File name: CoinMine.exe
Full analysis: https://app.any.run/tasks/ab085a6b-ebcd-4ea4-bce2-c3937550a435
Verdict: Malicious activity
Analysis date: April 01, 2023, 11:11:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 49F6BDCF34BC0BE593A9E7DD64AA6E62
SHA1: CD523DDA29635FD2F159457C485C055D2920033B
SHA256: 7D2E4A096CFB9DA6EF9B1757B36C6FB462B39ADBF927FECC4D10EF8D6A6DCCB1
SSDEEP: 24576:BO/yiVlOzZoncHBbqjDlnGacRBk17ti1BeNBrx2m97Mj59iM9rG:BHOyocRq1nGP6iWNBrxnlMj59iwrG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • taskhost.exe (PID: 2900)
    • Changes the autorun value in the registry

      • unregmp2.exe (PID: 2200)
      • regsvr32.exe (PID: 3124)
    • Create files in the Startup directory

      • regsvr32.exe (PID: 3124)
    • Application was dropped or rewritten from another process

    • Changes the login/logoff helper path in the registry

  • SUSPICIOUS

    • Executes as Windows Service

      • taskhost.exe (PID: 2900)
      • EOSNotify.exe (PID: 2424)
    • The process executes via Task Scheduler

      • sipnotify.exe (PID: 3492)
    • Application launched itself

      • ie4uinit.exe (PID: 3868)
      • rundll32.exe (PID: 2412)
    • Reads Internet Explorer settings

      • ie4uinit.exe (PID: 3868)
    • Reads the Internet Settings

      • ie4uinit.exe (PID: 3868)
      • rundll32.exe (PID: 2412)
      • rundll32.exe (PID: 2012)
      • taskhost.exe (PID: 2900)
      • ie4uinit.exe (PID: 3596)
      • ie4uinit.exe (PID: 2968)
    • Reads security settings of Internet Explorer

      • ie4uinit.exe (PID: 3868)
      • sipnotify.exe (PID: 3492)
    • Reads Microsoft Outlook installation path

      • ie4uinit.exe (PID: 3868)
    • Changes internet zones settings

      • ie4uinit.exe (PID: 3868)
    • Uses RUNDLL32.EXE to load library

      • ie4uinit.exe (PID: 3868)
      • rundll32.exe (PID: 2412)
    • Write to the desktop.ini file (may be used to cloak folders)

      • ie4uinit.exe (PID: 3868)
      • unregmp2.exe (PID: 2200)
      • regsvr32.exe (PID: 3124)
    • Changes default file association

      • unregmp2.exe (PID: 2200)
    • Reads settings of System Certificates

      • sipnotify.exe (PID: 3492)
      • YouAreAnIdiot.exe (PID: 1240)
    • The COM object is verified by Verclsid

      • verclsid.exe (PID: 3024)
  • INFO

    • The process checks LSA protection

      • sipnotify.exe (PID: 3492)
      • CoinMine.exe (PID: 1900)
      • ie4uinit.exe (PID: 3868)
      • taskhost.exe (PID: 2900)
      • regsvr32.exe (PID: 3124)
      • unregmp2.exe (PID: 2200)
      • wmpnscfg.exe (PID: 3740)
      • wmpnscfg.exe (PID: 1868)
      • YouAreAnIdiot.exe (PID: 1240)
    • Reads the computer name

      • CoinMine.exe (PID: 1900)
      • IMEKLMG.EXE (PID: 2200)
      • wmpnscfg.exe (PID: 3740)
      • wmpnscfg.exe (PID: 1868)
      • IMEKLMG.EXE (PID: 304)
      • YouAreAnIdiot.exe (PID: 1240)
    • Checks supported languages

      • CoinMine.exe (PID: 1900)
      • IMEKLMG.EXE (PID: 2200)
      • IMEKLMG.EXE (PID: 304)
      • IMKRMIG.EXE (PID: 3248)
      • wmpnscfg.exe (PID: 3740)
      • wmpnscfg.exe (PID: 1868)
      • YouAreAnIdiot.exe (PID: 1240)
      • [email protected] (PID: 580)
    • Manual execution by a user

      • taskmgr.exe (PID: 2724)
      • ie4uinit.exe (PID: 3868)
      • ie4uinit.exe (PID: 3596)
      • regsvr32.exe (PID: 3124)
      • ie4uinit.exe (PID: 2968)
      • unregmp2.exe (PID: 2200)
      • IMEKLMG.EXE (PID: 2200)
      • IMEKLMG.EXE (PID: 304)
      • chrmstp.exe (PID: 3500)
      • wmpnscfg.exe (PID: 3740)
      • wmpnscfg.exe (PID: 1868)
      • chrome.exe (PID: 3488)
      • YouAreAnIdiot.exe (PID: 1240)
      • taskmgr.exe (PID: 2084)
      • verclsid.exe (PID: 3024)
    • Creates files in the program directory

