analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://u.pcloud.link/publink/show?code=8aA

Full analysis: https://app.any.run/tasks/fdcc7155-b9b7-45d0-bbfe-0c438f59a3fc
Verdict: Malicious activity
Analysis date: May 30, 2020, 16:38:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

9933C95EB3AB2AB0294AB670BE281A3C

SHA1:

B2ED5E101612AEDB6EB6BAB90851784F70768C58

SHA256:

485BAF1D5C34C79A03E909BD02A4D8D456F27F39F055009C4B08BB267C65E382

SSDEEP:

3:N8sVnLoHCokGk:2sCiodk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • LoL Hack & Cheat Map Hacks.exe (PID: 184)
      • LoL Hack & Cheat Map Hacks.exe (PID: 384)

    • Changes settings of System certificates

      • LoL Hack & Cheat Map Hacks.exe (PID: 184)
      • LoL Hack & Cheat Map Hacks.exe (PID: 384)

  • SUSPICIOUS

    • Executed via COM

      • DllHost.exe (PID: 3484)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2712)

    • Adds / modifies Windows certificates

      • LoL Hack & Cheat Map Hacks.exe (PID: 384)
      • LoL Hack & Cheat Map Hacks.exe (PID: 184)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2384)
      • iexplore.exe (PID: 2416)
      • iexplore.exe (PID: 2544)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2416)

    • Changes internet zones settings

      • iexplore.exe (PID: 2416)

    • Application launched itself

      • iexplore.exe (PID: 2416)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2544)
      • iexplore.exe (PID: 2384)

    • Creates files in the user directory

      • iexplore.exe (PID: 2384)

    • Reads settings of System Certificates

      • LoL Hack & Cheat Map Hacks.exe (PID: 384)
      • iexplore.exe (PID: 2384)
      • iexplore.exe (PID: 2544)
      • iexplore.exe (PID: 2416)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2416)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2416)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
8
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start iexplore.exe iexplore.exe iexplore.exe winrar.exe lol hack & cheat map hacks.exe lol hack & cheat map hacks.exe PhotoViewer.dll no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2416"C:\Program Files\Internet Explorer\iexplore.exe" https://u.pcloud.link/publink/show?code=8aAC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2384"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2416 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2544"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2416 CREDAT:1053959 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2712"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\LoL Hack & Cheat Map Hacks.zip"C:\Program Files\WinRAR\WinRAR.exe
iexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
184"C:\Users\admin\AppData\Local\Temp\Rar$EXa2712.11716\LoL Hack & Cheat Map Hacks\LoL Hack & Cheat Map Hacks.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2712.11716\LoL Hack & Cheat Map Hacks\LoL Hack & Cheat Map Hacks.exe
WinRAR.exe
User:
admin
Company:
The ICU Project
Integrity Level:
MEDIUM
Description:
ICU Data DLL
Version:
53, 1, 0, 0
384"C:\Users\admin\AppData\Local\Temp\Rar$EXa2712.11753\LoL Hack & Cheat Map Hacks\LoL Hack & Cheat Map Hacks.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2712.11753\LoL Hack & Cheat Map Hacks\LoL Hack & Cheat Map Hacks.exe
WinRAR.exe
User:
admin
Company:
The ICU Project
Integrity Level:
MEDIUM
Description:
ICU Data DLL
Version:
53, 1, 0, 0
3484C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3976"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa2712.11900\READMY.txtC:\Windows\system32\NOTEPAD.EXEWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
11 715
Read events
2 453
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
73
Text files
48
Unknown types
37

