Malware analysis urls.txt Malicious activity | ANY.RUN

Add for printing

File name:	urls.txt
Full analysis:	https://app.any.run/tasks/9661a822-a380-4ff9-a7b1-3e071d8a1260
Verdict:	Malicious activity
Analysis date:	March 22, 2019, 08:55:39
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	text/plain
File info:	ASCII text, with CRLF line terminators
MD5:	E25AA85D4A1349434B06F1C5912FDF21
SHA1:	689661834DAE9880BC50CF373E51B3D0BB2F8A80
SHA256:	117A269A22C1D7D74FF0A0A8DC50541968A0CF7A61EAACE602DBD817D26BD87E
SSDEEP:	12:2MNUj6UwX3tpce68DMbwWMNUzsYmtDMbwWMNUjNSTDMbs:2yU2/X3568DwwWyUnQDwwWyUJSTDws

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executable content was dropped or overwritten
  - firefox.exe (PID: 2436)
INFO
- Reads CPU info
  - firefox.exe (PID: 2436)
- Application launched itself
  - firefox.exe (PID: 2436)
- Reads settings of System Certificates
  - firefox.exe (PID: 2436)
- Dropped object may contain Bitcoin addresses
  - firefox.exe (PID: 2436)
- Creates files in the user directory
  - firefox.exe (PID: 2436)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
1484	"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\urls.txt	C:\Windows\system32\NOTEPAD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2436	"C:\Program Files\Mozilla Firefox\firefox.exe"	C:\Program Files\Mozilla Firefox\firefox.exe		explorer.exe
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 65.0.2
324	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.0.96569499\1292492323" -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - "C:\Users\admin\AppData\LocalLow\Mozilla\Temp-{ce348e4c-7d33-445e-89f9-60108c51bcaf}" 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 1108 gpu	C:\Program Files\Mozilla Firefox\firefox.exe	—	firefox.exe
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 65.0.2
2540	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.6.450064173\1141797179" -childID 1 -isForBrowser -prefsHandle 1644 -prefMapHandle 1640 -prefsLen 1 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 1608 tab	C:\Program Files\Mozilla Firefox\firefox.exe		firefox.exe
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 65.0.2
3304	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.13.1116617424\141568979" -childID 2 -isForBrowser -prefsHandle 2332 -prefMapHandle 2340 -prefsLen 122 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 2392 tab	C:\Program Files\Mozilla Firefox\firefox.exe		firefox.exe
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 65.0.2
580	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.20.525388003\489297531" -childID 3 -isForBrowser -prefsHandle 3024 -prefMapHandle 2984 -prefsLen 5094 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 2936 tab	C:\Program Files\Mozilla Firefox\firefox.exe		firefox.exe
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 65.0.2
1524	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.27.593045318\1281186470" -childID 4 -isForBrowser -prefsHandle 3284 -prefMapHandle 3288 -prefsLen 5824 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 3292 tab	C:\Program Files\Mozilla Firefox\firefox.exe		firefox.exe
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 65.0.2
2952	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.34.924486299\910274962" -childID 5 -isForBrowser -prefsHandle 3528 -prefMapHandle 3464 -prefsLen 5882 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 3512 tab	C:\Program Files\Mozilla Firefox\firefox.exe		firefox.exe
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 65.0.2
2084	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.41.528732124\1262774639" -childID 6 -isForBrowser -prefsHandle 3036 -prefMapHandle 3140 -prefsLen 6843 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 3736 tab	C:\Program Files\Mozilla Firefox\firefox.exe		firefox.exe
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 65.0.2
516	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.48.1170858508\1708885888" -childID 7 -isForBrowser -prefsHandle 2260 -prefMapHandle 7996 -prefsLen 6996 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 8028 tab	C:\Program Files\Mozilla Firefox\firefox.exe		firefox.exe
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 65.0.2

Add for printing

Total events

799

Read events

787

Write events

Delete events

Modification events


(PID) Process:	(2436) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(2436) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 460000006E000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:	(2436) firefox.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US

Add for printing

Executable files

Suspicious files

184

Text files

Unknown types

127

Dropped files

PID	Process	Filename		Type
2436	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js		—
		MD5:—	SHA256:—
2436	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp		—
		MD5:—	SHA256:—
2436	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin		binary
		MD5:C3A9989BA17002377D139ECE64F6989F	SHA256:783A90DE10044CC155212243ED346C2AB51BFF1FF3B50232CABFD9DF8EB0091A
2436	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json		text
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
2436	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js		text
		MD5:95802314368804DC02B0983737400430	SHA256:792AF4DB39ACE4FCD52AB3512769B6F2BA508C541A62D4E137A2BA91314ECF55
2436	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\entries\2A61ECA461A465E97511D68135C0DFFFBF093BB0		der
		MD5:DF6816A3183442079F7A5B56D1A61493	SHA256:EE6BD910D5F725801424D9770D88AA82771F85B94F7B1B7C9460C3D18AACBEDB
2436	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-child-current.bin		binary
		MD5:C8C881CB2BCDAE33DA6F19BB200BC4BF	SHA256:BF7A738A7F98D25531E0CE0DA229B9031C1040795AC30BC3D341759B6083EFAC
2436	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin		binary
		MD5:AC883E1540054B6B75B0229FD8CF8BB3	SHA256:1298683E48691721E36AD37EA14504B4EE025A0317B58AD259704FFD088F0625
2436	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-track-digest256.sbstore		binary
		MD5:23E438FD4AF1829D4469FF8D0BC83854	SHA256:96E0D7644AEA81D26F039AE633EB405583E11B020363090DAC5CAD9B4B188846
2436	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