      • ie4uinit.exe (PID: 3868)
      • chrmstp.exe (PID: 3500)
      • chrmstp.exe (PID: 3880)
      • chrome.exe (PID: 3488)
    • Process checks whether UAC notifications are on

      • IMEKLMG.EXE (PID: 2200)
      • IMEKLMG.EXE (PID: 304)
    • Application launched itself

      • chrmstp.exe (PID: 3500)
      • chrmstp.exe (PID: 3880)
      • chrome.exe (PID: 3488)
    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 1868)
      • wmpnscfg.exe (PID: 3740)
      • YouAreAnIdiot.exe (PID: 1240)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 2996)
      • chrome.exe (PID: 1352)
      • WinRAR.exe (PID: 1364)
      • chrome.exe (PID: 4004)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2996)
      • WinRAR.exe (PID: 1364)
    • Reads CPU info

      • YouAreAnIdiot.exe (PID: 1240)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (38.2)
.exe | Win32 EXE Yoda's Crypter (37.5)
.dll | Win32 Dynamic Link Library (generic) (9.2)
.exe | Win32 Executable (generic) (6.3)
.exe | Win16/32 Executable Delphi generic (2.9)

EXIF

EXE

ProductVersion: 1.0.0.0
FileVersion: 1.0.0.0
CharacterSet: Windows, Latin1
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x3b0160
UninitializedDataSize: 2650112
InitializedDataSize: 20480
CodeSize: 1216512
LinkerVersion: 2.25
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
TimeStamp: 2016:07:08 05:36:35+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 08-Jul-2016 05:36:35
Detected languages:
  • English - United States
  • Russian - Russia
FileVersion: 1.0.0.0
ProductVersion: 1.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 08-Jul-2016 05:36:35
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
UPX0 | 0x00001000 | 0x00287000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
UPX1 | 0x00288000 | 0x00129000 | 0x00128400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.92589
.rsrc | 0x003B1000 | 0x00005000 | 0x00004400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.36489

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 4.86531 | 714 | UNKNOWN | English - United States | RT_MANIFEST
2 | 7.21422 | 308 | UNKNOWN | English - United States | RT_CURSOR
3 | 6.92854 | 308 | UNKNOWN | English - United States | RT_CURSOR
4 | 7.09594 | 308 | UNKNOWN | English - United States | RT_CURSOR
5 | 7.20732 | 308 | UNKNOWN | English - United States | RT_CURSOR
6 | 7.04739 | 308 | UNKNOWN | English - United States | RT_CURSOR
7 | 7.13266 | 308 | UNKNOWN | English - United States | RT_CURSOR
3682 | 5.76431 | 76 | UNKNOWN | UNKNOWN | RT_STRING
3683 | 6.76654 | 170 | UNKNOWN | UNKNOWN | RT_STRING
3684 | 7.24462 | 390 | UNKNOWN | UNKNOWN | RT_STRING

Imports

KERNEL32.DLL
advapi32.dll
comctl32.dll
comdlg32.dll
gdi32.dll
msvcrt.dll
ole32.dll
oleaut32.dll
shell32.dll
user32.dll
No data.
All screenshots are available in the full report
Total processes: 156
Monitored processes: 100
Malicious processes: 8
Suspicious processes: 3

Behavior graph

start drop and start coinmine.exe no specs taskmgr.exe no specs taskhost.exe sipnotify.exe ie4uinit.exe no specs ie4uinit.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs ie4uinit.exe no specs unregmp2.exe ie4uinit.exe no specs regsvr32.exe chrmstp.exe no specs chrmstp.exe no specs imeklmg.exe no specs imeklmg.exe no specs imkrmig.exe no specs wmpnscfg.exe no specs wmpnscfg.exe no specs eosnotify.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrmstp.exe no specs chrmstp.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe chrome.exe no specs chrome.exe no specs youareanidiot.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs verclsid.exe no specs chrome.exe no specs taskmgr.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe chrome.exe no specs [email protected]

Process information

PID | CMD | Path | Parent process
1900 | "C:\Users\admin\AppData\Local\Temp\CoinMine.exe" | C:\Users\admin\AppData\Local\Temp\CoinMine.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\coinmine.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
2724 | "C:\Windows\system32\taskmgr.exe" | C:\Windows\System32\taskmgr.exe | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Task Manager
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2900 | "taskhost.exe" | C:\Windows\System32\taskhost.exe | services.exe
User: Administrator
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Host Process for Windows Tasks
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\taskhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3492 | C:\Windows\system32\sipnotify.exe -LogonOrUnlock | C:\Windows\System32\sipnotify.exe | taskeng.exe
User: Administrator
Company: Microsoft Corporation
Integrity Level: HIGH
Description: sipnotify
Exit code: 0
Version: 6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716)
Modules (images):
c:\windows\system32\sipnotify.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
3868 | "C:\Windows\System32\ie4uinit.exe" -UserConfig | C:\Windows\System32\ie4uinit.exe | explorer.exe
User: Administrator
Company: Microsoft Corporation
Integrity Level: HIGH
Description: IE Per-User Initialization Utility
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\windows\system32\ie4uinit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1792 | C:\Windows\System32\ie4uinit.exe -ClearIconCache | C:\Windows\System32\ie4uinit.exe | ie4uinit.exe
User: Administrator
Company: Microsoft Corporation
Integrity Level: HIGH
Description: IE Per-User Initialization Utility
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\windows\system32\ie4uinit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1272 | C:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,36 | C:\Windows\System32\rundll32.exe | ie4uinit.exe
User: Administrator
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2412 | C:\Windows\System32\rundll32 C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m | C:\Windows\System32\rundll32.exe | ie4uinit.exe
User: Administrator
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
3264 | C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0 | C:\Windows\System32\rundll32.exe | rundll32.exe
User: Administrator
Company: Microsoft Corporation
Integrity Level: LOW
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
2012 | C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0 | C:\Windows\System32\rundll32.exe | rundll32.exe
User: Administrator
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
Total events: 62 062
Read events: 60 164
Write events: 1 852
Delete events: 46

Modification events

(PID) Process: (3868) ie4uinit.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder
Operation: write | Name: Attributes | Value: 0

(PID) Process: (3868) ie4uinit.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
Operation: delete key | Name: (default) | Value: -

(PID) Process: (3868) ie4uinit.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3
Operation: write | Name: IEPropFontName | Value: Times New Roman

(PID) Process: (3868) ie4uinit.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3
Operation: write | Name: IEFixedFontName | Value: Courier New

(PID) Process: (3868) ie4uinit.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\4
Operation: write | Name: IEPropFontName | Value: Times New Roman

(PID) Process: (3868) ie4uinit.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\4
Operation: write | Name: IEFixedFontName | Value: Courier New

(PID) Process: (3868) ie4uinit.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\5
Operation: write | Name: IEPropFontName | Value: Times New Roman

(PID) Process: (3868) ie4uinit.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\5
Operation: write | Name: IEFixedFontName | Value: Courier New

(PID) Process: (3868) ie4uinit.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\6
Operation: write | Name: IEPropFontName | Value: Times New Roman

(PID) Process: (3868) ie4uinit.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\6
Operation: write | Name: IEFixedFontName | Value: Courier New
Executable files: 8
Suspicious files: 1 798
Text files: 788
Unknown types: 352

Dropped files

PID | Process | Filename | Type
2012 | rundll32.exe | C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\E3EJU7ZL\fwlink[1] | -
MD5: - | SHA256: -
2012 | rundll32.exe | C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\4TD0KH3X\fwlink[1] | -
MD5: - | SHA256: -
2012 | rundll32.exe | C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\2HM2BW7R\fwlink[1] | -
MD5: - | SHA256: -
2012 | rundll32.exe | C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\EK4BLZQC\fwlink[1] | -
MD5: - | SHA256: -
2012 | rundll32.exe | C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\E3EJU7ZL\fwlink[2] | -
MD5: - | SHA256: -
2012 | rundll32.exe | C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\4TD0KH3X\fwlink[2] | -
MD5: - | SHA256: -
2900 | taskhost.exe | C:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V01tmp.log | binary
MD5: 25219F63DACA6EA2714AEAB4895B91AE | SHA256: 3848CA23994428C76C07460FB36B062AF9A2A3E06DD3EA51F33F05B2A600E95C
3868 | ie4uinit.exe | C:\Windows\INF\setupapi.app.log | ini
MD5: A165925E182B307F7B9934DB4F104465 | SHA256: D17C20426320E1CA174F19BABB027B63594F7C91D689401C610420072DB8B4D6
2900 | taskhost.exe | C:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V01.log | binary
MD5: 25219F63DACA6EA2714AEAB4895B91AE | SHA256: 3848CA23994428C76C07460FB36B062AF9A2A3E06DD3EA51F33F05B2A600E95C
3868 | ie4uinit.exe | C:\Users\ADMINI~1\AppData\Local\Temp\RGIAA8.tmp | ini
MD5: 31CB7778F65DF8D02353E6C7B2B2CFFC | SHA256: 647A8C7F316EF325F73C2037E8883854F9287584904C977C81D1662DB6471A58
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 31
TCP/UDP connections: 61
DNS requests: 44
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
860 | svchost.exe | HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dl6iudcrkm7tlleep5b7sio2si_2937/jflookgnkcckhobaglndicnbbgbonegd_2937_all_n6dma56ie7wmbezc4aw6zyp2jq.crx3 | US | - | - | whitelisted
3492 | sipnotify.exe | HEAD | 200 | 23.212.215.38:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133248247726360000 | AU | - | - | whitelisted
3956 | chrome.exe | GET | 301 | 140.82.121.4:80 | http://github.com/endermanch | US | - | - | shared
860 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dl6iudcrkm7tlleep5b7sio2si_2937/jflookgnkcckhobaglndicnbbgbonegd_2937_all_n6dma56ie7wmbezc4aw6zyp2jq.crx3 | US | binary | 9.30 Kb | whitelisted
860 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dl6iudcrkm7tlleep5b7sio2si_2937/jflookgnkcckhobaglndicnbbgbonegd_2937_all_n6dma56ie7wmbezc4aw6zyp2jq.crx3 | US | binary | 12.4 Kb | whitelisted
860 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dl6iudcrkm7tlleep5b7sio2si_2937/jflookgnkcckhobaglndicnbbgbonegd_2937_all_n6dma56ie7wmbezc4aw6zyp2jq.crx3 | US | binary | 18.2 Kb | whitelisted
860 | svchost.exe | HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/cxpsjblnoxgjoqggdsbvujtof4_58/khaoiebndkojlmppeemjhbpbandiljpe_58_win_advr4ucepztwtigvw3fduftsvbeq.crx3 | US | binary | 18.2 Kb | whitelisted
860 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dl6iudcrkm7tlleep5b7sio2si_2937/jflookgnkcckhobaglndicnbbgbonegd_2937_all_n6dma56ie7wmbezc4aw6zyp2jq.crx3 | US | binary | 9.19 Kb | whitelisted
3956 | chrome.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?69e69a7d99462110 | US | compressed | 61.1 Kb | whitelisted
1240 | YouAreAnIdiot.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3956 | chrome.exe | 172.217.16.195:443 | clientservices.googleapis.com | GOOGLE | US | whitelisted
3956 | chrome.exe | 172.217.16.196:443 | www.google.com | GOOGLE | US | whitelisted
3956 | chrome.exe | 142.250.186.110:443 | clients2.google.com | GOOGLE | US | whitelisted
3956 | chrome.exe | 142.250.185.163:443 | ssl.gstatic.com | GOOGLE | US | whitelisted
3956 | chrome.exe | 142.250.74.193:443 | clients2.googleusercontent.com | GOOGLE | US | whitelisted
3956 | chrome.exe | 173.194.187.170:443 | r5---sn-4g5e6nz7.gvt1.com | GOOGLE | US | whitelisted
3956 | chrome.exe | 172.217.23.106:443 | www.googleapis.com | GOOGLE | US | whitelisted
3956 | chrome.exe | 142.250.186.45:443 | accounts.google.com | GOOGLE | US | suspicious
3492 | sipnotify.exe | 23.212.215.38:80 | query.prod.cms.rt.microsoft.com | AKAMAI-AS | AU | unknown
3956 | chrome.exe | 142.250.181.238:443 | redirector.gvt1.com | GOOGLE | US | whitelisted

DNS requests

Domain | IP | Reputation
query.prod.cms.rt.microsoft.com | 23.212.215.38 | whitelisted
accounts.google.com | 142.250.186.45 | shared
clients2.google.com | 142.250.186.110 | whitelisted
redirector.gvt1.com | 142.250.181.238 | whitelisted
r5---sn-4g5e6nz7.gvt1.com | 173.194.187.170 | whitelisted
clients2.googleusercontent.com | 142.250.74.193 | whitelisted
clientservices.googleapis.com | 172.217.16.195 | whitelisted
ssl.gstatic.com | 142.250.185.163 | whitelisted
www.googleapis.com | 172.217.23.106, 142.250.185.234, 142.250.184.234, 142.250.186.42, 142.250.186.170, 142.250.185.106, 142.250.186.74, 142.250.184.202, 142.250.185.138, 142.250.185.170, 172.217.16.202, 142.250.185.202, 142.250.185.74, 172.217.18.10, 142.250.186.138, 172.217.18.106 | whitelisted
www.google.com | 172.217.16.196 | whitelisted

Threats

PID | Process | Class | Message
3956 | chrome.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
No debug info