analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

MEMZ-Destructive.exe

Full analysis: https://app.any.run/tasks/63148cec-d0a6-44cc-a10d-f296893b3280
Verdict: Malicious activity
Analysis date: June 16, 2019, 13:49:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

19DBEC50735B5F2A72D4199C4E184960

SHA1:

6FED7732F7CB6F59743795B2AB154A3676F4C822

SHA256:

A3D5715A81F2FBEB5F76C88C9C21EEEE87142909716472F911FF6950C790C24D

SSDEEP:

192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Low-level write access rights to disk partition

      • MEMZ-Destructive.exe (PID: 2448)

    • Application was dropped or rewritten from another process

      • firefox.exe (PID: 3032)
      • firefox.exe (PID: 1020)
      • firefox.exe (PID: 908)
      • firefox.exe (PID: 2352)
      • firefox.exe (PID: 3580)
      • firefox.exe (PID: 2212)
      • pingsender.exe (PID: 3440)
      • updater.exe (PID: 3548)
      • pingsender.exe (PID: 1360)
      • updater.exe (PID: 3156)
      • helper.exe (PID: 3740)
      • firefox.exe (PID: 2856)
      • firefox.exe (PID: 2680)
      • firefox.exe (PID: 3872)
      • firefox.exe (PID: 2104)
      • firefox.exe (PID: 3892)
      • firefox.exe (PID: 3396)
      • firefox.exe (PID: 3592)
      • pingsender.exe (PID: 3508)
      • pingsender.exe (PID: 1556)
      • pingsender.exe (PID: 1712)

    • Loads dropped or rewritten executable

      • firefox.exe (PID: 3032)
      • firefox.exe (PID: 2352)
      • firefox.exe (PID: 908)
      • firefox.exe (PID: 2212)
      • pingsender.exe (PID: 1360)
      • firefox.exe (PID: 1020)
      • firefox.exe (PID: 3580)
      • pingsender.exe (PID: 3440)
      • csrss.exe (PID: 404)
      • firefox.exe (PID: 2856)
      • firefox.exe (PID: 2680)
      • firefox.exe (PID: 2104)
      • helper.exe (PID: 3740)
      • firefox.exe (PID: 3396)
      • firefox.exe (PID: 3872)
      • firefox.exe (PID: 3892)
      • firefox.exe (PID: 3592)
      • pingsender.exe (PID: 3508)
      • pingsender.exe (PID: 1712)
      • pingsender.exe (PID: 1556)

    • Runs app for hidden code execution

      • MEMZ-Destructive.exe (PID: 2448)

  • SUSPICIOUS

    • Application launched itself

      • MEMZ-Destructive.exe (PID: 3480)
      • updater.exe (PID: 3548)

    • Low-level read access rights to disk partition

      • MEMZ-Destructive.exe (PID: 2448)

    • Creates files in the user directory

      • MEMZ-Destructive.exe (PID: 2448)

    • Creates files in the program directory

      • firefox.exe (PID: 1020)
      • updater.exe (PID: 3548)
      • updater.exe (PID: 3156)
      • helper.exe (PID: 3740)
      • firefox.exe (PID: 2680)

    • Starts Internet Explorer

      • MEMZ-Destructive.exe (PID: 2448)

    • Loads DLL from Mozilla Firefox

      • csrss.exe (PID: 404)
      • helper.exe (PID: 3740)

    • Executable content was dropped or overwritten

      • updater.exe (PID: 3156)
      • helper.exe (PID: 3740)

    • Creates COM task schedule object

      • helper.exe (PID: 3740)

    • Modifies the open verb of a shell class

      • helper.exe (PID: 3740)

    • Creates a software uninstall entry

      • helper.exe (PID: 3740)

    • Starts CMD.EXE for commands execution

      • MEMZ-Destructive.exe (PID: 2448)

  • INFO

    • Manual execution by user

      • firefox.exe (PID: 1020)
      • taskmgr.exe (PID: 2456)

    • Application launched itself

      • firefox.exe (PID: 1020)
      • iexplore.exe (PID: 3188)
      • firefox.exe (PID: 2680)
      • iexplore.exe (PID: 2068)
      • iexplore.exe (PID: 2208)
      • iexplore.exe (PID: 3544)

    • Creates files in the user directory

      • firefox.exe (PID: 1020)
      • iexplore.exe (PID: 4028)
      • firefox.exe (PID: 2680)
      • iexplore.exe (PID: 2592)
      • iexplore.exe (PID: 3712)
      • iexplore.exe (PID: 1884)

    • Reads CPU info

      • firefox.exe (PID: 1020)
      • firefox.exe (PID: 2680)

    • Changes internet zones settings

      • iexplore.exe (PID: 3188)
      • iexplore.exe (PID: 1032)
      • iexplore.exe (PID: 2068)
      • iexplore.exe (PID: 3544)
      • iexplore.exe (PID: 2208)

