URL:

http://new229.com/api/bl-domains?id=yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy

Full analysis: https://app.any.run/tasks/8d24e3c4-97f6-40db-971d-1fa63a87bfa2
Verdict: Malicious activity
Analysis date: February 07, 2022, 18:50:23
OS: Windows 10 Professional (build: 16299, 64 bit)
Indicators:
MD5:

A5C26AB9B2C02A69770CCADA9E5BD409

SHA1:

237E147ED9237C5EBD981CBE686A6F0985F54062

SHA256:

060FAAB8B1A52D529FADC313CE8A213823A60E43694E85A7C86EE08801BF921D

SSDEEP:

3:N1KQ38yGIULOBYctcr:CQ3RBMr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Scans artifacts that could help determine the target

      • iexplore.exe (PID: 3476)

  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • IEXPLORE.EXE (PID: 2144)
      • IEXPLORE.EXE (PID: 1768)

    • Executed via COM

      • OpenWith.exe (PID: 2132)

    • Checks supported languages

      • notepad++.exe (PID: 4996)

    • Reads the computer name

      • notepad++.exe (PID: 4996)

    • Reads the date of Windows installation

      • taskmgr.exe (PID: 3384)

    • Creates files in the user directory

      • notepad++.exe (PID: 4996)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 3476)

    • Checks supported languages

      • iexplore.exe (PID: 3476)
      • IEXPLORE.EXE (PID: 1768)
      • IEXPLORE.EXE (PID: 3308)
      • OpenWith.exe (PID: 2132)
      • taskmgr.exe (PID: 3384)
      • IEXPLORE.EXE (PID: 2144)

    • Reads the computer name

      • IEXPLORE.EXE (PID: 2144)
      • IEXPLORE.EXE (PID: 1768)
      • iexplore.exe (PID: 3476)
      • OpenWith.exe (PID: 2132)
      • IEXPLORE.EXE (PID: 3308)
      • taskmgr.exe (PID: 3384)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3476)
      • IEXPLORE.EXE (PID: 1768)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3476)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3476)
      • IEXPLORE.EXE (PID: 1768)

    • Reads the software policy settings

      • iexplore.exe (PID: 3476)
      • IEXPLORE.EXE (PID: 1768)

    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 1768)

    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 3476)

    • Manual execution by user

      • taskmgr.exe (PID: 488)
      • notepad++.exe (PID: 4996)
      • taskmgr.exe (PID: 3384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
103
Monitored processes
8
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe iexplore.exe openwith.exe no specs iexplore.exe no specs notepad++.exe taskmgr.exe no specs taskmgr.exe

Process information

PID
CMD
Path
Indicators
Parent process
488"C:\WINDOWS\system32\taskmgr.exe" /4C:\WINDOWS\system32\taskmgr.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Manager
Exit code:
3221226540
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
1768"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3476 CREDAT:75010 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
1
Version:
11.00.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
2132C:\WINDOWS\system32\OpenWith.exe -EmbeddingC:\WINDOWS\system32\OpenWith.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2144"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3476 CREDAT:9474 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
3308"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3476 CREDAT:1512774 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
3384"C:\WINDOWS\system32\taskmgr.exe" /4C:\WINDOWS\system32\taskmgr.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Manager
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
3476"C:\Program Files\internet explorer\iexplore.exe" "http://new229.com/api/bl-domains?id=yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"C:\Program Files\internet explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
4996"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Downloads\bl-domains.json"C:\Program Files\Notepad++\notepad++.exe
Explorer.EXE
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.91
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.431_none_15c7d3ee93659e73\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
Total events
12 244
Read events
12 088
Write events
156
Delete events
0

Modification events

(PID) Process:(3476) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:L1WatermarkLowPart
Value:
956341420
(PID) Process:(3476) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:L1WatermarkHighPart
Value:
148313293
(PID) Process:(3476) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(3476) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30940243
(PID) Process:(3476) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3476) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3476) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3476) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3476) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3476) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
0
Suspicious files
8
Text files
69
Unknown types
7

