analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://www.pornhub.com

Full analysis: https://app.any.run/tasks/012d878a-f99f-44c6-9fd1-87a30dfd46dc
Verdict: Malicious activity
Analysis date: July 27, 2022, 16:16:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

0BABB28FBAA5A0557CBECB21A8A24715

SHA1:

79CE9FA0965762F0B43CF6DC71BD9672D62B3892

SHA256:

428FEE64F7249D15B802857D45F3A2FEAA44BB3B870DD187D64CF7EBBA3DDE8C

SSDEEP:

3:N8DSLN2:2OLo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • msdt.exe (PID: 2572)

    • Loads dropped or rewritten executable

      • Explorer.EXE (PID: 2020)

  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 1272)

    • Drops a file with a compile date too recent

      • msdt.exe (PID: 2572)

    • Executable content was dropped or overwritten

      • msdt.exe (PID: 2572)

    • Executed via COM

      • sdiagnhost.exe (PID: 3524)

  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 1272)
      • iexplore.exe (PID: 3104)
      • rundll32.exe (PID: 3868)
      • msdt.exe (PID: 2572)
      • makecab.exe (PID: 3564)
      • sdiagnhost.exe (PID: 3524)
      • ROUTE.EXE (PID: 2328)
      • ipconfig.exe (PID: 2052)

    • Reads the computer name

      • iexplore.exe (PID: 1272)
      • iexplore.exe (PID: 3104)
      • rundll32.exe (PID: 3868)
      • msdt.exe (PID: 2572)
      • sdiagnhost.exe (PID: 3524)
      • ROUTE.EXE (PID: 2328)
      • ipconfig.exe (PID: 2052)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3104)
      • msdt.exe (PID: 2572)
      • iexplore.exe (PID: 1272)

    • Changes internet zones settings

      • iexplore.exe (PID: 3104)

    • Application launched itself

      • iexplore.exe (PID: 3104)

    • Reads internet explorer settings

      • iexplore.exe (PID: 1272)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3104)
      • iexplore.exe (PID: 1272)
      • msdt.exe (PID: 2572)
      • sdiagnhost.exe (PID: 3524)

    • Manual execution by user

      • rundll32.exe (PID: 3868)
      • msdt.exe (PID: 2572)

    • Changes settings of System certificates

      • iexplore.exe (PID: 3104)

    • Reads CPU info

      • Explorer.EXE (PID: 2020)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3104)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
9
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe rundll32.exe no specs msdt.exe explorer.exe no specs sdiagnhost.exe no specs ipconfig.exe no specs route.exe no specs makecab.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3104"C:\Program Files\Internet Explorer\iexplore.exe" "https://www.pornhub.com"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1272"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3104 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3868"C:\Windows\System32\rundll32.exe" werconcpl.dll, LaunchErcApp -queuereportingC:\Windows\System32\rundll32.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2572"C:\Windows\System32\msdt.exe" -ep TSControlPanel -path C:\Windows\Diagnostics\Index\NetworkDiagnostics_1_Web.xml -context {82552749-4660-4C85-8F5D-86E0A9B58FAD}C:\Windows\System32\msdt.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Diagnostics Troubleshooting Wizard
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2020C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3524C:\Windows\System32\sdiagnhost.exe -EmbeddingC:\Windows\System32\sdiagnhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Scripted Diagnostics Native Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2052"C:\Windows\system32\ipconfig.exe" /allC:\Windows\system32\ipconfig.exesdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2328"C:\Windows\system32\ROUTE.EXE" printC:\Windows\system32\ROUTE.EXEsdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Route Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3564"C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddfC:\Windows\system32\makecab.exesdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Cabinet Maker
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
25 096
Read events
24 422
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
54
Text files
201
Unknown types
22

Dropped files

PID
Process
Filename
Type
1272iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8864D121A6EBD5E6D0EFEDAB49B51A90binary
MD5:62AE3C5A2C3F7B70EC5FDD5ABD8ED9D4
SHA256:EA9C04356F48955A50748077CC68145A0BEBA21F9E15070453205E858EA790D2
2020Explorer.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\7e4dca80246863e3.automaticDestinations-msautomaticdestinations-ms
MD5:B29BA3703C62F03E24C8692DB918C475
SHA256:BCD40D50F376E00154E09DAD1EB28C4F67C19BC463ABDE7E59B4F77B8BB978D1
3104iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:809172745BB5AC580B3692E4C59477FA
SHA256:47C3DCC73C89A38DB8EE51ECA594A77BD8C60534B9034B94125E5E9862747CAF
1272iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8864D121A6EBD5E6D0EFEDAB49B51A90der
MD5:7F4BB46EAD9BE8D59C3CD6303C933DBF
SHA256:43E1EB05D823AAF13B865C7AF6E678218A3E7187BF5C9FA77A3C3CAB8A2A5372
3104iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:00523DC49A3C5A7CCD0301DB2F05A30A
SHA256:177C88411FC1BDC4074786011B5AA03FBCF65F5BC0489E60D0BF4CB162948531
3104iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776binary
MD5:A259D7E35A55A841CF5768370D7770B3
SHA256:745241ED3BE1B479D383218E97960A1ECCAED3EE54E32161050D0A3F2F1AF402
3104iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:F6CF096E5E372922BB3C8FE8F177142C
SHA256:1D1511B7501C33B79FFE93C9F41E4582D236DF39EE20D2C76B640A811970F810
3104iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776der
MD5:7DD20ADFA3458EEEDC6933ADEB906BBC
SHA256:D04BCC0C1E2B0BCD65419DB0AB6E5C8DA2C77C5F8184A5207D487030049308C1
3104iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xmlxml
MD5:CBD0581678FA40F0EDCBC7C59E0CAD10
SHA256:159BD4343F344A08F6AF3B716B6FA679859C1BD1D7030D26FF5EF0255B86E1D9
3104iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[1].icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
96
DNS requests
30
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
732
svchost.exe
GET
2.20.73.154:80
http://www.microsoft.com/
unknown
whitelisted
1272
iexplore.exe
GET
200
142.250.185.99:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
1272
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAonX%2BcE1u7LI9XNW0saTgQ%3D
US
der
471 b
whitelisted
1272
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAfy81yHqHeveu%2FpR5k1Jb0%3D
US
der
471 b
whitelisted
1272
iexplore.exe
GET
200
142.250.185.99:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted
1272
iexplore.exe
GET
200
93.184.220.29:80
http://crl4.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl
US
der
26.3 Kb
whitelisted
1272
iexplore.exe
GET
200
93.184.220.29:80
http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl
US
der
26.3 Kb
whitelisted
1272
iexplore.exe
GET
200
142.250.185.99:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEA1h7r3w6RGXEvIC1cLxMsk%3D
US
der
471 b
whitelisted
1272
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
US
der
471 b
whitelisted
3104
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3104
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3104
iexplore.exe
152.199.19.161:443
r20swj13mr.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1272
iexplore.exe
66.254.114.41:443
www.pornhub.com
Reflected Networks, Inc.
US
malicious
3104
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1272
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3104
iexplore.exe
13.107.21.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3104
iexplore.exe
8.241.9.254:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
suspicious
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1272
iexplore.exe
205.185.208.142:443
di.phncdn.com
Highwinds Network Group, Inc.
US
suspicious
1272
iexplore.exe
142.250.185.174:443
www.google-analytics.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.pornhub.com
  • 66.254.114.41
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
  • 131.253.33.200
  • 13.107.22.200
whitelisted
ctldl.windowsupdate.com
  • 8.241.9.254
  • 8.241.11.126
  • 8.248.115.254
  • 8.253.207.121
  • 67.27.234.126
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
crl3.digicert.com
  • 93.184.220.29
whitelisted
crl4.digicert.com
  • 93.184.220.29
whitelisted
di.phncdn.com
  • 205.185.208.142
whitelisted

Threats

PID
Process
Class
Message
3104
iexplore.exe
Generic Protocol Command Decode
SURICATA STREAM TIMEWAIT ACK with wrong seq
732
svchost.exe
A Network Trojan was detected
ET POLICY Microsoft user-agent automated process response to automated request
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.pornhub.com