URL:

http://dl2.filehorse.com/win/file-transfer-and-networking/xender-windows/Xender.exe

Full analysis: https://app.any.run/tasks/8b3c08cd-1bee-467a-bd34-a048ad580dc5
Verdict: Malicious activity
Threats:

Adware is software that pushes unwanted advertisements on the user. It usually arrives through software bundling, deceptive download pages or pay-per-install wrappers rather than through an exploit, and once running it may track activity, collect data, establish persistence and pull in further installers, which is why it is treated as a security risk and not only a nuisance.

What this run shows: the file served as Xender.exe is not the Xender application but an installer stub whose version resource reads "Ridog Setup" 1.7.3.4 with an empty Company field, and the IDS signature ADWARE [PTsecurity] InstallCore fired during the session. The stub (PID 3056, MEDIUM integrity) strips the Zone.Identifier stream, i.e. the mark-of-the-web that SmartScreen and AV heuristics key on, then relaunches its own image at HIGH integrity (PID 3876) with the arguments RSF /ppn:YWV4dQ0KChAjb3J1FQUI /ads:1 /mnl. That elevated instance is the one flagged for downloading executables, altering the certificate store and the "stealing of personal data" heuristic, and it drops and runs the Avast Free Antivirus online installer with /silent and an affiliate cookie (/cookie:mmm_irs_ppi_002_451_m, visible in the instup.exe command line). The remaining MALICIOUS and SUSPICIOUS signatures (autorun value, new services and drivers, Task Scheduler use, uninstall entry, external IP checks) are raised by that Avast installer chain (Company: AVAST Software), so when triaging, separate the stub's own behaviour from the bundled product's.

Analysis date: May 23, 2020, 23:30:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
loader
evasion
Indicators:
MD5:

82FEF5A0809599A6C6B2DE1800246C26

SHA1:

C42F6AAA2DB8B2C94032D8B0E27C3E62FFF62B47

SHA256:

410A9FFDF3B07EBB0D24D64D63AF48EB64CF91E62E446894989ECD699E3D5A16

SSDEEP:

3:N1KaJnSbGGSM+QRX0+P8ALBfBKSUA:CaJnSbGFR+EqR1fBKSUA

Caveat: the ssdeep block size here is 3, which ssdeep only produces for inputs of a few hundred bytes at most, so the MD5/SHA-1/SHA-256 above describe a very small object (consistent with a URL submission) rather than the installer that actually ran. Hash the downloaded file yourself before using these values as blocking indicators.
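Offline triage of a file you have pulled from the same URL, as an added example for this page (not ANY.RUN tooling, standard library only): it computes the three hashes for comparison with the Indicators block, parses the PE headers far enough to reach the Authenticode security directory, and reports whether a WIN_CERTIFICATE blob is present at all. A present blob is not a valid signature; confirm with `signtool verify /pa /v` or `osslsigncode verify` before trusting the file. The SHA-256 constant is copied from this report; `build_minimal_pe` and `fake_authenticode_blob` produce constructed header-only stubs for the demo, not the files from the run.

```python
"""Hash a candidate file, match it against this report's IOCs and check for an
Authenticode blob.  Added example, stdlib only; sample PE images are constructed."""
import hashlib
import struct

# SHA-256 listed under Indicators in this report (copied from the page).
REPORT_SHA256 = {"410a9ffdf3b07ebb0d24d64d63af48eb64cf91e62e446894989ecd699e3d5a16"}

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data-directory slot for Authenticode
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # PKCS#7 SignedData, what signtool emits


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _u(fmt, data, off):
    """unpack_from that returns None instead of raising on truncated input."""
    size = struct.calcsize(fmt)
    return struct.unpack_from(fmt, data, off) if 0 <= off and off + size <= len(data) else None


def parse_pe(data):
    """Return basic PE facts, or None when the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = _u("<HHIIIHH", data, e_lfanew + 4)
    if coff is None:
        return None
    machine, nsect, _, _, _, opt_size, _ = coff
    opt = e_lfanew + 24
    magic = _u("<H", data, opt)
    if magic is None or magic[0] not in (0x10B, 0x20B):
        return None
    pe32plus = magic[0] == 0x20B
    nrva_off, dd_off = (108, 112) if pe32plus else (92, 96)
    nrva = _u("<I", data, opt + nrva_off)
    entry = opt + dd_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    sec = None
    if nrva and nrva[0] > IMAGE_DIRECTORY_ENTRY_SECURITY and entry + 8 <= opt + opt_size:
        sec = _u("<II", data, entry)   # the security entry is a raw file offset, not an RVA
    blob = False
    if sec and sec[0] and sec[1] >= 8 and sec[0] + sec[1] <= len(data):
        length, _rev, ctype = struct.unpack_from("<IHH", data, sec[0])
        blob = ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 <= length <= sec[1]
    return {"machine": machine, "sections": nsect, "pe32plus": pe32plus,
            "has_authenticode_blob": blob}


def triage(data, known_sha256=REPORT_SHA256):
    """Hash the bytes, match them against known IOCs and summarise the PE."""
    sha256 = sha256_hex(data)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": sha256,
        "ioc_hit": sha256 in {h.lower() for h in known_sha256},
        "pe": parse_pe(data),
    }


def build_minimal_pe(cert=b""):
    """Constructed sample: a header-only PE32 (not runnable), optionally with a
    WIN_CERTIFICATE appended and referenced from the security directory."""
    opt_size = 96 + 16 * 8
    header_len = 0x40 + 4 + 20 + opt_size
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    if cert:
        struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                         header_len, len(cert))
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, opt_size, 0x0102)
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


def fake_authenticode_blob():
    """Constructed WIN_CERTIFICATE header over a dummy DER payload (not a real signature)."""
    body = b"\x30\x82" + bytes(14)
    return struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read()))
    else:
        for name, blob in (("unsigned stub", build_minimal_pe()),
                           ("stub with cert blob", build_minimal_pe(fake_authenticode_blob()))):
            print(name, triage(blob))
```

Run it as `python triage.py Xender.exe` on a file you downloaded yourself; an `ioc_hit` of False against the report's hash is expected if the Indicators block hashes the URL rather than the binary, so compare against the hashes of the dropped Xender_0256885740.exe from the full report instead.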

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Xender_0256885740.exe (PID: 3876)
      • Xender_0256885740.exe (PID: 3056)
      • avastfreeantivirussetuponline.m.exe (PID: 2272)
      • avast_free_antivirus_setup_online.exe (PID: 3604)
      • instup.exe (PID: 3540)
      • instup.exe (PID: 3500)
      • sbr.exe (PID: 1920)
      • AvEmUpdate.exe (PID: 4036)
      • AvEmUpdate.exe (PID: 1172)
      • AvEmUpdate.exe (PID: 536)
      • AvEmUpdate.exe (PID: 3816)
      • CCUpdate.exe (PID: 2572)
      • CCUpdate.exe (PID: 376)
      • CCUpdate.exe (PID: 1232)
      • CCUpdate.exe (PID: 1252)
      • avBugReport.exe (PID: 2544)
      • avBugReport.exe (PID: 2988)
      • overseer.exe (PID: 3832)
      • AvastNM.exe (PID: 620)
    • Loads dropped or rewritten executable

      • Xender_0256885740.exe (PID: 3876)
      • instup.exe (PID: 3540)
      • instup.exe (PID: 3500)
      • AvEmUpdate.exe (PID: 1172)
      • AvEmUpdate.exe (PID: 3816)
      • RegSvr.exe (PID: 3012)
      • engsup.exe (PID: 2660)
    • Actions looks like stealing of personal data

      • Xender_0256885740.exe (PID: 3876)
    • Downloads executable files from the Internet

      • Xender_0256885740.exe (PID: 3876)
      • avastfreeantivirussetuponline.m.exe (PID: 2272)
      • AvEmUpdate.exe (PID: 1172)
      • CCUpdate.exe (PID: 376)
    • Changes settings of System certificates

      • instup.exe (PID: 3540)
      • AvEmUpdate.exe (PID: 1172)
      • SetupInf.exe (PID: 3576)
      • Xender_0256885740.exe (PID: 3876)
    • Changes the autorun value in the registry

      • instup.exe (PID: 3500)
    • Loads the Task Scheduler COM API

      • AvEmUpdate.exe (PID: 4036)
      • AvEmUpdate.exe (PID: 1172)
      • CCUpdate.exe (PID: 376)
      • CCUpdate.exe (PID: 2816)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 2456)
      • iexplore.exe (PID: 2432)
      • Xender_0256885740.exe (PID: 3876)
      • avastfreeantivirussetuponline.m.exe (PID: 2272)
      • avast_free_antivirus_setup_online.exe (PID: 3604)
      • instup.exe (PID: 3540)
      • AvEmUpdate.exe (PID: 1172)
      • instup.exe (PID: 3500)
      • AvEmUpdate.exe (PID: 3816)
      • CCUpdate.exe (PID: 2572)
      • CCUpdate.exe (PID: 1232)
      • SetupInf.exe (PID: 3576)
    • Cleans NTFS data-stream (Zone Identifier)

      • Xender_0256885740.exe (PID: 3056)
    • Application launched itself

      • Xender_0256885740.exe (PID: 3056)
      • AvEmUpdate.exe (PID: 1172)
      • CCUpdate.exe (PID: 376)
    • Reads Internet Cache Settings

      • Xender_0256885740.exe (PID: 3876)
    • Reads Environment values

      • Xender_0256885740.exe (PID: 3876)
      • AvEmUpdate.exe (PID: 4036)
      • AvEmUpdate.exe (PID: 1172)
      • AvEmUpdate.exe (PID: 536)
      • AvEmUpdate.exe (PID: 3816)
    • Reads internet explorer settings

      • Xender_0256885740.exe (PID: 3876)
    • Creates files in the Windows directory

      • avastfreeantivirussetuponline.m.exe (PID: 2272)
      • avast_free_antivirus_setup_online.exe (PID: 3604)
      • instup.exe (PID: 3540)
      • instup.exe (PID: 3500)
      • DrvInst.exe (PID: 1792)
      • SetupInf.exe (PID: 3576)
    • Creates files in the program directory

      • avast_free_antivirus_setup_online.exe (PID: 3604)
      • instup.exe (PID: 3540)
      • AvEmUpdate.exe (PID: 4036)
      • AvEmUpdate.exe (PID: 1172)
      • instup.exe (PID: 3500)
      • CCUpdate.exe (PID: 2572)
      • CCUpdate.exe (PID: 376)
      • CCUpdate.exe (PID: 1232)
      • CCUpdate.exe (PID: 2816)
      • AvastNM.exe (PID: 620)
      • avBugReport.exe (PID: 2988)
    • Low-level read access rights to disk partition

      • avastfreeantivirussetuponline.m.exe (PID: 2272)
      • avast_free_antivirus_setup_online.exe (PID: 3604)
      • instup.exe (PID: 3540)
      • instup.exe (PID: 3500)
      • AvEmUpdate.exe (PID: 1172)
      • AvEmUpdate.exe (PID: 536)
      • AvEmUpdate.exe (PID: 3816)
      • CCUpdate.exe (PID: 2572)
      • CCUpdate.exe (PID: 1232)
      • CCUpdate.exe (PID: 376)
      • CCUpdate.exe (PID: 1252)
      • CCUpdate.exe (PID: 2816)
      • avBugReport.exe (PID: 2544)
      • avBugReport.exe (PID: 2988)
    • Creates or modifies windows services

      • instup.exe (PID: 3540)
      • instup.exe (PID: 3500)
      • SetupInf.exe (PID: 1636)
      • SetupInf.exe (PID: 3600)
      • SetupInf.exe (PID: 3232)
      • SetupInf.exe (PID: 1640)
      • AvEmUpdate.exe (PID: 4036)
      • AvEmUpdate.exe (PID: 1172)
      • AvEmUpdate.exe (PID: 536)
      • AvEmUpdate.exe (PID: 3816)
      • avBugReport.exe (PID: 2988)
      • avBugReport.exe (PID: 2544)
      • SetupInf.exe (PID: 2884)
      • SetupInf.exe (PID: 3576)
      • RegSvr.exe (PID: 1684)
      • RegSvr.exe (PID: 3012)
    • Removes files from Windows directory

      • instup.exe (PID: 3540)
      • instup.exe (PID: 3500)
      • DrvInst.exe (PID: 1792)
      • SetupInf.exe (PID: 3576)
    • Adds / modifies Windows certificates

      • instup.exe (PID: 3540)
      • AvEmUpdate.exe (PID: 1172)
      • Xender_0256885740.exe (PID: 3876)
    • Starts itself from another location

      • instup.exe (PID: 3540)
      • CCUpdate.exe (PID: 1232)
    • Creates a software uninstall entry

      • instup.exe (PID: 3500)
      • AvEmUpdate.exe (PID: 3816)
    • Creates files in the driver directory

      • instup.exe (PID: 3500)
      • DrvInst.exe (PID: 1792)
      • SetupInf.exe (PID: 3576)
    • Modifies the open verb of a shell class

      • instup.exe (PID: 3500)
    • Creates COM task schedule object

      • instup.exe (PID: 3500)
      • RegSvr.exe (PID: 1684)
      • RegSvr.exe (PID: 3012)
    • Checks for external IP

      • CCUpdate.exe (PID: 2572)
      • CCUpdate.exe (PID: 376)
      • CCUpdate.exe (PID: 1232)
      • CCUpdate.exe (PID: 1252)
      • CCUpdate.exe (PID: 2816)
    • Executed via COM

      • DrvInst.exe (PID: 1792)
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2456)
      • iexplore.exe (PID: 2432)
      • iexplore.exe (PID: 4084)
    • Changes internet zones settings

      • iexplore.exe (PID: 2432)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2432)
    • Creates files in the user directory

      • iexplore.exe (PID: 2432)
      • iexplore.exe (PID: 2456)
      • iexplore.exe (PID: 4084)
    • Application launched itself

      • iexplore.exe (PID: 2432)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2456)
      • iexplore.exe (PID: 4084)
    • Reads the hosts file

      • instup.exe (PID: 3540)
      • instup.exe (PID: 3500)
    • Reads settings of System Certificates

      • Xender_0256885740.exe (PID: 3876)
      • iexplore.exe (PID: 4084)
      • iexplore.exe (PID: 2432)
    • Dropped object may contain Bitcoin addresses

      • instup.exe (PID: 3500)
      • AvEmUpdate.exe (PID: 1172)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2432)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2432)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
80
Monitored processes
33
Malicious processes
15
Suspicious processes
6

Behavior graph

The interactive graph is not reproduced here. The processes it shows, in graph order (nodes the report labels "no specs" are marked as such), are: iexplore.exe, iexplore.exe, xender_0256885740.exe (no specs), xender_0256885740.exe, avastfreeantivirussetuponline.m.exe, avast_free_antivirus_setup_online.exe, iexplore.exe, instup.exe, instup.exe, sbr.exe (no specs), setupinf.exe (no specs) x4, avemupdate.exe (no specs), avemupdate.exe x3, ccupdate.exe x5, avbugreport.exe x2, setupinf.exe (no specs), setupinf.exe, drvinst.exe (no specs), regsvr.exe (no specs) x2, avastnm.exe (no specs), overseer.exe (no specs), engsup.exe (no specs). Every edge in the graph is labelled "drop and start" or "start".

Process information

PID:
2432
CMD:
"C:\Program Files\Internet Explorer\iexplore.exe" "http://dl2.filehorse.com/win/file-transfer-and-networking/xender-windows/Xender.exe"
Path:
C:\Program Files\Internet Explorer\iexplore.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID:
2456
CMD:
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2432 CREDAT:267521 /prefetch:2
Path:
C:\Program Files\Internet Explorer\iexplore.exe
Parent process:
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID:
3056
CMD:
"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\Xender_0256885740.exe"
Path:
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\Xender_0256885740.exe
Parent process:
iexplore.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Ridog Setup
Exit code:
0
Version:
1.7.3.4
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\78rfyb7z\xender_0256885740.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID:
3876
CMD:
"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\Xender_0256885740.exe" RSF /ppn:YWV4dQ0KChAjb3J1FQUI /ads:1 /mnl
Path:
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\Xender_0256885740.exe
Parent process:
Xender_0256885740.exe
User:
admin
Company:
Integrity Level:
HIGH
Description:
Ridog Setup
Exit code:
0
Version:
1.7.3.4
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\78rfyb7z\xender_0256885740.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID:
2272
CMD:
"C:\Users\admin\AppData\Local\Temp\in503B81E5\1D0F5605_stp\avastfreeantivirussetuponline.m.exe" /silent /psh:k9VxFNOOIB3WjCFo1ohUb9WKIR7Az3Fd244lG9aMIBvSjCUa1IgmHNOKM0aA2nBb2/1DaLXoM0qU3yYb248sH9aFIhHTiiL+RwAAAOa8FSk= /ws
Path:
C:\Users\admin\AppData\Local\Temp\in503B81E5\1D0F5605_stp\avastfreeantivirussetuponline.m.exe
Parent process:
Xender_0256885740.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Antivirus Installer
Version:
2.1.1252.0
Modules
Images
c:\users\admin\appdata\local\temp\in503b81e5\1d0f5605_stp\avastfreeantivirussetuponline.m.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID:
3604
CMD:
"C:\Windows\Temp\asw.cafc3098aa376f3e\avast_free_antivirus_setup_online.exe" /silent /psh:k9VxFNOOIB3WjCFo1ohUb9WKIR7Az3Fd244lG9aMIBvSjCUa1IgmHNOKM0aA2nBb2/1DaLXoM0qU3yYb248sH9aFIhHTiiL+RwAAAOa8FSk= /ws /ga_clientid:2901686c-891d-4240-ba6d-64d874c76344 /edat_dir:C:\Windows\Temp\asw.cafc3098aa376f3e
Path:
C:\Windows\Temp\asw.cafc3098aa376f3e\avast_free_antivirus_setup_online.exe
Parent process:
avastfreeantivirussetuponline.m.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Antivirus
Version:
20.3.5200.0
Modules
Images
c:\windows\temp\asw.cafc3098aa376f3e\avast_free_antivirus_setup_online.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
4084
CMD:
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2432 CREDAT:2102559 /prefetch:2
Path:
C:\Program Files\Internet Explorer\iexplore.exe
Parent process:
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID:
3540
CMD:
"C:\Windows\Temp\asw.78d60d94d570c34c\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.78d60d94d570c34c /edition:1 /prod:ais /cookie:mmm_irs_ppi_002_451_m /guid:27e23388-637a-4862-8786-c51bdab4b297 /ga_clientid:2901686c-891d-4240-ba6d-64d874c76344 /silent /psh:k9VxFNOOIB3WjCFo1ohUb9WKIR7Az3Fd244lG9aMIBvSjCUa1IgmHNOKM0aA2nBb2/1DaLXoM0qU3yYb248sH9aFIhHTiiL+RwAAAOa8FSk= /ws /ga_clientid:2901686c-891d-4240-ba6d-64d874c76344 /edat_dir:C:\Windows\Temp\asw.cafc3098aa376f3e
Path:
C:\Windows\Temp\asw.78d60d94d570c34c\instup.exe
Parent process:
avast_free_antivirus_setup_online.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Antivirus Installer
Version:
20.3.5200.0
Modules
Images
c:\windows\temp\asw.78d60d94d570c34c\instup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID:
3500
CMD:
"C:\Windows\Temp\asw.78d60d94d570c34c\New_14030965\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.78d60d94d570c34c /edition:1 /prod:ais /cookie:mmm_irs_ppi_002_451_m /guid:27e23388-637a-4862-8786-c51bdab4b297 /ga_clientid:2901686c-891d-4240-ba6d-64d874c76344 /silent /psh:k9VxFNOOIB3WjCFo1ohUb9WKIR7Az3Fd244lG9aMIBvSjCUa1IgmHNOKM0aA2nBb2/1DaLXoM0qU3yYb248sH9aFIhHTiiL+RwAAAOa8FSk= /ws /edat_dir:C:\Windows\Temp\asw.cafc3098aa376f3e /online_installer
Path:
C:\Windows\Temp\asw.78d60d94d570c34c\New_14030965\instup.exe
Parent process:
instup.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Antivirus Installer
Version:
20.3.5200.0
Modules
Images
c:\windows\temp\asw.78d60d94d570c34c\new_14030965\instup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID:
1920
CMD:
"C:\Windows\Temp\asw.78d60d94d570c34c\New_14030965\sbr.exe" 3500 "Avast Antivirus setup" "Avast Antivirus is being installed. Do not shut down your computer!"
Path:
C:\Windows\Temp\asw.78d60d94d570c34c\New_14030965\sbr.exe
Parent process:
instup.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Shutdown blocker
Version:
20.3.5200.0
Modules
Images
c:\windows\temp\asw.78d60d94d570c34c\new_14030965\sbr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
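The bundling chain in the process table above, expressed as detection logic an EDR analyst could run over process-creation telemetry. This is an added example, not ANY.RUN code. EVENTS is constructed from the table: PIDs, image paths, integrity levels, the Company field and abridged command lines are copied from the report (the long /psh values are replaced by a placeholder); PID 2456's parent is confirmed by its SCODEF:2432 argument, but the parent PIDs assigned to the two Xender_0256885740.exe instances are an assumption, since the report names their parents only as iexplore.exe and Xender_0256885740.exe. The rules key on what distinguishes the stub from a normal install: execution from the browser cache or a Temp directory, a process relaunching its own image at a higher integrity level, a /silent installer spawned by a parent with no vendor information, and an affiliate cookie in an installer command line.

```python
"""Process-chain rules over constructed events mirroring this report's process table.
Added example; parent PIDs marked 'assumed' are not stated by the report."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    integrity: str   # LOW / MEDIUM / HIGH / SYSTEM as shown by the sandbox
    company: str     # CompanyName from the PE version resource ("" when absent)


IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
STUB = r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\Xender_0256885740.exe"
AV_STUB = r"C:\Users\admin\AppData\Local\Temp\in503B81E5\1D0F5605_stp\avastfreeantivirussetuponline.m.exe"
AV_SETUP = r"C:\Windows\Temp\asw.cafc3098aa376f3e\avast_free_antivirus_setup_online.exe"
INSTUP = r"C:\Windows\Temp\asw.78d60d94d570c34c\instup.exe"

EVENTS = [  # constructed from the report; ppid 0 = parent not in the table (explorer.exe)
    ProcEvent(2432, 0, IE, f'"{IE}" "http://dl2.filehorse.com/win/file-transfer-and-networking/xender-windows/Xender.exe"', "MEDIUM", "Microsoft Corporation"),
    ProcEvent(2456, 2432, IE, f'"{IE}" SCODEF:2432 CREDAT:267521 /prefetch:2', "LOW", "Microsoft Corporation"),
    ProcEvent(3056, 2432, STUB, f'"{STUB}"', "MEDIUM", ""),                                          # ppid assumed
    ProcEvent(3876, 3056, STUB, f'"{STUB}" RSF /ppn:YWV4dQ0KChAjb3J1FQUI /ads:1 /mnl', "HIGH", ""),  # ppid assumed
    ProcEvent(2272, 3876, AV_STUB, f'"{AV_STUB}" /silent /psh:<omitted> /ws', "HIGH", "AVAST Software"),
    ProcEvent(3604, 2272, AV_SETUP, f'"{AV_SETUP}" /silent /psh:<omitted> /ws /ga_clientid:2901686c-891d-4240-ba6d-64d874c76344', "HIGH", "AVAST Software"),
    ProcEvent(3540, 3604, INSTUP, f'"{INSTUP}" /sfx:lite /edition:1 /prod:ais /cookie:mmm_irs_ppi_002_451_m /silent', "HIGH", "AVAST Software"),
]

UNTRUSTED_DIRS = ("\\temporary internet files\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
LEVEL = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}
PPI_COOKIE = re.compile(r"/cookie:\S*ppi", re.IGNORECASE)


def detect(events):
    """Return (rule, pid) findings in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        image = e.image.lower()
        if any(d in image for d in UNTRUSTED_DIRS):
            findings.append(("exec_from_untrusted_dir", e.pid))
        # Same image as the parent but a higher integrity level: a self-relaunch through UAC.
        if parent and parent.image.lower() == image and LEVEL.get(e.integrity, -1) > LEVEL.get(parent.integrity, -1):
            findings.append(("self_relaunch_elevated", e.pid))
        # A silent installer whose parent carries no vendor name is the bundler hand-off.
        if parent and "/silent" in e.cmdline.lower() and not parent.company.strip():
            findings.append(("silent_install_from_unlabelled_parent", e.pid))
        if PPI_COOKIE.search(e.cmdline):
            findings.append(("ppi_cookie_in_cmdline", e.pid))
    return findings


def chain(events, pid):
    """PIDs from the root of the tree down to pid, for reporting the bundling path."""
    by_pid = {e.pid: e for e in events}
    out = []
    while pid in by_pid:
        out.append(pid)
        pid = by_pid[pid].ppid
    return list(reversed(out))


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:<40} PID {pid}")
    print("chain to instup.exe:", " -> ".join(map(str, chain(EVENTS, 3540))))
```

The integrity-level rule is the one worth keeping even outside this sample: a legitimate installer elevates once, from its own parent, and does not re-execute from the browser's cache directory.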
Total events
16 394
Read events
3 528
Write events
10 609
Delete events
2 257

Modification events

(PID) Process: (2432) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateLowDateTime
Value: 905915266

(PID) Process: (2432) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 30814554

(PID) Process: (2432) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2432) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2432) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2432) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (2432) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (2432) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: (REG_BINARY blob, not reproduced)

(PID) Process: (2432) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (2432) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1
Executable files
387
Suspicious files
176
Text files
452
Unknown types
83

Dropped files

2456 iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\Low\Cab89D0.tmp
Type:
MD5:
SHA256:

2456 iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\Low\Tar89D1.tmp
Type:
MD5:
SHA256:

2456 iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CBB16B7A61CE4E298043181730D3CE9B
Type:
MD5:
SHA256:

2456 iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1
Type: binary
MD5: 7D9E0418BCBB4255300BFDC6E3EAC535
SHA256: 2689D2ACFC6FEC4149B32A2CA998488F59415C8735EC96266DE2BD6C89663768

2456 iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
Type: binary
MD5: 5208B73001B25D8AA3DEAB62D51E8D33
SHA256: 0147FE79AC05AE104695EC6AE373DAE21BB7C17C9D9D2C5FC86F345A03B0D38A

2456 iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C1B3CC7FF1466C71640A202F8258105B_686BB7BE6EFB22150E38E76D45B85BC5
Type: binary
MD5: 690596F8CFAEC89821FDA719B4507AE2
SHA256: F33166EAE82D1EB4958B9EB3ECC609CCCCDCF5D0B2DDE55C66DBEE6DB0D87642

2456 iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\K9MWBJ1S.txt
Type: text
MD5: 450CDFD1CAEDCE2E55E3251B56DD3298
SHA256: 600B08D0DEA615D3389BF0F9E18EC430CDFAD40D1E91E414F21CE85037F59B0C

2456 iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
Type: der
MD5: 1C400D233070530C717A810D7F9BC99E
SHA256: 58B407B0DDF17FBF78FCB2E2DAD4FABAADA9BD88641F19941480951A200AE4E0

2456 iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Type: binary
MD5: 17E2B7F3E198E09DE287FD9BA721CD6C
SHA256: 73A319F404F486DD95D3DBEBEF0E01D1702834A22DF08F64F1F0EEB805D13647

2456 iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C1B3CC7FF1466C71640A202F8258105B_686BB7BE6EFB22150E38E76D45B85BC5
Type: der
MD5: 69472687A3FCFBA062911F467C12C697
SHA256: 1BFBBD28644F3E86F9763C2703A8623A5012AFA5F77474ED37B6BEE6DA0448ED
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
216
TCP/UDP connections
281
DNS requests
188
Threats
25

HTTP requests (PID | process | method | HTTP code | IP | URL | CN | type | size | reputation; "-" where the report shows no value)

2456 | iexplore.exe | GET | 304 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D | US | - | - | whitelisted
2456 | iexplore.exe | GET | 304 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | - | - | whitelisted
2456 | iexplore.exe | GET | 304 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D | US | - | - | whitelisted
2456 | iexplore.exe | GET | 304 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D | US | der | 471 b | whitelisted
2456 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D | US | der | 471 b | whitelisted
2456 | iexplore.exe | GET | 200 | 216.58.205.227:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted
2456 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrBBNpPfHTPX6Jy6BVzyBPnBWMnQQUPnQtH89FdQR%2BP8Cihz5MQ4NRE8YCEAQ6xkzSj%2BRMx5Z5pZ65i7o%3D | US | der | 279 b | whitelisted
2456 | iexplore.exe | GET | 200 | 216.58.205.227:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted
2456 | iexplore.exe | GET | 304 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D | US | der | 471 b | whitelisted
2456 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D | US | der | 471 b | whitelisted

Connections (PID | process | IP | domain | ASN | CN | reputation)

2456 | iexplore.exe | 172.217.16.170:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
2456 | iexplore.exe | 178.162.147.149:80 | dl2.filehorse.com | LeaseWeb Netherlands B.V. | NL | suspicious
2456 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2456 | iexplore.exe | 104.16.132.229:443 | cdnjs.cloudflare.com | Cloudflare Inc | US | suspicious
2456 | iexplore.exe | 94.31.29.128:443 | static.filehorse.com | netDNA | GB | malicious
2456 | iexplore.exe | 216.58.205.227:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
2456 | iexplore.exe | 151.139.128.14:80 | ocsp.usertrust.com | Highwinds Network Group, Inc. | US | suspicious
2456 | iexplore.exe | 172.217.16.202:443 | ajax.googleapis.com | Google Inc. | US | whitelisted
2456 | iexplore.exe | 216.58.205.226:443 | pagead2.googlesyndication.com | Google Inc. | US | whitelisted
2456 | iexplore.exe | 172.217.16.195:443 | fonts.gstatic.com | Google Inc. | US | whitelisted

DNS requests

Domain
IP
Reputation
dl2.filehorse.com
  • 178.162.147.149
suspicious
www.filehorse.com
  • 104.20.117.116
  • 104.20.118.116
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
fonts.gstatic.com
  • 172.217.16.195
  • 172.217.21.195
whitelisted
fonts.googleapis.com
  • 172.217.16.170
whitelisted
static.filehorse.com
  • 94.31.29.128
whitelisted
ajax.googleapis.com
  • 216.58.207.74
  • 172.217.16.202
whitelisted
googleads.g.doubleclick.net
  • 172.217.16.194
whitelisted
google-analytics.com
  • 172.217.21.196
whitelisted
pagead2.googlesyndication.com
  • 216.58.205.226
whitelisted

Threats (class: message; the report's PID and process columns are empty for every row)

A Network Trojan was detected: ADWARE [PTsecurity] InstallCore
Potential Corporate Privacy Violation: ET POLICY PE EXE or DLL Windows file download HTTP
Misc activity: ET INFO EXE - Served Attached HTTP
Potential Corporate Privacy Violation: ET POLICY PE EXE or DLL Windows file download HTTP
Potential Corporate Privacy Violation: ET POLICY PE EXE or DLL Windows file download HTTP
Potential Corporate Privacy Violation: ET POLICY External IP Lookup (avast .com)
Potential Corporate Privacy Violation: ET POLICY External IP Lookup (avast .com)
Potential Corporate Privacy Violation: ET POLICY External IP Lookup (avast .com)
Potential Corporate Privacy Violation: ET POLICY PE EXE or DLL Windows file download HTTP
Potential Corporate Privacy Violation: ET POLICY External IP Lookup (avast .com)
14 ETPRO signatures available at the full report
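What the Emerging Threats policy signatures above actually key on, approximated as checks over reassembled HTTP transactions. This is an added example for this page, neither Suricata nor the ET rule text; the labels reuse the report's signature names, but the matching is a simplification. The transactions are constructed to mirror this run: the Xender.exe fetch from dl2.filehorse.com over plain HTTP by PID 2456, an OCSP exchange with ocsp.usertrust.com, and an external IP lookup by CCUpdate.exe (PID 2572, which the report flags for "Checks for external IP"). The report does not name the lookup host, so "ip.example.invalid" is a placeholder, and every response body is synthetic.

```python
"""Approximations of the ET POLICY / ET INFO checks seen in this run over
constructed HTTP transactions.  Added example, not rule text."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpTx:
    pid: int
    host: str
    path: str
    status: int
    headers: dict      # lower-cased header names
    body: bytes
    tls: bool = False  # True when the exchange was inside HTTPS (no body visible on the wire)


TXS = [  # constructed sample traffic; bodies are synthetic
    HttpTx(2456, "dl2.filehorse.com",
           "/win/file-transfer-and-networking/xender-windows/Xender.exe", 200,
           {"content-type": "application/octet-stream",
            "content-disposition": 'attachment; filename="Xender.exe"'},
           b"MZ\x90\x00" + bytes(60) + b"PE\x00\x00"),
    HttpTx(2456, "ocsp.usertrust.com",
           "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D",
           200, {"content-type": "application/ocsp-response"}, b"\x30\x82\x01\xd3"),
    HttpTx(2572, "ip.example.invalid", "/", 200,       # placeholder host for the IP lookup
           {"content-type": "text/plain"}, b"203.0.113.7\n"),
]

IPV4_BODY = re.compile(rb"^\s*(?:\d{1,3}\.){3}\d{1,3}\s*$")
EXE_ATTACHMENT = re.compile(r'attachment;.*filename="?[^";]*\.exe"?', re.IGNORECASE)


def classify(tx):
    """Return the signature names a single transaction would trip."""
    hits = []
    if tx.tls:
        return hits   # content rules only see cleartext; TLS traffic needs a different approach
    ctype = tx.headers.get("content-type", "").lower()
    disp = tx.headers.get("content-disposition", "")
    if tx.status == 200 and tx.body[:2] == b"MZ":
        # The ET rule matches the PE magic at the start of a cleartext response body.
        hits.append("ET POLICY PE EXE or DLL Windows file download HTTP")
    if EXE_ATTACHMENT.search(disp):
        hits.append("ET INFO EXE - Served Attached HTTP")
    if ctype.startswith("text/plain") and IPV4_BODY.match(tx.body):
        # The real rule is host/URI specific; a bare IPv4 literal in the body is the generic form.
        hits.append("ET POLICY External IP Lookup")
    return hits


def scan(txs):
    """Flatten hits to (pid, host, signature) tuples for correlation with the process table."""
    return [(tx.pid, tx.host, sig) for tx in txs for sig in classify(tx)]


if __name__ == "__main__":
    for pid, host, sig in scan(TXS):
        print(f"PID {pid:<5} {host:<22} {sig}")
```

The PID column makes the correlation the report leaves empty: the executable download belongs to the browser process that fetched the stub, while the IP lookups come from the Avast updater processes, which matches the "Checks for external IP" signature being attached to CCUpdate.exe only.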
No debug info