Malware analysis http://ul.to/jakj4ity Malicious activity

analyze malware

Huge database of samples and IOCs
Custom VM setup
Unlimited submissions
Interactive approach

Add for printing

URL:	http://ul.to/jakj4ity
Full analysis:	https://app.any.run/tasks/3b7b87a2-6d6d-4afc-a9e5-cbb76394a201
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	February 21, 2020, 18:30:21
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	loader
Indicators:
MD5:	CEE9E81AAC71FAEBD5A83601C6A48B27
SHA1:	856C97498DBAB31374C090555373C6AF4DB0EBB1
SHA256:	A3869DF4D004B7DECD5F302E3D68D0565D8120A88792226C6528AC678F30DA7B
SSDEEP:	3:N1KLrFRJ:C1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.17843 KB3058515
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Hyphenation Parent Package English
IE Spelling Parent Package English
IE Troubleshooters Package
InternetExplorer Optional Package
InternetExplorer Package TopLevel
KB2533623
KB2534111
KB2639308
KB2729094
KB2731771
KB2786081
KB2834140
KB2882822
KB2888049
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
PlatformUpdate Win7 SRV08R2 Package TopLevel
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - DiscoverAncestry.3d69991d72364e2d8f2b7b75b5294c48.exe (PID: 3168)
  - SlimCleanerPlus.exe (PID: 3748)
  - SlimCleanerPlus.exe (PID: 3264)
  - DriverUpdate-setup.exe (PID: 676)
  - MyFormsFinder.3b043792dea84780bdbd17a2448b16bf.exe (PID: 1832)
  - PDFConverterHQ.6e7c02f9e4f845d1951b8e79d4f0188f.exe (PID: 3436)
- Loads dropped or rewritten executable
  - DiscoverAncestry.3d69991d72364e2d8f2b7b75b5294c48.exe (PID: 3168)
  - Rundll32.exe (PID: 2380)
  - svchost.exe (PID: 860)
  - explorer.exe (PID: 372)
  - MyFormsFinder.3b043792dea84780bdbd17a2448b16bf.exe (PID: 1832)
  - Rundll32.exe (PID: 1296)
  - PDFConverterHQ.6e7c02f9e4f845d1951b8e79d4f0188f.exe (PID: 3436)
  - Rundll32.exe (PID: 2988)
- Downloads executable files from the Internet
  - SlimCleanerPlus.exe (PID: 3264)
- Changes settings of System certificates
  - SlimCleanerPlus.exe (PID: 3264)
SUSPICIOUS
- Starts Internet Explorer
  - explorer.exe (PID: 372)
- Reads Internet Cache Settings
  - DiscoverAncestry.3d69991d72364e2d8f2b7b75b5294c48.exe (PID: 3168)
  - MyFormsFinder.3b043792dea84780bdbd17a2448b16bf.exe (PID: 1832)
  - PDFConverterHQ.6e7c02f9e4f845d1951b8e79d4f0188f.exe (PID: 3436)
- Executable content was dropped or overwritten
  - iexplore.exe (PID: 3508)
  - iexplore.exe (PID: 1440)
  - DiscoverAncestry.3d69991d72364e2d8f2b7b75b5294c48.exe (PID: 3168)
  - SlimCleanerPlus.exe (PID: 3264)
  - msiexec.exe (PID: 3544)
  - MyFormsFinder.3b043792dea84780bdbd17a2448b16bf.exe (PID: 1832)
  - iexplore.exe (PID: 3068)
  - PDFConverterHQ.6e7c02f9e4f845d1951b8e79d4f0188f.exe (PID: 3436)
- Creates files in the user directory
  - DiscoverAncestry.3d69991d72364e2d8f2b7b75b5294c48.exe (PID: 3168)
  - MyFormsFinder.3b043792dea84780bdbd17a2448b16bf.exe (PID: 1832)
  - PDFConverterHQ.6e7c02f9e4f845d1951b8e79d4f0188f.exe (PID: 3436)
- Changes the started page of IE
  - DiscoverAncestry.3d69991d72364e2d8f2b7b75b5294c48.exe (PID: 3168)
  - MyFormsFinder.3b043792dea84780bdbd17a2448b16bf.exe (PID: 1832)
  - PDFConverterHQ.6e7c02f9e4f845d1951b8e79d4f0188f.exe (PID: 3436)
- Uses RUNDLL32.EXE to load library
  - DiscoverAncestry.3d69991d72364e2d8f2b7b75b5294c48.exe (PID: 3168)
  - MyFormsFinder.3b043792dea84780bdbd17a2448b16bf.exe (PID: 1832)
  - PDFConverterHQ.6e7c02f9e4f845d1951b8e79d4f0188f.exe (PID: 3436)
- Creates a software uninstall entry
  - DiscoverAncestry.3d69991d72364e2d8f2b7b75b5294c48.exe (PID: 3168)
  - MyFormsFinder.3b043792dea84780bdbd17a2448b16bf.exe (PID: 1832)
  - PDFConverterHQ.6e7c02f9e4f845d1951b8e79d4f0188f.exe (PID: 3436)
- Changes IE settings (feature browser emulation)
  - MsiExec.exe (PID: 3884)
- Changes the autorun value in the registry
  - MsiExec.exe (PID: 3884)
- Creates COM task schedule object
  - msiexec.exe (PID: 3544)
- Adds / modifies Windows certificates
  - SlimCleanerPlus.exe (PID: 3264)
INFO
- Reads Internet Cache Settings
  - iexplore.exe (PID: 1440)
  - iexplore.exe (PID: 3248)
  - iexplore.exe (PID: 3508)
  - iexplore.exe (PID: 3760)
  - iexplore.exe (PID: 924)
  - iexplore.exe (PID: 956)
  - iexplore.exe (PID: 2140)
  - iexplore.exe (PID: 3288)
  - iexplore.exe (PID: 3068)
  - iexplore.exe (PID: 280)
  - iexplore.exe (PID: 2000)
- Changes internet zones settings
  - iexplore.exe (PID: 1440)
- Reads internet explorer settings
  - iexplore.exe (PID: 3248)
  - iexplore.exe (PID: 3508)
  - iexplore.exe (PID: 924)
  - iexplore.exe (PID: 3760)
  - iexplore.exe (PID: 956)
  - iexplore.exe (PID: 3068)
  - iexplore.exe (PID: 3288)
  - iexplore.exe (PID: 2140)
  - iexplore.exe (PID: 2000)
  - iexplore.exe (PID: 280)
- Reads settings of System Certificates
  - iexplore.exe (PID: 3248)
  - iexplore.exe (PID: 3508)
  - SlimCleanerPlus.exe (PID: 3264)
  - iexplore.exe (PID: 924)
  - iexplore.exe (PID: 1440)
  - iexplore.exe (PID: 2140)
  - iexplore.exe (PID: 956)
  - iexplore.exe (PID: 3068)
  - iexplore.exe (PID: 280)
  - iexplore.exe (PID: 2000)
  - iexplore.exe (PID: 3288)
- Creates files in the user directory
  - iexplore.exe (PID: 3248)
  - iexplore.exe (PID: 3508)
  - iexplore.exe (PID: 1440)
  - iexplore.exe (PID: 3760)
  - iexplore.exe (PID: 924)
  - iexplore.exe (PID: 956)
  - iexplore.exe (PID: 2140)
  - iexplore.exe (PID: 3068)
  - iexplore.exe (PID: 3288)
  - iexplore.exe (PID: 280)
- Dropped object may contain TOR URL's
  - iexplore.exe (PID: 3248)
  - iexplore.exe (PID: 2000)
- Application launched itself
  - iexplore.exe (PID: 1440)
  - msiexec.exe (PID: 3544)
- Modifies the phishing filter of IE
  - iexplore.exe (PID: 1440)
- Dropped object may contain Bitcoin addresses
  - svchost.exe (PID: 860)
  - iexplore.exe (PID: 3508)
  - DiscoverAncestry.3d69991d72364e2d8f2b7b75b5294c48.exe (PID: 3168)
  - iexplore.exe (PID: 924)
  - iexplore.exe (PID: 3760)
  - msiexec.exe (PID: 3544)
  - iexplore.exe (PID: 3248)
  - iexplore.exe (PID: 1440)
- Creates files in the program directory
  - msiexec.exe (PID: 3544)
- Creates a software uninstall entry
  - msiexec.exe (PID: 3544)
- Changes settings of System certificates
  - iexplore.exe (PID: 1440)
- Adds / modifies Windows certificates
  - iexplore.exe (PID: 1440)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
1440	"C:\Program Files\Internet Explorer\iexplore.exe" "http://ul.to/jakj4ity"	C:\Program Files\Internet Explorer\iexplore.exe		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
3248	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1440 CREDAT:267521 /prefetch:2	C:\Program Files\Internet Explorer\iexplore.exe		iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
3508	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1440 CREDAT:3085581 /prefetch:2	C:\Program Files\Internet Explorer\iexplore.exe		iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
3168	"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\DiscoverAncestry.3d69991d72364e2d8f2b7b75b5294c48.exe"	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\DiscoverAncestry.3d69991d72364e2d8f2b7b75b5294c48.exe		iexplore.exe
User: admin Company: Mindspark Interactive Network, Inc. Integrity Level: MEDIUM Description: DiscoverAncestry Setup Exit code: 0 Version: 2.7.1.3000
2380	"Rundll32.exe" "C:\Users\admin\AppData\Local\DiscoverAncestryTooltab\TooltabExtension.dll",A -hp=https://hp.myway.com/discoverancestry/ttab02/index.html -ua="(Windows NT 6.1; Win32; MSIE 11.0; Build 7601; SP 1)" -ul=https://anx.mindspark.com/anx.gif?anxa=%251&anxe=%252&anxt=ED1C7E5C-851F-4296-B242-3A65B4628DC1&anxtv=2.7.1.3000&anxp=^BSH^yyyyyy^TTAB02^gb&anxsi=&anxv=%253&anxd=2020-02-21&anxr=%254 -hu=SHOW	C:\Windows\system32\Rundll32.exe	—	DiscoverAncestry.3d69991d72364e2d8f2b7b75b5294c48.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3748	SI_MODE=toaster SI_DELAY=60 SI_LAUNCH=onreboot @P2_ORIGIN=^BSH^yyyyyy^TTAB02^gb @P2=^SW2^xdm110 @UL_STUBID=3d69991d72364e2d8f2b7b75b5294c48	C:\Users\admin\AppData\Local\Temp\nsr3D8A.tmp\SlimCleanerPlus.exe	—	DiscoverAncestry.3d69991d72364e2d8f2b7b75b5294c48.exe
User: admin Company: SlimWare Utilities Holdings, Inc. Integrity Level: MEDIUM Description: DriverUpdate SlimWare Downloader Exit code: 3221226540 Version: 2.4.1
3264	"C:\Users\admin\AppData\Local\Temp\nsr3D8A.tmp\SlimCleanerPlus.exe" SI_MODE=toaster SI_DELAY=60 SI_LAUNCH=onreboot @P2_ORIGIN=^BSH^yyyyyy^TTAB02^gb @P2=^SW2^xdm110 @UL_STUBID=3d69991d72364e2d8f2b7b75b5294c48	C:\Users\admin\AppData\Local\Temp\nsr3D8A.tmp\SlimCleanerPlus.exe		DiscoverAncestry.3d69991d72364e2d8f2b7b75b5294c48.exe
User: admin Company: SlimWare Utilities Holdings, Inc. Integrity Level: HIGH Description: DriverUpdate SlimWare Downloader Exit code: 0 Version: 2.4.1
924	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1440 CREDAT:3282259 /prefetch:2	C:\Program Files\Internet Explorer\iexplore.exe		iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
3760	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1440 CREDAT:3806500 /prefetch:2	C:\Program Files\Internet Explorer\iexplore.exe		iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
676	"C:\Users\admin\AppData\Local\Temp\DriverUpdate-setup.exe" SI_MODE=toaster SI_DELAY=60 SI_LAUNCH=onreboot	C:\Users\admin\AppData\Local\Temp\DriverUpdate-setup.exe	—	SlimCleanerPlus.exe
User: admin Company: SlimWare Utilities, Inc. Integrity Level: HIGH Description: SlimWare Installer Exit code: 0 Version: 2.3.1

Add for printing

Total events

16 562

Read events

7 247

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

226

Text files

684

Unknown types

119

Dropped files

PID	Process	Filename		Type
3248	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\protoculous[1].js		text
		MD5:A28BC466CC4DB9C7A4597AF552E3C9A3	SHA256:841CC73402A126EF429E6FF3880241BDA3178F4C749742534A492788E77B8D41
3248	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\md5[1].js		text
		MD5:F2129BB8CBFB0CA75B94A2598ACE6664	SHA256:C84D257DA1EFB65E852C20D2F2F288F02BB5F3F02B4E7D25E416B502522FCC5B
3248	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\8QU1CQCK.txt		text
		MD5:70D9F5087FDDD356531ECB9E1C8F0603	SHA256:D56CBC1BA8EACBCCACA39C10C6F0ACFF735C0E959754D64EC6ECB8584685241E
860	svchost.exe	C:\Windows\appcompat\programs\RecentFileCache.bcf		txt
		MD5:9D8FC6D7D4BE05ECA3CFDA3A4290AD3D	SHA256:A3000F6B5ECDEA78C06CA08B65791B1DFD94A6F41A0A734F9817DAE59D098D69
3248	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\layout[1].css		text
		MD5:19C2A572421AF933C2D9FED4EB868035	SHA256:28FB00F2ACC80901172910A92A5BF237724512FC06389C3A362BB0C0ED014055
3248	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\uploaded[1].png		image
		MD5:535A0F1938068335294FCBC11A5D2EED	SHA256:4DECDF09D8D89D64C03AEDB734C03B82CC88D4D3848D310E6341184BDC49C278
3248	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\noIE[1].css		text
		MD5:86FC7C8B98A348FB8454F8D5245291BD	SHA256:05A7D4D308ECC8A536F4898237B8EE007D8210D0267D039D477AF3DCC498E0F8
3248	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\spcjs[1].js		text
		MD5:E8F4837AA90F441AEAE22F5B2A8DF600	SHA256:05669517827ED173506104F0A24D1763B5745A4DB9E2562F856B5D829F178DA0
3248	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\ablock[1].js		text
		MD5:A7177B97321A032F879B2C3DFE735707	SHA256:66095259CFB39E3DEEBC4F36806A02975A167A4807BC518ED69F9E3FC6B346AB
3248	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\uploader-min[1].js		text
		MD5:CEFD4E26B4ECC77B5AD5C493F92AEBB6	SHA256:BFA62C5FF7F1FFBA26DBD9BE4F9FE8370E66227B3B264495915CE5C151B52484

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

164

TCP/UDP connections

501

DNS requests

137

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3248	iexplore.exe	GET	200	81.171.123.200:80	http://uploaded.net/js2/yahoo-dom-event.js	NL	text	14.4 Kb	whitelisted
3248	iexplore.exe	GET	200	81.171.123.200:80	http://uploaded.net/js/script.js	NL	html	14.6 Kb	whitelisted
3248	iexplore.exe	GET	200	81.171.123.204:80	http://udarem.com/spcjs.php?id=1&target=_blank	NL	text	750 b	unknown
3248	iexplore.exe	GET	200	81.171.123.200:80	http://uploaded.net/js/guest.js	NL	text	1.59 Kb	whitelisted
3248	iexplore.exe	GET	200	81.171.123.200:80	http://uploaded.net/img/layout.css?xcache=3256	NL	text	13.0 Kb	whitelisted
3248	iexplore.exe	GET	200	81.171.123.200:80	http://uploaded.net/js2/uploader-min.js	NL	text	3.79 Kb	whitelisted
3248	iexplore.exe	GET	200	81.171.123.200:80	http://uploaded.net/img/noIE.css	NL	text	1.20 Kb	whitelisted
3248	iexplore.exe	GET	200	81.171.123.200:80	http://uploaded.net/js2/protoculous.js?v=1	NL	text	51.9 Kb	whitelisted
3248	iexplore.exe	GET	200	81.171.123.200:80	http://uploaded.net/img/e/warn-sign.png	NL	image	336 b	whitelisted
3248	iexplore.exe	GET	200	81.171.123.200:80	http://uploaded.net/img/e/center.gif	NL	image	282 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3248	iexplore.exe	81.171.123.204:80	udarem.com	StackPath LLC	NL	unknown
3248	iexplore.exe	52.206.141.131:80	sadorsagreeng.info	Amazon.com, Inc.	US	unknown
3248	iexplore.exe	13.35.254.70:80	d1w24oanovvxvg.cloudfront.net	—	US	suspicious
3248	iexplore.exe	216.58.205.227:80	ocsp.pki.goog	Google Inc.	US	whitelisted
3248	iexplore.exe	54.81.42.188:80	diantcummiere.info	Amazon.com, Inc.	US	unknown
3248	iexplore.exe	81.171.123.200:80	uploaded.net	StackPath LLC	NL	suspicious
3248	iexplore.exe	172.217.22.100:443	www.google.com	Google Inc.	US	whitelisted
3248	iexplore.exe	143.204.208.134:80	dc5k8fg5ioc8s.cloudfront.net	—	US	whitelisted
3248	iexplore.exe	216.58.206.2:443	adservice.google.com	Google Inc.	US	whitelisted
3248	iexplore.exe	172.217.23.162:80	pagead2.googlesyndication.com	Google Inc.	US	whitelisted

DNS requests

Domain	IP	Reputation
ul.to	95.101.72.51 95.101.72.35	malicious
uploaded.net	81.171.123.200	whitelisted
udarem.com	81.171.123.204	unknown
www.google.com	172.217.22.100 216.58.210.4	whitelisted
api.bing.com	13.107.5.80	whitelisted
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
ocsp.pki.goog	216.58.205.227	whitelisted
dc5k8fg5ioc8s.cloudfront.net	143.204.208.134 143.204.208.188 143.204.208.189 143.204.208.29	shared
sadorsagreeng.info	52.206.141.131 3.213.126.51 54.84.230.40 100.24.131.182	unknown
diantcummiere.info	54.81.42.188 52.44.195.200 3.222.228.88 52.45.126.182 3.210.115.87	suspicious

Threats

PID	Process	Class	Message
1052	svchost.exe	Potentially Bad Traffic	ET DNS Query for .to TLD
3248	iexplore.exe	Misc activity	SUSPICIOUS [PTsecurity] JS obfuscation (obfuscator.io)
3264	SlimCleanerPlus.exe	Generic Protocol Command Decode	SURICATA HTTP Request abnormal Content-Encoding header
3264	SlimCleanerPlus.exe	Potentially Bad Traffic	ET POLICY Executable served from Amazon S3
3264	SlimCleanerPlus.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
3508	iexplore.exe	Generic Protocol Command Decode	SURICATA HTTP unable to match response to request

5 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

http://ul.to/jakj4ity

CEE9E81AAC71FAEBD5A83601C6A48B27

856C97498DBAB31374C090555373C6AF4DB0EBB1

A3869DF4D004B7DECD5F302E3D68D0565D8120A88792226C6528AC678F30DA7B

3:N1KLrFRJ:C1

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Downloads executable files from the Internet

Changes settings of System certificates

SUSPICIOUS

Starts Internet Explorer

Reads Internet Cache Settings

Executable content was dropped or overwritten

Creates files in the user directory

Changes the started page of IE

Uses RUNDLL32.EXE to load library

Creates a software uninstall entry

Changes IE settings (feature browser emulation)

Changes the autorun value in the registry

Creates COM task schedule object

Adds / modifies Windows certificates

INFO

Reads Internet Cache Settings

Changes internet zones settings

Reads internet explorer settings

Reads settings of System Certificates

Creates files in the user directory

Dropped object may contain TOR URL's

Application launched itself

Modifies the phishing filter of IE

Dropped object may contain Bitcoin addresses

Creates files in the program directory

Creates a software uninstall entry

Changes settings of System certificates

Adds / modifies Windows certificates

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings