analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://go.microsoft.com/fwlink/?LinkId=838604

Full analysis: https://app.any.run/tasks/2a8eacca-695b-4fd1-af91-2d9f27e9dcde
Verdict: Malicious activity
Analysis date: October 17, 2020, 15:50:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

F6E06B12C33AD3D615BD8820447308C3

SHA1:

5396B73E470AE034B4BA006CB8A8E3B33C4EA73D

SHA256:

6D110BD63924989E6EF63BE756BAA1E07D88EE6896340C70308612DC064B68A7

SSDEEP:

3:N1KZKLIetR7LOCdvRn:C08eDPOCdJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2428)
    • Manual execution by user

      • cmd.exe (PID: 2456)
    • Changes internet zones settings

      • iexplore.exe (PID: 2428)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1844)
      • iexplore.exe (PID: 2428)
    • Application launched itself

      • iexplore.exe (PID: 2428)
    • Creates files in the user directory

      • iexplore.exe (PID: 1844)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2428)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2428)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1844)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 2428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
4
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe cmd.exe no specs tracert.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2428"C:\Program Files\Internet Explorer\iexplore.exe" "http://go.microsoft.com/fwlink/?LinkId=838604"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
1844"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2428 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
2456"C:\Windows\system32\cmd.exe" C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2540tracert google.comC:\Windows\system32\TRACERT.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Traceroute Command
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\tracert.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\icmp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rpcrt4.dll
Total events
449
Read events
349
Write events
98
Delete events
2

Modification events

(PID) Process:(2428) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
1646637194
(PID) Process:(2428) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30844061
(PID) Process:(2428) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2428) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2428) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2428) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2428) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2428) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
46000000A5000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2428) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2428) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
Executable files
0
Suspicious files
45
Text files
59
Unknown types
20

Dropped files

PID
Process
Filename
Type
1844iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab4153.tmp
MD5:
SHA256:
1844iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar4154.tmp
MD5:
SHA256:
1844iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04binary
MD5:328FEDABD7CDE26DB2D9DEC6AFB44296
SHA256:BFC41AF89A69904A02C1060774D5A2494E05F66C99481E4B2E6AE633EFAE925E
1844iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04der
MD5:0C575BD049E419503C704224FACABC04
SHA256:9114D790F498FC5315001B19B5CBBA8EC366AD985F6B00210AB69AAE9CF0FB7F
1844iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\MWF_SocialFacebook.png[1].svgimage
MD5:58064C0EDB5F8C89D1C066A50AF5ED7D
SHA256:6CD47E002200FC07167C3D1552C5E84693412784AE15B039383F4607A6DB08E7
1844iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5ABbinary
MD5:8D842D028C3A4E73547472A8EC9BEC80
SHA256:BABE0CE9056D580A6C7E3C959A6DA2135F2FF3A87408D536D64FE2DE47D3F189
1844iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5ABder
MD5:69CE0F8127A8878A5B88CE11379C9E68
SHA256:9CD0599533309F69C9AEC5F581FEBAB94EE88E2D43A0A5AA60B27E36E4834252
1844iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_5FDD03068CBBD8A96F3AB9595BA10093der
MD5:BDE9F1FA77524F27CE840588F7FD1602
SHA256:1F58D5A6ADFF89B52C6CB5AC7440F5A00D349331BBF51D17DD96CB4E7000E578
1844iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:AA1CFB3869C3A1D152FEE7BFF1E00758
SHA256:A6CFE66764D16AAAEBA05DCE10B6F95AB5C9322E795EC589A9496C6DCF7142CC
1844iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_5FDD03068CBBD8A96F3AB9595BA10093binary
MD5:375105EAE96C16ADA4C021C3B7934D2C
SHA256:C97AA39DEDB8D1BEEA6EBDFDE99FE821443B17D38C6A5851643B696C565C0C69
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
57
DNS requests
24
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1844
iexplore.exe
GET
302
104.108.39.131:80
http://go.microsoft.com/fwlink/?LinkId=838604
NL
whitelisted
1844
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAtb9ltrp%2FvQiykNkEU33uA%3D
US
der
471 b
whitelisted
1844
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAtb9ltrp%2FvQiykNkEU33uA%3D
US
der
471 b
whitelisted
1844
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D
US
der
471 b
whitelisted
1844
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
471 b
whitelisted
1844
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAtb9ltrp%2FvQiykNkEU33uA%3D
US
der
471 b
whitelisted
1844
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D
US
der
471 b
whitelisted
1844
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAtb9ltrp%2FvQiykNkEU33uA%3D
US
der
471 b
whitelisted
1844
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAtb9ltrp%2FvQiykNkEU33uA%3D
US
der
471 b
whitelisted
1844
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAtb9ltrp%2FvQiykNkEU33uA%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1844
iexplore.exe
104.108.39.131:80
go.microsoft.com
Akamai Technologies, Inc.
NL
unknown
1844
iexplore.exe
2.16.186.41:443
statics-marketingsites-neu-ms-com.akamaized.net
Akamai International B.V.
whitelisted
1844
iexplore.exe
2.16.186.18:443
mwf-service.akamaized.net
Akamai International B.V.
whitelisted
1844
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1844
iexplore.exe
13.107.246.10:443
wcpstatic.microsoft.com
Microsoft Corporation
US
whitelisted
1844
iexplore.exe
95.100.197.46:443
assets.adobedtm.com
Akamai Technologies, Inc.
unknown
1844
iexplore.exe
2.16.186.40:443
img-prod-cms-rt-microsoft-com.akamaized.net
Akamai International B.V.
whitelisted
1844
iexplore.exe
104.108.39.131:443
go.microsoft.com
Akamai Technologies, Inc.
NL
unknown
1844
iexplore.exe
104.80.29.181:443
www.microsoft.com
Akamai Technologies, Inc.
US
malicious
1844
iexplore.exe
95.100.198.11:443
c.s-microsoft.com
Akamai Technologies, Inc.
unknown

DNS requests

Domain
IP
Reputation
go.microsoft.com
  • 104.108.39.131
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
www.microsoft.com
  • 104.80.29.181
whitelisted
assets.adobedtm.com
  • 95.100.197.46
whitelisted
statics-marketingsites-neu-ms-com.akamaized.net
  • 2.16.186.41
  • 2.16.186.27
whitelisted
mwf-service.akamaized.net
  • 2.16.186.18
  • 2.16.186.9
whitelisted
wcpstatic.microsoft.com
  • 13.107.246.10
whitelisted
img-prod-cms-rt-microsoft-com.akamaized.net
  • 2.16.186.40
  • 2.16.186.27
whitelisted
c.s-microsoft.com
  • 95.100.198.11
whitelisted
az725175.vo.msecnd.net
  • 152.199.19.160
whitelisted

Threats

No threats detected
No debug info