Dropped files

PID
Process
Filename
Type
2384iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\CabB222.tmp
MD5:
SHA256:
2384iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\TarB223.tmp
MD5:
SHA256:
2416iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2384iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\show[1].htmhtml
MD5:68428F2AC6F38C6BED7ADAF384ABD85F
SHA256:6B8F4B911817FB8ADA48BE2C2F788E107913BE51FB42051D9FD7105AD48E2677
2384iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2EE749B7E1A15635422518BB5EBFD338_388E20A320CEBA7AEDB565C151C4A458der
MD5:EF1A1C462E9CC65D457E24D945B4556A
SHA256:CA0938731D42F617CDEF7072CAB4F3265FE79205C07B86F3D5F6CDB92B550C0C
2384iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_AD59C201C52F2EA45B60DE6C0B473A40der
MD5:6C191EF80349AA65829FFAE5BEA8145A
SHA256:C02A4EA3F53431255A98AA2FEC77467836DD8B6F02911100BD2E6F99C87E0FA0
2384iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\polyfill.min[1].jss
MD5:BC56FE9546E38A8733CEE4A57FA2210F
SHA256:DC055AFC612E71513966C1EE6714CDB48E93803097E37783534FDEC1FFEC0DF0
2384iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_7DC3E633EDFAEFC3AA3C99552548EC2Fder
MD5:2F84A1D30406D9CFBA541EC96CBEE94B
SHA256:A623AFF07FAE605C1020B503719BF3805B617C20C6E8CE72AE413D2BF616D838
2384iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CBder
MD5:8F355A87492BBA538C2A2168331AEE80
SHA256:A119D66F966FD95FF4217AE82D1FABED996FDC7CFBCED961D29BCDC0BFB373E9
2384iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2EE749B7E1A15635422518BB5EBFD338_388E20A320CEBA7AEDB565C151C4A458binary
MD5:C490B0211D12AF63DB0B566DA1B52E6E
SHA256:A5E7D8A772563F054FBA10BBE4714446DF0142A1124F9BC626D78B391EC2C50D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
33
TCP/UDP connections
71
DNS requests
30
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2384
iexplore.exe
GET
200
35.158.10.169:80
http://ocsp.quovadisglobal.com/MFUwUzBRME8wTTAJBgUrDgMCGgUABBTyhcKR1A4XhQLFZRt5u%2BT8TDsYdQQUGoRivEhMMyUE1O7Q9gPEGUbRlGsCFEiYLeKpLLM54cj5MzWCddPk%2BIJV
DE
der
1.78 Kb
whitelisted
2384
iexplore.exe
GET
200
35.158.10.169:80
http://ocsp.quovadisglobal.com/MFUwUzBRME8wTTAJBgUrDgMCGgUABBTyhcKR1A4XhQLFZRt5u%2BT8TDsYdQQUGoRivEhMMyUE1O7Q9gPEGUbRlGsCFEiYLeKpLLM54cj5MzWCddPk%2BIJV
DE
der
1.78 Kb
whitelisted
2384
iexplore.exe
GET
200
35.158.10.169:80
http://ocsp.quovadisglobal.com/MFUwUzBRME8wTTAJBgUrDgMCGgUABBTyhcKR1A4XhQLFZRt5u%2BT8TDsYdQQUGoRivEhMMyUE1O7Q9gPEGUbRlGsCFEiYLeKpLLM54cj5MzWCddPk%2BIJV
DE
der
1.78 Kb
whitelisted
2384
iexplore.exe
GET
200
104.18.20.226:80
http://ocsp.globalsign.com/rootr1/ME8wTTBLMEkwRzAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDkbwjNvPLFRm7zMB3V80
US
der
1.49 Kb
whitelisted
2384
iexplore.exe
GET
200
35.158.10.169:80
http://ocsp.quovadisglobal.com/MFUwUzBRME8wTTAJBgUrDgMCGgUABBQizVAdki5cQPHmWNk6O3DgVg1ovgQUkRlirVsXpzD78N45JbG9jLm4UScCFCQaPeAVhxCmyWGJqV9iMv93uJYJ
DE
der
1.54 Kb
whitelisted
2384
iexplore.exe
GET
200
216.58.212.163:80
http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEAQoXs0GkwDRCAAAAAA%2Bvho%3D
US
der
471 b
whitelisted
2384
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEQCTi7COYph7T3X5jLalBFyW
US
der
728 b
whitelisted
2384
iexplore.exe
GET
35.158.10.169:80
http://ocsp.quovadisglobal.com/MFUwUzBRME8wTTAJBgUrDgMCGgUABBQizVAdki5cQPHmWNk6O3DgVg1ovgQUkRlirVsXpzD78N45JbG9jLm4UScCFCQaPeAVhxCmyWGJqV9iMv93uJYJ
DE
whitelisted
2384
iexplore.exe
GET
200
35.158.10.169:80
http://ocsp.quovadisglobal.com/MFUwUzBRME8wTTAJBgUrDgMCGgUABBTyhcKR1A4XhQLFZRt5u%2BT8TDsYdQQUGoRivEhMMyUE1O7Q9gPEGUbRlGsCFEiYLeKpLLM54cj5MzWCddPk%2BIJV
DE
der
1.78 Kb
whitelisted
2384
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRyyuDOSqb8BtprWZSAvBT9kFoYdwQU%2BftQxItnu2dk%2FoMhpqnOP1WEk5kCECDJGUwBrGnx4AjOSmT2OJk%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2384
iexplore.exe
216.58.208.42:443
fonts.googleapis.com
Google Inc.
US
whitelisted
2384
iexplore.exe
74.120.9.123:443
u.pcloud.link
Lemuria Communications Inc.
US
unknown
2384
iexplore.exe
104.18.20.226:80
ocsp.globalsign.com
Cloudflare Inc
US
shared
2384
iexplore.exe
151.139.128.14:80
ocsp.usertrust.com
Highwinds Network Group, Inc.
US
suspicious
2384
iexplore.exe
151.101.2.109:443
cdn.polyfill.io
Fastly
US
suspicious
2384
iexplore.exe
35.158.10.169:80
ocsp.quovadisglobal.com
Amazon.com, Inc.
DE
whitelisted
2384
iexplore.exe
216.58.212.163:80
ocsp.pki.goog
Google Inc.
US
whitelisted
2384
iexplore.exe
185.82.210.141:443
pcdn-u.pcloud.com
Servers.com, Inc.
NL
malicious
2384
iexplore.exe
172.217.22.3:443
fonts.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
u.pcloud.link
  • 74.120.9.123
  • 74.120.9.93
  • 74.120.8.102
  • 74.120.8.105
  • 74.120.8.103
  • 74.120.8.104
  • 74.120.10.7
  • 74.120.8.110
  • 74.120.8.115
  • 74.120.10.5
  • 74.120.9.66
  • 74.120.10.6
  • 74.120.9.94
suspicious
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ocsp.usertrust.com
  • 151.139.128.14
whitelisted
fonts.googleapis.com
  • 216.58.208.42
whitelisted
pcdn-u.pcloud.com
  • 185.82.210.141
suspicious
cdn.polyfill.io
  • 151.101.2.109
  • 151.101.66.109
  • 151.101.130.109
  • 151.101.194.109
whitelisted
ocsp.globalsign.com
  • 104.18.20.226
  • 104.18.21.226
whitelisted
ocsp.quovadisglobal.com
  • 35.158.10.169
whitelisted
ocsp.pki.goog
  • 216.58.212.163
whitelisted

Threats

Found threats are available for the paid subscriptions
12 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://u.pcloud.link/publink/show?code=8aA