URL:

http://45.148.10.84/r.png

Full analysis: https://app.any.run/tasks/fe45370c-0eae-4af7-ae0d-8df26861ceac
Verdict: Malicious activity
Analysis date: March 15, 2020, 00:12:42
OS: Windows 10 Professional (build: 16299, 64 bit)
Indicators:
MD5:

1A7A5B984E5CF1354CE9720C5F0D1E28

SHA1:

F96A0D6AE37C7E0FE060566D8A8424F28FBFC4A1

SHA256:

A727223651E5448F8FDE65047CBBA0E6758DAC07200950A881B7BCE06609F127

SSDEEP:

3:N1KgJULsQ:CgaLR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 5572)
  • SUSPICIOUS

    • Executed via COM

      • RuntimeBroker.exe (PID: 5408)
      • rundll32.exe (PID: 5972)
    • Reads Environment values

      • powershell.exe (PID: 4224)
    • Creates files in the program directory

      • firefox.exe (PID: 5288)
    • Checks supported languages

      • RuntimeBroker.exe (PID: 5408)
    • Creates files in the user directory

      • notepad++.exe (PID: 3384)
    • Reads the machine GUID from the registry

      • notepad++.exe (PID: 3384)
      • powershell.exe (PID: 4224)
  • INFO

    • Reads CPU info

      • firefox.exe (PID: 5288)
    • Reads the software policy settings

      • powershell.exe (PID: 4224)
    • Reads the machine GUID from the registry

      • firefox.exe (PID: 5288)
    • Manual execution by user

      • cmd.exe (PID: 5572)
      • notepad++.exe (PID: 3384)
    • Application launched itself

      • firefox.exe (PID: 5288)
    • Reads settings of System Certificates

      • powershell.exe (PID: 4224)
    • Creates files in the user directory

      • firefox.exe (PID: 5288)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
92
Monitored processes
11
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start firefox.exe firefox.exe no specs firefox.exe firefox.exe firefox.exe runtimebroker.exe no specs cmd.exe no specs conhost.exe powershell.exe rundll32.exe no specs notepad++.exe

Process information

PID
CMD
Path
Indicators
Parent process
5288"C:\Program Files\Mozilla Firefox\firefox.exe" "http://45.148.10.84/r.png"C:\Program Files\Mozilla Firefox\firefox.exe
explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
3188"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5288.0.343506542\830036633" -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - "C:\Users\admin\AppData\LocalLow\Mozilla\Temp-{048b6647-5496-472c-a8de-1c5bfaf6adf3}" 5288 "\\.\pipe\gecko-crash-server-pipe.5288" 1480 gpuC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
1
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
3800"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5288.6.98134537\675813341" -childID 1 -isForBrowser -prefsHandle 2324 -prefMapHandle 2320 -prefsLen 1 -prefMapSize 179819 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 5288 "\\.\pipe\gecko-crash-server-pipe.5288" 2144 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
3424"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5288.13.801949341\205785359" -childID 2 -isForBrowser -prefsHandle 3340 -prefMapHandle 3348 -prefsLen 301 -prefMapSize 179819 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 5288 "\\.\pipe\gecko-crash-server-pipe.5288" 2824 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
4544"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5288.20.406587133\1111218184" -childID 3 -isForBrowser -prefsHandle 3988 -prefMapHandle 4188 -prefsLen 5925 -prefMapSize 179819 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 5288 "\\.\pipe\gecko-crash-server-pipe.5288" 4200 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
5408C:\Windows\System32\RuntimeBroker.exe -EmbeddingC:\Windows\System32\RuntimeBroker.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Runtime Broker
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runtimebroker.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\sechost.dll
5572"C:\WINDOWS\system32\cmd.exe" C:\WINDOWS\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
1020\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\WINDOWS\system32\conhost.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
4224powershellC:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
5972C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\WINDOWS\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
Total events
2 929
Read events
2 863
Write events
66
Delete events
0

Modification events

(PID) Process:(5408) RuntimeBroker.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(5408) RuntimeBroker.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(5408) RuntimeBroker.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(5408) RuntimeBroker.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(4224) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\192\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(4224) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(4224) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(4224) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(4224) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(4224) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
Executable files
0
Suspicious files
33
Text files
26
Unknown types
26

Dropped files

PID
Process
Filename
Type
5288firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\ccduiye8.default\pluginreg.dat.tmp
MD5:
SHA256:
5288firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\ccduiye8.default\prefs-1.js
MD5:
SHA256:
5288firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\ccduiye8.default\sessionCheckpoints.json.tmp
MD5:
SHA256:
5288firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\ccduiye8.default\startupCache\urlCache-current.binbinary
MD5:6BE90D5B88E2D0E67B03D47BE69F46C9
SHA256:98DDF9B3A0A7FCB83CA0B97EF3A58E52B826C7FA2D055D5CB735F9184019136D
5288firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\ccduiye8.default\pluginreg.dattext
MD5:EFF3B2743D0030C24B55A3DBAD1DBBF2
SHA256:839C3D45F96266B6A4A45DEE4D109B920CD1DD039665921762DF8A09626C4083
5288firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\ccduiye8.default\startupCache\scriptCache-child-current.binbinary
MD5:FFE3D6E882CFFF7630148B3682FBF935
SHA256:40D35E6A88630C2B7A9C908F822EB79309228E612019250B364429D16BDDD337
5288firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\ccduiye8.default\prefs.jstext
MD5:4DA906EFF58A6AC688454015AF870586
SHA256:CFB72EB0FC901B80BEF073B326CE1A7E97FEF805CDF44039DC27AF689E163723
5288firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\ccduiye8.default\safebrowsing-updating\block-flashsubdoc-digest256.sbstorebinary
MD5:04824A1F92353F43EBB9E7F74B7476FD
SHA256:B48E58EBAB82E4C376F16150A3FFF850C1111FF1F5985D68819CFD6F0DB159D2
5288firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\ccduiye8.default\safebrowsing-updating\except-flash-digest256.sbstorebinary
MD5:C921D8E98FA01B4F303481E112202E92
SHA256:4EF1038730EC8BC7206713C29A936768831B922C5E6C83355FD62D7401D8C1DC
5288firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\ccduiye8.default\safebrowsing-updating\block-flash-digest256.sbstorebinary
MD5:0E8FE60CCD7E9B4C32589A5743A95302
SHA256:2B124D4026850A3CFFD28DBACB58AEC28F7DCD4D40BC14E52BBE96D60CE4E749
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
10
DNS requests
38
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4224
powershell.exe
GET
200
45.148.10.84:80
http://45.148.10.84/r.png
unknown
pl
58.2 Kb
unknown
4224
powershell.exe
GET
200
45.148.10.84:80
http://45.148.10.84/r.png
unknown
pl
58.2 Kb
unknown
5288
firefox.exe
GET
200
45.148.10.84:80
http://45.148.10.84/r.png
unknown
pl
58.2 Kb
unknown
5288
firefox.exe
GET
404
45.148.10.84:80
http://45.148.10.84/favicon.ico
unknown
html
287 b
unknown
5288
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
5288
firefox.exe
POST
200
173.194.220.94:80
http://ocsp.pki.goog/gts1o1
US
der
472 b
whitelisted
5288
firefox.exe
GET
200
188.43.76.56:80
http://detectportal.firefox.com/success.txt
RU
text
8 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5288
firefox.exe
188.43.76.56:80
detectportal.firefox.com
Closed Joint Stock Company TransTeleCom
RU
unknown
5288
firefox.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
5288
firefox.exe
45.148.10.84:80
unknown
5288
firefox.exe
13.33.243.84:443
snippets.cdn.mozilla.net
US
unknown
5288
firefox.exe
173.194.220.94:80
ocsp.pki.goog
Google Inc.
US
whitelisted
5288
firefox.exe
52.11.143.45:443
search.services.mozilla.com
Amazon.com, Inc.
US
unknown
4224
powershell.exe
45.148.10.84:80
unknown
5288
firefox.exe
64.233.165.95:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
detectportal.firefox.com
  • 188.43.76.56
whitelisted
search.services.mozilla.com
  • 52.11.143.45
whitelisted
snippets.cdn.mozilla.net
  • 13.33.243.84
whitelisted
safebrowsing.googleapis.com
  • 64.233.165.95
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ocsp.pki.goog
  • 173.194.220.94
whitelisted
blog.mozilla.org
  • 35.197.18.156
whitelisted
www.youtube.com
  • 173.194.73.91
whitelisted
www.facebook.com
  • 31.13.72.36
whitelisted
www.ebay.de
  • 92.122.109.224
whitelisted

Threats

No threats detected
Process
Message
conhost.exe
InitSideBySide failed create an activation context. Error: 1814
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093