URL:	https://base64.guru/converter/decode/file
Full analysis:	https://app.any.run/tasks/6698d5eb-d81f-411f-b21b-2e0a983f1891
Verdict:	Malicious activity
Analysis date:	February 26, 2020, 13:47:18
OS:	Windows Vista Business Service Pack 2 (build: 6002, 32 bit)
Indicators:
MD5:	BEAE4DD9059DE2544CC61218E113C092
SHA1:	A43A0AB999266128CF8E36DE24BE98540FAC6FBB
SHA256:	1EE4E6664B6A404CF62FA6433E878D9C3098E8CB749EE9BEBEAEEA6A9C794170
SSDEEP:	3:N8ldGAk2Kxn:2TX6


(PID) Process:	(3432) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9da96397-48b9-11e8-bb1b-806e6f6e6963}
Operation:	write	Name:	BaseClass
Value: Drive
(PID) Process:	(3432) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	MigrateProxy
Value: 1
(PID) Process:	(3432) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(3432) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 460000002F000000010000000000000000000000000000000000000000000000A064E98E49DCD301000000000000000000000000030000001700000000000000FE800000000000008C79D8E2DC06194A0800000070C7E77580C7E775B0F1E875F8C7E775010000005044393800000000000000000000000000000000000000000000000000000000000000000800000000000000E8DB1900E0A65C0400080000020000000000006000000020F00A000040595D04020000001700000000000000FE8000000000000000005EFEC0A801F80900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002C00000020000000C8000000000000000000000000000000000000000000000000000000070000000000000000000000000000000000000002000000C0A801F8000000000000000000000000000000000000000000000000181002C00000000000000000000000000000000001000000485F4C040000000000000000000000000100000000000000FFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000001C00000000
(PID) Process:	(3432) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(3432) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(788) application.com	Key:	HKEY_CURRENT_USER
Operation:	write	Name:	di
Value: !
(PID) Process:	(3776) rundll32.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9da96397-48b9-11e8-bb1b-806e6f6e6963}
Operation:	write	Name:	BaseClass
Value: Drive
(PID) Process:	(3776) rundll32.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:	write	Name:	C:\Windows\system32\mspaint.exe
Value: Paint
(PID) Process:	(3776) rundll32.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:	write	Name:	C:\PROGRA~1\MICROS~1\Office12\OIS.EXE
Value: Microsoft Office Picture Manager

PID	Process	Filename		Type
3432	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\xdgwq2fe.default\sessionCheckpoints.json.tmp		—
		MD5:—	SHA256:—
3432	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\xdgwq2fe.default\pluginreg.dat.tmp		—
		MD5:—	SHA256:—
3432	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\xdgwq2fe.default\cache2\entries\80D1F25ED342E3C154179F51AB4EDC92CDE0B9E6		image
		MD5:—	SHA256:—
3432	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\xdgwq2fe.default\cache2\entries\83ADFCCE347FF814DA819C7A0C210EB9DD08B641		image
		MD5:—	SHA256:—
3432	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\xdgwq2fe.default\cache2\entries\5909FBB54D48BF4ABD4BE077EB3363C63410C935		binary
		MD5:—	SHA256:—
3432	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\xdgwq2fe.default\safebrowsing-backup		—
		MD5:—	SHA256:—
3432	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\xdgwq2fe.default\cache2\entries\DDC6770BCF19C5611D819DBDC678F583C57A388B		image
		MD5:—	SHA256:—
3432	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\xdgwq2fe.default\cache2\entries\3E7A452AE8430347D35E76CD2A05CAFBE0283F99		binary
		MD5:—	SHA256:—
3432	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\xdgwq2fe.default\cache2\entries\E50000862DC7658EDA5FA0586761A1D3E643CCF5		image
		MD5:—	SHA256:—
3432	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\xdgwq2fe.default\cache2\entries\D77083F11ACBD9A279D652E9178CD431E7A4F044		image
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3432	firefox.exe	GET	200	104.27.142.51:443	https://base64.guru/converter/decode/file	US	html	48.1 Kb	malicious
3432	firefox.exe	GET	200	52.11.143.45:443	https://search.services.mozilla.com/1/firefox/50.0.2/esr/en-US/DE/default/default	US	text	152 b	whitelisted
3432	firefox.exe	GET	200	104.27.142.51:443	https://static.base64.guru/js/form_base64.min.js?1.0.37	US	text	4.35 Kb	whitelisted
3432	firefox.exe	GET	200	172.217.16.136:443	https://www.googletagmanager.com/gtag/js?id=UA-134607367-1	US	text	74.4 Kb	whitelisted
3432	firefox.exe	GET	200	104.27.142.51:443	https://static.base64.guru/css/style.min.css?1.0.60	US	text	11.1 Kb	whitelisted
3432	firefox.exe	GET	200	104.27.142.51:443	https://static.base64.guru/js/comments.min.js?1.0.37	US	text	2.79 Kb	whitelisted
3432	firefox.exe	GET	200	172.217.16.194:443	https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js	US	text	105 Kb	whitelisted
3432	firefox.exe	GET	200	104.27.142.51:443	https://static.base64.guru/img/favicon.ico	US	image	1.12 Kb	whitelisted
3432	firefox.exe	GET	200	104.27.142.51:443	https://static.base64.guru/uploads/blog/base64-encryption-is-a-lie.jpg	US	image	34.6 Kb	whitelisted
3432	firefox.exe	GET	200	104.27.142.51:443	https://static.base64.guru/uploads/blog/validate-base64-using-notepad-plus-plus.jpg	US	image	41.3 Kb	whitelisted

