analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://domclickext.xyz

Full analysis: https://app.any.run/tasks/da1c6e7b-711c-4295-acaa-8dc4e0e1ad64
Verdict: Malicious activity
Analysis date: June 27, 2022, 13:37:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

7D468FCED24F3854E43EA8C73E829814

SHA1:

E5A069090F826ADD130B2181B84C116FCE358286

SHA256:

289F0867D375F542ED69F6288EE7671CCAAF456F17DF0C4F27A1B97E8A35F0D6

SSDEEP:

3:N8S7042n:2S70bn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3392)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 2040)
      • iexplore.exe (PID: 3392)
    • Reads the computer name

      • iexplore.exe (PID: 3392)
      • iexplore.exe (PID: 2040)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3392)
      • iexplore.exe (PID: 2040)
    • Application launched itself

      • iexplore.exe (PID: 2040)
    • Changes internet zones settings

      • iexplore.exe (PID: 2040)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3392)
      • iexplore.exe (PID: 2040)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2040)
    • Creates files in the user directory

      • iexplore.exe (PID: 3392)
      • iexplore.exe (PID: 2040)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3392)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2040"C:\Program Files\Internet Explorer\iexplore.exe" "https://domclickext.xyz"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3392"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2040 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
15 856
Read events
15 714
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
17
Text files
36
Unknown types
14

Dropped files

PID
Process
Filename
Type
3392iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\L551E5YC.txttext
MD5:5C4B27EBEC051DC37DCA42FBB2DF16F5
SHA256:37978CE9EA1CB4F2BFBC6DCC24EFE1B1D6C5B0BE41B17329FA00465329DD72FF
3392iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAder
MD5:5A11C6099B9E5808DFB08C5C9570C92F
SHA256:91291A5EDC4E10A225D3C23265D236ECC74473D9893BE5BD07E202D95B3FB172
3392iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ADAE058235DF7E2D3F11AD5D40F593D1der
MD5:7B06DE1C63BA1460B4C3E553C9D0EB90
SHA256:5CB53634162FE6F0F77157575E296542EB654C551AC19FC62370D3AD13A2C584
3392iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:308336E7F515478969B24C13DED11EDE
SHA256:889B832323726A9F10AD03F85562048FDCFE20C9FF6F9D37412CF477B4E92FF9
2040iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:75B3F259F0EA33E46F2EFA6EB75094CE
SHA256:54561D8EF8AFA288CB17E122D5985D88D106ED7F064C902E936C174730979EE2
3392iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\036IYWOY.htmhtml
MD5:EBAA4FBDC650CF5F88A782EE93A68302
SHA256:E82B17A16E2EB4B9F9CB212CA11369A8BA5CCADE04D45F9C139BA1208341D33D
3392iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ADAE058235DF7E2D3F11AD5D40F593D1binary
MD5:14BFAADD307E7CB60434FA01C8C4B8EB
SHA256:D352D3E1A933B28FF3F55F3B050035CE275E3F3DD8211FB6A40645CA8B202BBA
3392iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\646C991C2A28825F3CC56E0A1D1E3FA9der
MD5:3523BFA7B3ACACA361AC9814166709AD
SHA256:CE82F93FDB091E30497236D7F04BB67F7008E8E4133D2A8445B531C16D13AA67
3392iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\CabB027.tmpcompressed
MD5:308336E7F515478969B24C13DED11EDE
SHA256:889B832323726A9F10AD03F85562048FDCFE20C9FF6F9D37412CF477B4E92FF9
3392iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\F9XLN80J.txttext
MD5:CE695C317491DA186F998C0B7AED5480
SHA256:5B0FC7FD8417BC61EF86DB612AF8BF847CCD19829BF81BC078F57E1D5DA32C21
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
52
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3392
iexplore.exe
GET
200
184.24.77.45:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgNJh4b1JykKixDOVSwZ9f%2F8OA%3D%3D
US
der
503 b
shared
3392
iexplore.exe
GET
200
142.250.185.227:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCfB0sRdF8W%2FBIjdfpYeZPw
US
der
472 b
whitelisted
3392
iexplore.exe
GET
200
142.250.185.227:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEESz3%2FmlG2yGCtBzjzp1dVc%3D
US
der
471 b
whitelisted
2040
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
3392
iexplore.exe
GET
200
142.250.185.227:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEH7DOolsIz7oCnQABFO7VPs%3D
US
der
471 b
whitelisted
2040
iexplore.exe
GET
200
96.16.145.230:80
http://x1.c.lencr.org/
US
der
717 b
whitelisted
3392
iexplore.exe
GET
200
23.216.77.69:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?95edbe4d3f96167d
US
compressed
4.70 Kb
whitelisted
2040
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
3392
iexplore.exe
GET
200
142.250.185.227:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted
3392
iexplore.exe
GET
200
23.216.77.69:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2f4b80df843e0acb
US
compressed
60.0 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2040
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3392
iexplore.exe
216.120.147.200:443
domclickext.xyz
Trivalent Group Inc.
US
malicious
3392
iexplore.exe
96.16.145.230:80
x1.c.lencr.org
Akamai Technologies, Inc.
US
suspicious
3392
iexplore.exe
184.24.77.45:80
r3.o.lencr.org
Time Warner Cable Internet LLC
US
unknown
2040
iexplore.exe
23.216.77.69:80
ctldl.windowsupdate.com
NTT DOCOMO, INC.
US
suspicious
3392
iexplore.exe
23.216.77.69:80
ctldl.windowsupdate.com
NTT DOCOMO, INC.
US
suspicious
216.120.147.200:443
domclickext.xyz
Trivalent Group Inc.
US
malicious
3392
iexplore.exe
142.250.184.196:443
www.google.com
Google Inc.
US
whitelisted
2040
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3392
iexplore.exe
142.250.186.35:80
crl.pki.goog
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
domclickext.xyz
  • 216.120.147.200
malicious
api.bing.com
  • 13.107.5.80
whitelisted
ctldl.windowsupdate.com
  • 23.216.77.69
  • 23.216.77.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
x1.c.lencr.org
  • 96.16.145.230
whitelisted
r3.o.lencr.org
  • 184.24.77.45
  • 184.24.77.52
  • 184.24.77.53
  • 184.24.77.55
  • 184.24.77.47
  • 184.24.77.54
  • 184.24.77.61
  • 184.24.77.81
  • 184.24.77.58
shared
parking.bodiscdn.com
  • 172.67.5.15
  • 104.22.41.120
  • 104.22.40.120
whitelisted
www.google.com
  • 142.250.184.196
whitelisted
ocsp.pki.goog
  • 142.250.185.227
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

PID
Process
Class
Message
3392
iexplore.exe
Potentially Bad Traffic
ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
3392
iexplore.exe
Potentially Bad Traffic
ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
2040
iexplore.exe
Potentially Bad Traffic
ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
No debug info