URL:

https://ngsl7.bemobtrcks.com/go/827fa843-2e94-4629-8a7d-18f3e25382fd?561143

Full analysis: https://app.any.run/tasks/f96fdefc-492d-440e-8081-60c33dfa63a3
Verdict: Malicious activity
Analysis date: March 24, 2024, 13:14:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

4187D230F6D850024E8B678B783F4464

SHA1:

C957E28C0E72912C3A56C44FE4EF78D1CFCA5CB3

SHA256:

2609A5C089B1F45F2EA36071F5EB1A9ABBFEE51A2BA1581BEA42438EEB5368FA

SSDEEP:

3:N8ALghJq3CKK3QNRTx8aTBa3:2AshJ1e1/Ba

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3992)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2232"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3992 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
3992"C:\Program Files\Internet Explorer\iexplore.exe" "https://ngsl7.bemobtrcks.com/go/827fa843-2e94-4629-8a7d-18f3e25382fd?561143"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
18 338
Read events
18 199
Write events
96
Delete events
43

Modification events

(PID) Process:(3992) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(3992) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
(PID) Process:(3992) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
31096301
(PID) Process:(3992) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(3992) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
31096301
(PID) Process:(3992) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3992) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3992) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3992) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3992) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
0
Suspicious files
14
Text files
36
Unknown types
8

Dropped files

PID
Process
Filename
Type
2232iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\690CCA761149CBDA9193EC848893F3AEbinary
MD5:B5C51AA49E1ECD1D2294A292428BD9E4
SHA256:964C03764DFAE08E08A4C510B507DAEEA65CD1E43556CC2B567131F4921E3FAD
2232iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:835E228FF5312FCCD82B4DA2135DD5D5
SHA256:F443D950C33909AD9D2E3CF6B85CE3BC81505BC56AE29257F262D908D79ECCA7
2232iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\M3H0U47Y.txttext
MD5:186B85E58346B08BD6FF831FF381EB31
SHA256:AD05ADEB133177E2C71ED6E32D4A2821CB657D6C9D28B0E05C8D3597C4A0EC10
2232iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\VEEDYNZT.txttext
MD5:7CF0777DAFAEDA0BC318D4C2BAAE067C
SHA256:9280AADBB965E77D787AD79124CE8CCE6204B0B4CC7701105AE6A10316F390DB
2232iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\15YRVNEA.txttext
MD5:5BD9FFBA5209FA31E640399CF5923479
SHA256:B6EC1202F6A95E008C2510B9882870E0A3AD15C10ACFBE507B572ED5748D26F3
2232iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\SRZUCU66.txttext
MD5:DAE3555E06339F46369E933E8F6B1930
SHA256:7037E7400217200654F6690E74F5212AB7A79F5E330A16B897E8D5347A984672
2232iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\690CCA761149CBDA9193EC848893F3AEbinary
MD5:A2F3101CE2F2A3822BFBBCE37042D3DB
SHA256:CE41BB43070115FCC037BFB07A4A346FFC192F47737398390C8783407F335800
2232iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751der
MD5:822467B728B7A66B081C91795373789A
SHA256:AF2343382B88335EEA72251AD84949E244FF54B6995063E24459A7216E9576B9
2232iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\MRB2XEJP.txttext
MD5:CF31948590C5B77386E19A43488E3D5A
SHA256:A0E14B3C41FBDDB87445551F6919210A7E4313D4D1D7B087FFCFF5FE7CC70A9D
2232iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751binary
MD5:1B710EEDF955EC7258EC44760458E55E
SHA256:9B680B718587660F5FA0ACAA19510ECF91CA2C4B984E399B5B26E5B3BBA295D3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
40
DNS requests
24
Threats
13