    • Reads internet explorer settings

      • iexplore.exe (PID: 4028)
      • iexplore.exe (PID: 1972)
      • iexplore.exe (PID: 2592)
      • iexplore.exe (PID: 2144)
      • iexplore.exe (PID: 3712)
      • iexplore.exe (PID: 1884)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 4028)
      • iexplore.exe (PID: 1972)

    • Changes settings of System certificates

      • iexplore.exe (PID: 4028)
      • iexplore.exe (PID: 1972)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 4028)
      • iexplore.exe (PID: 1972)
      • iexplore.exe (PID: 2592)
      • iexplore.exe (PID: 3712)
      • iexplore.exe (PID: 2144)

    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 1972)
      • iexplore.exe (PID: 2592)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 1972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x122d
UninitializedDataSize: -
InitializedDataSize: 10752
CodeSize: 3072
LinkerVersion: 14
PEType: PE32
TimeStamp: 2016:07:10 14:59:43+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 10-Jul-2016 12:59:43
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 10-Jul-2016 12:59:43
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00000B2A
0x00000C00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.85958
.rdata
0x00002000
0x000021C2
0x00002200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.35229
.data
0x00005000
0x00000194
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.5782
.rsrc
0x00006000
0x000001E8
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.75224
.reloc
0x00007000
0x0000020C
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
3.99459

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.89623
392
UNKNOWN
English - United States
RT_MANIFEST

Imports

ADVAPI32.dll
GDI32.dll
KERNEL32.dll
PSAPI.DLL
SHELL32.dll
USER32.dll
WINMM.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
92
Monitored processes
45
Malicious processes
25
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start memz-destructive.exe no specs memz-destructive.exe memz-destructive.exe no specs memz-destructive.exe no specs memz-destructive.exe no specs memz-destructive.exe no specs memz-destructive.exe no specs memz-destructive.exe notepad.exe no specs firefox.exe firefox.exe no specs firefox.exe firefox.exe firefox.exe iexplore.exe iexplore.exe iexplore.exe iexplore.exe pingsender.exe pingsender.exe firefox.exe no specs updater.exe no specs updater.exe helper.exe firefox.exe no specs csrss.exe no specs firefox.exe firefox.exe no specs firefox.exe firefox.exe firefox.exe notepad.exe no specs firefox.exe iexplore.exe iexplore.exe pingsender.exe pingsender.exe pingsender.exe iexplore.exe iexplore.exe iexplore.exe cmd.exe no specs taskmgr.exe no specs iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
116"C:\Users\admin\AppData\Local\Temp\MEMZ-Destructive.exe" C:\Users\admin\AppData\Local\Temp\MEMZ-Destructive.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\memz-destructive.exe
c:\systemroot\system32\ntdll.dll
3480"C:\Users\admin\AppData\Local\Temp\MEMZ-Destructive.exe" C:\Users\admin\AppData\Local\Temp\MEMZ-Destructive.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\memz-destructive.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2840"C:\Users\admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdogC:\Users\admin\AppData\Local\Temp\MEMZ-Destructive.exeMEMZ-Destructive.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\memz-destructive.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2700"C:\Users\admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdogC:\Users\admin\AppData\Local\Temp\MEMZ-Destructive.exeMEMZ-Destructive.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\memz-destructive.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
1156"C:\Users\admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdogC:\Users\admin\AppData\Local\Temp\MEMZ-Destructive.exeMEMZ-Destructive.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\memz-destructive.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3920"C:\Users\admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdogC:\Users\admin\AppData\Local\Temp\MEMZ-Destructive.exeMEMZ-Destructive.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\memz-destructive.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
1520"C:\Users\admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdogC:\Users\admin\AppData\Local\Temp\MEMZ-Destructive.exeMEMZ-Destructive.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\memz-destructive.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2448"C:\Users\admin\AppData\Local\Temp\MEMZ-Destructive.exe" /mainC:\Users\admin\AppData\Local\Temp\MEMZ-Destructive.exe
MEMZ-Destructive.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\memz-destructive.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2528"C:\Windows\System32\notepad.exe" \note.txtC:\Windows\System32\notepad.exeMEMZ-Destructive.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1020"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\firefox.exe
explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\dbghelp.dll
Total events
3 664
Read events
3 064
Write events
581
Delete events
19

Modification events

(PID) Process:(3480) MEMZ-Destructive.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3480) MEMZ-Destructive.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2448) MEMZ-Destructive.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2448) MEMZ-Destructive.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2528) notepad.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Notepad
Operation:writeName:iWindowPosX
Value:
44
(PID) Process:(2528) notepad.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Notepad
Operation:writeName:iWindowPosY
Value:
44
(PID) Process:(2528) notepad.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Notepad
Operation:writeName:iWindowPosDX
Value:
960
(PID) Process:(2528) notepad.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Notepad
Operation:writeName:iWindowPosDY
Value:
501
(PID) Process:(1020) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(1020) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000071000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
Executable files
149
Suspicious files
151
Text files
212
Unknown types
128

