Full analysis: https://app.any.run/tasks/a32dd408-d0b8-4a00-9654-aca1f2ae4842
Verdict: Malicious activity
Analysis date: May 10, 2024, 04:21:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/html
File info: HTML document, Unicode text, UTF-8 text, with very long lines (9773), with CRLF, LF line terminators
MD5: 24480084A654D9772CB08B34E0A4F52D
SHA1: BB1784EA065C27561EF7196CB28CF0E3AD326E6D
SHA256: 4EE58E460A42B300E5709C416EEF43BA88C6A677F49760E6227BEC362D9FAB5E
SSDEEP: 1536:ZNwaporz67UmQSR1qEYtYxqNBrqYdUYHLaYsmpA/KPf5vRkP5O:ZhjwER1qEYtYxqbrqVYsmp6K355kP5O

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3980)
      • iexplore.exe (PID: 4040)
    • Checks supported languages

      • wmpnscfg.exe (PID: 1948)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1948)
      • explorer.exe (PID: 1976)
    • Reads the computer name

      • wmpnscfg.exe (PID: 1948)
No Malware configuration.

TRiD

.html | HyperText Markup Language (100)

EXIF

HTML

Viewport: width=device-width, initial-scale=1
Title: RO-EXEC PC Executor (OFFICIAL) | Krampus Executor
Description: RO-EXEC or Krampus executor is developed for PC Windows, Mac and Linux devices to run Roblox scripts. For the unversed, Roblox scripts offer a bunch of additional features but they can’t be accessed without using executors like RO-EXEC.
Robots: follow, index, max-snippet:-1, max-video-preview:-1, max-image-preview:large
TwitterCard: summary_large_image
TwitterTitle: RO-EXEC PC Executor (OFFICIAL) | Krampus Executor
TwitterDescription: RO-EXEC or Krampus executor is developed for PC Windows, Mac and Linux devices to run Roblox scripts. For the unversed, Roblox scripts offer a bunch of additional features but they can’t be accessed without using executors like RO-EXEC.
TwitterLabel1: Written by
TwitterData1: Team Roexec
TwitterLabel2: Time to read
TwitterData2: 6 minutes
Generator: WordPress 6.5.3
Msvalidate01: 2AC306E85118241DDDBF20AB109CB39E
MsapplicationTileImage: https://roexec.com/wp-content/uploads/2024/02/RO-EXEC-Icon.webp
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 5
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Nodes: start, iexplore.exe, iexplore.exe, wmpnscfg.exe (no specs), iexplore.exe, explorer.exe (no specs)

Process information

PID: 1948
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 1976
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 2244
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3980 CREDAT:333057 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

PID: 3980
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\a32dd408-d0b8-4a00-9654-aca1f2ae4842.html
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

PID: 4040
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3980 CREDAT:144385 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events: 57 522
Read events: 57 233
Write events: 176
Delete events: 113

Modification events

Process | Operation | Key | Name | Value
(3980) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPDaysSinceLastAutoMigration | 1
(3980) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPLastLaunchLowDateTime |
(3980) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPLastLaunchHighDateTime | 31105681
(3980) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateLowDateTime |
(3980) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateHighDateTime | 31105681
(3980) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix |
(3980) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
(3980) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
(3980) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0
(3980) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
Executable files: 0
Suspicious files: 52
Text files: 64
Unknown types: 10

Dropped files

PID | Process | Filename | Type
4040 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
    MD5: BA40CAE22F62073DB4F5D279BE419BBA
    SHA256: 486D8E6F52AB11DAA10EA9535DEABB432FABBDE202A12CC46F3F34DD10F7B316
4040 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\rank-math-snippet[1].css | text
    MD5: 149A0B20BCECFDF2662724BD4F15AA66
    SHA256: 9D650FA59C49B549CEB7FE45C93C1F139C27D2BA5BD379522E3A80D9FA69FDD2
4040 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\main.min[1].css | text
    MD5: 867585929EE8B21749CDEFA675D9AA11
    SHA256: BC3B2C1E618A27E485095A3C0DB20DA5BA2FBFAF3B872CCD6CA35CB19EB37B5D
4040 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464 | der
    MD5: 8202A1CD02E7D69597995CABBE881A12
    SHA256: 58F381C3A0A0ACE6321DA22E40BD44A597BD98B9C9390AB9258426B5CF75A7A5
4040 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\jquery.scrollTo.min[1].js | binary
    MD5: 4F3D9D7281A2828E319DE38B9142F860
    SHA256: ED04B5707B07EF987720582B14AB1D8662871E95AA17CDAC6FFF6F34BA9CAACD
4040 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\style.min[1].css | text
    MD5: 51A8390B47AA0582CF2D9C96C5ADDEE2
    SHA256: 98CECF88A23542FA047CE46EEDB650B5C5128761ED4386C0977B847094DDFA20
4040 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\style-11[1].css | text
    MD5: 34839ACE6CBCBBFB3A849BBFF6B6D3C6
    SHA256: FF8B3DE8A1898C5686A327F32657B8423A538426553836FBCDD3865062850E60
4040 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\jquery.localScroll.min[1].js | binary
    MD5: 1E5B0083242DEB21E4C6C3FF55BE641F
    SHA256: CE8CA3591DE9FBC34D8F2CE180D2720E7E3A1E1AD7558553E2A44747C13AF635
4040 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\style.min[1].css | text
    MD5: 340DF9CB2C8A1E5D5428A81637866C40
    SHA256: D5D086AB8DD7703A41E01C913E225FAFDC942BE3BBD121DBD3C615F33091875F
4040 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\menu.min[1].js | binary
    MD5: 70BB4FAB119EB133CAE33105B69F65CB
    SHA256: 395121E5B9981325951EF88BEC68D065D23087B16A70D4459109E1DD84A10936
HTTP(S) requests: 34
TCP/UDP connections: 85
DNS requests: 48
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4040 | iexplore.exe | GET | 304 | 2.16.135.41:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?668da2777c908bf3 | unknown | | | unknown
4040 | iexplore.exe | GET | 304 | 2.16.135.41:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7d8535d7137e4e7b | unknown | | | unknown
4040 | iexplore.exe | GET | 304 | 173.222.245.51:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?386151522f624b4f | unknown | | | unknown
4040 | iexplore.exe | GET | 304 | 173.222.245.51:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4c8228cb27158706 | unknown | | | unknown
4040 | iexplore.exe | GET | 304 | 2.16.135.41:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d5a87845fe4c5904 | unknown | | | unknown
4040 | iexplore.exe | GET | 304 | 2.16.135.41:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6d46ad67fa526b12 | unknown | | | unknown
4040 | iexplore.exe | GET | 304 | 2.16.135.41:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2b1174fd977d7f30 | unknown | | | unknown
4040 | iexplore.exe | GET | 304 | 2.16.135.41:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?830d30b3a7e373db | unknown | | | unknown
4040 | iexplore.exe | GET | 304 | 2.16.135.41:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?beb6a37933f2d461 | unknown | | | unknown
4040 | iexplore.exe | GET | 304 | 173.222.245.51:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c217e55963a0e9a4 | unknown | | | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4040 | iexplore.exe | 192.0.76.3:443 | stats.wp.com | AUTOMATTIC | US | unknown
4040 | iexplore.exe | 216.58.206.66:443 | pagead2.googlesyndication.com | GOOGLE | US | whitelisted
4040 | iexplore.exe | 188.114.97.3:443 | roexec.com | CLOUDFLARENET | NL | unknown
4040 | iexplore.exe | 216.58.206.72:443 | www.googletagmanager.com | GOOGLE | US | unknown
4040 | iexplore.exe | 2.16.135.41:80 | ctldl.windowsupdate.com | Akamai International B.V. | IT | unknown
4040 | iexplore.exe | 173.222.245.51:80 | ctldl.windowsupdate.com | Akamai International B.V. | IT | unknown
4040 | iexplore.exe | 216.58.212.131:80 | ocsp.pki.goog | GOOGLE | US | whitelisted
4040 | iexplore.exe | 104.18.38.233:80 | ocsp.comodoca.com | CLOUDFLARENET | | shared
3980 | iexplore.exe | 2.16.135.179:443 | www.bing.com | Akamai International B.V. | IT | unknown
3980 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
www.googletagmanager.com | 216.58.206.72 | whitelisted
roexec.com | 188.114.97.3, 188.114.96.3 | unknown
pagead2.googlesyndication.com | 216.58.206.66 | whitelisted
stats.wp.com | 192.0.76.3 | whitelisted
ctldl.windowsupdate.com | 173.222.245.51, 2.16.135.41 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 2.16.135.179, 2.17.101.40, 2.17.101.33, 2.17.101.26, 2.16.135.240, 2.17.101.32, 2.17.101.35, 2.16.135.241, 2.17.101.48 | whitelisted
ocsp.pki.goog | 216.58.212.131 | whitelisted
ocsp.comodoca.com | 104.18.38.233, 172.64.149.23 | whitelisted
ocsp.usertrust.com | 104.18.38.233, 172.64.149.23 | whitelisted

Threats

No threats detected
No debug info