URL:

http://151.106.56.254

Full analysis: https://app.any.run/tasks/5c1a3b09-fbd6-4c1d-a6dc-993018f81eff
Verdict: No threats detected
Analysis date: May 28, 2019, 12:17:09
OS: Windows 10 Professional (build: 16299, 64 bit)
Indicators:
MD5:

238191974505FA608B115658E5E2FFF0

SHA1:

0375D3F62CF68D298B1CBBD33E293BD6EB70B19F

SHA256:

83F2B94E3CB456EB1DA6FA139B202395B5F4496836A17281DAE6F8E4A39D2157

SSDEEP:

3:N1KoULUVmL0:CoULUVx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Checks supported languages

      • CredentialUIBroker.exe (PID: 432)

    • Executed via COM

      • CredentialUIBroker.exe (PID: 432)

    • Reads the machine GUID from the registry

      • mstsc.exe (PID: 2316)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 5924)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 5924)
      • mstsc.exe (PID: 2316)
      • IEXPLORE.EXE (PID: 3444)

    • Manual execution by user

      • mstsc.exe (PID: 2316)

    • Reads the software policy settings

      • iexplore.exe (PID: 5924)
      • mstsc.exe (PID: 2316)
      • IEXPLORE.EXE (PID: 3444)

    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 4536)
      • IEXPLORE.EXE (PID: 3444)

    • Reads the machine GUID from the registry

      • IEXPLORE.EXE (PID: 3444)
      • IEXPLORE.EXE (PID: 4536)
      • iexplore.exe (PID: 5924)

    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 5924)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
95
Monitored processes
6
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe mstsc.exe credentialuibroker.exe no specs iexplore.exe iexplore.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
432"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainerFailedMip -EmbeddingC:\Windows\System32\CredentialUIBroker.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Credential Manager UI Host
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\credentialuibroker.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
2316"C:\WINDOWS\system32\mstsc.exe" C:\WINDOWS\system32\mstsc.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Remote Desktop Connection
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mstsc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
3444"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5924 CREDAT:9476 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
4340"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5924 CREDAT:3937574 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
4536"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5924 CREDAT:9474 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
5924"C:\Program Files\internet explorer\iexplore.exe" http://151.106.56.254C:\Program Files\internet explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
1 847
Read events
1 723
Write events
124
Delete events
0

Modification events

(PID) Process:(5924) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:L1WatermarkLowPart
Value:
2774191708
(PID) Process:(5924) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:L1WatermarkHighPart
Value:
148288328
(PID) Process:(5924) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
1636665644
(PID) Process:(5924) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30741839
(PID) Process:(5924) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(5924) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(5924) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(5924) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(5924) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(5924) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
0
Suspicious files
9
Text files
26
Unknown types
2

Dropped files

PID
Process
Filename
Type
5924iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\UrlBlock\URLDE2D.tmp
MD5:
SHA256:
5924iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\UrlBlock\urlblock_636893521912712796.OLD
MD5:
SHA256:
432CredentialUIBroker.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PRICache\1289068558\2609689668.pripri
MD5:
SHA256:
5924iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\UrlBlock\urlblock_636946406815557620.binbinary
MD5:
SHA256:
5924iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLJYL64M\l1[1].datbinary
MD5:
SHA256:
5924iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZSVOB39W\iecompatviewlist[1].xmlxml
MD5:
SHA256:
3444IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\LD57I5PR\welcomeie11[1].htmhtml
MD5:
SHA256:
3444IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\LD57I5PR\da-fe9ebf[1].csstext
MD5:
SHA256:
3444IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\FZ4P8RAN\typographicintro[1].csstext
MD5:
SHA256:
3444IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\5UIG5DSE\meversion[1].jstext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
34
TCP/UDP connections
33
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4536
IEXPLORE.EXE
GET
151.106.56.254:80
http://151.106.56.254/
US
unknown
5924
iexplore.exe
GET
304
152.199.19.161:443
https://iecvlist.microsoft.com/ie11blocklist/1401746408/versionlist.xml
US
whitelisted
3444
IEXPLORE.EXE
GET
302
23.222.42.9:443
https://go.microsoft.com/fwlink/?LinkId=517287
NL
whitelisted
3444
IEXPLORE.EXE
GET
302
23.222.42.9:443
https://go.microsoft.com/fwlink/?LinkId=838604
NL
whitelisted
5924
iexplore.exe
GET
200
40.112.75.175:443
https://c.urs.microsoft.com/l1.dat?v=3&cv=9.11.16299.0&os=10.0.16299.0.0&pg=4A72F430-B40C-4D36-A068-CE33ADA5ADF9
IE
binary
57.3 Kb
whitelisted
5924
iexplore.exe
GET
200
152.199.19.161:443
https://iecvlist.microsoft.com/IE11/1478281996/iecompatviewlist.xml?cvlp=4587762498695031746
US
xml
243 Kb
whitelisted
3444
IEXPLORE.EXE
GET
301
2.18.233.62:443
https://www.microsoft.com/en-us/welcomeie11/
unknown
whitelisted
3444
IEXPLORE.EXE
GET
200
2.18.233.62:443
https://www.microsoft.com/onerfstatics/marketingsites-neu-prod/west-european/welcomeie11/_scrf/css/themes=default.device=uplevel_web_pc_ie/e0-f738f0/bb-57b92e/da-fe9ebf?ver=2.0
unknown
text
76.5 Kb
whitelisted
3444
IEXPLORE.EXE
GET
200
2.18.233.62:443
https://www.microsoft.com/onerfstatics/marketingsites-neu-prod/welcomeie11/_scrf/js/themes=default/78-6f121b/1e-fd610f?ver=2.0
unknown
text
64.8 Kb
whitelisted
3444
IEXPLORE.EXE
GET
200
2.18.233.62:443
https://www.microsoft.com/onerfstatics/marketingsites-neu-prod/welcomeie11/_scrf/js/themes=default/2f-63ce8f/2d-7a9063/dc-7e9864/4f-5115f8/7d-266f10/4a-abd94b/78-4c7d22/9f-d154ca/e4-8302f6/cd-23d3b0/6d-1e7ed0/b7-cadaa7/ca-40b7b0/4e-ee3a55/3e-f5c39b/c3-6454d7/f9-7592d3/92-10345d/f8-73a5f2/79-499886/7e-cda2d3/32-6dafa3/93-283c2d/91-97a04f/1f-100dea/33-abe4df/18-d72213/e3-082b89?ver=2.0
unknown
text
102 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4536
IEXPLORE.EXE
151.106.56.254:80
US
unknown
2316
mstsc.exe
151.106.56.254:3389
US
unknown
5924
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
5924
iexplore.exe
40.112.75.175:443
c.urs.microsoft.com
Microsoft Corporation
IE
unknown
3444
IEXPLORE.EXE
2.18.233.62:443
www.microsoft.com
Akamai International B.V.
whitelisted
3444
IEXPLORE.EXE
23.222.42.9:443
go.microsoft.com
Akamai Technologies, Inc.
NL
whitelisted
2.18.233.62:443
www.microsoft.com
Akamai International B.V.
whitelisted
3444
IEXPLORE.EXE
104.109.56.54:443
mem.gfx.ms
Akamai International B.V.
NL
whitelisted
104.109.56.54:443
mem.gfx.ms
Akamai International B.V.
NL
whitelisted
2.16.186.40:443
img-prod-cms-rt-microsoft-com.akamaized.net
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
c.urs.microsoft.com
  • 40.112.75.175
whitelisted
ieonline.microsoft.com
  • 204.79.197.200
whitelisted
go.microsoft.com
  • 23.222.42.9
whitelisted
www.microsoft.com
  • 2.18.233.62
whitelisted
c.s-microsoft.com
  • 2.18.233.62
whitelisted
mem.gfx.ms
  • 104.109.56.54
whitelisted
img-prod-cms-rt-microsoft-com.akamaized.net
  • 2.16.186.40
  • 2.16.186.27
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://151.106.56.254