URL:

https://www108.zippyshare.com/v/qTEfEiRL/file.html

Full analysis: https://app.any.run/tasks/1b883caf-3f44-4e83-bf7c-ad098af135fa
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: May 28, 2019, 00:29:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:
MD5:

2A9A683127A456D91E934B3C9CEBDCEE

SHA1:

314AECFBCFED09ABFF8EF5558768EC5E9EA420CB

SHA256:

D4793ADE9D7F1AAFD4103969AE2B7BA05FB5FD325AA17FDF1C248668ACA678E1

SSDEEP:

3:N8DSUVmGKjKogDgM3+wJ:2OMmGj91+wJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • DTG.exe (PID: 3640)
      • DTG.exe (PID: 2448)
      • DTG.exe (PID: 3796)
      • DTG.exe (PID: 1816)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3140)

    • Creates files in the program directory

      • firefox.exe (PID: 3532)

  • INFO

    • Application launched itself

      • firefox.exe (PID: 3532)

    • Manual execution by user

      • NOTEPAD.EXE (PID: 912)
      • DTG.exe (PID: 3796)
      • DTG.exe (PID: 1816)
      • DTG.exe (PID: 3640)
      • DTG.exe (PID: 2448)

    • Creates files in the user directory

      • firefox.exe (PID: 3532)

    • Reads CPU info

      • firefox.exe (PID: 3532)

    • Reads Internet Cache Settings

      • firefox.exe (PID: 3532)

    • Dropped object may contain TOR URL's

      • WinRAR.exe (PID: 3140)
      • firefox.exe (PID: 3532)

    • Reads settings of System Certificates

      • firefox.exe (PID: 3532)

    • Dropped object may contain Bitcoin addresses

      • firefox.exe (PID: 3532)
      • WinRAR.exe (PID: 3140)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
52
Monitored processes
11
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start firefox.exe firefox.exe no specs firefox.exe firefox.exe firefox.exe winrar.exe dtg.exe notepad.exe no specs dtg.exe no specs dtg.exe no specs dtg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
912"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\DTG - Copy (2)\proxies.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1816"C:\Users\admin\Desktop\DTG - Copy (2)\DTG.exe" C:\Users\admin\Desktop\DTG - Copy (2)\DTG.exeexplorer.exe
User:
admin
Company:
Discord Token Gen
Integrity Level:
MEDIUM
Description:
DTG: Fastest unverified token generator
Exit code:
3221225786
Version:
v5
Modules
Images
c:\users\admin\desktop\dtg - copy (2)\dtg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\gdi32.dll
2448"C:\Users\admin\Desktop\DTG\DTG.exe" C:\Users\admin\Desktop\DTG\DTG.exe
explorer.exe
User:
admin
Company:
Discord Token Gen
Integrity Level:
MEDIUM
Description:
DTG: Fastest unverified token generator
Exit code:
0
Version:
v5
Modules
Images
c:\users\admin\desktop\dtg\dtg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
2588"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3532.6.1995306759\233697120" -childID 1 -isForBrowser -prefsHandle 1280 -prefMapHandle 1520 -prefsLen 1 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3532 "\\.\pipe\gecko-crash-server-pipe.3532" 1700 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
2972"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3532.20.702470180\617240190" -childID 3 -isForBrowser -prefsHandle 3600 -prefMapHandle 3656 -prefsLen 5824 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3532 "\\.\pipe\gecko-crash-server-pipe.3532" 3660 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
3140"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\DTG.7z"C:\Program Files\WinRAR\WinRAR.exe
firefox.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3532"C:\Program Files\Mozilla Firefox\firefox.exe" https://www108.zippyshare.com/v/qTEfEiRL/file.htmlC:\Program Files\Mozilla Firefox\firefox.exe
explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
3604"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3532.0.1491389032\1622747598" -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - "C:\Users\admin\AppData\LocalLow\Mozilla\Temp-{ce348e4c-7d33-445e-89f9-60108c51bcaf}" 3532 "\\.\pipe\gecko-crash-server-pipe.3532" 1140 gpuC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
3640"C:\Users\admin\Desktop\DTG - Copy (2)\DTG.exe" C:\Users\admin\Desktop\DTG - Copy (2)\DTG.exeexplorer.exe
User:
admin
Company:
Discord Token Gen
Integrity Level:
MEDIUM
Description:
DTG: Fastest unverified token generator
Exit code:
0
Version:
v5
Modules
Images
c:\users\admin\desktop\dtg - copy (2)\dtg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
3784"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3532.13.2065260777\1516410196" -childID 2 -isForBrowser -prefsHandle 2644 -prefMapHandle 2648 -prefsLen 216 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3532 "\\.\pipe\gecko-crash-server-pipe.3532" 2660 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
Total events
1 008
Read events
968
Write events
40
Delete events
0

