URL:

Sexyforums.com

Full analysis: https://app.any.run/tasks/1c66efd0-0772-4f97-abfb-2c4d2a760f46
Verdict: Malicious activity
Analysis date: June 13, 2024, 15:56:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

B65FB19BF3345346C639178E7C1C29DC

SHA1:

C56F79AB0C86BB44C047181DA13313F6F3E0ACB3

SHA256:

3108E8CD19AFADCAC3D54778F283112B072734A31025AAD9F416FEBB6895940D

SSDEEP:

3:eFuTn:cyn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Manual execution by a user

      • wmpnscfg.exe (PID: 1284)

    • Checks supported languages

      • wmpnscfg.exe (PID: 1284)

    • Reads the computer name

      • wmpnscfg.exe (PID: 1284)

    • Application launched itself

      • iexplore.exe (PID: 3984)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1284"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3984"C:\Program Files\Internet Explorer\iexplore.exe" "Sexyforums.com"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
4040"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3984 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
19 950
Read events
19 829
Write events
87
Delete events
34

Modification events

(PID) Process:(3984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(3984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
(PID) Process:(3984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
31112618
(PID) Process:(3984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(3984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
31112618
(PID) Process:(3984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
0
Suspicious files
54
Text files
53
Unknown types
14

Dropped files

PID
Process
Filename
Type
4040iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\TYX336G5.htmhtml
MD5:0104C301C5E02BD6148B8703D19B3A73
SHA256:446A6087825FA73EADB045E5A2E9E2ADF7DF241B571228187728191D961DDA1F
4040iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\notice.min[1].jstext
MD5:9254E5B16BDE70C963ED59CEBC8902C5
SHA256:BFE3ECAD86362036BFBF2E0D2BC27A6A593CB0FFF32A97A5B1B5F81B409A3BB6
4040iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27binary
MD5:6D6832E66C2159BFE39E615B5B37A39E
SHA256:D0D21D56F77DEA927B2814ECFC1536A00A5D72D353A2AD559037FF7942EC7821
4040iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27binary
MD5:954C54875908A1611DA86CA371F61FCC
SHA256:4FF400F5896AC46241862BBD192F368608E74CBEB9B2010F8F525C18705524E3
4040iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\OBR40UQO.htmhtml
MD5:FF6BDB6F50B37FC2855BDC0812659A5A
SHA256:4BCCE45E2B45958244DBC6C5EE197BD9D95234C588586974CD6A33FEED361A99
4040iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\SexyForums1[1].pngimage
MD5:7159195DAEED044A5D9D2950D72B1C70
SHA256:475AAEE454A0DB0DA98F3060D49C1CCE03677462CFA2494C5840EA205F902A60
4040iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\gtm[1].jsbinary
MD5:6560DF52DE374B96D1BFC6560E67F69E
SHA256:C249CA9E343A73710FA244C27CE26427C34FC09B4A5053ACFE9F4648A7FA61F6
4040iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\preamble.min[1].jsbinary
MD5:387F790DF3B04817B3B499539218A32F
SHA256:F8F0D5E29E4408E8ECDCCEE5E73A185566774F71C7F440CC50AD5C647B127CE3
4040iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:B0C62B9A434E9DEE3269998880B384BF
SHA256:3B655361A18E3262855D7E3CFEF368563C32A0981CD8D9CBF349E6DD93D0F6C8
4040iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\nut[1].pngimage
MD5:DB6430974BD713C3FAC129210ADC72A2
SHA256:A67CEB00D317A65E35EE5AA01886DB67FE2AE72D7A3B9F0FE30DA3A7F32A4A63
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
25
TCP/UDP connections
88
DNS requests
42
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4040
iexplore.exe
GET
301
172.67.138.143:80
http://sexyforums.com/
unknown
4040
iexplore.exe
GET
304
2.19.126.137:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0eb42db1385d6a0b
unknown
4040
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
unknown
4040
iexplore.exe
GET
200
2.19.126.137:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9061d5aa6d0ed04e
unknown
4040
iexplore.exe
GET
200
216.58.212.163:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
4040
iexplore.exe
GET
200
2.19.126.163:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0950bbb8847fa8c4
unknown
4040
iexplore.exe
GET
200
216.58.212.163:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D
unknown
4040
iexplore.exe
GET
200
2.19.105.18:80
http://x1.c.lencr.org/
unknown
4040
iexplore.exe
GET
200
216.58.212.163:80
http://c.pki.goog/r/r1.crl
unknown
4040
iexplore.exe
GET
200
2.16.241.8:80
http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgMcfLVQc1c929GWjgQVi4cb5w%3D%3D
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
unknown
4040
iexplore.exe
172.67.138.143:80
sexyforums.com
CLOUDFLARENET
US
unknown
4
System
192.168.100.255:137
unknown
1088
svchost.exe
224.0.0.252:5355
unknown
4040
iexplore.exe
172.67.138.143:443
sexyforums.com
CLOUDFLARENET
US
unknown
4040
iexplore.exe
2.19.126.137:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
4040
iexplore.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
unknown
4040
iexplore.exe
142.250.186.74:443
fonts.googleapis.com
GOOGLE
US
unknown
4040
iexplore.exe
104.21.5.179:443
ip1.imgporn.to
CLOUDFLARENET
unknown
4040
iexplore.exe
88.208.22.2:443
bobabillydirect.org
DataWeb Global Group B.V.
NL
unknown

DNS requests

Domain
IP
Reputation
sexyforums.com
  • 172.67.138.143
  • 104.21.40.199
unknown
ctldl.windowsupdate.com
  • 2.19.126.137
  • 2.19.126.163
unknown
ocsp.digicert.com
  • 192.229.221.95
unknown
api.bing.com
  • 13.107.5.80
unknown
www.bing.com
  • 184.86.103.140
  • 184.86.103.154
  • 184.86.103.145
unknown
fonts.googleapis.com
  • 142.250.186.74
unknown
ip1.imgporn.to
  • 104.21.5.179
  • 172.67.133.177
unknown
bobabillydirect.org
  • 88.208.22.2
  • 88.208.22.4
  • 88.208.22.1
  • 88.208.22.3
unknown
cdn.tsyndicate.com
  • 45.133.44.71
  • 45.133.44.70
unknown
linktr.ee
  • 151.101.130.133
  • 151.101.2.133
  • 151.101.66.133
  • 151.101.194.133
unknown

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query for .to TLD
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Sexyforums.com