URL: https://onedrive.live.com/download?cid=E9A4ABA28EDB0B05&resid=E9A4ABA28EDB0B05%21112&authkey=AL9w-5qUbG9VH98
Full analysis: https://app.any.run/tasks/bbc6353a-f0f7-4a67-bd58-44b990b3c823
Verdict: Malicious activity
Analysis date: May 15, 2019, 14:34:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:    57734512014BEA5EEACE92445F6B2E26
SHA1:   B6F5FB1F87DF11BC53B0202D42AE99C1B680CAF4
SHA256: 7BC6DC8EB02D114E3928B2479B2AB350364EB10A659C45BF02324385D0DB5934
SSDEEP: 3:N8Ck3CTwKblNcJkyBQvALCkyBQ0OpgjIGHius:2CkST/ZOJjBQJjBQ0Opg0QiR
Note on these hashes: this is a URL task, and the SSDEEP block size of 3 (the leading field) is the smallest ssdeep uses, chosen for inputs of roughly 200 bytes or less. The digests above are therefore of the short submitted object, almost certainly the URL string itself, and not of the executable parkinglist.pdf.exe dropped during the run. Hashes for the dropped executable are not included in this excerpt; take them from the full report before adding anything to a blocklist.

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
Summary of the chain visible in this report: the OneDrive download URL is opened in Internet Explorer (PID 3360); WinRAR.exe (PID 2660) drops executable content; parkinglist.pdf.exe, whose double extension is meant to pass as a PDF, is flagged as dropped or rewritten by another process, launches further copies of itself (14 PIDs in total) and writes a registry autorun value (PIDs 2848 and 3296). Signatures as reported:
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • parkinglist.pdf.exe (PID: 2848)
      • parkinglist.pdf.exe (PID: 3296)
      • parkinglist.pdf.exe (PID: 2952)
      • parkinglist.pdf.exe (PID: 2604)
      • parkinglist.pdf.exe (PID: 3556)
      • parkinglist.pdf.exe (PID: 2564)
      • parkinglist.pdf.exe (PID: 772)
      • parkinglist.pdf.exe (PID: 3572)
      • parkinglist.pdf.exe (PID: 1244)
      • parkinglist.pdf.exe (PID: 1900)
      • parkinglist.pdf.exe (PID: 1924)
      • parkinglist.pdf.exe (PID: 1704)
      • parkinglist.pdf.exe (PID: 124)
      • parkinglist.pdf.exe (PID: 3228)
    • Changes the autorun value in the registry
      • parkinglist.pdf.exe (PID: 2848)
      • parkinglist.pdf.exe (PID: 3296)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2660)
    • Modifies files in Chrome extension folder
      • chrome.exe (PID: 832)
    • Application launched itself
      • parkinglist.pdf.exe (PID: 2848)
      • parkinglist.pdf.exe (PID: 3296)
  • INFO
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 2832)
      • chrome.exe (PID: 832)
    • Application launched itself
      • iexplore.exe (PID: 3360)
      • chrome.exe (PID: 832)
      • AcroRd32.exe (PID: 1140)
      • RdrCEF.exe (PID: 3660)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 3360)
    • Changes internet zones settings
      • iexplore.exe (PID: 3360)
    • Reads internet explorer settings
      • iexplore.exe (PID: 2832)
    • Creates files in the user directory
      • iexplore.exe (PID: 3360)
      • iexplore.exe (PID: 2832)
    • Changes settings of System certificates
      • iexplore.exe (PID: 3360)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 3360)
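The Python script below is an added example and is not part of the ANY.RUN report. It turns this page into two checks an analyst would actually run: hash a local object and compare it with the report's MD5/SHA1/SHA256 (case-insensitively, since reports mix upper- and lower-case hex, and SHA256 first because MD5/SHA1 matches alone are only leads), and flag filenames that hide an executable extension behind a document-looking one, as parkinglist.pdf.exe does. It also tests whether the report's digests are those of the submitted URL text rather than of a file; the answer is whatever the script prints, not something the page states. SSDEEP is left out because it needs a third-party library. The extension lists, the sample file names and their byte contents are constructed for the demonstration.

```python
import hashlib
import os
from typing import Dict, Optional

# Indicators copied from the report's Indicators section (hex lower-cased).
REPORT_IOCS: Dict[str, str] = {
    "md5": "57734512014bea5eeace92445f6b2e26",
    "sha1": "b6f5fb1f87df11bc53b0202d42ae99c1b680caf4",
    "sha256": "7bc6dc8eb02d114e3928b2479b2ab350364eb10a659c45bf02324385d0db5934",
}
SUBMITTED_URL = ("https://onedrive.live.com/download?cid=E9A4ABA28EDB0B05"
                 "&resid=E9A4ABA28EDB0B05%21112&authkey=AL9w-5qUbG9VH98")

# Extensions Windows will execute, and the "document" extensions an attacker
# places in front of them (parkinglist.pdf.exe). Illustrative, not exhaustive.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".msi", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".txt", ".rtf", ".jpg", ".jpeg", ".png"}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5, SHA1 and SHA256 of an in-memory object as lower-case hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_iocs(data: bytes, iocs: Dict[str, str]) -> Optional[str]:
    """Return the name of the first algorithm whose digest matches, else None.

    SHA256 is checked first: a SHA256 hit is conclusive, whereas an MD5 or
    SHA1 hit on its own should be treated as a lead because of known collisions.
    """
    digests = hash_bytes(data)
    for algo in ("sha256", "sha1", "md5"):
        expected = iocs.get(algo)
        if expected and digests[algo] == expected.strip().lower():
            return algo
    return None


def is_double_extension_lure(filename: str) -> bool:
    """True for names like parkinglist.pdf.exe: an executable extension
    preceded by a document-looking one. Accepts Windows or POSIX paths."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    root, last = os.path.splitext(name)
    if last not in EXECUTABLE_EXTS:
        return False
    _, inner = os.path.splitext(root)
    return inner in DOCUMENT_EXTS


def triage(filename: str, data: bytes,
           iocs: Dict[str, str] = REPORT_IOCS) -> Dict[str, object]:
    """Combine both checks into a single verdict for one file."""
    hit = match_iocs(data, iocs)
    lure = is_double_extension_lure(filename)
    if hit:
        verdict = "known-malicious"
    elif lure:
        verdict = "suspicious"
    else:
        verdict = "no-match"
    return {"file": filename, "hash_match": hit,
            "double_extension": lure, "verdict": verdict}


def report_hashes_are_of_url(url: str = SUBMITTED_URL,
                             iocs: Dict[str, str] = REPORT_IOCS) -> bool:
    """Do the report's digests match the URL text (UTF-8, no trailing newline)?"""
    return match_iocs(url.encode("utf-8"), iocs) is not None


if __name__ == "__main__":
    # Constructed sample files; the bytes are not the real sample.
    samples = {
        "parkinglist.pdf.exe": b"MZ" + b"\x00" * 62 + b"constructed stub",
        "parkinglist.pdf": b"%PDF-1.4 constructed harmless document",
    }
    # Add the constructed executable's own SHA256 to the IOC set to show a hit.
    iocs = dict(REPORT_IOCS, sha256=hash_bytes(samples["parkinglist.pdf.exe"])["sha256"])
    for name, data in samples.items():
        print(triage(name, data, iocs))
    print("report hashes are of the URL string:", report_hashes_are_of_url())
```

Run it against a directory of downloads by reading each file's bytes into triage(); a "suspicious" verdict on a double-extension name is worth escalating even when no hash matches, because a repacked sample changes every digest but keeps the lure.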
No malware configuration.
Processes: 82 total, 44 monitored, 2 malicious, 0 suspicious

Behavior graph (nodes in launch order; "no specs" marks a process with no signatures attached to it)

start iexplore.exe iexplore.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe parkinglist.pdf.exe parkinglist.pdf.exe no specs parkinglist.pdf.exe no specs parkinglist.pdf.exe no specs parkinglist.pdf.exe no specs parkinglist.pdf.exe no specs parkinglist.pdf.exe no specs chrome.exe no specs parkinglist.pdf.exe parkinglist.pdf.exe no specs parkinglist.pdf.exe no specs parkinglist.pdf.exe no specs parkinglist.pdf.exe no specs parkinglist.pdf.exe no specs parkinglist.pdf.exe no specs acrord32.exe acrord32.exe no specs rdrcef.exe no specs rdrcef.exe no specs

Process information

This excerpt lists 10 of the 44 monitored processes. WinRAR.exe (PID 2660), the parkinglist.pdf.exe instances, AcroRd32.exe (PID 1140) and RdrCEF.exe (PID 3660) are referenced by the signatures above but their records are not included here.

PID 3360  iexplore.exe  (parent: explorer.exe)
  CMD:  "C:\Program Files\Internet Explorer\iexplore.exe" https://onedrive.live.com/download?cid=E9A4ABA28EDB0B05&resid=E9A4ABA28EDB0B05%21112&authkey=AL9w-5qUbG9VH98
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Internet Explorer | Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2832  iexplore.exe  (parent: iexplore.exe)
  CMD:  "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3360 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity level: LOW
  Description: Internet Explorer | Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 832  chrome.exe  (parent: explorer.exe)
  CMD:  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google Inc. | Integrity level: MEDIUM
  Description: Google Chrome | Version: 73.0.3683.75

PID 3196  chrome.exe  (parent: chrome.exe)
  CMD:  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=73.0.3683.75 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6b700f18,0x6b700f28,0x6b700f34
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google Inc. | Integrity level: MEDIUM
  Description: Google Chrome | Version: 73.0.3683.75

PID 3624  chrome.exe  (parent: chrome.exe)
  CMD:  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1752 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google Inc. | Integrity level: MEDIUM
  Description: Google Chrome | Version: 73.0.3683.75

PID 2796  chrome.exe  (parent: chrome.exe)
  CMD:  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=960,16556530931734505552,16541851452398260554,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=16771420407433306438 --mojo-platform-channel-handle=952 --ignored=" --type=renderer " /prefetch:2
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google Inc. | Integrity level: LOW
  Description: Google Chrome | Version: 73.0.3683.75

PID 1380  chrome.exe  (parent: chrome.exe)
  CMD:  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=960,16556530931734505552,16541851452398260554,131072 --enable-features=PasswordImport --service-pipe-token=16419911088255832892 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=16419911088255832892 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:1
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google Inc. | Integrity level: LOW | Exit code: 0
  Description: Google Chrome | Version: 73.0.3683.75

PID 3276  chrome.exe  (parent: chrome.exe)
  CMD:  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=960,16556530931734505552,16541851452398260554,131072 --enable-features=PasswordImport --service-pipe-token=2647533170510902771 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2647533170510902771 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:1
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google Inc. | Integrity level: LOW | Exit code: 0
  Description: Google Chrome | Version: 73.0.3683.75

PID 3040  chrome.exe  (parent: chrome.exe)
  CMD:  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=960,16556530931734505552,16541851452398260554,131072 --enable-features=PasswordImport --service-pipe-token=1426279850782724922 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1426279850782724922 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2252 /prefetch:1
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google Inc. | Integrity level: LOW | Exit code: 0
  Description: Google Chrome | Version: 73.0.3683.75

PID 3804  chrome.exe  (parent: chrome.exe)
  CMD:  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=960,16556530931734505552,16541851452398260554,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=7808604065836821234 --mojo-platform-channel-handle=3596 --ignored=" --type=renderer " /prefetch:8
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google Inc. | Integrity level: LOW | Exit code: 0
  Description: Google Chrome | Version: 73.0.3683.75
Events: 1 207 total (1 012 read, 0 write, 0 delete)
Modification events: no data
Files: 1 executable, 52 suspicious, 225 text, 24 of unknown type

Dropped files (rows without a hash were not captured)

PID  | Process      | Filename | Type | MD5 | SHA256
3360 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | - | - | -
3360 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | - | - | -
2832 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FDZH28SN\download[1].txt | - | - | -
2832 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | A1620FB626B6B2E81A21E57AC826410D | 25191A7182A129B2E0086C9712C1FCAD757C4BC3D204F68FDAAFB83D00857C4C
2832 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | 8AC65A2660DB5FC75D70398068981CDE | 7ED7A2659DF2F1E7313CCC5EDBB36557E17FC097122B3363F642582DE8D976D5
2832 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZZZO44H9\legacy_s_legacy-0f159289[1].js | text | 0F159289853FA82FB6D1558E55F2AB22 | 39DB86FE6A7793F60AEC27CFD27F88A57150C64B58111FF74788504942A80E94
2832 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat | dat | 67F0B88ECFB15BCF7C1D9111AAAF2D47 | D3801A87E810EBF92F8FB532DA31BCEA4BF8506A5E7590AB4E5CE347CBAAD531
2832 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FDZH28SN\maincss-aec76c77[1].css | text | AEC76C77A59885FCB2D01C043118A65A | 446332E8C993CA5C57C1EC267B71675C4C9E4F72BA3AE4B4AA0468F4E683A0FA
2832 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@live[1].txt | text | FDBF0C8037800F8C5D2C744A2A07FDD7 | F9F6B075BAF1AF8E5F3C74E49BCB64670041D9E6894D0E03FD1EC3F6A5C646B2
2832 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FDZH28SN\download[1].htm | html | 2DE9F31AA8758DE40A904D20227D35E6 | 45CD99F9ABF6142E4CBDEB8DF6808AF59B67A59957F99DC371C4B820A99D044A
Network: 10 HTTP(S) requests, 59 TCP/UDP connections, 34 DNS requests, 0 threats

HTTP requests

None of the ten requests listed here is made by parkinglist.pdf.exe: the .crx fetched by chrome.exe (extension ID pkedcjkdefgpdelpbcmbmeomcjbeemfm) is Chrome's own Media Router component update, which accounts for the "Modifies files in Chrome extension folder" signature, and the AcroRd32.exe 304 responses are Adobe Reader's acroipm (in-product messaging) checks. Treat these as sandbox background noise, not as indicators.

PID  | Process      | Method | Code | IP                | URL | CN | Type | Size | Reputation
2832 | iexplore.exe | GET | 302 | 52.142.114.176:80 | http://g.live.com/9uxp9en-us/ep_bro1 | IE | - | - | whitelisted
1140 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip | unknown | - | - | whitelisted
832  | chrome.exe   | GET | 200 | 209.85.230.216:80 | http://r2---sn-aigs6n7r.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=194.187.251.125&mm=28&mn=sn-aigs6n7r&ms=nvh&mt=1557930749&mv=m&pl=24&shardbypass=yes | US | crx | 842 Kb | whitelisted
1140 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/279_15_23_20070.zip | unknown | - | - | whitelisted
2832 | iexplore.exe | GET | 301 | 2.23.106.83:80 | http://www.microsoft.com/windows/downloads/ie/getitnow.mspx | unknown | html | 189 b | whitelisted
1140 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip | unknown | - | - | whitelisted
832  | chrome.exe   | GET | 302 | 216.58.205.238:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 506 b | whitelisted
1140 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip | unknown | - | - | whitelisted
3360 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
1140 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip | unknown | - | - | whitelisted

Connections

The reputation column is ANY.RUN's host/IP reputation, not a per-connection verdict. onedrive.live.com is the delivery host for this task (its DNS entry below is rated "shared") and support.microsoft.com is a Microsoft property, so neither IP should go onto a blocklist on the strength of the "malicious" tag alone.

PID  | Process      | IP:port             | Domain | ASN | CN | Reputation
2832 | iexplore.exe | 204.79.197.200:443  | www.bing.com | Microsoft Corporation | US | whitelisted
3360 | iexplore.exe | 204.79.197.200:80   | www.bing.com | Microsoft Corporation | US | whitelisted
2832 | iexplore.exe | 2.16.186.25:443     | spoprod-a.akamaihd.net | Akamai International B.V. | - | whitelisted
2832 | iexplore.exe | 52.142.114.176:80   | g.live.com | Microsoft Corporation | IE | whitelisted
2832 | iexplore.exe | 13.107.42.13:443    | onedrive.live.com | Microsoft Corporation | US | malicious
2832 | iexplore.exe | 104.111.247.75:443  | windows.microsoft.com | Akamai International B.V. | NL | whitelisted
2832 | iexplore.exe | 104.111.216.162:443 | mem.gfx.ms | Akamai International B.V. | NL | whitelisted
2832 | iexplore.exe | 2.16.186.11:443     | statics-uhf-wus.akamaized.net | Akamai International B.V. | - | whitelisted
2832 | iexplore.exe | 2.21.36.173:443     | support.microsoft.com | GTT Communications Inc. | FR | malicious
2832 | iexplore.exe | 2.23.106.83:80      | www.microsoft.com | Akamai International B.V. | - | whitelisted

DNS requests

Domain                 | Resolved IP(s)                | Reputation
onedrive.live.com      | 13.107.42.13                  | shared
www.bing.com           | 204.79.197.200, 13.107.21.200 | whitelisted
spoprod-a.akamaihd.net | 2.16.186.25, 2.16.186.40      | whitelisted
p.sfx.ms               | 2.19.37.83                    | whitelisted
g.live.com             | 52.142.114.176                | whitelisted
c.live.com             | 52.142.114.2                  | whitelisted
www.microsoft.com      | 2.23.106.83                   | whitelisted
c.bing.com             | 204.79.197.200, 13.107.21.200 | whitelisted
windows.microsoft.com  | 104.111.247.75                | whitelisted
support.microsoft.com  | 2.21.36.173                   | whitelisted

Threats: none detected
Debug info: none