URL:

http://www.purolator-efp.com/

Full analysis: https://app.any.run/tasks/e7cf15fc-bf87-443b-b9ad-a1ffc80376ff
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Malware Trends Tracker     >>>
Analysis date: January 17, 2020, 21:24:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
miner
coinminer
trojan
Indicators:
MD5:

33F0FCCF16253AFB484BEF93A5CA99DA

SHA1:

F3CBA95EAB7BFEF3D5E5AF135A2672AA47F44812

SHA256:

22FBED432CA65E1ACA9E136337EBF8C2994A5488954A00DA0F4BEC60C47778F8

SSDEEP:

3:N1KJS4bJ4KYmfIK:Cc42KYmf3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • COINMINER was detected

      • iexplore.exe (PID: 776)

  • SUSPICIOUS

    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3788)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 776)

    • Application launched itself

      • iexplore.exe (PID: 1560)

    • Creates files in the user directory

      • iexplore.exe (PID: 776)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3788)

    • Reads internet explorer settings

      • iexplore.exe (PID: 776)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 776)

    • Changes internet zones settings

      • iexplore.exe (PID: 1560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start iexplore.exe #COINMINER iexplore.exe flashutil32_26_0_0_131_activex.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
776"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1560 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1560"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3788C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Exit code:
0
Version:
26,0,0,131
Modules
Images
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
428
Read events
363
Write events
63
Delete events
2

Modification events

(PID) Process:(1560) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(1560) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(1560) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(1560) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(1560) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(1560) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(1560) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{CB07B71B-396F-11EA-AB41-5254004A04AF}
Value:
0
(PID) Process:(1560) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(1560) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
2
(PID) Process:(1560) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E4070100050011001500180033000001
Executable files
0
Suspicious files
1
Text files
48
Unknown types
7

Dropped files

PID
Process
Filename
Type
1560iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
1560iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
776iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@www.purolator-efp[2].txt
MD5:
SHA256:
776iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@www.purolator-efp[1].txttext
MD5:
SHA256:
776iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\000HKF6X\Style[1].csstext
MD5:
SHA256:
776iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:
SHA256:
776iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:
SHA256:
776iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.datdat
MD5:
SHA256:
776iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5VKQI314\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
776iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FNTOAOTZ\portal[1].csstext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
36
TCP/UDP connections
12
DNS requests
5
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
776
iexplore.exe
GET
200
12.233.213.74:80
http://www.purolator-efp.com/DesktopModules/DNNGo_DNNGallery/Effects/Effect_03_SkitterSlideshow/Themes/Theme_03_Default/Style.css?cdv=05.02.00.881
US
text
6.35 Kb
malicious
776
iexplore.exe
GET
200
12.233.213.74:80
http://www.purolator-efp.com/Portals/21/portal.css?cdv=881
US
text
610 b
malicious
776
iexplore.exe
GET
200
12.233.213.74:80
http://www.purolator-efp.com/DesktopModules/DNNGo_DNNGallery/Effects/Effect_03_SkitterSlideshow/js/jquery.animate-colors-min.js?cdv=05.02.00.881
US
text
4.16 Kb
malicious
776
iexplore.exe
GET
200
12.233.213.74:80
http://www.purolator-efp.com/DesktopModules/DNNGo_DNNGallery/Effects/Effect_03_SkitterSlideshow/js/jquery.skitter.js?cdv=05.02.00.881
US
html
98.0 Kb
malicious
776
iexplore.exe
GET
200
12.233.213.74:80
http://www.purolator-efp.com/Portals/_default/admin.css?cdv=881
US
text
4.28 Kb
malicious
1560
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
776
iexplore.exe
GET
200
12.233.213.74:80
http://www.purolator-efp.com/Resources/Shared/stylesheets/dnndefault/7.0.0/default.css?cdv=881
US
text
94.2 Kb
malicious
776
iexplore.exe
GET
200
12.233.213.74:80
http://www.purolator-efp.com/Resources/libraries/jQuery-UI/01_11_03/jquery-ui.js?cdv=881
US
text
475 Kb
malicious
776
iexplore.exe
GET
200
12.233.213.74:80
http://www.purolator-efp.com/Resources/libraries/jQuery-Migrate/01_02_01/jquery-migrate.js?cdv=881
US
text
16.7 Kb
malicious
776
iexplore.exe
GET
200
152.199.19.160:80
http://ajax.aspnetcdn.com/ajax/4.5.2/1/MicrosoftAjaxWebForms.js
US
text
9.74 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1560
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
776
iexplore.exe
12.233.213.74:80
www.purolator-efp.com
AT&T Data Communications Services
US
malicious
776
iexplore.exe
152.199.19.160:80
ajax.aspnetcdn.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
776
iexplore.exe
81.171.8.134:443
www.hostingcloud.racing
LeaseWeb Netherlands B.V.
NL
malicious
1560
iexplore.exe
12.233.213.74:80
www.purolator-efp.com
AT&T Data Communications Services
US
malicious
776
iexplore.exe
172.217.16.174:80
www.google-analytics.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.purolator-efp.com
  • 12.233.213.74
unknown
ajax.aspnetcdn.com
  • 152.199.19.160
whitelisted
www.hostingcloud.racing
  • 81.171.8.134
whitelisted
www.google-analytics.com
  • 172.217.16.174
whitelisted

Threats

PID
Process
Class
Message
776
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] Coinhive/DeepMiner JavaScript Miner
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://www.purolator-efp.com/