download:

index.html

Full analysis: https://app.any.run/tasks/344811fa-ed38-439a-8287-42795a719eae
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: March 21, 2019, 16:14:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: text/html
File info: HTML document, UTF-8 Unicode text, with very long lines
MD5:

740D2950C1720C6D6D19A60C8D8EEA18

SHA1:

3B785B31DCA78A1D89C0E791DAA0D1EDEEBE469C

SHA256:

77ECE50A0587B73D8F26316585FE48DAA2371C5728FCFCB6C678FC4B36E78A11

SSDEEP:

768:9G94oi3bUGQU9WbqycQGI8+jIgANxgI7mpeML46w9UU2J5WeA9:9SkQU9WGOGI8oIgANxFAeMLI9xeA9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Downloads executable files from the Internet

      • powershell.exe (PID: 1604)

  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 1604)
      • powershell.exe (PID: 2996)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 1604)

  • INFO

    • Creates files in the user directory

      • iexplore.exe (PID: 2664)

    • Changes internet zones settings

      • iexplore.exe (PID: 1660)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2664)

    • Application launched itself

      • iexplore.exe (PID: 1660)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.html | HyperText Markup Language (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
7
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe explorer.exe no specs powershell_ise.exe presentationfontcache.exe no specs powershell.exe powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
976"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell ISE
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell_ise.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1604"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1660"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\index.htmlC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1920C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exeC:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exeservices.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
PresentationFontCache.exe
Exit code:
0
Version:
3.0.6920.4902 built by: NetFXw7
Modules
Images
c:\windows\microsoft.net\framework\v3.0\wpf\presentationfontcache.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2664"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1660 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2996"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3056"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
701
Read events
533
Write events
167
Delete events
1

Modification events

(PID) Process:(1660) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(1660) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(1660) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(1660) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(1660) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(1660) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000006E000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(1660) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{A5EFAE07-4BF4-11E9-A302-5254004A04AF}
Value:
0
(PID) Process:(2664) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Operation:writeName:Type
Value:
3
(PID) Process:(2664) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Operation:writeName:Count
Value:
1
(PID) Process:(2664) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Operation:writeName:Time
Value:
E307030004001500100010000F00F102
Executable files
1
Suspicious files
6
Text files
3
Unknown types
1

Dropped files

PID
Process
Filename
Type
1660iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFF6FAC5296E1E19BB.TMP
MD5:
SHA256:
1660iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFAE9E83389D6AC89E.TMP
MD5:
SHA256:
1660iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF7CA4721CBEEF59F6.TMP
MD5:
SHA256:
1660iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{A5EFAE08-4BF4-11E9-A302-5254004A04AF}.dat
MD5:
SHA256:
1660iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF60F3412A25B5FDF6.TMP
MD5:
SHA256:
1660iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{A5EFAE07-4BF4-11E9-A302-5254004A04AF}.dat
MD5:
SHA256:
1604powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J9D80KSBVFV8OW2J5RQN.temp
MD5:
SHA256:
1604powershell.exeC:\Users\admin\392.exe
MD5:
SHA256:
2996powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ANE8PKE47FCP08YA1ER7.temp
MD5:
SHA256:
2996powershell.exeC:\temp\456.exe
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
16
DNS requests
12
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2996
powershell.exe
GET
301
185.181.164.251:80
http://ocenidtp.ru/GSSSDpKYA5
UA
malicious
2996
powershell.exe
GET
200
185.181.164.251:80
http://ocenidtp.ru/GSSSDpKYA5/
UA
malicious
1604
powershell.exe
GET
200
209.124.71.12:80
http://simplyresponsive.com/samples/Vxfk/
US
executable
362 Kb
suspicious
2996
powershell.exe
GET
162.251.85.157:80
http://kankasilks.com/RVXvRYClYAbAs
US
malicious
2996
powershell.exe
GET
301
185.181.164.251:80
http://ocenidtp.ru/GSSSDpKYA5
UA
malicious
2996
powershell.exe
GET
404
162.251.85.157:80
http://kankasilks.com/RVXvRYClYAbAs
US
html
87.5 Kb
malicious
2996
powershell.exe
GET
200
185.181.164.251:80
http://ocenidtp.ru/GSSSDpKYA5/
UA
malicious
1604
powershell.exe
GET
302
185.2.4.139:80
http://cayecasas.com/wp-admin/DYGJm/
IT
html
230 b
unknown
2996
powershell.exe
GET
404
213.186.33.87:80
http://randorient.fr/8yenBRbnkOqq_m8PcuX
FR
html
217 b
malicious
2996
powershell.exe
GET
200
208.91.198.170:80
http://mindvim.com/cgi-sys/suspendedpage.cgi
US
html
2.50 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2664
iexplore.exe
172.217.22.99:443
ssl.gstatic.com
Google Inc.
US
whitelisted
1660
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
1604
powershell.exe
185.2.4.139:80
cayecasas.com
Simply Transit Ltd
IT
unknown
1604
powershell.exe
199.68.182.163:80
chefmongiovi.com
TeraGo Networks Inc.
CA
suspicious
1604
powershell.exe
209.124.71.12:80
simplyresponsive.com
A2 Hosting, Inc.
US
suspicious
2996
powershell.exe
162.251.85.157:80
kankasilks.com
PDR
US
malicious
2996
powershell.exe
185.10.75.7:80
nilisanat.com
Roshangar Rayaneh Tehran Co. Ltd.
IR
suspicious
2996
powershell.exe
208.91.198.170:80
mindvim.com
PDR
US
suspicious
2996
powershell.exe
185.181.164.251:80
ocenidtp.ru
euro Lir LLC
UA
malicious
2996
powershell.exe
213.186.33.87:80
randorient.fr
OVH SAS
FR
malicious

DNS requests

Domain
IP
Reputation
ssl.gstatic.com
  • 172.217.22.99
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared
cayecasas.com
  • 185.2.4.139
unknown
chefmongiovi.com
  • 199.68.182.163
suspicious
simplyresponsive.com
  • 209.124.71.12
suspicious
kankasilks.com
  • 162.251.85.157
malicious
nilisanat.com
  • 185.10.75.7
suspicious
mindvim.com
  • 208.91.198.170
suspicious
ocenidtp.ru
  • 185.181.164.251
malicious

Threats

PID
Process
Class
Message
1604
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1604
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
1604
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
Process
Message
PowerShell_ISE.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
PowerShell_ISE.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
PowerShell_ISE.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
PowerShell_ISE.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
PowerShell_ISE.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
PowerShell_ISE.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
PowerShell_ISE.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
PowerShell_ISE.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
PowerShell_ISE.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
PowerShell_ISE.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
index.html