Modification events

(PID) Process:(3532) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3532) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000071000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(3532) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3532) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3532) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.7z\OpenWithProgids
Operation:writeName:WinRAR
Value:
(PID) Process:(3140) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3140) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3140) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3140) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\DTG.7z
(PID) Process:(3140) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
Executable files
1
Suspicious files
122
Text files
34
Unknown types
67

Dropped files

PID
Process
Filename
Type
3532firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin
MD5:
SHA256:
3532firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\trash25636
MD5:
SHA256:
3532firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
MD5:
SHA256:
3532firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
MD5:
SHA256:
3532firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
MD5:
SHA256:
3532firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db-journal
MD5:
SHA256:
3532firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.binbinary
MD5:
SHA256:
3532firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\entries\6A3BF2F8963B468291176B3E4C9CC8DDC51B7CFBder
MD5:
SHA256:
3532firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\entries\35797F84D45DDAC1E784AE2AFE1B26ED5E45698Bder
MD5:
SHA256:
3532firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-track-digest256.sbstorebinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
28 875
TCP/UDP connections
30 563
DNS requests
160
Threats
39

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2448
DTG.exe
CONNECT
180.180.170.15:52007
http://180.180.170.15:52007discordapp.com:443
TH
suspicious
2448
DTG.exe
CONNECT
82.137.251.109:4145
http://82.137.251.109:4145discordapp.com:443
SY
unknown
3532
firefox.exe
POST
200
104.123.50.123:80
http://ocsp.int-x3.letsencrypt.org/
US
der
527 b
whitelisted
3532
firefox.exe
POST
200
151.139.128.14:80
http://ocsp.sectigo.com/
US
der
471 b
whitelisted
3532
firefox.exe
POST
200
151.139.128.14:80
http://ocsp.comodoca.com/
US
der
471 b
whitelisted
3532
firefox.exe
POST
200
104.18.21.226:80
http://ocsp2.globalsign.com/gsalphasha2g2
US
der
1.49 Kb
whitelisted
3532
firefox.exe
POST
200
216.58.206.227:80
http://ocsp.pki.goog/GTSGIAG3
US
der
471 b
whitelisted
3532
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
3532
firefox.exe
POST
200
151.139.128.14:80
http://ocsp.comodoca.com/
US
der
471 b
whitelisted
3532
firefox.exe
POST
200
143.204.178.49:80
http://ocsp.sca1b.amazontrust.com/
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3532
firefox.exe
95.101.182.227:80
detectportal.firefox.com
Akamai International B.V.
whitelisted
3532
firefox.exe
46.166.139.229:443
www108.zippyshare.com
NForce Entertainment B.V.
NL
unknown
3532
firefox.exe
104.18.21.226:80
ocsp2.globalsign.com
Cloudflare Inc
US
shared
3532
firefox.exe
216.58.198.196:443
www.google.com
Google Inc.
US
whitelisted
3532
firefox.exe
173.192.101.24:443
p232207.clksite.com
SoftLayer Technologies Inc.
US
suspicious
3532
firefox.exe
88.85.66.163:443
native.propellerclick.com
Webzilla B.V.
NL
unknown
3532
firefox.exe
143.204.178.5:443
d10lumateci472.cloudfront.net
US
unknown
3532
firefox.exe
104.123.50.123:80
ocsp.int-x3.letsencrypt.org
Akamai Technologies, Inc.
US
whitelisted
3532
firefox.exe
151.139.128.14:80
ocsp.comodoca.com
Highwinds Network Group, Inc.
US
suspicious
3532
firefox.exe
216.58.204.138:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www108.zippyshare.com
  • 46.166.139.229
unknown
detectportal.firefox.com
  • 95.101.182.227
whitelisted
aus5.mozilla.org
  • 52.43.79.30
whitelisted
ocsp2.globalsign.com
  • 104.18.21.226
whitelisted
search.services.mozilla.com
  • 52.88.179.171
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
tiles.services.mozilla.com
  • 34.209.86.85
whitelisted
snippets.cdn.mozilla.net
  • 143.204.173.62
  • 216.58.204.99
whitelisted
d10lumateci472.cloudfront.net
  • 143.204.178.5
whitelisted
www.maxonclick.com
  • 35.190.68.123
whitelisted

Threats

PID
Process
Class
Message
2448
DTG.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 5
2448
DTG.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (CONNECT)
2448
DTG.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 336
2448
DTG.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (CONNECT)
2448
DTG.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (CONNECT)
2448
DTG.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 5
2448
DTG.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (CONNECT)
2448
DTG.exe
Misc Attack
ET CINS Active Threat Intelligence Poor Reputation IP group 44
2448
DTG.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (CONNECT)
2448
DTG.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (CONNECT)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www108.zippyshare.com/v/qTEfEiRL/file.html