analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

view.aspx

Full analysis: https://app.any.run/tasks/ab93bd19-02ad-48fc-bf80-ecc8f7670746
Verdict: Malicious activity
Analysis date: December 02, 2019, 20:17:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/html
File info: HTML document, ASCII text, with very long lines, with CRLF, LF line terminators
MD5:

E70584517A787A9A6A23D595C96F006E

SHA1:

FF7FC3551B4B6BB0898EBD5394BE22E42772B272

SHA256:

96EA075C2D79AE1CF6D93094E3163085556E4F918180055A62B6E13696326CE5

SSDEEP:

1536:oSqPmf2LEGY8rGhMlP0FwAw2V2I/nDSVUvDl+tVq0hrwRPv1td:oTIeGJFwAWUvDYt3rwRPv1td

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Creates files in the program directory

      • firefox.exe (PID: 1528)
  • INFO

    • Application launched itself

      • firefox.exe (PID: 1528)
    • Reads CPU info

      • firefox.exe (PID: 1528)
    • Modifies the open verb of a shell class

      • rundll32.exe (PID: 2492)
    • Creates files in the user directory

      • firefox.exe (PID: 1528)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

EXIF

HTML

Title: Welcome! View Payment Copy - Microsoft OneNote Online
Robots: noindex
formatDetection: telephone=no
viewport: width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no
referrer: origin-when-cross-origin
msapplicationTapHighlight: no
Description: -
ContentType: text/html;charset=utf-8
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
8
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rundll32.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe firefox.exe firefox.exe firefox.exe

Process information

PID
CMD
Path
Indicators
Parent process
2492"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\view.aspxC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3328"C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Users\admin\AppData\Local\Temp\view.aspx"C:\Program Files\Mozilla Firefox\firefox.exerundll32.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
1528"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\admin\AppData\Local\Temp\view.aspxC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
68.0.1
3568"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1528.0.1195272615\85781755" -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 1528 "\\.\pipe\gecko-crash-server-pipe.1528" 1168 gpuC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
68.0.1
3392"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1528.3.1538880144\1896027292" -childID 1 -isForBrowser -prefsHandle 1692 -prefMapHandle 1688 -prefsLen 1 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 1528 "\\.\pipe\gecko-crash-server-pipe.1528" 1712 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
68.0.1
1708"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1528.13.1720830635\2139720379" -childID 2 -isForBrowser -prefsHandle 2596 -prefMapHandle 2728 -prefsLen 5997 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 1528 "\\.\pipe\gecko-crash-server-pipe.1528" 2736 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
68.0.1
3792"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1528.20.2033785405\1336524091" -childID 3 -isForBrowser -prefsHandle 3604 -prefMapHandle 3620 -prefsLen 6719 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 1528 "\\.\pipe\gecko-crash-server-pipe.1528" 3632 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
68.0.1
1884"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1528.27.1749289839\99960781" -childID 4 -isForBrowser -prefsHandle 4028 -prefMapHandle 4024 -prefsLen 7130 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 1528 "\\.\pipe\gecko-crash-server-pipe.1528" 4040 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
68.0.1
Total events
1 112
Read events
964
Write events
147
Delete events
1

Modification events

(PID) Process:(2492) rundll32.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:LangID
Value:
0904
(PID) Process:(2492) rundll32.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\Windows\system32\NOTEPAD.EXE
Value:
Notepad
(PID) Process:(2492) rundll32.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
Value:
WordPad
(PID) Process:(2492) rundll32.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Value:
Adobe Acrobat Reader DC
(PID) Process:(2492) rundll32.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\Windows\eHome\ehshell.exe
Value:
Windows Media Center
(PID) Process:(2492) rundll32.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\Program Files\Internet Explorer\iexplore.exe
Value:
Internet Explorer
(PID) Process:(2492) rundll32.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\Windows\system32\mspaint.exe
Value:
Paint
(PID) Process:(2492) rundll32.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\PROGRA~1\MICROS~1\Office14\OIS.EXE
Value:
Microsoft Office 2010
(PID) Process:(2492) rundll32.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\Program Files\Opera\Opera.exe
Value:
Opera Internet Browser
(PID) Process:(2492) rundll32.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\Program Files\Windows Photo Viewer\PhotoViewer.dll
Value:
Windows Photo Viewer
Executable files
0
Suspicious files
157
Text files
64
Unknown types
96

