URL: https://blakemag.com/road-trip-test-bmw-vs-triumph/

Full analysis: https://app.any.run/tasks/3affea36-87d0-45e2-8486-3136144d8198
Verdict: Malicious activity
Analysis date: April 29, 2024, 07:00:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: socgholish

Indicators:
MD5: 6A54415F14699AA9F56C2A6C0E32666E
SHA1: 65905899A51F02EB62E0B8F4346AF2A44942C885
SHA256: 423A846C69266230D0444536EAD3F5D92FF638C727C40F0D7B7CB44B4A821E9A
SSDEEP: 3:N8A6RXpscTWYITphfn:2A6PTejfn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Contacting a server suspected of hosting an Exploit Kit
      • iexplore.exe (PID: 4024)
  • INFO
    • Application launched itself
      • iexplore.exe (PID: 3964)
    • Checks supported languages
      • wmpnscfg.exe (PID: 2028)
    • Reads the computer name
      • wmpnscfg.exe (PID: 2028)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 2028)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start → iexplore.exe → iexplore.exe; wmpnscfg.exe (no specs)

Process information

PID: 2028
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Indicators: (none)
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 3964
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://blakemag.com/road-trip-test-bmw-vs-triumph/"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators: (none)
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

PID: 4024
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3964 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators: (none)
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events: 21 412
Read events: 21 238
Write events: 132
Delete events: 42

Modification events

Process: (3964) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 1

Process: (3964) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchLowDateTime
Value:

Process: (3964) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 31103490

Process: (3964) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateLowDateTime
Value: 214379664

Process: (3964) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 31103491

Process: (3964) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: (3964) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (3964) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (3964) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

Process: (3964) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files: 0
Suspicious files: 48
Text files: 80
Unknown types: 13

Dropped files

PID | Process | Filename | Type

4024 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\road-trip-test-bmw-vs-triumph[1].htm | html
  MD5: 2A3F9D1202403FA08C2D6F00C751D34F
  SHA256: 3AA9850E897E16408DDAAAAD1DE4C7F9A9BBD5ADB12106B8E930D2348E649B1C
4024 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\ruby-responsive[1].css | text
  MD5: D2AE12EE3BC852058C797CEA55886790
  SHA256: 78A7F7BED44EC2FB9BBC916E9B37256F5BEC308140F070817BDE4E228CB21E8A
4024 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | der
  MD5: 822467B728B7A66B081C91795373789A
  SHA256: AF2343382B88335EEA72251AD84949E244FF54B6995063E24459A7216E9576B9
4024 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: C8E773DE67B01B07BA36A1F92FDBC526
  SHA256: 1550D7BD4B1C2AB653369DC84D20AB30764595A35BCB14E8E3C3ACB398050D4A
4024 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0CFA9A8301B4AF356A0DFAC74F1640F9 | der
  MD5: 592F87E2AE3D8377333618810FDE7E98
  SHA256: C070A37308DAA3AE8EB4ED68CF1BAA34A0384A6D1F5942039839A0A16DC39BBF
4024 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\jquery-migrate.min[1].js | binary
  MD5: 79B4956B7EC478EC10244B5E2D33AC7D
  SHA256: 029E0A2E809FD6B5DBE76ABE8B7A74936BE306C9A8C27C814C4D44AA54623300
4024 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary
  MD5: 5C59061286C17B01A9D2E5CC50C437BA
  SHA256: 588E27461C8FCB2B699CD6B8B713EA8AB0A39158F5F23946809ECBA1CEE75A18
4024 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\ruby-style[1].css | text
  MD5: AEAAC9D42E9EBE72E387FD1504A555F1
  SHA256: FAD7ADDC55D61133C7824CB2CB25547A36E87C6D36372076F721B6AA9B8B66E4
4024 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\animation[1].css | text
  MD5: 1FA6EEE79FAB511A63609DE851EA2CF7
  SHA256: C6D2D3CFF0BBB71A13A17627DB5180499941F7AAF58064C080600FBDFC4D62FB
4024 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\ruby-shortcodes-script[1].js | text
  MD5: BC353578B2653C8107A537FCA2312E4F
  SHA256: AB757D1D7CB91490D8D8F71262DC1DC2B70F500C7FF80D04E69840267CC77CCA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 24
TCP/UDP connections: 68
DNS requests: 32
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