Dropped files

PID
Process
Filename
Type
1768IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\QRVYFAE6\edge[1].htmhtml
MD5:
SHA256:
2144IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\84QVWPIO\bl-domains[1].jsonini
MD5:
SHA256:
1768IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\UGAFGOLY\oneplayer[1].jstext
MD5:
SHA256:
3476iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\SmartScreenCache.datbinary
MD5:
SHA256:
1768IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\JVE1W4LU\launch-EN7b3d710ac67a4a1195648458258f97dd.min[1].jstext
MD5:
SHA256:
1768IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\UGAFGOLY\polyfill.min[1].jstext
MD5:
SHA256:
3476iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{D02373BA-8846-11EC-B4A3-18F7786F96EE}.datbinary
MD5:
SHA256:
1768IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\QRVYFAE6\css[1].csstext
MD5:
SHA256:
2144IEXPLORE.EXEC:\Users\admin\Downloads\bl-domains.json.4ol424y.partialini
MD5:
SHA256:
1768IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\QRVYFAE6\mwf-auto-init-main.var.min[1].jshtml
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
73
TCP/UDP connections
68
DNS requests
26
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1768
IEXPLORE.EXE
GET
302
104.89.38.104:443
https://go.microsoft.com/fwlink/?LinkId=517287
NL
whitelisted
1768
IEXPLORE.EXE
GET
301
104.76.201.160:443
https://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DL
NL
whitelisted
1768
IEXPLORE.EXE
GET
301
104.76.201.160:443
https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DL
NL
whitelisted
1768
IEXPLORE.EXE
GET
302
104.89.38.104:80
http://go.microsoft.com/fwlink/?LinkId=838604
NL
whitelisted
1768
IEXPLORE.EXE
GET
301
104.76.201.160:443
https://www.microsoft.com/en-us/welcomeie11/
NL
whitelisted
3476
iexplore.exe
POST
200
20.81.51.95:443
https://urs.microsoft.com/urs.asmx?MSURS-Client-Key=eMz3XNK6UaR/bl2FfuZuJQ%3d%3d&MSURS-MAC=l0HTG0XjNUs%3d
US
text
1.08 Kb
whitelisted
2144
IEXPLORE.EXE
GET
200
18.66.248.16:80
http://new229.com/api/bl-domains?id=yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
US
ini
5.05 Kb
malicious
1768
IEXPLORE.EXE
GET
200
104.76.201.160:443
https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DL
NL
html
215 Kb
whitelisted
1768
IEXPLORE.EXE
GET
200
104.76.201.160:443
https://www.microsoft.com/videoplayer/js/oneplayer.js
NL
text
329 Kb
whitelisted
1768
IEXPLORE.EXE
GET
200
184.87.212.252:443
https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
US
text
599 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2144
IEXPLORE.EXE
18.66.248.96:80
new229.com
Massachusetts Institute of Technology
US
suspicious
2144
IEXPLORE.EXE
18.66.248.16:80
new229.com
Massachusetts Institute of Technology
US
malicious
3476
iexplore.exe
20.81.51.95:443
urs.microsoft.com
US
suspicious
1768
IEXPLORE.EXE
104.89.38.104:80
go.microsoft.com
Akamai Technologies, Inc.
NL
malicious
1768
IEXPLORE.EXE
104.89.38.104:443
go.microsoft.com
Akamai Technologies, Inc.
NL
malicious
1768
IEXPLORE.EXE
104.76.201.160:443
www.microsoft.com
Akamai Technologies, Inc.
NL
suspicious
3476
iexplore.exe
20.98.16.82:443
t.urs.microsoft.com
US
unknown
1768
IEXPLORE.EXE
151.101.1.26:443
polyfill.io
Fastly
US
suspicious
1768
IEXPLORE.EXE
152.199.19.160:443
ajax.aspnetcdn.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1768
IEXPLORE.EXE
92.123.194.52:443
mwf-service.akamaized.net
Akamai International B.V.
unknown

DNS requests

Domain
IP
Reputation
new229.com
  • 18.66.248.96
  • 18.66.248.16
  • 18.66.248.41
  • 18.66.248.73
malicious
urs.microsoft.com
  • 20.81.51.95
whitelisted
go.microsoft.com
  • 104.89.38.104
whitelisted
www.microsoft.com
  • 104.76.201.160
  • 23.35.233.160
whitelisted
t.urs.microsoft.com
  • 20.98.16.82
whitelisted
assets.adobedtm.com
  • 184.87.212.252
whitelisted
polyfill.io
  • 151.101.1.26
  • 151.101.193.26
  • 151.101.129.26
  • 151.101.65.26
whitelisted
ajax.aspnetcdn.com
  • 152.199.19.160
whitelisted
statics-marketingsites-neu-ms-com.akamaized.net
  • 92.123.194.25
  • 92.123.194.76
whitelisted
mwf-service.akamaized.net
  • 92.123.194.52
  • 92.123.194.91
whitelisted

Threats

No threats detected
Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: error while getting certificate informations
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://new229.com/api/bl-domains?id=yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy