URL:

http://www.nyfzx.com/showWiki.aspx?id=142

Full analysis: https://app.any.run/tasks/4f151a25-1f7b-4884-8bf4-c96cf86c0416
Verdict: Malicious activity
Analysis date: July 08, 2024, 05:22:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 1F216EEB700A49AA706F0B2A28DDE2E3
SHA1: 45807FD5EDAC270859E0B20022CC10C4AE551D72
SHA256: 5F7504B8DF7F12BB7ABD8108D34DB9BC2DB34F67665EE05E85F01D79E6D9BAB7
SSDEEP: 3:N1KJS4oDdZIKWNJfOMLESdOq:Cc4oDdtWNMKES

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3268)
No Malware configuration.
Total processes: 41
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> iexplore.exe -> iexplore.exe

Process information

PID: 3268
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://www.nyfzx.com/showWiki.aspx?id=142"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images): c:\program files\internet explorer\iexplore.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\iertutil.dll

PID: 3532
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3268 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images): c:\program files\internet explorer\iexplore.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\iertutil.dll
Total events: 16 823
Read events: 16 713
Write events: 89
Delete events: 21

Modification events

(PID) Process | Operation | Key | Name | Value
(3268) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPDaysSinceLastAutoMigration | 1
(3268) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPLastLaunchLowDateTime |
(3268) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPLastLaunchHighDateTime | 31117558
(3268) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateLowDateTime |
(3268) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateHighDateTime | 31117558
(3268) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix |
(3268) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
(3268) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
(3268) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0
(3268) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
Executable files: 0
Suspicious files: 14
Text files: 22
Unknown types: 1

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3532 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\top-3[1].png | image | 35826A8564347E6D96B7AE4639B8B3EA | 08004DBDB8122CB746635228B3B2F3C0DF18581057B1135050BCAA7E172B26A7
3532 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\style[1].css | text | A69C92391B757A025E9C66343A55858A | 87B4208EF55D78CDF4AE30322538145136BEC2B9EA01B85E17533130905F0209
3532 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\menu[1].js | text | 95CE7D695D6146F2BDCB93D040061415 | 1E3242D401ADD7C9EE5AF27702D3D99E274EB1737A22610D22802B4425FF7A59
3532 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | binary | 822467B728B7A66B081C91795373789A | AF2343382B88335EEA72251AD84949E244FF54B6995063E24459A7216E9576B9
3532 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary | 4C3183B267C91B059F3BF92996AA065A | E62687DC570EF64E2F1C79A2F7CF12F4B39246412C8FE8503F4C28CE692ADD9D
3532 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | C0A9CDFF49A32E723AB990DD825750C1 | E6BED5999FB9B579096A58A525E675EE725D2A9D5EF785F8A1FDEBB82D42BCA1
3532 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\zh_CN[1].js | text | 895B6713AF054CFD611636CC3EE5445B | 182D4C854FC9AA605A86938C530E5F504C83419265D4F3DBD0372A4FD4FD50CC
3532 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F6E1C49308DE5535559961F4A4A887 | der | B0BCB9970FE7A480BE0E175C95A0D8E2 | 8928E3C913C404C20E591982F986D535CFDCAFF71D507BBE5FF753FF4AB7558C
3532 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\default[1].css | text | E0057FA61395DC7EC0F5CB23D4619958 | C3237553BA559F4419FA67B9298DF07ACFA44172337E7EF9A0B5EB53B79C3849
3532 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\prettify[1].js | text | B56ED594DA5B2708E3B71DF6185A12B4 | CEB552B49C88D7DCCA22C7321F5AB7117AEEA6A4CD6B9798609409154F011F86
HTTP(S) requests: 27
TCP/UDP connections: 36
DNS requests: 17
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Reputation
3532 | iexplore.exe | GET | 200 | 121.42.47.145:80 | http://www.nyfzx.com/kingEdit/themes/default/default.css | unknown
3532 | iexplore.exe | GET | 200 | 121.42.47.145:80 | http://www.nyfzx.com/showWiki.aspx?id=142 | unknown
3532 | iexplore.exe | GET | 200 | 121.42.47.145:80 | http://www.nyfzx.com/kingEdit/kindeditor.js | unknown
3532 | iexplore.exe | GET | 200 | 121.42.47.145:80 | http://www.nyfzx.com/kingEdit/lang/zh_CN.js | unknown
3532 | iexplore.exe | GET | 200 | 121.42.47.145:80 | http://www.nyfzx.com/kingEdit/plugins/code/prettify.js | unknown
3532 | iexplore.exe | GET | 200 | 121.42.47.145:80 | http://www.nyfzx.com/kingEdit/plugins/code/prettify.css | unknown
3532 | iexplore.exe | GET | 304 | 23.32.238.218:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?53d7d950db8549e2 | unknown
3532 | iexplore.exe | GET | 200 | 121.42.47.145:80 | http://www.nyfzx.com/images/top-bj.jpg | unknown
3532 | iexplore.exe | GET | 200 | 69.192.161.44:80 | http://x1.c.lencr.org/ | unknown
3268 | iexplore.exe | GET | 304 | 23.32.238.218:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?51a1dcf3f3c100e5 | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1060 | svchost.exe | 224.0.0.252:5355 | | | | unknown
1372 | svchost.exe | 51.124.78.146:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
2564 | svchost.exe | 239.255.255.250:3702 | | | | unknown
4 | System | 192.168.100.255:137 | | | | unknown
4 | System | 192.168.100.255:138 | | | | unknown
3532 | iexplore.exe | 121.42.47.145:80 | | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
3532 | iexplore.exe | 179.60.150.123:443 | beonlineboo.com | GHOSTnet GmbH | VE | unknown
3532 | iexplore.exe | 23.32.238.218:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
3532 | iexplore.exe | 69.192.161.44:80 | x1.c.lencr.org | AKAMAI-AS | DE | unknown
3532 | iexplore.exe | 184.24.77.54:80 | r10.o.lencr.org | Akamai International B.V. | DE | unknown

DNS requests

Domain | IP | Reputation
beonlineboo.com | 179.60.150.123 | unknown
ctldl.windowsupdate.com | 23.32.238.218, 23.32.238.234, 23.32.238.235, 23.32.238.186, 23.32.238.242, 23.32.238.243, 23.32.238.227, 23.32.238.179, 23.32.238.224 | unknown
x1.c.lencr.org | 69.192.161.44 | unknown
r10.o.lencr.org | 184.24.77.54, 184.24.77.48 | unknown
api.bing.com | 13.107.5.80 | unknown
www.bing.com | 104.126.37.130, 104.126.37.170, 104.126.37.161, 104.126.37.186, 104.126.37.139, 104.126.37.171, 104.126.37.178, 104.126.37.145, 104.126.37.136 | unknown
s4.cnzz.com | 106.225.241.86 | unknown
ocsp.digicert.com | 192.229.221.95 | unknown
ocsp.globalsign.com | 104.18.20.226, 104.18.21.226 | unknown
ocsp2.globalsign.com | 104.18.20.226, 104.18.21.226 | unknown

Threats

Class | Message
A Network Trojan was detected | ET MALWARE BMANAGER CnC Domain in DNS Lookup (beonlineboo .com)
A Network Trojan was detected | ET MALWARE Observed BMANAGER Domain (beonlineboo .com in TLS SNI)
A Network Trojan was detected | ET MALWARE Observed BMANAGER Domain (beonlineboo .com in TLS SNI)