Field | Value
---|---
URL | http://45.148.10.84/r.png
Full analysis | https://app.any.run/tasks/fe45370c-0eae-4af7-ae0d-8df26861ceac
Verdict | Malicious activity
Analysis date | March 15, 2020, 00:12:42
OS | Windows 10 Professional (build: 16299, 64 bit)
Indicators | 
MD5 | 1A7A5B984E5CF1354CE9720C5F0D1E28
SHA1 | F96A0D6AE37C7E0FE060566D8A8424F28FBFC4A1
SHA256 | A727223651E5448F8FDE65047CBBA0E6758DAC07200950A881B7BCE06609F127
SSDEEP | 3:N1KgJULsQ:CgaLR

PID | CMD | Path | Indicators | Parent process | User | Integrity Level | Company | Description | Exit code | Version
---|---|---|---|---|---|---|---|---|---|---
5288 | "C:\Program Files\Mozilla Firefox\firefox.exe" "http://45.148.10.84/r.png" | C:\Program Files\Mozilla Firefox\firefox.exe | | explorer.exe | admin | MEDIUM | Mozilla Corporation | Firefox | 0 | 65.0.2
3188 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5288.0.343506542\830036633" -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - "C:\Users\admin\AppData\LocalLow\Mozilla\Temp-{048b6647-5496-472c-a8de-1c5bfaf6adf3}" 5288 "\\.\pipe\gecko-crash-server-pipe.5288" 1480 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | admin | MEDIUM | Mozilla Corporation | Firefox | 1 | 65.0.2
3800 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5288.6.98134537\675813341" -childID 1 -isForBrowser -prefsHandle 2324 -prefMapHandle 2320 -prefsLen 1 -prefMapSize 179819 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 5288 "\\.\pipe\gecko-crash-server-pipe.5288" 2144 tab | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe | admin | LOW | Mozilla Corporation | Firefox | 0 | 65.0.2
3424 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5288.13.801949341\205785359" -childID 2 -isForBrowser -prefsHandle 3340 -prefMapHandle 3348 -prefsLen 301 -prefMapSize 179819 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 5288 "\\.\pipe\gecko-crash-server-pipe.5288" 2824 tab | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe | admin | LOW | Mozilla Corporation | Firefox | 0 | 65.0.2
4544 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5288.20.406587133\1111218184" -childID 3 -isForBrowser -prefsHandle 3988 -prefMapHandle 4188 -prefsLen 5925 -prefMapSize 179819 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 5288 "\\.\pipe\gecko-crash-server-pipe.5288" 4200 tab | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe | admin | LOW | Mozilla Corporation | Firefox | 0 | 65.0.2
5408 | C:\Windows\System32\RuntimeBroker.exe -Embedding | C:\Windows\System32\RuntimeBroker.exe | — | svchost.exe | admin | MEDIUM | Microsoft Corporation | Runtime Broker | | 10.0.16299.15 (WinBuild.160101.0800)
5572 | "C:\WINDOWS\system32\cmd.exe" | C:\WINDOWS\system32\cmd.exe | — | explorer.exe | admin | MEDIUM | Microsoft Corporation | Windows Command Processor | | 10.0.16299.15 (WinBuild.160101.0800)
1020 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\WINDOWS\system32\conhost.exe | | cmd.exe | admin | MEDIUM | Microsoft Corporation | Console Window Host | | 10.0.16299.15 (WinBuild.160101.0800)
4224 | powershell | C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe | | cmd.exe | admin | MEDIUM | Microsoft Corporation | Windows PowerShell | | 10.0.16299.15 (WinBuild.160101.0800)
5972 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\WINDOWS\System32\rundll32.exe | — | svchost.exe | admin | MEDIUM | Microsoft Corporation | Windows host process (Rundll32) | 0 | 10.0.16299.15 (WinBuild.160101.0800)

PID | Process | Key | Name | Operation | Value
---|---|---|---|---|---
5408 | RuntimeBroker.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1
5408 | RuntimeBroker.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1
5408 | RuntimeBroker.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1
5408 | RuntimeBroker.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0
4224 | powershell.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\192\52C64B7E | LanguageList | write | en-US
4224 | powershell.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1
4224 | powershell.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1
4224 | powershell.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1
4224 | powershell.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0
4224 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableFileTracing | write | 0

