URL:

http://puklusi.ru/webarsm

Full analysis: https://app.any.run/tasks/651f8d32-f909-4d56-a7a7-b4df94e4f125
Verdict: No threats detected
Analysis date: August 31, 2019, 11:44:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MD5:

52EBECC23A356F39376CF6EB60F0C93D

SHA1:

01635B38AEE592C1BB8D19FB0C3DE48D54A91FDC

SHA256:

A7E034F763F75DAE2BCB47AC85FE880F9042B323DCAFDE99F7D87A57FFAB077B

SSDEEP:

3:N1KOQOJKXfzH+P:CObJKXfzeP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executed via COM

      • FlashUtil64_27_0_0_187_ActiveX.exe (PID: 2872)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2644)

    • Changes internet zones settings

      • iexplore.exe (PID: 2644)

    • Reads the machine GUID from the registry

      • FlashUtil64_27_0_0_187_ActiveX.exe (PID: 2872)
      • iexplore.exe (PID: 2644)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2644)
      • IEXPLORE.EXE (PID: 2460)

    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 2460)

    • Creates files in the user directory

      • iexplore.exe (PID: 2644)
      • IEXPLORE.EXE (PID: 2460)
      • FlashUtil64_27_0_0_187_ActiveX.exe (PID: 2872)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe flashutil64_27_0_0_187_activex.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2460"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:267521 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2644"C:\Program Files\Internet Explorer\iexplore.exe" "http://puklusi.ru/webarsm"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2872C:\Windows\system32\Macromed\Flash\FlashUtil64_27_0_0_187_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil64_27_0_0_187_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 27.0 r0
Exit code:
0
Version:
27,0,0,187
Modules
Images
c:\windows\system32\macromed\flash\flashutil64_27_0_0_187_activex.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
760
Read events
625
Write events
134
Delete events
1

Modification events

(PID) Process:(2644) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
3
(PID) Process:(2644) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
1885035280
(PID) Process:(2644) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30760945
(PID) Process:(2644) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
2185350280
(PID) Process:(2644) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30760945
(PID) Process:(2644) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2644) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2644) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2644) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2644) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
Executable files
0
Suspicious files
3
Text files
111
Unknown types
58

Dropped files

PID
Process
Filename
Type
2460IEXPLORE.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\NQSIUWAT.txt
MD5:
SHA256:
2460IEXPLORE.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\54XFSD0H.txt
MD5:
SHA256:
2460IEXPLORE.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\1UO5DLT4.txt
MD5:
SHA256:
2460IEXPLORE.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\3EJZGP25.txt
MD5:
SHA256:
2460IEXPLORE.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\XD4WE0DU.txt
MD5:
SHA256:
2460IEXPLORE.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\QMUHCVL6.txt
MD5:
SHA256:
2460IEXPLORE.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\1JFZSFTZ.txt
MD5:
SHA256:
2460IEXPLORE.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\UZ04EOJF.txt
MD5:
SHA256:
2460IEXPLORE.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\8RAPHOAL.txt
MD5:
SHA256:
2460IEXPLORE.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\4SXJWKH1.txttext
MD5:2A4046BC146475C318BD6FD3ECD80960
SHA256:143AC6F9689E75B0148D3F0D3BAFB51C5AAD58E5BA693446C48735DF87C146C5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
120
TCP/UDP connections
62
DNS requests
25
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2460
IEXPLORE.EXE
GET
302
104.16.147.241:443
https://chaturbate.com/toproom/?join_overlay=1&tour=hr8m&disable_sound=0&campaign=UqG6Z
US
suspicious
2460
IEXPLORE.EXE
GET
302
104.27.145.1:80
http://puklusi.ru/webarsm
US
shared
2460
IEXPLORE.EXE
GET
200
104.16.147.241:443
https://chaturbate.com/blondcandy/?tour=hr8m&join_overlay=1&campaign=UqG6Z&disable_sound=0
US
html
102 Kb
suspicious
2460
IEXPLORE.EXE
GET
301
104.16.147.241:80
http://chaturbate.com/toproom/?join_overlay=1&tour=hr8m&disable_sound=0&campaign=UqG6Z
US
suspicious
2460
IEXPLORE.EXE
GET
200
104.16.46.23:443
https://ssl-ccstatic.highwebmedia.com/images/logo-standard.png
US
image
23.0 Kb
shared
2460
IEXPLORE.EXE
GET
200
104.16.46.23:443
https://ssl-ccstatic.highwebmedia.com/CACHE/css/output.bcedc0a78cd4.css
US
text
29 b
shared
2460
IEXPLORE.EXE
GET
200
104.16.147.241:443
https://chaturbate.com/jsi18n/
US
text
2.30 Kb
suspicious
2460
IEXPLORE.EXE
GET
200
104.16.46.23:443
https://ssl-ccstatic.highwebmedia.com/CACHE/css/output.457cfb6e2652.css
US
text
74.6 Kb
shared
2460
IEXPLORE.EXE
GET
200
104.16.48.55:443
https://camo.stream.highwebmedia.com/a90891300d78e7d34e876a6d4c5befb22565ff21/687474703a2f2f342e62702e626c6f6773706f742e636f6d2f2d76656873637956384347382f55543733617966624c45492f41414141414141414174382f30767079653231456e38552f73313630302f4163746976652d547769747465722d69636f6e2e706e67
US
image
24.5 Kb
shared
2460
IEXPLORE.EXE
GET
200
104.16.46.23:443
https://ssl-ccstatic.highwebmedia.com/images/report_div_carrot.gif
US
image
226 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2460
IEXPLORE.EXE
104.16.46.23:443
ssl-ccstatic.highwebmedia.com
Cloudflare Inc
US
shared
2460
IEXPLORE.EXE
104.16.147.241:443
chaturbate.com
Cloudflare Inc
US
shared
2460
IEXPLORE.EXE
104.16.48.55:443
camo.stream.highwebmedia.com
Cloudflare Inc
US
shared
2460
IEXPLORE.EXE
104.16.108.24:443
public.chaturbate.com
Cloudflare Inc
US
shared
2460
IEXPLORE.EXE
104.16.56.24:443
cdn.exoticads.com
Cloudflare Inc
US
shared
2460
IEXPLORE.EXE
172.217.18.164:443
www.google.com
Google Inc.
US
whitelisted
2644
iexplore.exe
13.107.21.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
104.27.145.1:80
puklusi.ru
Cloudflare Inc
US
shared
2460
IEXPLORE.EXE
88.85.84.124:80
latest-504561.dingligh.ru
Webzilla B.V.
NL
suspicious
2460
IEXPLORE.EXE
151.139.128.10:80
xapi.juicyads.com
Highwinds Network Group, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
puklusi.ru
  • 104.27.145.1
  • 104.27.144.1
unknown
latest-504561.dingligh.ru
  • 88.85.84.124
  • 78.140.179.99
  • 88.85.84.123
suspicious
xapi.juicyads.com
  • 151.139.128.10
whitelisted
redir.jads.co
  • 151.139.128.10
suspicious
chaturbate.com
  • 104.16.147.241
  • 104.16.146.241
suspicious
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ssl-ccstatic.highwebmedia.com
  • 104.16.46.23
  • 104.16.47.23
unknown
public.chaturbate.com
  • 104.16.108.24
  • 104.16.107.24
suspicious
camo.stream.highwebmedia.com
  • 104.16.48.55
  • 104.16.47.55
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://puklusi.ru/webarsm