Domain	IP	Reputation
search.services.mozilla.com	52.11.143.45 52.38.153.3 54.149.124.142	whitelisted
search.r53-2.services.mozilla.com	54.149.124.142 52.38.153.3 52.11.143.45	whitelisted
tiles.services.mozilla.com	—	whitelisted
base64.guru	104.27.142.51 104.27.143.51	malicious
static.base64.guru	104.27.142.51 104.27.143.51 13.35.253.69 13.35.253.124 13.35.253.12 13.35.253.15	whitelisted
pagead2.googlesyndication.com	172.217.16.194	whitelisted
www.googletagmanager.com	172.217.16.136	whitelisted
pagead46.l.doubleclick.net	172.217.16.194	whitelisted
www-googletagmanager.l.google.com	104.111.236.128	whitelisted
adservice.google.fr	172.217.22.66	whitelisted

PID	Process	Class	Message
1240	svchost.exe	Potentially Bad Traffic	ET INFO Observed DNS Query to .cloud TLD
1240	svchost.exe	Potentially Bad Traffic	ET INFO Observed DNS Query to .cloud TLD

Process	Message
notepad++.exe	VerifyLibrary: certificate revocation checking is disabled
notepad++.exe	VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe	42C4C5846BB675C74E2B2C90C69AB44366401093
notepad++.exe	VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe	VerifyLibrary: certificate revocation checking is disabled
notepad++.exe	42C4C5846BB675C74E2B2C90C69AB44366401093
notepad++.exe	VerifyLibrary: certificate revocation checking is disabled
notepad++.exe	VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe	42C4C5846BB675C74E2B2C90C69AB44366401093
notepad++.exe	VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll

PID	Process	IP	Domain	ASN	CN	Reputation
3432	firefox.exe	52.11.143.45:443	search.services.mozilla.com	Amazon.com, Inc.	US	unknown
3432	firefox.exe	216.58.210.2:443	adservice.google.com	Google Inc.	US	whitelisted
3432	firefox.exe	172.217.22.66:443	adservice.google.fr	Google Inc.	US	whitelisted
3432	firefox.exe	172.217.18.162:443	googleads.g.doubleclick.net	Google Inc.	US	whitelisted
3432	firefox.exe	216.58.207.46:443	www.google-analytics.com	Google Inc.	US	whitelisted
3432	firefox.exe	64.233.167.156:443	stats.g.doubleclick.net	Google Inc.	US	whitelisted
3432	firefox.exe	172.217.23.142:443	safebrowsing.google.com	Google Inc.	US	whitelisted
3432	firefox.exe	143.204.202.50:443	tracking-protection.cdn.mozilla.net	—	US	malicious
3432	firefox.exe	52.43.22.113:443	shavar.services.mozilla.com	Amazon.com, Inc.	US	unknown
3432	firefox.exe	216.58.205.226:443	adservice.google.com	Google Inc.	US	whitelisted

General Info

https://base64.guru/converter/decode/file

BEAE4DD9059DE2544CC61218E113C092

A43A0AB999266128CF8E36DE24BE98540FAC6FBB

1EE4E6664B6A404CF62FA6433E878D9C3098E8CB749EE9BEBEAEEA6A9C794170

3:N8ldGAk2Kxn:2TX6

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

SUSPICIOUS

Executable content was dropped or overwritten

Creates files in the user directory

Uses RUNDLL32.EXE to load library

Starts CMD.EXE for commands execution

Application launched itself

INFO

Application launched itself

Manual execution by user

Reads CPU info

Creates files in the user directory

Modifies the open verb of a shell class

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings