URL: ppo.webredirect.org

Full analysis: https://app.any.run/tasks/72127bc2-e7f1-4fe0-bbf8-50eab5eabc5a
Verdict: Malicious activity (note that the behavioural sections below record no malicious or suspicious process indicators; the listed network threats are all informational ET DYNAMIC_DNS signatures for the *.webredirect.org host)
Analysis date: May 02, 2024, 06:58:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators (the task object is the URL above; no file sample was submitted):
MD5: A8D4B1879C5C4CBF714117A1DBD0F78B
SHA1: 2C62AA2B473E08A6C14A26910E49C8CCAF092691
SHA256: 58CB67BAE1E6A8EB60AFB7265E5D684763B0A477525ED09D491707BBE047EADD
SSDEEP: 3:viXA6XA7S:viiO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS: no malicious indicators.
  • SUSPICIOUS: no suspicious indicators.
  • INFO
    • Reads the computer name: wmpnscfg.exe (PID 2312)
    • Checks supported languages: wmpnscfg.exe (PID 2312)
    • Manual execution by a user: wmpnscfg.exe (PID 2312)
    • Application launched itself: iexplore.exe (PID 3972)

The three wmpnscfg.exe entries come from a Windows Media Player helper started from explorer.exe, independent of the browsing session. The iexplore.exe entry is the browser frame process spawning its Protected Mode tab process (PID 4028), which is normal Internet Explorer behaviour; see Process information below.
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph

explorer.exe
  +-- iexplore.exe (PID 3972)        frame process, launched with the submitted URL
  |     +-- iexplore.exe (PID 4028)  Protected Mode content process (LOW integrity); performs all HTTP requests below
  +-- wmpnscfg.exe (PID 2312)        unrelated helper, no indicators of interest

Process information

PID 2312  wmpnscfg.exe  (parent: explorer.exe)
  Command line: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
  Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
  Indicators: (none listed)
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Media Player Network Sharing Service Configuration Application
  Exit code: 0
  Version: 12.0.7600.16385 (win7_rtm.090713-1255)
  Loaded modules:
    c:\program files\windows media player\wmpnscfg.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll

PID 3972  iexplore.exe  (parent: explorer.exe)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" "ppo.webredirect.org"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Indicators: (none listed)
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Loaded modules:
    c:\program files\internet explorer\iexplore.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\iertutil.dll

PID 4028  iexplore.exe  (parent: iexplore.exe, PID 3972)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3972 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Indicators: (none listed)
  User: admin
  Company: Microsoft Corporation
  Integrity level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Loaded modules:
    c:\program files\internet explorer\iexplore.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\iertutil.dll

PID 4028 is the Internet Explorer Protected Mode content (tab) process: SCODEF:3972 names the frame process that spawned it, and the LOW integrity level is the sandboxing IE applies to content processes, not a sign of tampering. It is the process that actually renders the page, which is why every HTTP request, connection and dropped file below is attributed to 4028 rather than to the frame process 3972.
Total events: 18 326
Read events: 18 200
Write events: 91
Delete events: 35

Modification events (all by PID 3972, iexplore.exe; operation: write)

Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
  NTPDaysSinceLastAutoMigration = 1
  NTPLastLaunchLowDateTime = 581100176
  NTPLastLaunchHighDateTime = 31104094
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
  NextCheckForUpdateLowDateTime = 881420176
  NextCheckForUpdateHighDateTime = 31104094
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
  CachePrefix = (empty)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
  CachePrefix = Cookie:
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
  CachePrefix = Visited:
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  CompatibilityFlags = 0
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  ProxyBypass = 1

All of these are Internet Explorer's own per-user housekeeping (tab-session timestamps, URL block list update timer, cache prefixes, zone map); none of the listed writes touch autostart or persistence locations.
Executable files: 0
Suspicious files: 21
Text files: 39
Unknown types: 5

Dropped files (10 shown; all written by PID 4028, iexplore.exe)

C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\jquery-1.8.1.min[1].js
  Type: unclear (extracted as "jss")
  MD5: E7155EE7C8C9898B6D4F2A9A12A1288E
  SHA256: FC184F96DD18794E204C41075A00923BE7E8E568744231D74F2FDF8921F78D29
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
  Type: binary
  MD5: 98732CE59728FFA4DDC3F0EC23075830
  SHA256: C50DF89E0687AEAA55F5C9606CF292550AD31CA221C32FD728452FAA0CC1F3CB
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\animate[1].css
  Type: text
  MD5: D96B2083B0ACBB11911BB4F068158299
  SHA256: 8150A6E66442996F64560B128D0EFFE532ED5EABDF0A8C6176C8C4E8ED502E6F
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\layerslider[1].css
  Type: text
  MD5: 8FA51CA4B04B369D34D5A12C57CB9C03
  SHA256: 5E1C8334F722E390A1F1F45D896EB36668C5339478CE9C929DBFEFB3FF1625DB
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\custom[1].js
  Type: binary
  MD5: 09B9BE2CE6C6AE9F0A0596641DCE6722
  SHA256: 2D0B26C6F46575140B0DF2CFE9201999FD55F5A5E4992E3788E858CC2ECF9782
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\greensock[1].js
  Type: binary
  MD5: 56E948A35FC41C4EAAA5F270A5CC8B4D
  SHA256: 9BD12EBF830C8336C57DDCAAE4AFB1715D94DA795EB6A5B48AEE5CEDC2A4D25E
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Type: binary
  MD5: DFC03C3064FC543A28CF6294D9FCC98B
  SHA256: 937D5637EE2F4F771711F102C903028F73D889B753AC9FA73A9E94582F01928F
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Type: der
  MD5: 1954F91D1857433A6E671FC2134627C4
  SHA256: 1900C86CF885B5A30F4C6978DB628CAA35291D0EA1C37ADA12638FADADB66467
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  Type: binary
  MD5: D40A17D8FD35E460639BCC3AC7B0D079
  SHA256: 61FD6009CC59F6FC5A28A05BD50B159541F845D5DEE27CCA77D83CC55DF90688
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
  Type: der
  MD5: AC89A852C2AAA3D389B2D2DD312AD367
  SHA256: 0B720E19270C672F9B6E0EC40B468AC49376807DE08A814573FE038779534F45

Every path is either the Low-integrity IE cache (Temporary Internet Files\Low\Content.IE5), holding the site's CSS and JavaScript assets, or the CryptoAPI network cache (CryptnetUrlCache), holding DER-encoded certificate material and its metadata fetched during the TLS connections listed below. No executable was written (Executable files: 0).
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 58
TCP/UDP connections: 42
DNS requests: 21
Threats: 46

HTTP requests (10 of 58 shown)

All rows: PID 4028 (iexplore.exe), method GET, HTTP 200, served by 216.9.224.179:80, CN unknown, reputation unknown. The Type and Size columns are empty in the report. Note that every request is plain HTTP on port 80.

  http://ppo.webredirect.org/
  http://ppo.webredirect.org/gap-site/css/main.css
  http://ppo.webredirect.org/gap-site/css/animate.css
  http://ppo.webredirect.org/gap-site/css/layerslider.css
  http://ppo.webredirect.org/gap-site/css/ltr.css
  http://ppo.webredirect.org/gap-site/js/jquery-1.8.1.min.js
  http://ppo.webredirect.org/gap-site/images/s-world.png
  http://ppo.webredirect.org/gap-site/js/custom.js
  http://ppo.webredirect.org/gap-site/js/greensock.js
  http://ppo.webredirect.org/gap-site/fonts/Samim.eot?

Connections (10 of 42 shown)

PID   Process       Remote endpoint       Domain                    ASN                        CN  Reputation
4     System        192.168.100.255:137   -                         -                          -   whitelisted
4     System        224.0.0.252:5355      -                         -                          -   unknown
4     System        192.168.100.255:138   -                         -                          -   whitelisted
4028  iexplore.exe  216.9.224.179:80      ppo.webredirect.org       ATT-INTERNET4              US  unknown
1088  svchost.exe   224.0.0.252:5355      -                         -                          -   unknown
4028  iexplore.exe  172.217.18.8:443      www.googletagmanager.com  GOOGLE                     US  whitelisted
4028  iexplore.exe  2.21.240.240:80       ctldl.windowsupdate.com   Akamai International B.V.  SE  unknown
4028  iexplore.exe  2.21.240.200:80       ctldl.windowsupdate.com   Akamai International B.V.  SE  unknown
4028  iexplore.exe  142.250.74.195:80     ocsp.pki.goog             GOOGLE                     US  whitelisted
4028  iexplore.exe  142.250.184.238:443   www.google-analytics.com  GOOGLE                     US  whitelisted

The 192.168.100.255:137/138 broadcasts and the 224.0.0.252:5355 multicast are the guest's own NetBIOS and LLMNR name resolution. ctldl.windowsupdate.com (certificate trust list download) and ocsp.pki.goog (OCSP) are CryptoAPI side effects of the TLS connections to the Google hosts, matching the CryptnetUrlCache files above. The only endpoint tied to the submitted host is 216.9.224.179:80.

DNS requests (10 of 21 shown)

Domain                        Resolved IPs                                                     Reputation
ppo.webredirect.org           216.9.224.179                                                    unknown
www.googletagmanager.com      172.217.18.8                                                     whitelisted
ctldl.windowsupdate.com       2.21.240.200, 2.21.240.240                                       whitelisted
ocsp.pki.goog                 142.250.74.195                                                   whitelisted
www.google-analytics.com      142.250.184.238                                                  whitelisted
region1.analytics.google.com  216.239.34.36, 216.239.32.36                                     whitelisted
stats.g.doubleclick.net       64.233.167.155, 64.233.167.157, 64.233.167.154, 64.233.167.156   whitelisted
www.google.de                 142.250.185.67                                                   whitelisted
www.google.com                142.250.186.36                                                   whitelisted
api.bing.com                  13.107.5.80                                                      whitelisted

Threats (10 of 46 shown)

PID   Process       Class                    Message
1088  svchost.exe   Potentially Bad Traffic  ET INFO DYNAMIC_DNS Query to a *.webredirect .org Domain
4028  iexplore.exe  Potentially Bad Traffic  ET INFO DYNAMIC_DNS HTTP Request to a *.webredirect .org Domain  (listed nine times)

Both signatures are informational rules that match the dynamic-DNS provider suffix in the DNS query and in the HTTP Host header; they do not inspect the page content. The query alert is attributed to svchost.exe (PID 1088) because the DNS Client service resolves names on the browser's behalf; the HTTP alerts fire once per request from the content process 4028.
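When reading a report like this one, the useful step is to separate the guest's own name-resolution chatter and whitelisted CDN traffic from the connections that deserve a pivot, and to re-apply the dynamic-DNS suffix check that the ET INFO signatures encode. The following helper is an added example, not ANY.RUN code; the row format, the short DYNAMIC_DNS_SUFFIXES list (the Emerging Threats ruleset carries a far longer one) and the sample rows transcribed from the Connections table above are all assumptions made for this illustration.

```python
"""Triage helper for the connection and threat tables of a sandbox report.

Added example, not ANY.RUN code. It takes rows shaped like the Connections
table above and separates guest name-resolution noise (NetBIOS broadcasts,
LLMNR multicast) and whitelisted endpoints from connections worth pivoting
on, and re-applies the heuristic behind the ET INFO DYNAMIC_DNS signatures:
match the queried or contacted host against a list of dynamic-DNS suffixes.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: a short suffix list for illustration. The Emerging Threats
# ruleset carries a much longer one; webredirect.org is the provider this
# report fired on.
DYNAMIC_DNS_SUFFIXES = ("webredirect.org", "ddns.net", "no-ip.org", "duckdns.org")

# Name-resolution chatter the guest emits on its own: NetBIOS name service
# (137), NetBIOS datagram (138) and LLMNR (5355 to 224.0.0.252).
NOISE_PORTS = {137, 138, 5355}


@dataclass
class Connection:
    pid: int
    process: str
    ip: str
    port: int
    domain: Optional[str]
    reputation: str


def parse_connection(line: str) -> Connection:
    """Parse one tab-separated row: pid, process, ip:port, domain, reputation."""
    pid, process, endpoint, domain, reputation = line.split("\t")
    ip, port = endpoint.rsplit(":", 1)
    return Connection(int(pid), process, ip, int(port), domain or None, reputation)


def is_dynamic_dns(host: str) -> bool:
    """True if host is a provider apex or any label under it (label-aware, not substring)."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def is_local_noise(ip: str, port: int) -> bool:
    """Broadcast/multicast name resolution inside the sandbox network."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_multicast or addr.is_private) and port in NOISE_PORTS


def triage(rows: List[str]) -> Tuple[List[Connection], List[Connection], List[Connection]]:
    """Return (noise, dynamic_dns_hits, review) in that order."""
    noise, ddns, review = [], [], []
    for row in rows:
        c = parse_connection(row)
        if is_local_noise(c.ip, c.port):
            noise.append(c)
        elif c.domain and is_dynamic_dns(c.domain):
            ddns.append(c)      # what the ET INFO DYNAMIC_DNS rules flag
        elif c.reputation == "whitelisted":
            noise.append(c)
        else:
            review.append(c)    # unknown reputation, not a dynamic-DNS host
    return noise, ddns, review


# Constructed sample rows, transcribed from the Connections table of this report.
SAMPLE_ROWS = [
    "4\tSystem\t192.168.100.255:137\t\twhitelisted",
    "4\tSystem\t224.0.0.252:5355\t\tunknown",
    "4028\tiexplore.exe\t216.9.224.179:80\tppo.webredirect.org\tunknown",
    "1088\tsvchost.exe\t224.0.0.252:5355\t\tunknown",
    "4028\tiexplore.exe\t172.217.18.8:443\twww.googletagmanager.com\twhitelisted",
    "4028\tiexplore.exe\t2.21.240.240:80\tctldl.windowsupdate.com\tunknown",
    "4028\tiexplore.exe\t142.250.74.195:80\tocsp.pki.goog\twhitelisted",
]

if __name__ == "__main__":
    noise, ddns, review = triage(SAMPLE_ROWS)
    for label, group in (("noise", noise), ("dynamic-dns", ddns), ("review", review)):
        for c in group:
            print(f"{label:12} pid={c.pid:<5} {c.process:<13} {c.ip}:{c.port} {c.domain or '-'}")
```

Run against the sample rows, the only dynamic-DNS hit is 216.9.224.179:80 for ppo.webredirect.org, and the only row left for review is ctldl.windowsupdate.com, which the report marks as unknown reputation even though it is Microsoft's certificate trust list endpoint; that is the kind of false lead a suffix check alone cannot resolve, so the review bucket still needs an analyst. The suffix match is deliberately label-aware: webredirect.org.example.com and notwebredirect.org do not match, which keeps the check from flagging unrelated hosts.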