197

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2436	firefox.exe	POST	200	93.184.220.29:80	http://ocsp.digicert.com/	US	der	471 b	whitelisted
2436	firefox.exe	POST	200	93.184.220.29:80	http://ocsp.digicert.com/	US	der	471 b	whitelisted
2436	firefox.exe	POST	200	216.58.205.227:80	http://ocsp.pki.goog/GTSGIAG3	US	der	471 b	whitelisted
2436	firefox.exe	GET	301	168.1.6.149:80	http://vulnerabilitytest.quixxi.com/?fwd=cd&data=%7B%22email%22%3A%22petermagala%40vub.sk%22%7D	AU	html	223 b	unknown
2436	firefox.exe	POST	200	2.21.242.245:80	http://ocsp.int-x3.letsencrypt.org/	NL	der	527 b	whitelisted
2436	firefox.exe	POST	200	188.121.36.239:80	http://ocsp.godaddy.com/	NL	der	1.74 Kb	whitelisted
2436	firefox.exe	POST	200	93.184.220.29:80	http://ocsp.digicert.com/	US	der	471 b	whitelisted
2436	firefox.exe	POST	200	216.58.205.227:80	http://ocsp.pki.goog/GTSGIAG3	US	der	471 b	whitelisted
2436	firefox.exe	POST	200	216.58.205.227:80	http://ocsp.pki.goog/GTSGIAG3	US	der	471 b	whitelisted
2436	firefox.exe	POST	200	216.58.205.227:80	http://ocsp.pki.goog/GTSGIAG3	US	der	471 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2436	firefox.exe	93.184.220.29:80	ocsp.digicert.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted
2436	firefox.exe	2.16.186.112:80	detectportal.firefox.com	Akamai International B.V.	—	whitelisted
2436	firefox.exe	104.16.40.2:443	www.mozilla.org	Cloudflare Inc	US	shared
2436	firefox.exe	34.214.20.242:443	tiles.services.mozilla.com	Amazon.com, Inc.	US	unknown
2436	firefox.exe	34.213.175.109:443	search.services.mozilla.com	Amazon.com, Inc.	US	unknown
2436	firefox.exe	143.204.99.61:443	snippets.cdn.mozilla.net	—	US	unknown
2436	firefox.exe	172.217.22.115:443	list-manage.agle1.cc	Google Inc.	US	whitelisted
2436	firefox.exe	216.58.207.42:443	safebrowsing.googleapis.com	Google Inc.	US	whitelisted
2436	firefox.exe	216.58.205.227:80	ocsp.pki.goog	Google Inc.	US	whitelisted
2436	firefox.exe	54.187.176.55:443	shavar.services.mozilla.com	Amazon.com, Inc.	US	unknown

DNS requests

Domain	IP	Reputation
detectportal.firefox.com	2.16.186.112 2.16.186.50	whitelisted
a1089.dscd.akamai.net	2.16.186.50 2.16.186.112	whitelisted
search.services.mozilla.com	34.213.175.109 52.88.150.81 35.166.112.39	whitelisted
search.r53-2.services.mozilla.com	35.166.112.39 52.88.150.81 34.213.175.109	whitelisted
ocsp.digicert.com	93.184.220.29	whitelisted
cs9.wac.phicdn.net	93.184.220.29	whitelisted
tiles.services.mozilla.com	34.214.20.242 52.41.78.152 52.43.40.243 52.43.91.152 35.160.41.125 34.208.7.98 54.149.115.79 54.186.163.246 52.39.131.77 52.25.148.139 35.164.197.9 52.26.103.165 35.165.22.140 52.35.250.5	whitelisted
tiles.r53-2.services.mozilla.com	54.186.163.246 54.149.115.79 34.208.7.98 35.160.41.125 52.43.91.152 52.43.40.243 52.41.78.152 34.214.20.242 52.39.131.77 52.35.250.5 35.165.22.140 52.26.103.165 35.164.197.9 52.25.148.139	whitelisted
snippets.cdn.mozilla.net	143.204.99.61	whitelisted
drcwo519tnci7.cloudfront.net	143.204.99.61	shared

Threats

No threats detected

Add for printing

No debug info

General Info

urls.txt

E25AA85D4A1349434B06F1C5912FDF21

689661834DAE9880BC50CF373E51B3D0BB2F8A80

117A269A22C1D7D74FF0A0A8DC50541968A0CF7A61EAACE602DBD817D26BD87E

12:2MNUj6UwX3tpce68DMbwWMNUzsYmtDMbwWMNUjNSTDMbs:2yU2/X3568DwwWyUnQDwwWyUJSTDws

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executable content was dropped or overwritten

INFO

Reads CPU info

Application launched itself

Reads settings of System Certificates

Dropped object may contain Bitcoin addresses

Creates files in the user directory

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings