URL:

https://amxdh1.icu

Full analysis: https://app.any.run/tasks/0e338c0c-82ea-496f-b60d-9ea6fba1610a
Verdict: Malicious activity
Analysis date: April 29, 2025, 14:27:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

6679691618C92639863A33D24C4F8D0F

SHA1:

D3B4DFECB970E1BA0085176D991A0985AD7D79BB

SHA256:

9BBD7D0C0F66BFD2D51ACDB1FA5224D23B9F374AD10A4B40B62CDB9AE54697E3

SSDEEP:

3:N8dGQ:2dGQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2624)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1080C:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2364"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2624 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
2624"C:\Program Files\Internet Explorer\iexplore.exe" "https://amxdh1.icu"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
17 712
Read events
17 610
Write events
83
Delete events
19

Modification events

(PID) Process:(2624) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{05A9C42F-2506-11F0-B32B-12A9866C77DE}
Value:
0
(PID) Process:(2624) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(2624) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
Operation:writeName:UpgradeTime
Value:
865C42C812B9DB01
(PID) Process:(2624) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:FullScreen
Value:
no
(PID) Process:(2624) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:Window_Placement
Value:
2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
(PID) Process:(2624) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery
Operation:writeName:Active
Value:
0
(PID) Process:(1080) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet
Operation:writeName:{4040CF00-1B3E-486A-B407-FA14C56B6FC0}
Value:
D4DA6D3E3157
(PID) Process:(2364) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2364) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2624) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76464F5C-7142-481A-B7C8-27207E88A00E}
Operation:writeName:WpadDecisionReason
Value:
1
Executable files
0
Suspicious files
57
Text files
29
Unknown types
6

Dropped files

PID
Process
Filename
Type
1080svchost.exeC:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Tar21CE.tmpcat
MD5:91A1B89AA7A488DBB204DBB4767F1F21
SHA256:F6BE95C88C20EF82EE8A6878E16F9ECD77300BC1905EB826592A0DD41AD1C0F8
2364iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:170EDDB9290F917ADE20D5ED941658C9
SHA256:E09926AA5773C1D74CA94DA5EEC203813D9ED2F4DD2E56B6D3002E21072A53F8
2364iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:77B20B5CD41BC6BB475CCA3F91AE6E3C
SHA256:5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509
2364iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\107D6567F12C600FF61E03899EEA55B8_85BF81CF9BA73A57390A236A8BDE76C9der
MD5:B421766AEAC81C1CCA90BE28D74776A3
SHA256:78C6DB2E4A91EEBE76535469A268F5CC900A1921AECD70F4884D4CFCE9B9CDC1
2364iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\magnific-popup[1].csstext
MD5:30B593B71D7672658F89BFEA0AB360C9
SHA256:45D1F5F6CF913746C45DD697B1A8F3B719C02D8B3F678DC7FC2766D54E1AAF6E
1080svchost.exeC:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab21CD.tmpcompressed
MD5:77B20B5CD41BC6BB475CCA3F91AE6E3C
SHA256:5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509
2364iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751binary
MD5:B2190C16474C0F3809BE0706EEAFB1AD
SHA256:ABFD26F2C7EE76225E6D752EEE7542DFF7BB231B46CFE9FDE0598CACA6349E86
2364iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751der
MD5:E192462F281446B5D1500D474FBACC4B
SHA256:F1BA9F1B63C447682EBF9DE956D0DA2A027B1B779ABEF9522D347D3479139A60
2364iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\ZNLTDCLW.htmhtml
MD5:3C43FA9D290A043F3E99081B3F80463B
SHA256:2C91F226CF79BD51430D9D5CD8ACCD7F56C3EC43D2C7518AB45E3D4EE5FB5BD2
1080svchost.exeC:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab216D.tmpcompressed
MD5:77B20B5CD41BC6BB475CCA3F91AE6E3C
SHA256:5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
32
DNS requests
16
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2364
iexplore.exe
GET
200
208.89.74.21:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d0e934d27e56d5ed
unknown
whitelisted
2364
iexplore.exe
GET
200
208.89.74.21:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7edf4fff8357cb61
unknown
whitelisted
2364
iexplore.exe
GET
200
69.192.161.44:80
http://x1.c.lencr.org/
unknown
whitelisted
2364
iexplore.exe
GET
200
184.24.77.79:80
http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgbN9J1TGhZbcaTRWM3eJDc0Pg%3D%3D
unknown
whitelisted
2364
iexplore.exe
GET
200
142.250.184.227:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
2364
iexplore.exe
GET
200
142.250.185.131:80
http://o.pki.goog/we2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEQDnY2ln4HrjwQmvlODDuY3v
unknown
whitelisted
2364
iexplore.exe
GET
200
142.250.184.227:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
2364
iexplore.exe
GET
200
142.250.185.131:80
http://o.pki.goog/we2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEEF0oG7bE8JYEjRUxUACyd0%3D
unknown
whitelisted
2624
iexplore.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
2624
iexplore.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:138
whitelisted
2364
iexplore.exe
98.142.240.201:443
amxdh1.icu
VELCOM
CA
unknown
2364
iexplore.exe
208.89.74.21:80
ctldl.windowsupdate.com
US
whitelisted
2364
iexplore.exe
69.192.161.44:80
x1.c.lencr.org
AKAMAI-AS
DE
whitelisted
2364
iexplore.exe
184.24.77.79:80
r10.o.lencr.org
Akamai International B.V.
DE
whitelisted
2364
iexplore.exe
142.250.186.74:443
fonts.googleapis.com
GOOGLE
US
whitelisted
2364
iexplore.exe
142.250.184.227:80
c.pki.goog
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.142
whitelisted
amxdh1.icu
  • 98.142.240.201
unknown
ctldl.windowsupdate.com
  • 208.89.74.21
  • 208.89.74.19
  • 208.89.74.31
  • 208.89.74.27
  • 208.89.74.29
  • 208.89.74.23
  • 208.89.74.17
whitelisted
x1.c.lencr.org
  • 69.192.161.44
whitelisted
r10.o.lencr.org
  • 184.24.77.79
  • 184.24.77.65
  • 184.24.77.78
  • 184.24.77.71
  • 184.24.77.80
  • 184.24.77.69
  • 184.24.77.81
  • 184.24.77.67
  • 184.24.77.77
whitelisted
fonts.googleapis.com
  • 142.250.186.74
whitelisted
c.pki.goog
  • 142.250.184.227
whitelisted
o.pki.goog
  • 142.250.185.131
whitelisted
fonts.gstatic.com
  • 142.250.185.195
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted

Threats

PID
Process
Class
Message
1080
svchost.exe
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .icu Domain
2364
iexplore.exe
Potentially Bad Traffic
ET INFO Suspicious Domain (*.icu) in TLS SNI
2364
iexplore.exe
Potentially Bad Traffic
ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.icu)
2364
iexplore.exe
Potentially Bad Traffic
ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.icu)
2624
iexplore.exe
Potentially Bad Traffic
ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.icu)
2624
iexplore.exe
Potentially Bad Traffic
ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.icu)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://amxdh1.icu