URL: http://www.download.windowsupdate.com/
Full analysis: https://app.any.run/tasks/bcd4cf26-ddbe-41a2-b810-a10c9105627a
Verdict: No threats detected
Analysis date: January 14, 2020, 15:34:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 37FF1DC7EA3350F9FBCA5BBDBE6DD711
SHA1: 494219F50407182852056AA04246627745090453
SHA256: 49D4ACFFBE1D91DC43611824FDBD3E5144C3C49CC924DFB0E1CDF709581CF831
SSDEEP: 3:N1KJS40Wd9r4E3:Cc43d9L
ANY.RUN is an interactive service that gives the analyst full access to the guest system. The information in this report may therefore be distorted by user actions and is provided as-is for the reader's own assessment. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 3428)
      • iexplore.exe (PID: 2368)
    • Application launched itself

      • iexplore.exe (PID: 992)
    • Creates files in the user directory

      • iexplore.exe (PID: 3428)
    • Changes internet zones settings

      • iexplore.exe (PID: 992)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2368)
      • iexplore.exe (PID: 3428)
    • Manual execution by user

      • iexplore.exe (PID: 2256)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 6
Malicious processes: 0
Suspicious processes: 0

Behavior graph

The graph itself is rendered in the full report. Nodes, in the order shown: start, iexplore.exe, iexplore.exe, wuapp.exe (no specs), wuapp.exe (no specs), iexplore.exe (no specs), iexplore.exe.

Process information

PID: 992
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://www.download.windowsupdate.com/"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3428
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:992 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2612
CMD: "C:\Windows\system32\wuapp.exe"
Path: C:\Windows\system32\wuapp.exe
Parent process: iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows Update Application Launcher
Exit code:
0
Version:
7.5.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\wuapp.exe
c:\systemroot\system32\ntdll.dll
PID: 2456
CMD: "C:\Windows\system32\wuapp.exe"
Path: C:\Windows\system32\wuapp.exe
Parent process: iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Update Application Launcher
Exit code:
0
Version:
7.5.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\wuapp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 2256
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?LinkId=70156
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2368
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:992 CREDAT:71938
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
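The process listing above is the raw material of the behavior graph: the IE frame (PID 992, MEDIUM integrity) spawns two LOW-integrity tab processes whose command lines carry SCODEF:992, IE spawns wuapp.exe (the Windows Update Application Launcher) twice, and PID 2256 is a separate IE instance the report attributes to manual execution by the user. The added example below is not ANY.RUN code: it transcribes the six records and applies three triage checks an analyst would run over any sandbox process tree (self-launch, non-browser children of a browser, LOW-integrity processes). The rule names and the allow-list treating wuapp.exe as an expected child of IE on the Windows Update site are this example's own assumptions.

```python
"""Process-tree triage over the six monitored processes listed above.

Added example, not ANY.RUN code. The records are transcribed from the Process
information section; the rule names and the allow-list for wuapp.exe are this
example's own assumptions.
"""
import re
from collections import defaultdict

# Transcribed from the report: pid, image, parent image, integrity, command line.
# The page gives the parent only as an image name; IE tab processes also carry
# SCODEF:<frame pid>, which is used below to resolve the parent PID.
PROCESSES = [
    {"pid": 992,  "image": "iexplore.exe", "parent": "explorer.exe", "integrity": "MEDIUM",
     "cmd": r'"C:\Program Files\Internet Explorer\iexplore.exe" "http://www.download.windowsupdate.com/"'},
    {"pid": 3428, "image": "iexplore.exe", "parent": "iexplore.exe", "integrity": "LOW",
     "cmd": r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:992 CREDAT:71937'},
    {"pid": 2612, "image": "wuapp.exe",    "parent": "iexplore.exe", "integrity": "LOW",
     "cmd": r'"C:\Windows\system32\wuapp.exe"'},
    {"pid": 2456, "image": "wuapp.exe",    "parent": "iexplore.exe", "integrity": "MEDIUM",
     "cmd": r'"C:\Windows\system32\wuapp.exe"'},
    {"pid": 2256, "image": "iexplore.exe", "parent": "explorer.exe", "integrity": "MEDIUM",
     "cmd": r'"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?LinkId=70156'},
    {"pid": 2368, "image": "iexplore.exe", "parent": "iexplore.exe", "integrity": "LOW",
     "cmd": r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:992 CREDAT:71938'},
]

BROWSERS = {"iexplore.exe"}
# Assumption: wuapp.exe spawned by IE while on the Windows Update site is the
# site launching the Windows Update app, so it is expected rather than flagged.
EXPECTED_BROWSER_CHILDREN = {"wuapp.exe"}


def frame_pid(proc):
    """IE Protected Mode tab processes carry SCODEF:<frame pid> on the command line."""
    m = re.search(r"SCODEF:(\d+)", proc["cmd"])
    return int(m.group(1)) if m else None


def self_launches(procs):
    """'Application launched itself': children whose parent image is their own image.
    Returns {frame pid: sorted tab pids}; the IE frame (992) is the launcher."""
    out = defaultdict(list)
    for p in procs:
        parent = frame_pid(p)
        if p["parent"] == p["image"] and parent is not None:
            out[parent].append(p["pid"])
    return {k: sorted(v) for k, v in out.items()}


def browser_children(procs):
    """Non-browser images spawned by a browser, the classic drive-by indicator.
    Returns (unexpected pids, expected pids); only the first list is worth escalating."""
    unexpected, expected = [], []
    for p in procs:
        if p["parent"] in BROWSERS and p["image"] not in BROWSERS:
            bucket = expected if p["image"] in EXPECTED_BROWSER_CHILDREN else unexpected
            bucket.append(p["pid"])
    return sorted(unexpected), sorted(expected)


def low_integrity(procs):
    """PIDs running at LOW integrity (IE Protected Mode tabs and what they spawn)."""
    return sorted(p["pid"] for p in procs if p["integrity"] == "LOW")


if __name__ == "__main__":
    print("launched itself:", self_launches(PROCESSES))
    print("browser children (unexpected, expected):", browser_children(PROCESSES))
    print("LOW integrity:", low_integrity(PROCESSES))
```

On this report the checks reproduce the INFO-level findings: 992 launched 3428 and 2368, both wuapp.exe instances are browser children but on the allow-list, and nothing unexpected is left to escalate. Run the same three functions over a tree where the browser child is cmd.exe or powershell.exe and the first list is what you want to see.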
Total events: 785
Read events: 646
Write events: 137
Delete events: 2

Modification events

(PID) Process: (992) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (992) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (992) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (992) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation: write
Name: SecuritySafe
Value: 1

(PID) Process: (992) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (992) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: (not shown)

(PID) Process: (992) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation: write
Name: {591A840F-36E3-11EA-AB41-5254004A04AF}
Value: 0

(PID) Process: (992) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Type
Value: 4

(PID) Process: (992) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Count
Value: 2

(PID) Process: (992) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Time
Value: E407010002000E000F0022001C007E00
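The writes recorded for PID 992 are what produced the "Changes internet zones settings" line in the INFO list: two values under Internet Settings\ZoneMap and one under Internet Settings\Zones. The same key also holds the proxy values that browser hijackers rewrite, and here ProxyEnable is written as 0 (proxy stays off), which is why no proxy-related signature fires. The added example below is not ANY.RUN's detection logic: it transcribes the report's events and maps them to signature names with two small rules. The zone rule is named after the report's own signature; the "Changes proxy settings" rule, its name and the constructed hijack event at the bottom are this example's own assumptions.

```python
"""Map recorded registry writes to signature names such as the report's
'Changes internet zones settings'.

Added example, not ANY.RUN's detection logic. Events are transcribed from the
Modification events section above; the matching rules, the 'Changes proxy
settings' rule and the constructed hijack event in the usage are this
example's own assumptions.
"""

INTERNET_SETTINGS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Transcribed from the report: (pid, key, value name, data).
EVENTS = [
    (992, r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "CompatibilityFlags", "0"),
    (992, INTERNET_SETTINGS + r"\ZoneMap", "UNCAsIntranet", "0"),
    (992, INTERNET_SETTINGS + r"\ZoneMap", "AutoDetect", "1"),
    (992, INTERNET_SETTINGS + r"\Zones", "SecuritySafe", "1"),
    (992, INTERNET_SETTINGS, "ProxyEnable", "0"),
    (992, r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active",
     "{591A840F-36E3-11EA-AB41-5254004A04AF}", "0"),
]

# Values under Internet Settings that redirect traffic when set.
PROXY_VALUES = {"ProxyEnable", "ProxyServer", "AutoConfigURL"}


def is_zone_change(key, name, data):
    """Any write under Internet Settings\\Zones or Internet Settings\\ZoneMap."""
    return key.startswith(INTERNET_SETTINGS + r"\Zone")


def is_proxy_change(key, name, data):
    """Assumed rule: a proxy being switched on or pointed somewhere. Writing
    ProxyEnable=0, as in this report, leaves the proxy off and is not flagged."""
    if key != INTERNET_SETTINGS or name not in PROXY_VALUES:
        return False
    return data not in ("", "0")


RULES = {
    "Changes internet zones settings": is_zone_change,  # name used by the report
    "Changes proxy settings": is_proxy_change,          # assumed name, not in this report
}


def match_signatures(events):
    """Returns {pid: set of signature names} for the events that fire a rule."""
    hits = {}
    for pid, key, name, data in events:
        for sig, rule in RULES.items():
            if rule(key, name, data):
                hits.setdefault(pid, set()).add(sig)
    return hits


if __name__ == "__main__":
    print(match_signatures(EVENTS))
    # Constructed hijack-style event (not from the report): proxy switched on.
    print(match_signatures([(4242, INTERNET_SETTINGS, "ProxyEnable", "1")]))
```

Over the report's events only the zone rule fires, for PID 992, which matches the INFO list; the constructed ProxyEnable=1 event shows the proxy rule firing where a hijacker would.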
Executable files: 0
Suspicious files: 0
Text files: 91
Unknown types: 7

Dropped files

PID 992 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
  MD5: (not reported)
  SHA256: (not reported)

PID 992 (iexplore.exe): C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  MD5: (not reported)
  SHA256: (not reported)

PID 3428 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2EQYN4RX\default[1].aspx
  MD5: (not reported)
  SHA256: (not reported)

PID 3428 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9D5BJ2Z7\redirect[1].htm
  MD5: (not reported)
  SHA256: (not reported)

PID 3428 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9D5BJ2Z7\vistadefault[1].aspx
  MD5: (not reported)
  SHA256: (not reported)

PID 3428 (iexplore.exe): C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\index.dat (type: dat)
  MD5: BB000E8687886A55370AD7F03654408F
  SHA256: 2DD69F9B0056D38EA1142B835CEF9838C0A85F2874C33790AC97D5240B9D6475

PID 3428 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012020011420200115\index.dat (type: dat)
  MD5: BB53B24D44641F4CDCA728FC97C9A2CD
  SHA256: BBBFDA050F41246C69314C63800C6221067C850A6207AA2C7C2EF57385215455

PID 3428 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat (type: dat)
  MD5: E50B95E47E42E0D794A4D12DA7C1DA5B
  SHA256: 6CA5ADF94747DF452C1C938656D8D0A8F9BD96BF270A929DC570F8253FD564FC

PID 992 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012020011420200115\index.dat (type: dat)
  MD5: CCA95C57A5B3D19E4CBD63004819303E
  SHA256: D3B608996E76568F36A4FD811238546B9ADB7286996132A30FDC5C813BE169CE

PID 3428 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat (type: dat)
  MD5: 2F01C6EBA28869C7F068CC0AFD637456
  SHA256: 904E6A3B7FA43AFA26E916F2C265979E94C202AB759EBE968125E24E1A26A744
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 80
TCP/UDP connections: 24
DNS requests: 7
Threats: 0

HTTP requests (10 of the 80 requests; the rest are in the full report)

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3428 | iexplore.exe | POST | 200 | 13.64.25.102:80 | http://www.update.microsoft.com/windowsupdate/v6/redirect.asp?OS=6.1&Processor=x86&Lang=en&CurrentSite=6Live&SP=1&control=7.5.7601.17514 | US | text | 238 b | whitelisted
3428 | iexplore.exe | GET | 200 | 13.64.25.102:80 | http://www.update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us | US | html | 5.15 Kb | whitelisted
3428 | iexplore.exe | POST | 200 | 13.64.25.102:80 | http://www.update.microsoft.com/windowsupdate/v6/redirect.asp?UA=true | US | text | 304 b | whitelisted
3428 | iexplore.exe | POST | 200 | 13.64.25.102:80 | http://www.update.microsoft.com/windowsupdate/v6/redirect.asp?OS=6.1&Processor=x86&Lang=en&CurrentSite=6Live&SP=1&control=7.5.7601.17514 | US | text | 238 b | whitelisted
3428 | iexplore.exe | GET | 200 | 13.64.25.102:80 | http://www.update.microsoft.com/windowsupdate/v6/shared/js/commontop.js?637146128696898976 | US | text | 9.35 Kb | whitelisted
3428 | iexplore.exe | GET | 200 | 13.64.25.102:80 | http://www.update.microsoft.com/windowsupdate/v6/shared/js/tgar.js?637146128696898976 | US | text | 1009 b | whitelisted
3428 | iexplore.exe | GET | 200 | 13.64.25.102:80 | http://www.update.microsoft.com/windowsupdate/v6/shared/js/redirect.js?637146128696898976 | US | text | 10.0 Kb | whitelisted
3428 | iexplore.exe | GET | 200 | 13.64.25.102:80 | http://www.update.microsoft.com/windowsupdate/v6/default.aspx | US | html | 1.15 Kb | whitelisted
3428 | iexplore.exe | GET | 200 | 13.64.25.102:80 | http://www.update.microsoft.com/windowsupdate/v6/shared/js/spupdateids.js?637146128696898976 | US | text | 1.56 Kb | whitelisted
992 | iexplore.exe | GET | 404 | 13.64.25.102:80 | http://www.update.microsoft.com/favicon.ico | US | html | 1.22 Kb | whitelisted

Connections (9 of the 24 connections; the rest are in the full report; "-" marks a cell the page leaves empty)

PID | Process | IP | Domain | ASN | CN | Reputation
992 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
- | - | 13.64.25.102:80 | www.update.microsoft.com | Microsoft Corporation | US | malicious
2368 | iexplore.exe | 13.64.25.102:80 | www.update.microsoft.com | Microsoft Corporation | US | malicious
3428 | iexplore.exe | 13.64.25.102:80 | www.update.microsoft.com | Microsoft Corporation | US | malicious
992 | iexplore.exe | 40.90.247.210:80 | www.update.microsoft.com | Microsoft Corporation | US | malicious
3428 | iexplore.exe | 205.185.216.42:80 | www.download.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted
992 | iexplore.exe | 13.64.25.102:80 | www.update.microsoft.com | Microsoft Corporation | US | malicious
3428 | iexplore.exe | 52.185.71.28:80 | windowsupdate.microsoft.com | Microsoft Corporation | US | malicious
2368 | iexplore.exe | 95.101.192.162:80 | go.microsoft.com | Akamai Technologies, Inc. | - | malicious

DNS requests

Domain: resolved IPs (reputation)
www.download.windowsupdate.com: 205.185.216.42, 205.185.216.10 (whitelisted)
windowsupdate.microsoft.com: 52.185.71.28 (whitelisted)
www.bing.com: 204.79.197.200, 13.107.21.200 (whitelisted)
www.update.microsoft.com: 13.64.25.102, 40.90.247.210 (whitelisted)
c.microsoft.com: no address recorded (whitelisted)
go.microsoft.com: 95.101.192.162 (whitelisted)
update.microsoft.com: 13.64.25.102, 40.90.247.210 (whitelisted)
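The two network tables disagree: the Connections rows label the www.update.microsoft.com, windowsupdate.microsoft.com and go.microsoft.com endpoints "malicious", while the DNS table lists the same names as whitelisted and the verdict escalates nothing. Before acting on a per-connection label it is worth diffing the two views, and checking that every contacted IP actually came back in a recorded DNS answer. The added example below is not ANY.RUN code: it transcribes the rows from both tables (PID is None where the page shows none) and runs three cross-checks; "conflict" is this example's own term.

```python
"""Cross-check the reputation labels in the Connections table against the DNS
requests table, and list resolved-but-never-contacted names.

Added example, not ANY.RUN code. Rows are transcribed from the two tables
above; the PID is None where the page shows none. 'Conflict' is this example's
own term for a domain whose two labels disagree.
"""

# Transcribed from Connections: (pid, ip, domain, reputation).
CONNECTIONS = [
    (992,  "204.79.197.200", "www.bing.com",                   "whitelisted"),
    (None, "13.64.25.102",   "www.update.microsoft.com",       "malicious"),
    (2368, "13.64.25.102",   "www.update.microsoft.com",       "malicious"),
    (3428, "13.64.25.102",   "www.update.microsoft.com",       "malicious"),
    (992,  "40.90.247.210",  "www.update.microsoft.com",       "malicious"),
    (3428, "205.185.216.42", "www.download.windowsupdate.com", "whitelisted"),
    (992,  "13.64.25.102",   "www.update.microsoft.com",       "malicious"),
    (3428, "52.185.71.28",   "windowsupdate.microsoft.com",    "malicious"),
    (2368, "95.101.192.162", "go.microsoft.com",               "malicious"),
]

# Transcribed from DNS requests: domain -> (recorded answers, reputation).
DNS = {
    "www.download.windowsupdate.com": ({"205.185.216.42", "205.185.216.10"}, "whitelisted"),
    "windowsupdate.microsoft.com":    ({"52.185.71.28"}, "whitelisted"),
    "www.bing.com":                   ({"204.79.197.200", "13.107.21.200"}, "whitelisted"),
    "www.update.microsoft.com":       ({"13.64.25.102", "40.90.247.210"}, "whitelisted"),
    "c.microsoft.com":                (set(), "whitelisted"),
    "go.microsoft.com":               ({"95.101.192.162"}, "whitelisted"),
    "update.microsoft.com":           ({"13.64.25.102", "40.90.247.210"}, "whitelisted"),
}


def reputation_conflicts(conns, dns):
    """Domains whose connection rows carry a label different from the DNS table.
    Returns {domain: set of connection labels}."""
    out = {}
    for _pid, _ip, domain, rep in conns:
        dns_rep = dns.get(domain, (set(), None))[1]
        if dns_rep is not None and rep != dns_rep:
            out.setdefault(domain, set()).add(rep)
    return out


def connections_without_answer(conns, dns):
    """(domain, ip) pairs where the IP never appeared in that domain's recorded
    answers: a hard-coded address or a resolution the capture missed."""
    out = set()
    for _pid, ip, domain, _rep in conns:
        if ip not in dns.get(domain, (set(), None))[0]:
            out.add((domain, ip))
    return sorted(out)


def resolved_not_contacted(conns, dns):
    """Names that were looked up but never appear in a connection row."""
    contacted = {domain for _pid, _ip, domain, _rep in conns}
    return sorted(d for d in dns if d not in contacted)


if __name__ == "__main__":
    print("label conflicts:", reputation_conflicts(CONNECTIONS, DNS))
    print("connections with no matching DNS answer:", connections_without_answer(CONNECTIONS, DNS))
    print("resolved but never contacted:", resolved_not_contacted(CONNECTIONS, DNS))
```

On this report the conflicts are exactly the three Microsoft names, every contacted IP is covered by a recorded answer, and c.microsoft.com and update.microsoft.com were resolved but never connected to (in the rows shown). The second check is the one that earns its keep on a real sample: a connection to an IP that no DNS answer ever returned is a hard-coded C2 address until proven otherwise.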

Threats

No threats detected
No debug info