Dropped files

PID
Process
Filename
Type
1020firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin
MD5:
SHA256:
1020firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\trash22103
MD5:
SHA256:
1020firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
MD5:
SHA256:
1020firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
MD5:
SHA256:
1020firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
MD5:
SHA256:
1020firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.binbinary
MD5:2EDB16BAAB71D3A265960F122CC9A3D8
SHA256:3A3C81D31180EB9A36856792D4D6FE72FDDA61AF20DA1FEC484F1D3BDFC8B1B7
1020firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flashsubdoc-digest256.sbstorebinary
MD5:04824A1F92353F43EBB9E7F74B7476FD
SHA256:B48E58EBAB82E4C376F16150A3FFF850C1111FF1F5985D68819CFD6F0DB159D2
1020firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flash-digest256.sbstorebinary
MD5:0E8FE60CCD7E9B4C32589A5743A95302
SHA256:2B124D4026850A3CFFD28DBACB58AEC28F7DCD4D40BC14E52BBE96D60CE4E749
1020firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\entries\E0C0CECE28B030D812EB7F970B23FA54B1EF47EFder
MD5:94CBD8F6B6A47B118C37C5BB0CBBE28D
SHA256:6DF61D3879B9816C352C9FF8652804A3007A5639DB065D61061F21AD67F28BE5
1020firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-child-current.binbinary
MD5:D9ED8FC36E44323FC4D590096318834E
SHA256:541A10EF812806C4A23386FFFFDCB5352B2F35E373681788774A27CB82581EE5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
41
TCP/UDP connections
144
DNS requests
127
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1020
firefox.exe
GET
104.111.215.142:80
http://download.cdn.mozilla.net/pub/firefox/releases/67.0.2/update/win32/en-US/firefox-67.0.2.complete.mar
NL
whitelisted
1972
iexplore.exe
GET
301
2.16.106.106:80
http://play.clubpenguin.com/
unknown
whitelisted
1972
iexplore.exe
GET
200
93.184.221.240:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
56.2 Kb
whitelisted
1020
firefox.exe
POST
200
172.217.22.3:80
http://ocsp.pki.goog/GTSGIAG3
US
der
471 b
whitelisted
1020
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
4028
iexplore.exe
GET
301
216.58.207.68:80
http://google.co.ck/search?q=how+2+buy+weed
US
html
244 b
whitelisted
1032
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
4028
iexplore.exe
GET
302
172.217.18.163:80
http://www.google.co.ck/search?q=how+2+buy+weed
US
html
260 b
whitelisted
3188
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
1972
iexplore.exe
GET
200
67.27.233.126:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
56.2 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1020
firefox.exe
52.35.96.157:443
tiles.services.mozilla.com
Amazon.com, Inc.
US
unknown
1020
firefox.exe
35.244.181.201:443
aus5.mozilla.org
US
suspicious
1020
firefox.exe
13.33.223.81:443
snippets.cdn.mozilla.net
Amazon.com, Inc.
US
unknown
1020
firefox.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1020
firefox.exe
2.16.186.50:80
detectportal.firefox.com
Akamai International B.V.
whitelisted
1020
firefox.exe
54.190.222.97:443
search.services.mozilla.com
Amazon.com, Inc.
US
malicious
1020
firefox.exe
172.217.23.170:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
1020
firefox.exe
52.7.202.80:80
download.mozilla.org
Amazon.com, Inc.
US
unknown
3188
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
1020
firefox.exe
172.217.22.3:80
ocsp.pki.goog
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
aus5.mozilla.org
  • 35.244.181.201
whitelisted
detectportal.firefox.com
  • 2.16.186.50
  • 2.16.186.112
whitelisted
balrog-aus5.r53-2.services.mozilla.com
  • 35.244.181.201
whitelisted
a1089.dscd.akamai.net
  • 2.16.186.112
  • 2.16.186.50
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
cs9.wac.phicdn.net
  • 93.184.220.29
whitelisted
search.services.mozilla.com
  • 54.190.222.97
  • 52.11.30.237
  • 34.215.70.240
whitelisted
search.r53-2.services.mozilla.com
  • 34.215.70.240
  • 52.11.30.237
  • 54.190.222.97
whitelisted
tiles.services.mozilla.com
  • 52.35.96.157
  • 52.43.91.152
  • 54.149.115.79
  • 34.209.86.85
  • 52.42.232.148
  • 34.208.138.0
  • 34.210.151.118
  • 54.186.163.246
  • 52.26.166.58
  • 34.213.89.114
  • 35.164.130.113
  • 52.25.71.236
  • 52.26.103.165
  • 52.34.132.219
  • 52.27.87.181
whitelisted
tiles.r53-2.services.mozilla.com
  • 54.186.163.246
  • 34.210.151.118
  • 34.208.138.0
  • 52.42.232.148
  • 34.209.86.85
  • 54.149.115.79
  • 52.43.91.152
  • 52.35.96.157
  • 52.27.87.181
  • 52.34.132.219
  • 52.26.103.165
  • 52.25.71.236
  • 35.164.130.113
  • 34.213.89.114
  • 52.26.166.58
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
MEMZ-Destructive.exe