analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://download3.portableapps.com/portableapps/PortableApps.comPlatform/PortableApps.com_Platform_Setup_15.0.2.paf.exe?201806

Full analysis: https://app.any.run/tasks/f7566a32-800e-470a-9158-4f9092f91dcc
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: November 08, 2018, 09:58:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
adware
mindspark
Indicators:
MD5:

017795B3D9D8F00DFF9E81D5A340A1D9

SHA1:

152720E32308812556BF3EA771CDB4A4230DC6A9

SHA256:

4D45E5C75A8E6E17EFC2D0F18E26D76130DCD67FF7D2A447C4E313211006C753

SSDEEP:

3:N1KaKE4LgyKZlKUq4pB/Wy+M3CGB/WySJOMWA2VYYDJaFEVT:CaNbQUdppeM3CGptMWVhDUmT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • GetFormsOnline.78c1eb647b1341b2ac98b4df70fafc75[1].exe (PID: 4020)

    • Loads dropped or rewritten executable

      • GetFormsOnline.78c1eb647b1341b2ac98b4df70fafc75[1].exe (PID: 4020)

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3280)

    • MINDSPARK was detected

      • GetFormsOnline.78c1eb647b1341b2ac98b4df70fafc75[1].exe (PID: 4020)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3900)
      • iexplore.exe (PID: 920)
      • iexplore.exe (PID: 3280)
      • GetFormsOnline.78c1eb647b1341b2ac98b4df70fafc75[1].exe (PID: 4020)

    • Uses RUNDLL32.EXE to load library

      • iexplore.exe (PID: 920)

    • Creates files in the user directory

      • GetFormsOnline.78c1eb647b1341b2ac98b4df70fafc75[1].exe (PID: 4020)

    • Changes the started page of IE

      • GetFormsOnline.78c1eb647b1341b2ac98b4df70fafc75[1].exe (PID: 4020)

    • Creates a software uninstall entry

      • GetFormsOnline.78c1eb647b1341b2ac98b4df70fafc75[1].exe (PID: 4020)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 920)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3900)
      • iexplore.exe (PID: 3280)
      • iexplore.exe (PID: 2620)
      • iexplore.exe (PID: 1016)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3900)
      • iexplore.exe (PID: 920)
      • iexplore.exe (PID: 3280)
      • iexplore.exe (PID: 2620)
      • iexplore.exe (PID: 1016)

    • Creates files in the user directory

      • iexplore.exe (PID: 3900)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 1180)
      • iexplore.exe (PID: 920)
      • iexplore.exe (PID: 3280)
      • iexplore.exe (PID: 2620)
      • iexplore.exe (PID: 1016)

    • Application launched itself

      • iexplore.exe (PID: 920)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 920)
      • iexplore.exe (PID: 3280)
      • iexplore.exe (PID: 1016)

    • Changes settings of System certificates

      • iexplore.exe (PID: 920)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 920)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
8
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start iexplore.exe iexplore.exe rundll32.exe no specs iexplore.exe flashutil32_26_0_0_131_activex.exe no specs #MINDSPARK getformsonline.78c1eb647b1341b2ac98b4df70fafc75[1].exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
920"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3900"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:920 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3868"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\PortableApps.com_Platform_Setup_15.0.2.paf[1]C:\Windows\system32\rundll32.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3280"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:920 CREDAT:71941C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1180C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
4020"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\GetFormsOnline.78c1eb647b1341b2ac98b4df70fafc75[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\GetFormsOnline.78c1eb647b1341b2ac98b4df70fafc75[1].exe
iexplore.exe
User:
admin
Company:
Mindspark Interactive Network, Inc.
Integrity Level:
MEDIUM
Description:
GetFormsOnline Setup
Exit code:
0
Version:
2.7.1.3000
2620"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:920 CREDAT:203009C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1016"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:920 CREDAT:334081C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
2 175
Read events
1 764
Write events
0
Delete events
0

Modification events

No data
Executable files
8
Suspicious files
15
Text files
255
Unknown types
13

Dropped files

PID
Process
Filename
Type
920iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
920iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
920iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFE6B3031E644A131D.TMP
MD5:
SHA256:
920iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\favicon[1].ico
MD5:
SHA256:
3900iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@bing[2].txt
MD5:
SHA256:
3900iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\search[1].txt
MD5:
SHA256:
920iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018110820181109\index.datdat
MD5:6A8A397FBA7A7DB1B0F3232E025E8634
SHA256:0A366383D61B70922E9D044D0FB019937C4F7B418C2B24F75E557E126AE333B8
3900iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\Passport[1].aspx
MD5:
SHA256:
3900iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\search[1].htmhtml
MD5:C7126F6A9EB660D98C8BE5FB01F4F4B2
SHA256:87C1D838AC711711239A33A096D7334214F3DB0C066F87808DA23AB17F944E56
3900iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@bing[1].txttext
MD5:8DD2594AD827ABF1824FD86A9D6DDF72
SHA256:95E431D862A8FEDB617ABC5CB5A575AC2863F6A8231686086F59E6EF522D8E45
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
117
TCP/UDP connections
182
DNS requests
57
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3280
iexplore.exe
GET
302
162.243.236.235:80
http://download3.portableapps.com/portableapps/
US
suspicious
3280
iexplore.exe
GET
301
2.16.186.27:80
http://shell.windows.com/fileassoc/fileassoc.asp?Ext=paf%5b1%5d
unknown
whitelisted
3280
iexplore.exe
GET
302
104.94.183.45:80
http://go.microsoft.com/fwlink/?LinkId=57426&Ext=paf[1]
NL
whitelisted
3900
iexplore.exe
GET
301
2.16.186.24:80
http://shell.windows.com/fileassoc/fileassoc.asp?Ext=paf%5b1%5d
unknown
whitelisted
3900
iexplore.exe
GET
162.243.236.235:80
http://download3.portableapps.com/portableapps/PortableApps.comPlatform/PortableApps.com_Platform_Setup_15.0.2.paf.exe?201806
US
suspicious
3900
iexplore.exe
GET
302
104.94.183.45:80
http://go.microsoft.com/fwlink/?LinkId=57426&Ext=paf[1]
NL
whitelisted
3900
iexplore.exe
GET
206
162.243.236.235:80
http://download3.portableapps.com/portableapps/PortableApps.comPlatform/PortableApps.com_Platform_Setup_15.0.2.paf.exe?201806
US
mp3
4.77 Mb
suspicious
3280
iexplore.exe
GET
404
162.243.236.235:80
http://download3.portableapps.com/portableapps/PortableApps.comPlatform/PortableApps.com_Platform_Setup_15.0.2.exe
US
html
370 b
suspicious
920
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3280
iexplore.exe
GET
403
162.243.236.235:80
http://download3.portableapps.com/portableapps/PortableApps.comPlatform/
US
html
332 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
920
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3900
iexplore.exe
2.16.186.24:80
shell.windows.com
Akamai International B.V.
whitelisted
3900
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3900
iexplore.exe
157.55.134.136:443
login.live.com
Microsoft Corporation
US
whitelisted
920
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3900
iexplore.exe
104.94.183.45:80
go.microsoft.com
Akamai Technologies, Inc.
NL
whitelisted
3900
iexplore.exe
162.243.236.235:80
download3.portableapps.com
Digital Ocean, Inc.
US
suspicious
3280
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3280
iexplore.exe
2.16.186.27:80
shell.windows.com
Akamai International B.V.
whitelisted
3280
iexplore.exe
104.239.166.87:80
portableapps.com
Rackspace Ltd.
US
suspicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
download3.portableapps.com
  • 162.243.236.235
unknown
go.microsoft.com
  • 104.94.183.45
whitelisted
shell.windows.com
  • 2.16.186.24
  • 2.16.186.27
whitelisted
login.live.com
  • 157.55.134.136
  • 157.55.135.128
  • 157.55.134.142
whitelisted
portableapps.com
  • 104.239.166.87
suspicious
fonts.googleapis.com
  • 216.58.215.234
whitelisted
fonts.gstatic.com
  • 216.58.215.227
whitelisted
cdn.portableapps.com
  • 94.31.29.131
unknown
pagead2.googlesyndication.com
  • 172.217.168.2
whitelisted

Threats

PID
Process
Class
Message
3900
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3280
iexplore.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious downloader - 404 Not Found for .exe
3280
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
4020
GetFormsOnline.78c1eb647b1341b2ac98b4df70fafc75[1].exe
Misc activity
ADWARE [PTsecurity] Mindspark CAPDownloadProcess
4020
GetFormsOnline.78c1eb647b1341b2ac98b4df70fafc75[1].exe
Misc activity
ADWARE [PTsecurity] Mindspark User-Agent
4020
GetFormsOnline.78c1eb647b1341b2ac98b4df70fafc75[1].exe
Misc activity
ADWARE [PTsecurity] Mindspark CAPDownloadProcess
4020
GetFormsOnline.78c1eb647b1341b2ac98b4df70fafc75[1].exe
Misc activity
ADWARE [PTsecurity] Mindspark User-Agent
4020
GetFormsOnline.78c1eb647b1341b2ac98b4df70fafc75[1].exe
Misc activity
ADWARE [PTsecurity] Mindspark CAPDownloadProcess
4020
GetFormsOnline.78c1eb647b1341b2ac98b4df70fafc75[1].exe
Misc activity
ADWARE [PTsecurity] Mindspark User-Agent
4020
GetFormsOnline.78c1eb647b1341b2ac98b4df70fafc75[1].exe
Misc activity
ADWARE [PTsecurity] Mindspark CAPDownloadProcess
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://download3.portableapps.com/portableapps/PortableApps.comPlatform/PortableApps.com_Platform_Setup_15.0.2.paf.exe?201806