URL:

http://vlasta-s.ru/logista.rtf

Full analysis: https://app.any.run/tasks/8305a34b-aec8-40b5-a43d-fd2e0a2d7c6d
Verdict: Malicious activity
Analysis date: May 14, 2024, 13:48:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

754A65874C03661679A793D8DAB601CB

SHA1:

CD15264F299978F741ACB4F1C48056BC253C0735

SHA256:

7BA71D0F14C02DF29B3EF2A1A46BA9EAD341857229668B196044B7213AD2F52F

SSDEEP:

3:N1KIKDIWGLXl:CIlWGLXl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3964)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 2032)

    • Reads the computer name

      • wmpnscfg.exe (PID: 2032)

    • Checks supported languages

      • wmpnscfg.exe (PID: 2032)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3964)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2032"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3964"C:\Program Files\Internet Explorer\iexplore.exe" "http://vlasta-s.ru/logista.rtf"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
4024"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3964 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
13 032
Read events
12 916
Write events
82
Delete events
34

Modification events

(PID) Process:(3964) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(3964) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
(PID) Process:(3964) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
31106565
(PID) Process:(3964) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(3964) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
31106565
(PID) Process:(3964) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3964) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3964) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3964) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3964) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
0
Suspicious files
7
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
3964iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177binary
MD5:9F222F0A3DEA52F35ACC45A2A46DB9C3
SHA256:6DE2B1A5C8EB006FC3E315639F29B4345D0331165B0B184CD944EAC210686871
3964iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3964iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118Abinary
MD5:7C0FB1392DCACA4833A474A69B38C0D4
SHA256:7590DA7740173E87402888EAA37C683837660118273C2C8C7E0AB4003A12B04D
3964iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[1].icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3964iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[2].icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3964iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\VQDVTH0O.txttext
MD5:3D49768F8014E961134B3EFE72582972
SHA256:16BACBFF2C6EBD2951495A182416289E9714F1C47927D3827A7DE4F0EAFC65A7
3964iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177binary
MD5:85D5D62B6EB3B419455BF9188470CC91
SHA256:1FED293373C72B7C19A951C15AE1846F6EAF9244F4080F1D87B2B7B3F9A8F734
3964iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\WKCMR3AR.txttext
MD5:101AC74B7752BFBB2B6E2A1AB132C155
SHA256:E14728FE8F9594FCE67DA81FE4EB7723D9B0DAFA72ACEE52E55A8B19C53777F2
3964iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\XSULODLY.txttext
MD5:5D66FEF7AD1D28A171BFE44F7EDBBEC6
SHA256:01CB60215EB61003A50093B7BD7E9BF2EC9C5EAF5068C3956E8F206053E32383
3964iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\CM0HPHMR.txttext
MD5:6B0742BF059C466278D86C6B17FF3410
SHA256:044928C02F5B2C68EDD887E09D5F532903FAE5CA3BDEDBC864C2C2A413E53CD5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
18
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4024
iexplore.exe
GET
195.161.68.8:80
http://vlasta-s.ru/logista.rtf
unknown
unknown
3964
iexplore.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?79a7655eb74e6b7f
unknown
unknown
3964
iexplore.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?abfaa68ff91a6278
unknown
unknown
1088
svchost.exe
GET
304
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1a460631b50eba60
unknown
unknown
3964
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D
unknown
unknown
3964
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAxq6XzO1ZmDhpCgCp6lMhQ%3D
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
unknown
224.0.0.252:5355
unknown
4024
iexplore.exe
195.161.68.8:80
vlasta-s.ru
JSC RTComm.RU
RU
malicious
3964
iexplore.exe
2.16.65.74:443
www.bing.com
Akamai International B.V.
PT
unknown
3964
iexplore.exe
199.232.210.172:80
ctldl.windowsupdate.com
FASTLY
US
unknown
3964
iexplore.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
3964
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
EDGECAST
US
whitelisted
1088
svchost.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
unknown
3964
iexplore.exe
204.79.197.200:443
ieonline.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
vlasta-s.ru
  • 195.161.68.8
unknown
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 2.16.65.74
  • 2.16.65.97
  • 2.16.65.89
  • 2.16.65.88
  • 2.16.65.104
  • 2.16.65.75
  • 2.16.65.91
  • 2.16.65.90
  • 2.16.65.81
whitelisted
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ieonline.microsoft.com
  • 204.79.197.200
whitelisted
go.microsoft.com
  • 23.2.86.152
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://vlasta-s.ru/logista.rtf