4024 | iexplore.exe | GET | 304 | 95.101.54.123:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9b5f474efa3999f3 | unknown | unknown
4024 | iexplore.exe | GET | 200 | 142.250.186.35:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDq8VlpL7aJJwm1OnoGOVwL | unknown | unknown
4024 | iexplore.exe | GET | 200 | 95.101.54.139:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgTIZwYKHn%2BDuJrF2oz7hrVQsg%3D%3D | unknown | unknown
4024 | iexplore.exe | GET | 304 | 95.101.54.217:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?068eb670bb243701 | unknown | unknown
4024 | iexplore.exe | GET | 200 | 2.19.105.18:80 | http://x1.c.lencr.org/ | unknown | unknown
4024 | iexplore.exe | GET | 200 | 142.250.186.35:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEFFNAL5y0qOaCU1agms6UWo%3D | unknown | unknown
4024 | iexplore.exe | GET | 200 | 142.250.186.35:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | unknown | unknown
4024 | iexplore.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEFZnHQTqT5lMbxCBR1nSdZQ%3D | unknown | unknown
4024 | iexplore.exe | GET | 200 | 142.250.186.35:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCNbnFNjxLCZRKVsCHt2Y3B | unknown | unknown
4024 | iexplore.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSr83eyJy3njhjVpn5bEpfc6MXawQQUOuEJhtTPGcKWdnRJdtzgNcZjY5oCECO3bePBuysaUZYeCOq3ZOg%3D | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | | | | unknown
4024 | iexplore.exe | 91.121.179.87:443 | blakemag.com | OVH SAS | FR | unknown
4024 | iexplore.exe | 95.101.54.217:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
4024 | iexplore.exe | 95.101.54.123:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
4024 | iexplore.exe | 2.19.105.18:80 | x1.c.lencr.org | AKAMAI-AS | DE | unknown
4024 | iexplore.exe | 95.101.54.139:80 | r3.o.lencr.org | Akamai International B.V. | DE | unknown
4024 | iexplore.exe | 142.250.186.106:443 | fonts.googleapis.com | GOOGLE | US | whitelisted
4024 | iexplore.exe | 142.250.185.136:443 | www.googletagmanager.com | GOOGLE | US | unknown

DNS requests

Domain (reputation), followed by the resolved IPs:

blakemag.com (unknown)
  • 91.121.179.87
ctldl.windowsupdate.com (whitelisted)
  • 95.101.54.123
  • 2.16.202.128
  • 95.101.54.217
  • 95.101.54.203
  • 2.16.202.114
  • 2.16.202.115
  • 95.101.54.121
  • 95.101.54.112
x1.c.lencr.org (whitelisted)
  • 2.19.105.18
r3.o.lencr.org (shared)
  • 95.101.54.139
  • 2.16.202.121
  • 2.16.202.115
  • 95.101.54.112
  • 95.101.54.123
  • 95.101.54.137
  • 95.101.54.107
  • 95.101.54.145
  • 95.101.54.203
fonts.googleapis.com (whitelisted)
  • 142.250.186.106
www.googletagmanager.com (whitelisted)
  • 142.250.185.136
ocsp.pki.goog (whitelisted)
  • 142.250.186.35
fonts.gstatic.com (whitelisted)
  • 142.250.186.67
www.youtube.com (whitelisted)
  • 142.250.185.78
  • 216.58.206.78
  • 142.250.185.142
  • 142.250.74.206
  • 142.250.185.206
  • 142.250.186.174
  • 142.250.186.142
  • 142.250.186.110
  • 142.250.185.110
  • 142.250.185.174
  • 172.217.16.206
  • 142.250.184.206
  • 216.58.206.46
  • 142.250.186.46
  • 142.250.186.78
  • 172.217.18.14
region1.google-analytics.com (whitelisted)
  • 216.239.34.36
  • 216.239.32.36

Threats

PID | Process | Class | Message

1088 | svchost.exe | A Network Trojan was detected | ET MALWARE SocGholish Domain in DNS Lookup (trademark .iglesiaelarca .com)
1088 | svchost.exe | Exploit Kit Activity Detected | ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (ipscanadvsf .com)
4024 | iexplore.exe | Misc activity | ET INFO Observed ZeroSSL SSL/TLS Certificate
4024 | iexplore.exe | Misc activity | ET INFO Observed ZeroSSL SSL/TLS Certificate
4024 | iexplore.exe | Exploit Kit Activity Detected | ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (ipscanadvsf .com)
4024 | iexplore.exe | Exploit Kit Activity Detected | ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (ipscanadvsf .com)
No debug info