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
5288 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\ccduiye8.default\pluginreg.dat.tmp | — | — | —
5288 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\ccduiye8.default\prefs-1.js | — | — | —
5288 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\ccduiye8.default\sessionCheckpoints.json.tmp | — | — | —
5288 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\ccduiye8.default\startupCache\urlCache-current.bin | binary | 6BE90D5B88E2D0E67B03D47BE69F46C9 | 98DDF9B3A0A7FCB83CA0B97EF3A58E52B826C7FA2D055D5CB735F9184019136D
5288 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\ccduiye8.default\pluginreg.dat | text | EFF3B2743D0030C24B55A3DBAD1DBBF2 | 839C3D45F96266B6A4A45DEE4D109B920CD1DD039665921762DF8A09626C4083
5288 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\ccduiye8.default\startupCache\scriptCache-child-current.bin | binary | FFE3D6E882CFFF7630148B3682FBF935 | 40D35E6A88630C2B7A9C908F822EB79309228E612019250B364429D16BDDD337
5288 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\ccduiye8.default\prefs.js | text | 4DA906EFF58A6AC688454015AF870586 | CFB72EB0FC901B80BEF073B326CE1A7E97FEF805CDF44039DC27AF689E163723
5288 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\ccduiye8.default\safebrowsing-updating\block-flashsubdoc-digest256.sbstore | binary | 04824A1F92353F43EBB9E7F74B7476FD | B48E58EBAB82E4C376F16150A3FFF850C1111FF1F5985D68819CFD6F0DB159D2
5288 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\ccduiye8.default\safebrowsing-updating\except-flash-digest256.sbstore | binary | C921D8E98FA01B4F303481E112202E92 | 4EF1038730EC8BC7206713C29A936768831B922C5E6C83355FD62D7401D8C1DC
5288 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\ccduiye8.default\safebrowsing-updating\block-flash-digest256.sbstore | binary | 0E8FE60CCD7E9B4C32589A5743A95302 | 2B124D4026850A3CFFD28DBACB58AEC28F7DCD4D40BC14E52BBE96D60CE4E749

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4224 | powershell.exe | GET | 200 | 45.148.10.84:80 | http://45.148.10.84/r.png | unknown | pl | 58.2 Kb | unknown |
4224 | powershell.exe | GET | 200 | 45.148.10.84:80 | http://45.148.10.84/r.png | unknown | pl | 58.2 Kb | unknown |
5288 | firefox.exe | GET | 200 | 45.148.10.84:80 | http://45.148.10.84/r.png | unknown | pl | 58.2 Kb | unknown |
5288 | firefox.exe | GET | 404 | 45.148.10.84:80 | http://45.148.10.84/favicon.ico | unknown | html | 287 b | unknown |
5288 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
5288 | firefox.exe | POST | 200 | 173.194.220.94:80 | http://ocsp.pki.goog/gts1o1 | US | der | 472 b | whitelisted |
5288 | firefox.exe | GET | 200 | 188.43.76.56:80 | http://detectportal.firefox.com/success.txt | RU | text | 8 b | whitelisted |

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---|
5288 | firefox.exe | 188.43.76.56:80 | detectportal.firefox.com | Closed Joint Stock Company TransTeleCom | RU | unknown |
5288 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
5288 | firefox.exe | 45.148.10.84:80 | — | — | — | unknown |
5288 | firefox.exe | 13.33.243.84:443 | snippets.cdn.mozilla.net | — | US | unknown |
5288 | firefox.exe | 173.194.220.94:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
5288 | firefox.exe | 52.11.143.45:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown |
4224 | powershell.exe | 45.148.10.84:80 | — | — | — | unknown |
5288 | firefox.exe | 64.233.165.95:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |

Domain | IP | Reputation
---|---|---
detectportal.firefox.com | | whitelisted
search.services.mozilla.com | | whitelisted
snippets.cdn.mozilla.net | | whitelisted
safebrowsing.googleapis.com | | whitelisted
ocsp.digicert.com | | whitelisted
ocsp.pki.goog | | whitelisted
blog.mozilla.org | | whitelisted
www.youtube.com | | whitelisted
www.facebook.com | | whitelisted
www.ebay.de | | whitelisted

Process | Message
---|---
conhost.exe | InitSideBySide failed create an activation context. Error: 1814
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093