbinary
MD5:454267AC27D5C7F014076AA46A70BFCA
SHA256:2A94C1E9ED8AB28948AF9B41D29290D0935E187CB6767B916EF820F40C58947F
6384firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmpbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
120
DNS requests
179
Threats
13

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6384
firefox.exe
POST
200
2.16.202.121:80
http://r10.o.lencr.org/
unknown
whitelisted
POST
200
142.250.184.195:80
http://o.pki.goog/wr2
unknown
whitelisted
POST
200
142.250.184.195:80
http://o.pki.goog/wr2
unknown
whitelisted
POST
200
142.250.184.195:80
http://o.pki.goog/wr2
unknown
whitelisted
POST
200
2.16.202.121:80
http://r11.o.lencr.org/
unknown
whitelisted
POST
200
142.250.184.195:80
http://o.pki.goog/wr2
unknown
whitelisted
POST
200
2.16.202.121:80
http://r11.o.lencr.org/
unknown
whitelisted
POST
200
142.250.184.195:80
http://o.pki.goog/wr2
unknown
whitelisted
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:137
whitelisted
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
104.126.37.128:443
www.bing.com
Akamai International B.V.
DE
whitelisted
142.250.184.234:443
safebrowsing.googleapis.com
whitelisted
34.117.188.166:443
contile.services.mozilla.com
whitelisted
34.107.221.82:80
detectportal.firefox.com
GOOGLE
US
whitelisted
142.250.184.227:443
google.co.ve
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
google.com
  • 142.250.185.78
whitelisted
www.bing.com
  • 104.126.37.128
  • 104.126.37.176
  • 104.126.37.139
  • 104.126.37.163
  • 104.126.37.131
  • 104.126.37.144
  • 104.126.37.123
  • 104.126.37.129
  • 104.126.37.136
  • 104.126.37.130
  • 104.126.37.154
whitelisted
google.co.ve
  • 142.250.184.227
  • 2a00:1450:4001:810::2003
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
ipv4only.arpa
  • 192.0.0.171
  • 192.0.0.170
whitelisted
example.org
  • 93.184.215.14
whitelisted

Threats

PID
Process
Class
Message
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain (wdsoft .com .br)
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain (wdsoft .com .br)
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain (wdsoft .com .br)
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected phishing domain name created with Leet (0ffice)
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected phishing domain name created with Leet (0ffice)
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected phishing domain name created with Leet (0ffice)
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected phishing domain name created with Leet (0ffice)
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected phishing domain name created with Leet (0ffice)
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected phishing domain name created with Leet (l1ve)
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected phishing domain name created with Leet (l1ve)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://google.co.ve/url?6q=i6yzoppJLi6z73yh&rct=tTPvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/s%2fwdsoft.com.br%2f7yoya/ru8ujsdxm2ryxv/YmFsYW51dGEuZWNhdGVyaW5hQHBldHJvbHZhbHZlcy5pdA==%E3%80%82$$%E3%80%82