Dropped files

PID
Process
Filename
Type
1528firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin
MD5:
SHA256:
1528firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
MD5:
SHA256:
1528firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
MD5:
SHA256:
1528firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json
MD5:
SHA256:
1528firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
MD5:
SHA256:
1528firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm
MD5:
SHA256:
1528firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
MD5:
SHA256:
1528firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
MD5:
SHA256:
1528firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp
MD5:
SHA256:
1528firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4jsonlz4
MD5:6D378E0D40B6EACA22C8BCE899A1C5C1
SHA256:ADA2467B2477ACEFF837AC7820C435AD1EBBE844B2DA31C7AB9AE8D010C7A639
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
85
DNS requests
144
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1528
firefox.exe
GET
200
193.61.20.134:80
http://www.bbk.ac.uk/ems/faculty/schroeder/schroeder-downloads/PWM.pdf
GB
pdf
210 Kb
whitelisted
1528
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
1528
firefox.exe
GET
200
193.61.20.134:80
http://www.bbk.ac.uk/favicon.ico
GB
image
1.37 Kb
whitelisted
1528
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
1528
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
1528
firefox.exe
GET
301
193.61.20.134:80
http://bbk.ac.uk/ems/faculty/schroeder/schroeder-downloads/PWM.pdf
GB
html
278 b
whitelisted
1528
firefox.exe
GET
200
2.16.186.112:80
http://detectportal.firefox.com/success.txt
unknown
text
8 b
whitelisted
1528
firefox.exe
GET
200
2.16.186.112:80
http://detectportal.firefox.com/success.txt
unknown
text
8 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1528
firefox.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1528
firefox.exe
2.16.186.25:443
spoprod-a.akamaihd.net
Akamai International B.V.
whitelisted
1528
firefox.exe
2.16.186.112:80
detectportal.firefox.com
Akamai International B.V.
whitelisted
1528
firefox.exe
23.8.8.186:443
p.sfx.ms
Akamai International B.V.
NL
unknown
1528
firefox.exe
13.107.6.171:443
onenote.officeapps.live.com
Microsoft Corporation
US
whitelisted
1528
firefox.exe
52.39.125.254:443
tiles.services.mozilla.com
Amazon.com, Inc.
US
unknown
1528
firefox.exe
13.35.253.28:443
snippets.cdn.mozilla.net
US
malicious
1528
firefox.exe
35.164.109.147:443
search.services.mozilla.com
Amazon.com, Inc.
US
unknown
1528
firefox.exe
72.247.225.58:443
s1-onenote-15.cdn.office.net
Akamai Technologies, Inc.
US
whitelisted
1528
firefox.exe
172.217.16.170:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
detectportal.firefox.com
  • 2.16.186.112
  • 2.16.186.50
whitelisted
a1089.dscd.akamai.net
  • 2.16.186.50
  • 2.16.186.112
whitelisted
search.services.mozilla.com
  • 35.164.109.147
  • 52.35.182.58
  • 52.89.218.39
whitelisted
search.r53-2.services.mozilla.com
  • 52.89.218.39
  • 52.35.182.58
  • 35.164.109.147
whitelisted
spoprod-a.akamaihd.net
  • 2.16.186.25
  • 2.16.186.40
whitelisted
s1-onenote-15.cdn.office.net
  • 72.247.225.58
whitelisted
s1-officeapps-15.cdn.office.netwv
suspicious
onenote.officeapps.live.com
  • 13.107.6.171
whitelisted
p.sfx.ms
  • 23.8.8.186
whitelisted
a1531.g2.akamai.net
  • 2.16.186.40
  • 2.16.186.25
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO Observed DNS Query to .cloud TLD
Potentially Bad Traffic
ET INFO Observed DNS Query to .cloud TLD
No debug info