URL: https://www.hitnslab.cn

Full analysis: https://app.any.run/tasks/a13f8edb-5c8a-4eaf-8108-c745e17967df
Verdict: Malicious activity
Analysis date: March 09, 2020, 16:09:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: D8D052F6587EE453921963624B1C4336
SHA1: 5400E9A056C7D3F81318D7E91AF25EFC43A99009
SHA256: 87277BE94B8F9221F26BF04EFBEC3E3735B4C4137372D4DCA51904E82656F892
SSDEEP: 3:N8DSLkWJE4:2OLkOT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    No suspicious indicators.
  • INFO
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3216)
      • iexplore.exe (PID: 2296)
      • iexplore.exe (PID: 2192)
    • Changes internet zones settings
      • iexplore.exe (PID: 2192)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3216)
      • iexplore.exe (PID: 2296)
    • Creates files in the user directory
      • iexplore.exe (PID: 2296)
      • iexplore.exe (PID: 2192)
      • iexplore.exe (PID: 3216)
    • Application launched itself
      • iexplore.exe (PID: 2192)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 3216)
      • iexplore.exe (PID: 2192)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 2192)
    • Changes settings of System certificates
      • iexplore.exe (PID: 2192)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start → iexplore.exe (PID 2192) → iexplore.exe (PID 2296), iexplore.exe (PID 3216)

Process information

PID: 2192
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.hitnslab.cn
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (Images):
  c:\program files\internet explorer\iexplore.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\iertutil.dll

PID: 2296
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2192 CREDAT:4068736 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (Images):
  c:\program files\internet explorer\iexplore.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\iertutil.dll

PID: 3216
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2192 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (Images):
  c:\program files\internet explorer\iexplore.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\iertutil.dll
Total events: 11 495
Read events: 1 548
Write events: 6 791
Delete events: 3 156

Modification events

(PID) Process: (3216) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (3216) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3216) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2192) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateLowDateTime
Value: 647099870

(PID) Process: (2192) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 30799405

(PID) Process: (2192) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (2192) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2192) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2192) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (2192) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0
Executable files: 0
Suspicious files: 149
Text files: 385
Unknown types: 61

Dropped files

PID | Process | Filename | Type
2192 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | (not listed)
  MD5: (not listed)  SHA256: (not listed)
3216 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\8QU1CQCK.txt | (not listed)
  MD5: (not listed)  SHA256: (not listed)
3216 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\1UAOJV3W.txt | (not listed)
  MD5: (not listed)  SHA256: (not listed)
3216 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\qsml[1].htm | (not listed)
  MD5: (not listed)  SHA256: (not listed)
3216 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\UJV80ULR.txt | (not listed)
  MD5: (not listed)  SHA256: (not listed)
2192 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\StructuredQuery.log | text
  MD5: 31C0A1A57CD50678283805CE106F73CC
  SHA256: F346016ECD0A56038757590D6050157FFD898D91695C5853B711FD749EDF787D
3216 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\errorPageStrings[1] | text
  MD5: E3E4A98353F119B80B323302F26B78FA
  SHA256: 9466D620DC57835A2475F8F71E304F54AEE7160E134BA160BAAE0F19E5E71E66
3216 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\OIXKDX24.txt | text
  MD5: B4CCBC31B629FC2CB928F0EDE210361C
  SHA256: 2CD59277BFA18860E6DB9C0DDD09D78BC9591FE8081A7EC990123B07CC3E5DE6
3216 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\453HF2UZ.txt | text
  MD5: 1D3E01B8A1F7B6943C527F4723D37897
  SHA256: DABA6FD6F541B9A0CC1E3A12C267DA07D8856BE1D3EC1E221384B3DC4AFD8E66
3216 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT | smt
  MD5: 9F7790A0DE2E0EDEC9776EE40CF40B1A
  SHA256: 76DBD963AE2A4318193E7AEE5E981BBF68D3D8E04E468F4E4B9340298DD2D3DD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 149
TCP/UDP connections: 212
DNS requests: 79
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3216 | iexplore.exe | GET | 200 | 13.107.5.80:80 | http://api.bing.com/qsml.aspx?query=www.hitnslab.cn%2F&maxwidth=32765&rowheight=20&sectionHeight=160&FORM=IE11SS&market=en-US | US | xml | 172 b | whitelisted
3216 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/search?q=www.hitnslab.cn%2F&src=IE-TopResult&FORM=IE11TR&conversationid= | US | html | 32.9 Kb | whitelisted
2192 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
3216 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/sa/simg/SharedSpriteDesktop_TealSpyglassUpdate_2x_021820.png | US | image | 11.2 Kb | whitelisted
3216 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/rb/15/cj,nj/1a10eb03/af615ab8.js?bu=Di8YZHB1eG1naq8BsQEYnAEY | US | text | 7.65 Kb | whitelisted
3216 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/rs/3Q/p9/cj,nj/1beceeda/3baa9af7.js | US | text | 425 b | whitelisted
3216 | iexplore.exe | POST | 204 | 204.79.197.200:80 | http://www.bing.com/fd/ls/lsp.aspx? | US | image | 11.2 Kb | whitelisted
3216 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/rb/5h/cj,nj/e3ca6b81/a77c5ed0.js?bu=EvQglCG8IMIgpQXPINEgnyHTIOMg6iCWIZohiCH-H_0egB_sHw | US | text | 5.42 Kb | whitelisted
3216 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/rs/30/28/cj,nj/3f1e2270/f8c6dd44.js | US | text | 773 b | whitelisted
3216 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/fd/ls/l?IG=FB5FB8D32E1F43D2A4F77DCBE2EFCC39&CID=02360F3A3FC26B430DA301B23ECB6A36&Type=Event.CPT&DATA={"pp":{"S":"L","FC":27,"BC":298,"SE":-1,"TC":-1,"H":394,"BP":396,"CT":410,"IL":2},"ad":[-1,-1,1264,644,1264,502,0]}&P=SERP&DA=HKG01 | US | compressed | 32.9 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3216 | iexplore.exe | 172.217.16.130:443 | pagead2.googlesyndication.com | Google Inc. | US | whitelisted
3216 | iexplore.exe | 47.246.48.204:443 | img-blog.csdn.net | (not listed) | US | suspicious
2192 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3216 | iexplore.exe | 13.107.5.80:80 | api.bing.com | Microsoft Corporation | US | whitelisted
3216 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3216 | iexplore.exe | 40.126.1.166:443 | login.microsoftonline.com | Microsoft Corporation | US | malicious
3216 | iexplore.exe | 40.90.22.192:443 | login.live.com | Microsoft Corporation | US | malicious
3216 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3216 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
3216 | iexplore.exe | 104.18.25.243:80 | ocsp.msocsp.com | Cloudflare Inc | US | shared

DNS requests

Domain | IP | Reputation
www.hitnslab.cn | 104.193.88.77, 104.193.88.123 | malicious
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
login.microsoftonline.com | 40.126.1.166, 40.126.1.128, 20.190.129.2, 40.126.1.130, 20.190.129.160 | whitelisted
login.live.com | 40.90.22.192, 40.90.22.187, 40.90.22.189 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
ocsp.msocsp.com | 104.18.25.243, 104.18.24.243 | whitelisted
0922e048cd5f25fac384f55697721c05.clo.footprintdns.com | 52.231.32.10 | unknown
www2.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
d144d7c7eb83e99c61ef6b3f71e29d35.clo.footprintdns.com | 204.79.197.222 | suspicious

Threats

No threats detected
No debug info