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2232
iexplore.exe
GET
304
217.20.57.35:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?545e1839169dd0e6
US
unknown
2232
iexplore.exe
GET
304
217.20.57.35:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f78d505714a595e3
US
unknown
2232
iexplore.exe
GET
200
2.23.197.184:80
http://x1.c.lencr.org/
GB
binary
717 b
unknown
2232
iexplore.exe
GET
200
2.16.202.120:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgMIMwj85nIoE8fyy0b3MpvCbw%3D%3D
NL
binary
503 b
unknown
2232
iexplore.exe
GET
200
2.16.202.120:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgP2kgdZlwbcL33vc9vlEj%2Fg6Q%3D%3D
NL
binary
503 b
unknown
3992
iexplore.exe
GET
304
217.20.57.35:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?70d85e3b0e586cab
US
unknown
3992
iexplore.exe
GET
304
217.20.57.35:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?96c8eb5dfc595a04
US
unknown
3992
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D
US
binary
313 b
unknown
2232
iexplore.exe
GET
200
172.64.149.23:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
US
binary
1.42 Kb
unknown
2232
iexplore.exe
GET
200
172.64.149.23:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
US
binary
2.18 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
2232
iexplore.exe
3.70.16.242:443
ngsl7.bemobtrcks.com
AMAZON-02
DE
unknown
1080
svchost.exe
224.0.0.252:5355
unknown
2232
iexplore.exe
217.20.57.35:80
ctldl.windowsupdate.com
US
unknown
2232
iexplore.exe
2.23.197.184:80
x1.c.lencr.org
CW Vodafone Group PLC
GB
unknown
2232
iexplore.exe
2.16.202.120:80
r3.o.lencr.org
Akamai International B.V.
NL
unknown
2232
iexplore.exe
5.8.11.74:443
receivepayment.fun
Petersburg Internet Network ltd.
RU
unknown
3992
iexplore.exe
104.126.37.169:443
www.bing.com
Akamai International B.V.
DE
unknown
3992
iexplore.exe
217.20.57.35:80
ctldl.windowsupdate.com
US
unknown

DNS requests

Domain
IP
Reputation
ngsl7.bemobtrcks.com
  • 3.70.16.242
unknown
ctldl.windowsupdate.com
  • 217.20.57.35
  • 217.20.57.40
  • 217.20.57.25
  • 217.20.57.24
  • 217.20.57.26
  • 217.20.57.39
  • 217.20.57.42
  • 217.20.57.43
  • 217.20.57.20
  • 217.20.57.21
  • 217.20.57.27
whitelisted
x1.c.lencr.org
  • 2.23.197.184
whitelisted
r3.o.lencr.org
  • 2.16.202.120
  • 95.101.54.123
  • 95.101.54.145
  • 2.16.202.114
  • 2.16.202.121
  • 2.16.202.112
  • 95.101.54.107
  • 95.101.54.203
  • 2.16.202.115
shared
receivepayment.fun
  • 5.8.11.74
unknown
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 104.126.37.169
  • 104.126.37.161
  • 104.126.37.130
  • 104.126.37.139
  • 104.126.37.136
  • 104.126.37.153
  • 104.126.37.145
  • 104.126.37.155
  • 104.126.37.163
whitelisted
bitcoinwallet.receivepayment.xyz
  • 5.8.11.74
unknown
ocsp.digicert.com
  • 192.229.221.95
whitelisted
cdn.jsdelivr.net
  • 104.16.87.20
  • 104.16.88.20
  • 104.16.85.20
  • 104.16.86.20
  • 104.16.89.20
whitelisted

Threats

PID
Process
Class
Message
2232
iexplore.exe
Potentially Bad Traffic
ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
2232
iexplore.exe
Potentially Bad Traffic
ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
2232
iexplore.exe
Not Suspicious Traffic
INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code.jquery .com)
2232
iexplore.exe
Not Suspicious Traffic
INFO [ANY.RUN] A free CDN for open source projects (jsdelivr .net)
2232
iexplore.exe
Not Suspicious Traffic
INFO [ANY.RUN] A free CDN for open source projects (jsdelivr .net)
Potentially Bad Traffic
ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
Potentially Bad Traffic
ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
Potentially Bad Traffic
ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
Potentially Bad Traffic
ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
Potentially Bad Traffic
ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://ngsl7.bemobtrcks.com/go/827fa843-2e94-4629-8a7d-18f3e25382fd?561143