URL:

http://update.drp.su/notifier/watcher-check/?t=1717038150207

Full analysis: https://app.any.run/tasks/9ae20efe-8c2f-43cd-aec0-3dc70b67fcef
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: May 30, 2024, 04:21:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
pua
adware
Indicators:
MD5:

3E5A80B50A52F3933BDA231E64C7D5BA

SHA1:

FC7039F0A16ADDDBE024120E90EC96F8553A2179

SHA256:

2B5A020FCCAB69A7C8B3F8E75CE40B02A5DD4475B5318ED45C853864819D7752

SSDEEP:

3:N1KLQRAdVLWQSP4Gw1ARMLVQi:CUMWz4tARMLv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Connects to the CnC server

      • iexplore.exe (PID: 4040)
  • SUSPICIOUS

    • Access to an unwanted program domain was detected

      • iexplore.exe (PID: 4040)
  • INFO

    • Reads the computer name

      • wmpnscfg.exe (PID: 1112)
    • Checks supported languages

      • wmpnscfg.exe (PID: 1112)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1112)
    • Application launched itself

      • iexplore.exe (PID: 3980)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

start -> iexplore.exe (PID 3980) -> iexplore.exe (PID 4040)
start -> wmpnscfg.exe (PID 1112, no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1112
CMD:
"C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path:
C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
3980
CMD:
"C:\Program Files\Internet Explorer\iexplore.exe" "http://update.drp.su/notifier/watcher-check/?t=1717038150207"
Path:
C:\Program Files\Internet Explorer\iexplore.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID:
4040
CMD:
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3980 CREDAT:267521 /prefetch:2
Path:
C:\Program Files\Internet Explorer\iexplore.exe
Parent process:
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
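Read together, the three records above answer the question a responder actually asks of this report: which process a user started is responsible for the flagged traffic. explorer.exe (the user's shell) launched iexplore.exe PID 3980 at MEDIUM integrity with the drp.su URL on its command line; 3980 then spawned PID 4040 at LOW integrity, the Protected Mode content process (the SCODEF:3980 argument names its frame process), and 4040 is the PID the CnC and unwanted-domain signatures point at. No executable was dropped (Executable files: 0) and the registry writes listed further down are Internet Explorer's own housekeeping keys. The script below is an added example, not ANY.RUN's code: it re-types the three records, rebuilds the tree, derives the "Application launched itself" condition and the MEDIUM-to-LOW drop, and attributes the 4040 request to the user-launched root. Reading the URL's t= parameter as a millisecond Unix timestamp used as a cache-buster is this script's assumption; it decodes to 2024-05-30 03:02:30 UTC, which is consistent with the analysis date.

```python
"""Rebuild the process tree from the report's 'Process information' section
and attribute the drp.su request made by the LOW-integrity iexplore.exe
(PID 4040) to the process a user actually started.

Added example, not ANY.RUN's code. The records are re-typed from the
report; field names and helper functions are this script's own."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmd: str
    parent_image: str   # the report names the parent, it does not give its PID
    integrity: str


# Constructed from the three monitored processes in the report.
PROCS = [
    Proc(1112, "wmpnscfg.exe",
         r'"C:\Program Files\Windows Media Player\wmpnscfg.exe"',
         "explorer.exe", "MEDIUM"),
    Proc(3980, "iexplore.exe",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" '
         r'"http://update.drp.su/notifier/watcher-check/?t=1717038150207"',
         "explorer.exe", "MEDIUM"),
    Proc(4040, "iexplore.exe",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3980 CREDAT:267521 /prefetch:2',
         "iexplore.exe", "LOW"),
]

SCODEF_RE = re.compile(r"\bSCODEF:(\d+)\b")
URL_RE = re.compile(r'"(https?://[^"]+)"')
INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}


def parent_pid(proc: Proc, procs: list[Proc]) -> Optional[int]:
    """IE content processes carry the frame's PID as SCODEF:<pid>, which is
    more precise than the parent image name. Otherwise fall back to the name
    when exactly one monitored process matches it. explorer.exe is not
    monitored, so its children resolve to None and become tree roots."""
    m = SCODEF_RE.search(proc.cmd)
    if m:
        return int(m.group(1))
    named = [p.pid for p in procs if p.image == proc.parent_image and p.pid != proc.pid]
    return named[0] if len(named) == 1 else None


def chain_to_root(pid: int, procs: list[Proc]) -> list[int]:
    """PIDs from the given process up to its topmost monitored ancestor."""
    by_pid = {p.pid: p for p in procs}
    chain, seen, cur = [], set(), pid
    while cur in by_pid and cur not in seen:
        seen.add(cur)
        chain.append(cur)
        cur = parent_pid(by_pid[cur], procs)
    return chain


def launched_itself(procs: list[Proc]) -> list[int]:
    """Parents that spawned a child with the same image name: the condition
    behind the report's 'Application launched itself' signature on PID 3980."""
    by_pid = {p.pid: p for p in procs}
    hits = {ppid for p in procs
            if (ppid := parent_pid(p, procs)) in by_pid and by_pid[ppid].image == p.image}
    return sorted(hits)


def integrity_drops(procs: list[Proc]) -> list[tuple[int, int]]:
    """(parent, child) pairs where the child runs at a lower integrity level
    than its parent; here IE Protected Mode's MEDIUM frame -> LOW content."""
    by_pid = {p.pid: p for p in procs}
    return sorted((ppid, p.pid) for p in procs
                  if (ppid := parent_pid(p, procs)) in by_pid
                  and INTEGRITY_RANK[p.integrity] < INTEGRITY_RANK[by_pid[ppid].integrity])


def cache_buster_time(url: str) -> Optional[str]:
    """Assumption: the t= query value is a millisecond Unix timestamp used as
    a cache-buster; returned as ISO-8601 UTC, or None if absent/non-numeric."""
    t = parse_qs(urlsplit(url).query).get("t", [None])[0]
    if t is None or not t.isdigit():
        return None
    return datetime.fromtimestamp(int(t) // 1000, tz=timezone.utc).isoformat()


def attribute(pid: int, procs: list[Proc]) -> dict:
    """Walk from the process that made a network request to its root and
    report who launched that root and which URL it was told to open."""
    by_pid = {p.pid: p for p in procs}
    chain = chain_to_root(pid, procs)
    root = by_pid[chain[-1]]
    m = URL_RE.search(root.cmd)
    url = m.group(1) if m else None
    return {
        "chain": chain,
        "root_pid": root.pid,
        "root_launched_by": root.parent_image,
        "url": url,
        "url_time_utc": cache_buster_time(url) if url else None,
    }


if __name__ == "__main__":
    print("launched itself:", launched_itself(PROCS))
    print("integrity drops:", integrity_drops(PROCS))
    print("attribution of PID 4040:", attribute(4040, PROCS))
```

Resolving the parent through SCODEF rather than the parent image name matters in real telemetry, where several iexplore.exe frames can coexist and a name match alone is ambiguous; the fallback by name is only taken when exactly one monitored process carries that image.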
Total events
10 465
Read events
10 334
Write events
95
Delete events
36

Modification events

(PID) Process: (3980) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 1

(PID) Process: (3980) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchLowDateTime
Value:

(PID) Process: (3980) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 31109704

(PID) Process: (3980) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateLowDateTime
Value:

(PID) Process: (3980) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 31109704

(PID) Process: (3980) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3980) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3980) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3980) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (3980) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files
0
Suspicious files
7
Text files
6
Unknown types
1

Dropped files

PID | Process | Filename | Type
3980 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verB48C.tmp | xml
MD5:CBD0581678FA40F0EDCBC7C59E0CAD10
SHA256:159BD4343F344A08F6AF3B716B6FA679859C1BD1D7030D26FF5EF0255B86E1D9
3980 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | der
MD5:A78885DC856FAEB57C7549A4B25D6A6A
SHA256:D586A36A410C287A57FB08F3E0E137F7FA66A303AAA86396C72B81F6ABAD2C63
3980 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\favicon[1].ico | image
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3980 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | binary
MD5:AE5A047E2ED0AD0EE475CACC1305A131
SHA256:44A87C3370EC2CB78A15BFAA85B8F0812EE95E5C15D84E74B6E0B80E6EA29053
3980 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[1].ico | image
MD5:636829421A715D8CE28152EBE6C3ACA6
SHA256:ACA43EFA95B7BC45C2364E97B766DEA956ADB4558249C9C0F69C26F5710919DC
3980 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A | binary
MD5:B0C924F9243D25ECF2C53F9AA1BB8A9F
SHA256:C37B47655D2D470A48B288CD19727BF286F7C2AF107FD0AD6EAEE93E53ABC424
4040 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\watcher-check[1].htm | binary
MD5:E67652CEA5180BC9684EB6FDAC54F3F6
SHA256:BD955A7F667911FFEB287E12D9D49937B1EE3DC8C7E5B8B63542D42984A7C7A5
3980 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\urlblockindex[1].bin | binary
MD5:FA518E3DFAE8CA3A0E495460FD60C791
SHA256:775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7
3980 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml | xml
MD5:CBD0581678FA40F0EDCBC7C59E0CAD10
SHA256:159BD4343F344A08F6AF3B716B6FA679859C1BD1D7030D26FF5EF0255B86E1D9
3980 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\imagestore\f7ruq93\imagestore.dat | binary
MD5:A58061DB68E8A5C1164D1323E10B6F80
SHA256:52B600792E1A39BFE14F9F68A380C26AAA1D9060E89E78931C577F5803045A44
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
19
DNS requests
15
Threats
12

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3980 | iexplore.exe | GET | 304 | 79.140.95.210:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?375896791b56e52b | unknown | unknown
3980 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown | unknown
3980 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | unknown
3980 | iexplore.exe | GET | 304 | 79.140.95.203:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c21588876f974d24 | unknown | unknown
1088 | svchost.exe | GET | 304 | 79.140.95.203:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a09afb62c623df15 | unknown | unknown
3980 | iexplore.exe | GET | 200 | 37.9.8.75:80 | http://update.drp.su/favicon.ico | unknown | unknown
4040 | iexplore.exe | GET | 200 | 37.9.8.75:80 | http://update.drp.su/notifier/watcher-check/?t=1717038150207 | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | unknown
4040 | iexplore.exe | 37.9.8.75:80 | update.drp.su | OOO Network of data-centers Selectel | RU | unknown
4040 | iexplore.exe | 5.79.87.110:80 | static.drp.su | LeaseWeb Netherlands B.V. | NL | unknown
3980 | iexplore.exe | 93.186.134.232:443 | www.bing.com | TELECOM ITALIA SPARKLE S.p.A. | IT | unknown
3980 | iexplore.exe | 79.140.95.210:80 | ctldl.windowsupdate.com | TELECOM ITALIA SPARKLE S.p.A. | IT | unknown
3980 | iexplore.exe | 79.140.95.203:80 | ctldl.windowsupdate.com | TELECOM ITALIA SPARKLE S.p.A. | IT | unknown
3980 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
3980 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
update.drp.su | 37.9.8.75 | malicious
static.drp.su | 5.79.87.110 | unknown
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 93.186.134.232, 93.186.134.242 | whitelisted
ctldl.windowsupdate.com | 79.140.95.203, 79.140.95.210 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted

Threats

PID | Process | Class | Message
1088 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related
1088 | svchost.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP DriverPack Domain in DNS Query
1088 | svchost.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP Observed DNS Query to DriverPack Domain ( .drp .su)
4040 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
4040 | iexplore.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP DriverPack Update Checkin
1088 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related
1088 | svchost.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP DriverPack Domain in DNS Query
1088 | svchost.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP Observed DNS Query to DriverPack Domain ( .drp .su)
1088 | svchost.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP DriverPack Domain in DNS Query
1088 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related
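Every alert in the list comes from three Emerging Threats signature families: a DNS query for a name under the .su TLD, a DNS query for a DriverPack (drp.su) domain, and an HTTP request to a .su host or to the DriverPack update check-in. The DNS hits are attributed to svchost.exe PID 1088 because on Windows 7 the DNS Client service issues the lookups on behalf of the browser, while the HTTP hits land on the content process PID 4040. The only traffic outside Microsoft, Bing and DigiCert OCSP endpoints is to update.drp.su and static.drp.su, which is why the MALICIOUS "Connects to the CnC server" and SUSPICIOUS unwanted-domain signatures both point at 4040. The script below is an added example, not ANY.RUN's or Emerging Threats' code: it re-implements the rule names' conditions in plain Python and runs them over a constructed log built from the report's DNS and HTTP tables. The exact byte patterns the real ET rules match are not reproduced; keying the check-in rule on the /notifier/ path is this script's assumption, and the two DriverPack DNS rules that fire together in the report are collapsed into one.

```python
"""Plain-Python reading of the ET signature families that fire in the report:
.su TLD in a DNS query, DriverPack domain in a DNS query, HTTP request to a
.su host, and the DriverPack update check-in.

Added example, not ANY.RUN's or Emerging Threats' code. The log lines are
constructed from the report's tables; the log format is this script's own."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Alert:
    pid: int
    process: str
    klass: str
    msg: str


# Constructed sample log, one event per line, re-typed from the report
# (not a real ANY.RUN export format):
#   <pid> <process> DNS <qname>
#   <pid> <process> HTTP <method> <url>
SAMPLE_LOG = """\
1088 svchost.exe DNS update.drp.su
1088 svchost.exe DNS api.bing.com
1088 svchost.exe DNS static.drp.su
1088 svchost.exe DNS ctldl.windowsupdate.com
3980 iexplore.exe HTTP GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?375896791b56e52b
4040 iexplore.exe HTTP GET http://update.drp.su/notifier/watcher-check/?t=1717038150207
3980 iexplore.exe HTTP GET http://update.drp.su/favicon.ico
"""

# Domain the ET ADWARE_PUP DriverPack rules name (".drp .su" in the alert text).
DRIVERPACK_DOMAINS = ("drp.su",)
# Assumption: the update check-in is keyed on the /notifier/ path seen in the
# report; the real ET rule's content match may differ.
CHECKIN_PATH_RE = re.compile(r"^/notifier/")


def normalize_host(host: str) -> str:
    """Lower-case and drop a trailing dot so 'Update.DRP.SU.' still matches."""
    return host.strip().lower().rstrip(".")


def is_su_tld(host: str) -> bool:
    h = normalize_host(host)
    return h == "su" or h.endswith(".su")


def is_driverpack(host: str) -> bool:
    """Exact match or subdomain of a DriverPack domain; 'notdrp.su' is not one."""
    h = normalize_host(host)
    return any(h == d or h.endswith("." + d) for d in DRIVERPACK_DOMAINS)


def check_dns(pid: int, process: str, qname: str) -> list[Alert]:
    alerts = []
    if is_su_tld(qname):
        alerts.append(Alert(pid, process, "Potentially Bad Traffic",
                            "ET DNS Query for .su TLD (Soviet Union) Often Malware Related"))
    if is_driverpack(qname):
        alerts.append(Alert(pid, process, "Possibly Unwanted Program Detected",
                            "ET ADWARE_PUP DriverPack Domain in DNS Query"))
    return alerts


def check_http(pid: int, process: str, method: str, url: str) -> list[Alert]:
    parts = urlsplit(url)
    host = parts.hostname or ""
    alerts = []
    if is_su_tld(host):
        alerts.append(Alert(pid, process, "Potentially Bad Traffic",
                            "ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related"))
    if is_driverpack(host) and method.upper() == "GET" and CHECKIN_PATH_RE.search(parts.path):
        alerts.append(Alert(pid, process, "Possibly Unwanted Program Detected",
                            "ET ADWARE_PUP DriverPack Update Checkin"))
    return alerts


def scan(log: str) -> list[Alert]:
    """Run the checks over the constructed log; malformed lines are skipped."""
    alerts: list[Alert] = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        pid, process, kind = int(fields[0]), fields[1], fields[2]
        if kind == "DNS":
            alerts.extend(check_dns(pid, process, fields[3]))
        elif kind == "HTTP" and len(fields) >= 5:
            alerts.extend(check_http(pid, process, fields[3], fields[4]))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.pid:<5} {a.process:<13} {a.klass:<36} {a.msg}")
```

On the constructed log this yields seven alerts: two per drp.su DNS query, two for the watcher-check request (TLD policy plus check-in) and one for the favicon fetch, which hits the .su policy rule but not the check-in path. The report shows the DNS rules firing more often than that because the resolver repeated its queries; a production rule set would de-duplicate on (pid, qname) within a window rather than alert per packet.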
No debug info