URL: https://securepubads.g.doubleclick.net/pcs/view?adurl=https%3a%2f%2fwi2qi8.codesandbox.io/[email protected]

Full analysis: https://app.any.run/tasks/f833bae5-823d-40ef-a040-07a81c023e75
Verdict: Malicious activity
Analysis date: May 20, 2022, 20:42:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)

Note on the verdict: the behaviour section of this report lists no malicious indicators and counts zero malicious and zero suspicious processes. The only item labelled "malicious" anywhere in the summary is the TLS connection from PID 1216 to static.cloudflareinsights.com (104.18.47.230:443), and the DNS table lists that same domain as whitelisted. Nothing in the summary shows a payload being written or executed on the guest, so reconcile the verdict against the full report (PCAP and page content) before treating the task as a confirmed infection.
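The submitted URL is a DoubleClick click-tracking link (`/pcs/view`) whose `adurl` query parameter carries the real destination; the hand-off is visible further down in this report as the connection from PID 1216 to wi2qi8.codesandbox.io. The following is an added example, not part of the ANY.RUN report, that recovers such a destination chain offline from the wrapper URL alone. The first input is the URL from this report; the list of redirect parameter names and the two extra wrapper URLs in the test are assumptions constructed for the example.

```python
import urllib.parse

# The URL submitted to the sandbox, copied from this report.
ANALYZED_URL = ("https://securepubads.g.doubleclick.net/pcs/view"
                "?adurl=https%3a%2f%2fwi2qi8.codesandbox.io/[email protected]")

# Query-parameter names that click trackers and link wrappers commonly use to
# carry the real destination. Heuristic list, assumed for this example.
REDIRECT_PARAMS = ("adurl", "url", "u", "q", "redirect", "redirect_uri",
                   "dest", "target")


def _looks_like_url(value):
    parts = urllib.parse.urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def unwrap_redirect_chain(url, max_depth=5):
    """Follow redirect parameters embedded in a URL, without network access.

    Returns the chain from the wrapper down to the innermost destination.
    parse_qs percent-decodes each hop once, as the tracker does before it
    redirects; a second decode is applied only when the value is still not
    URL-shaped, which covers wrappers that double-encode the destination.
    """
    chain = [url]
    for _ in range(max_depth):
        parts = urllib.parse.urlsplit(chain[-1])
        params = urllib.parse.parse_qs(parts.query, keep_blank_values=True)
        nxt = None
        for name in REDIRECT_PARAMS:
            for value in params.get(name, []):
                if not _looks_like_url(value):
                    value = urllib.parse.unquote(value)
                if _looks_like_url(value):
                    nxt = value
                    break
            if nxt:
                break
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def summarize(url):
    """Hosts visited along the chain and whether the wrapper hands off to another domain."""
    chain = unwrap_redirect_chain(url)
    hosts = [urllib.parse.urlsplit(u).hostname for u in chain]
    return {
        "hops": len(chain) - 1,
        "hosts": hosts,
        "final_url": chain[-1],
        "crosses_domain": hosts[0] != hosts[-1],
    }


if __name__ == "__main__":
    for hop, u in enumerate(unwrap_redirect_chain(ANALYZED_URL)):
        print(hop, u)
```

Run on the report's URL this yields one hop, from securepubads.g.doubleclick.net to wi2qi8.codesandbox.io, which is the same pair of hosts the sandbox recorded in its Connections table; the chain is worth computing before detonation so that reputation checks are done on the final host rather than on the ad network that merely wraps it.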
Indicators:
MD5: C0696EE4AC3E9FB420FAE8D43122C851
SHA1: 9758DC6AD80289927E528B7CDD00022C3ACCF762
SHA256: 21E581E8CA0F912924598C00C602834A66A352C47AFA554B42F38C8C09F25774
SSDEEP: 3:N8N3wQHEBW21zOGJMB5GNzURVHWpMTSW3LGKBGHGLM0vzIn:2ZwSEBW2PYY5URGMTh8azIn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 1216)
  • INFO
    • Checks supported languages
      • iexplore.exe (PID: 1216)
      • iexplore.exe (PID: 3912)
    • Reads the computer name
      • iexplore.exe (PID: 1216)
      • iexplore.exe (PID: 3912)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 1216)
      • iexplore.exe (PID: 3912)
    • Changes internet zones settings
      • iexplore.exe (PID: 3912)
    • Application launched itself
      • iexplore.exe (PID: 3912)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 1216)
      • iexplore.exe (PID: 3912)
    • Creates files in the user directory
      • iexplore.exe (PID: 1216)
      • iexplore.exe (PID: 3912)
    • Changes settings of System certificates
      • iexplore.exe (PID: 3912)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 3912)
    • Reads internet explorer settings
      • iexplore.exe (PID: 1216)
No Malware configuration.
Total processes: 35
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> iexplore.exe (PID 3912) -> iexplore.exe (PID 1216)

Process information

PID 3912: iexplore.exe (parent: Explorer.EXE)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://securepubads.g.doubleclick.net/pcs/view?adurl=https%3a%2f%2fwi2qi8.codesandbox.io/[email protected]"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID 1216: iexplore.exe (parent: iexplore.exe, PID 3912)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3912 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll

PID 3912 is the medium-integrity Internet Explorer frame process that received the URL on its command line; PID 1216, which it started with SCODEF:3912 at low integrity, is the Protected Mode content (tab) process that renders the page and issues most of the requests listed below. This parent/child pair is normal Internet Explorer behaviour and is what the "Application launched itself" indicator above refers to.
Total events: 15 509
Read events: 15 376
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 18
Text files: 38
Unknown types: 12

Dropped files

All files below were written by PID 1216 (iexplore.exe). The entries under CryptnetUrlCache are the Windows CryptoAPI network-retrieval cache (Content holds the fetched object, MetaData the record about it); they are typically produced by the CRL, OCSP and issuer-certificate fetches listed under HTTP requests and are not content served by the analyzed page. The only page content on disk is one JavaScript chunk and one HTML file in the Protected Mode (Low) Temporary Internet Files cache.

  • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\vendors~app~embed~sandbox-startup.6e3433fd3.chunk[1].js (text)
    MD5: F1BF7F25F09A67CDBFCF5243D79C0D24
    SHA256: D3BE0565DC1BBA02E688B13332BFC3DAFDC61D71DF04AA347F3E435BD8291A14
  • C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA (binary)
    MD5: E2B626EBF3EFDEBA416FCD335581AEDA
    SHA256: B1E1AB1C8075F82816661786B2469F434605666D7F8C9906D4E64DE3B6B607C2
  • C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 (binary)
    MD5: FB72F93BB0821D9FDFD5F404171D3049
    SHA256: 7B10F551F95BB222F8F077834E05E352FAF479764D1C82AB9818A56BEDBEDE0E
  • C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA (der)
    MD5: 5A11C6099B9E5808DFB08C5C9570C92F
    SHA256: 91291A5EDC4E10A225D3C23265D236ECC74473D9893BE5BD07E202D95B3FB172
  • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\FMFKRQIH.htm (html)
    MD5: EA6FFBCDE13DE99254FC07D8551824BF
    SHA256: 357C4D1C856FE6B9B8B2F8C7F9CF1922FC5718E9CDAD7E960458FD3D5305E352
  • C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\646C991C2A28825F3CC56E0A1D1E3FA9 (der)
    MD5: 3523BFA7B3ACACA361AC9814166709AD
    SHA256: CE82F93FDB091E30497236D7F04BB67F7008E8E4133D2A8445B531C16D13AA67
  • C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_7B6729333CC15FF65C8D387F63EE8C27 (binary)
    MD5: 60C24A914D82D5AC3A337CD481B372DE
    SHA256: F12FF16DA03A31547719C229EBCF1DCF80DCBE892455A55946D32EFF344CED2D
  • C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_7B6729333CC15FF65C8D387F63EE8C27 (der)
    MD5: B13CA649C2BD31CD9B5CDAC19A9377AD
    SHA256: BE5678A0A60533AF71889982FC1EC4774A0E553D423C03AE826193F3040AE0D4
  • C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 (der)
    MD5: 41FBBFEF77C9E15DF36E1CB541503D98
    SHA256: 1C596FD0B7231E43E672CB027BE6117200830DD98929F060C3A97F8EFC4EAE17
  • C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\646C991C2A28825F3CC56E0A1D1E3FA9 (binary)
    MD5: DFE2DB3E2695300473F2ADE43A500536
    SHA256: DCA75EC08788B57F3BC5FD81917BE56EEDF5E15CF813AD5D8E9D709ED4F0CB6B
HTTP(S) requests: 13
TCP/UDP connections: 50
DNS requests: 24
Threats: 0

HTTP requests

Every plaintext request in this table is certificate-validation traffic rather than page content: OCSP queries to the DigiCert, Let's Encrypt and Google Trust Services responders, CRL downloads from crl.pki.goog and crl3.digicert.com, Let's Encrypt issuer-certificate (AIA) fetches from x1.c.lencr.org and x2.c.lencr.org, and the Microsoft trusted-root certificate list (authrootstl.cab) from ctldl.windowsupdate.com, which the Automatic Root Certificates Update downloads when a chain needs a root that is not yet installed. That last download is consistent with the "Adds / modifies Windows certificates" and "Changes settings of System certificates" indicators above. The page itself travelled over TLS to securepubads.g.doubleclick.net, wi2qi8.codesandbox.io and static.cloudflareinsights.com (see Connections) and its content is not shown in this summary.

PID | Process | Method | HTTP Code | IP | URL | CN (country) | Type | Size | Reputation
1216 | iexplore.exe | GET | 200 | 104.89.32.83:80 | http://x2.c.lencr.org/ | NL | der | 299 b | whitelisted
3912 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | US | der | 471 b | whitelisted
1216 | iexplore.exe | GET | 200 | 104.90.178.254:80 | http://x1.c.lencr.org/ | NL | der | 717 b | whitelisted
3912 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
1216 | iexplore.exe | GET | 200 | 142.250.185.67:80 | http://crl.pki.goog/gsr1/gsr1.crl | US | der | 1.61 Kb | whitelisted
1216 | iexplore.exe | GET | 200 | 92.123.195.73:80 | http://e1.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTvkAFw3ViPKmUeIVEf3NC7b1ErqwQUWvPtK%2Fw2wjd5uVIw6lRvz1XLLqwCEgOopxXmQmHgcmN%2Ft8n4ToOWvQ%3D%3D | unknown | der | 344 b | whitelisted
3912 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.78 Kb | whitelisted
1216 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted
1216 | iexplore.exe | GET | 200 | 142.250.186.131:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCHXS%2FWwGsOSRJbmAIB8NC3 | US | der | 472 b | whitelisted
1216 | iexplore.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?af1166a2b4d64676 | US | compressed | 60.0 Kb | whitelisted
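The OCSP URLs in the table carry a base64-encoded DER OCSPRequest in the path (the GET form from RFC 6960, appendix A.1). Decoding them recovers the issuer hashes and the serial number of every certificate the browser validated, which identifies the TLS endpoints it reached even though the HTTPS exchanges themselves are not listed. The following is an added example, not ANY.RUN's code, that walks the DER with a minimal tag-length-value reader; the three inputs are copied from the HTTP table above, and the result field names are mine. The serial is returned as the raw DER integer bytes in hex, so a leading 00 byte (present on the Google Trust Services one) is kept, matching how certificate viewers usually print it.

```python
import base64
import urllib.parse

# OCSP GET URLs copied from the HTTP table of this report.
OCSP_URLS = [
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D",
    "http://e1.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTvkAFw3ViPKmUeIVEf3NC7b1ErqwQUWvPtK%2Fw2wjd5uVIw6lRvz1XLLqwCEgOopxXmQmHgcmN%2Ft8n4ToOWvQ%3D%3D",
    "http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCHXS%2FWwGsOSRJbmAIB8NC3",
]

# Hash algorithms browsers use in CertID; anything else is reported as the dotted OID.
HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value bytes, next pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get(url):
    """Decode the OCSPRequest embedded in an OCSP GET URL and return its first CertID.

    Structure (RFC 6960): OCSPRequest { TBSRequest { [0] version OPTIONAL,
    requestList SEQUENCE OF Request { reqCert CertID { hashAlgorithm,
    issuerNameHash, issuerKeyHash, serialNumber } } } }.
    """
    path = urllib.parse.urlsplit(url).path
    der = base64.b64decode(urllib.parse.unquote(path.rsplit("/", 1)[1]))
    tag, body, _ = _read_tlv(der, 0)            # OCSPRequest
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(body, 0)              # TBSRequest
    tag, request_list, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                             # explicit [0] version present: skip it
        tag, request_list, pos = _read_tlv(tbs, pos)
    _, request, _ = _read_tlv(request_list, 0)  # first Request
    _, cert_id, _ = _read_tlv(request, 0)       # reqCert CertID
    _, alg, pos = _read_tlv(cert_id, 0)         # hashAlgorithm AlgorithmIdentifier
    _, oid, _ = _read_tlv(alg, 0)
    _, name_hash, pos = _read_tlv(cert_id, pos)
    _, key_hash, pos = _read_tlv(cert_id, pos)
    _, serial, _ = _read_tlv(cert_id, pos)
    oid_str = _decode_oid(oid)
    return {
        "responder": urllib.parse.urlsplit(url).hostname,
        "hash_alg": HASH_OIDS.get(oid_str, oid_str),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial": serial.hex(),
    }


if __name__ == "__main__":
    for u in OCSP_URLS:
        r = parse_ocsp_get(u)
        print(r["responder"], r["hash_alg"], "serial", r["serial"])
```

The issuer key hash identifies the CA (the same value appears in the Subject Key Identifier of the issuing certificate), and the serial can be matched against the leaf certificates in the PCAP's TLS handshakes or against a Certificate Transparency lookup, so each OCSP request can be tied back to the HTTPS connection that triggered it.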

Connections

PID | Process | IP | Domain | ASN | CN (country) | Reputation
1216 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3912 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
1216 | iexplore.exe | 142.250.185.67:80 | crl.pki.goog | Google Inc. | US | whitelisted
1216 | iexplore.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted
1216 | iexplore.exe | 142.250.186.131:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
1216 | iexplore.exe | 142.250.74.195:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
3912 | iexplore.exe | 13.107.22.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
1216 | iexplore.exe | 142.250.74.162:443 | securepubads.g.doubleclick.net | Google Inc. | US | unknown
1216 | iexplore.exe | 104.18.47.230:443 | static.cloudflareinsights.com | Cloudflare Inc | US | malicious
1216 | iexplore.exe | 104.18.43.17:443 | wi2qi8.codesandbox.io | Cloudflare Inc | US | shared

DNS requests

Domain | Resolved IPs | Reputation
securepubads.g.doubleclick.net | 142.250.74.162 | whitelisted
ctldl.windowsupdate.com | 209.197.3.8 | whitelisted
ocsp.pki.goog | 142.250.74.195, 142.250.186.131 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 13.107.22.200, 131.253.33.200 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
crl.pki.goog | 142.250.185.67 | whitelisted
wi2qi8.codesandbox.io | 104.18.43.17, 172.64.144.239 | suspicious
codesandbox.io | 104.18.43.17, 172.64.144.239 | whitelisted
static.cloudflareinsights.com | 104.18.47.230, 172.64.156.26 | whitelisted

Threats

No threats detected