URL: www.thinkman.com

Full analysis: https://app.any.run/tasks/1793db00-c7e3-4cd6-8a9a-9e4180432a84
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 18, 2024, 09:05:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MD5: 4B3CD6F049F4405B808CB6D404BE3DC4
SHA1: F5A4D381084C1763E839A273DE34252D4E9DA45D
SHA256: 039A336B2387D3B11F30E9578F27E546CF80BBC3B871F27120CC6055F6DACE85
SSDEEP: 3:EcLnHn:HHn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 3680)
      • D4.exe (PID: 4064)
    • Reads security settings of Internet Explorer

      • D4.exe (PID: 2584)
      • D4.exe (PID: 4064)
    • Reads the Internet Settings

      • D4.exe (PID: 2584)
    • Application launched itself

      • D4.exe (PID: 2584)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3936)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3936)
    • Checks supported languages

      • D4.exe (PID: 2584)
      • D4.exe (PID: 3256)
      • D4.exe (PID: 4064)
    • Reads the computer name

      • D4.exe (PID: 2584)
      • D4.exe (PID: 3256)
      • D4.exe (PID: 4064)
    • Manual execution by a user

      • D4.exe (PID: 2584)
    • The process uses the downloaded file

      • iexplore.exe (PID: 3936)
    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3936)
      • iexplore.exe (PID: 3276)
    • Checks proxy server information

      • D4.exe (PID: 4064)
    • Creates files in the program directory

      • D4.exe (PID: 4064)
    • Reads the machine GUID from the registry

      • D4.exe (PID: 4064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 7
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Graph nodes: start, iexplore.exe, iexplore.exe, msiexec.exe (no specs), vssvc.exe (no specs), d4.exe (no specs), d4.exe, d4.exe

Process information

PID 2584
CMD: "C:\Program Files\D4\D4.exe"
Path: C:\Program Files\D4\D4.exe
Parent process: explorer.exe
User: admin
Company: Thinking Man Software
Integrity Level: MEDIUM
Description: Dimension 4
Exit code: 0
Version: 5.31.331.0
Modules (images):
c:\program files\d4\d4.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID 2968
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\d4time531.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID 3256
CMD: "C:\Program Files\D4\D4.exe" /startservice
Path: C:\Program Files\D4\D4.exe
Parent process: D4.exe
User: admin
Company: Thinking Man Software
Integrity Level: HIGH
Description: Dimension 4
Exit code: 0
Version: 5.31.331.0
Modules (images):
c:\program files\d4\d4.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID 3276
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3936 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID 3680
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID 3936
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "www.thinkman.com"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID 4064
CMD: "C:\Program Files\D4\D4.exe"
Path: C:\Program Files\D4\D4.exe
Parent process: services.exe
User: SYSTEM
Company: Thinking Man Software
Integrity Level: SYSTEM
Description: Dimension 4
Exit code: 0
Version: 5.31.331.0
Modules (images):
c:\program files\d4\d4.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 16 950
Read events: 16 650
Write events: 247
Delete events: 53

Modification events

  • (3936) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | Operation: write | Name: NTPDaysSinceLastAutoMigration | Value: 1
  • (3936) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | Operation: write | Name: NTPLastLaunchLowDateTime | Value:
  • (3936) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | Operation: write | Name: NTPLastLaunchHighDateTime | Value: 31095059
  • (3936) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | Operation: write | Name: NextCheckForUpdateLowDateTime | Value:
  • (3936) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | Operation: write | Name: NextCheckForUpdateHighDateTime | Value: 31095059
  • (3936) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value:
  • (3936) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
  • (3936) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
  • (3936) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | Operation: write | Name: CompatibilityFlags | Value: 0
  • (3936) iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
Executable files: 2
Suspicious files: 7
Text files: 14
Unknown types: 2

Dropped files

  • PID 3276, iexplore.exe, type image: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\d4icon[1].jpg
    MD5: 9FF4796493A0270710CB91A606C4CEBC
    SHA256: 7E5CAB8A93F6B699DC31BDEB36E49F47757209ED00B537AE694D2FC09B237078
  • PID 3276, iexplore.exe, type html: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\MRB2XEJP.htm
    MD5: 12E75E84677550713CD2E9AF1845A5EE
    SHA256: 4310A9C1D0391723E5492EE255C59BF7669631BE9C721E692803BD3CA66111FC
  • PID 3936, iexplore.exe, type der: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A
    MD5: 03286F86A6340EF1EB71162CA877B4CA
    SHA256: F6E395EAB531C2331F213B764ECB38E1B4A1E883299D15C1D8B688291E26F20A
  • PID 3936, iexplore.exe, type binary: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
    MD5: C1DAFFA1E9EED8E2DE6F609968E4B1CA
    SHA256: 70D5A2F145CA305A8F9924056D463F49410C4C5E45917CA0005B58E29F41ABFB
  • PID 3936, iexplore.exe, type binary: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A
    MD5: 3C7A59D01CD75A1AD626BC37E94C07FD
    SHA256: B227F2F0375FF12DD040D243686AD3804B2FC17916850DC58C166002EA81B956
  • PID 3936, iexplore.exe, type image: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\favicon[1].ico
    MD5: DA597791BE3B6E732F0BC8B20E38EE62
    SHA256: 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
  • PID 3936, iexplore.exe, type image: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
    MD5: DA597791BE3B6E732F0BC8B20E38EE62
    SHA256: 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
  • PID 3936, iexplore.exe, type image: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[1].ico
    MD5: DA597791BE3B6E732F0BC8B20E38EE62
    SHA256: 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
  • PID 3276, iexplore.exe, type text: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\style1[1].css
    MD5: 6B9840214E417304AFA8EDF920FD67E6
    SHA256: CF27865CDBEAD1B4FD94E62E9213BBEBBFCE28B0C65012818B3A1255E62755F5
  • PID 3276, iexplore.exe, type image: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\x-click-but04[1].gif
    MD5: 4525C2AD55EAFD47EE367F1A6CCB7C1D
    SHA256: 74DD45EF012E1FC144C84C7E25D9074602897204C64C690AFF46B03953F2A9EA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 21
TCP/UDP connections: 19
DNS requests: 12
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1080 | svchost.exe | GET | 304 | 92.123.135.139:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1dd404ff67a3d8ee | unknown | compressed | 67.5 Kb | unknown
1080 | svchost.exe | GET | 200 | 92.123.135.139:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?624d1ab720bef5f8 | unknown | compressed | 67.5 Kb | unknown
3276 | iexplore.exe | GET | 200 | 74.208.229.157:80 | http://www.thinkman.com/ | unknown | html | 2.94 Kb | unknown
3936 | iexplore.exe | GET | 304 | 92.123.135.139:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b23edf5cfbe16fd7 | unknown | | | unknown
3276 | iexplore.exe | GET | 200 | 74.208.229.157:80 | http://www.thinkman.com/styles/style1.css | unknown | text | 2.70 Kb | unknown
3276 | iexplore.exe | GET | 200 | 74.208.229.157:80 | http://www.thinkman.com/styles/layout.css | unknown | text | 427 b | unknown
3276 | iexplore.exe | GET | 200 | 74.208.229.157:80 | http://www.thinkman.com/dimension4/images/d4icon.jpg | unknown | image | 923 b | unknown
3276 | iexplore.exe | GET | 404 | 74.208.229.157:80 | http://www.thinkman.com/images/bkgd_tile.gif | unknown | html | 1.60 Kb | unknown
3936 | iexplore.exe | GET | 304 | 92.123.135.139:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?76ad697231f9b13b | unknown | | | unknown
3936 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown | binary | 314 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | unknown
3276 | iexplore.exe | 74.208.229.157:80 | www.thinkman.com | IONOS SE | US | unknown
3936 | iexplore.exe | 74.208.229.157:80 | www.thinkman.com | IONOS SE | US | unknown
3936 | iexplore.exe | 184.86.251.31:443 | www.bing.com | Akamai International B.V. | DE | unknown
3936 | iexplore.exe | 92.123.135.139:80 | ctldl.windowsupdate.com | Akamai International B.V. | NL | unknown
3936 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
3936 | iexplore.exe | 152.199.19.161:443 | r20swj13mr.microsoft.com | EDGECAST | US | whitelisted
1080 | svchost.exe | 92.123.135.139:80 | ctldl.windowsupdate.com | Akamai International B.V. | NL | unknown
4064 | D4.exe | 74.208.229.157:80 | www.thinkman.com | IONOS SE | US | unknown

DNS requests

Domain | IP | Reputation
www.thinkman.com | 74.208.229.157 | unknown
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 184.86.251.9, 184.86.251.13, 184.86.251.7, 184.86.251.4, 184.86.251.5, 184.86.251.8, 184.86.251.14, 184.86.251.31, 184.86.251.11 | whitelisted
ctldl.windowsupdate.com | 92.123.135.139, 92.123.135.133 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
tick.usno.navy.mil | 192.5.41.40 | unknown

Threats

No threats detected
No debug info