URL: https://www.google.com

Full analysis: https://app.any.run/tasks/11f6b2ec-679d-4813-a679-ef9222c7e269
Verdict: Malicious activity
Analysis date: May 21, 2022, 06:41:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 8FFDEFBDEC956B595D257F0AAEEFD623
SHA1: EF7EFC9839C3EE036F023E9635BC3B056D6EE2DB
SHA256: AC6BB669E40E44A8D9F8F0C94DFC63734049DCF6219AAC77F02EDF94B9162C09
SSDEEP: 3:N8DSLIK:2OLIK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 1380)
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 1216)
    • Checks supported languages

      • cmd.exe (PID: 1380)
      • powershell.exe (PID: 2888)
      • cmd.exe (PID: 3268)
      • powershell.exe (PID: 1008)
    • Reads the computer name

      • powershell.exe (PID: 1008)
      • powershell.exe (PID: 2888)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 1216)
      • iexplore.exe (PID: 2908)
    • Reads the computer name

      • iexplore.exe (PID: 2908)
      • iexplore.exe (PID: 1216)
    • Changes internet zones settings

      • iexplore.exe (PID: 2908)
    • Application launched itself

      • iexplore.exe (PID: 2908)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 1216)
      • iexplore.exe (PID: 2908)
      • powershell.exe (PID: 2888)
      • powershell.exe (PID: 1008)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2908)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 1216)
      • iexplore.exe (PID: 2908)
    • Reads the date of Windows installation

      • iexplore.exe (PID: 2908)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1216)
    • Manual execution by user

      • cmd.exe (PID: 3268)
      • cmd.exe (PID: 1380)
    • Creates files in the user directory

      • iexplore.exe (PID: 1216)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2908)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 2

Behavior graph

Process chain shown in the graph (details in the full report): iexplore.exe, iexplore.exe, cmd.exe, cmd.exe, powershell.exe, powershell.exe

Process information

PID: 2908
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://www.google.com"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
PID: 1216
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2908 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
PID: 3268
CMD: "C:\Windows\system32\cmd.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225786
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
PID: 1380
CMD: "C:\Windows\System32\cmd.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2888
CMD: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe -noninteractive -executionpolicy bypass -c try{$w"$env:appdata"+'\browser assistant\';[reflection.assembly]::load([system.io.file]::readallbytes($w+'updater.dll'));$i=new-object u.u;$i.r()}catch{}
Path: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 1008
CMD: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe -noninteractive -executionpolicy bypass -c try{$w $env:appdata"+'\browser assistant\';[reflection.assembly]::load([system.io.file]::readallbytes($w+'updater.dll'));$i=new-object u.u;$i.r()}catch{}
Path: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events: 16 457
Read events: 16 342
Write events: 112
Delete events: 3

Modification events

(PID) Process: (2908) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 1

(PID) Process: (2908) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchLowDateTime
Value:

(PID) Process: (2908) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 30960861

(PID) Process: (2908) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateLowDateTime
Value:

(PID) Process: (2908) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 30960861

(PID) Process: (2908) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2908) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2908) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2908) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (2908) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files: 0
Suspicious files: 21
Text files: 13
Unknown types: 14

Dropped files

PID: 1216
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Type: binary
MD5: 3A2E41CD1115650846F1BFFC24F9BCB2
SHA256: 051B0837F8F90E7A659A2A4A675BC6927ACEF22CA3A1AF260DE04679DF7830AE

PID: 1216
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Type: der
MD5: 5A11C6099B9E5808DFB08C5C9570C92F
SHA256: 91291A5EDC4E10A225D3C23265D236ECC74473D9893BE5BD07E202D95B3FB172

PID: 1216
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: binary
MD5: 0A9CFDAF1E5A13344B6A9414840D8652
SHA256: 4526F29B571B83B4C923A3669FDFEED2F74B6123BA281089A9FEE2F9205EBA26

PID: 1216
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\1E2HJO4P.txt
Type: text
MD5: 744DF848725B1EC5BCDC4BB0676C04BF
SHA256: AD0240D72DD1EC3C7CA7061C382EDF26C5D722C0BEE902A868DD6DC6288C7737

PID: 1216
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\G77T5QV3.txt
Type: text
MD5: C3064416E0A68DF282B19DCBF680C439
SHA256: 99CF76FAD3FB1A527DB910478059DB7CEB7F395E6BAD69B7336A73B6571A6EF6

PID: 1216
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Type: binary
MD5: D4BA51077B941091FC692F64CD5BB115
SHA256: E9B40BEFDFF1B629CB26CA195DFD7DA771F149FE5C037668F1CE7A84242FEBD4

PID: 1216
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_7BD24FBCF7F89F33B2FA5E0C8CE277C8
Type: binary
MD5: BD4E1BA3254C991E83E73C26CC0594F0
SHA256: E25277777F9832EA110BB7E21049DEA6183CBC579ECB12C2A525C78BF480FA98

PID: 1216
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_7172467AE25B54F1B9D87A9343356E9B
Type: der
MD5: AB3EB6501215BC25425502F92F199868
SHA256: B958DDF2A4704A2E20B468C5A6DC04305200DC4C51013040BD66447C096AB4CF

PID: 1216
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\F3FID5GQ.htm
Type: html
MD5: 3197730400148FE74863CB190657C5B8
SHA256: 31BFE213314C1C56EDE54FFB9BB0C241A9A02CE714BE0BD85B5EE5E80A2645E8

PID: 1216
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Type: der
MD5: 399242ED2925DFFE308E17D4D88BBF6B
SHA256: 2142B6734A3A0515D8C8F90C4A510043EEB16B9E00B9CDF8354721C1BD54ECA5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 24
DNS requests: 13
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1216
iexplore.exe
GET
200
142.250.186.99:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEFsL8ccV6MRJElibH7RYju4%3D
US
der
471 b
whitelisted
1216
iexplore.exe
GET
200
142.250.186.99:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted
1216
iexplore.exe
GET
200
67.27.157.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?458db577d2a2631b
US
compressed
4.70 Kb
whitelisted
1216
iexplore.exe
GET
200
142.250.186.99:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQD7XjkT15Hv%2FxJBhWf5Zhia
US
der
472 b
whitelisted
1216
iexplore.exe
GET
200
142.250.186.99:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
2908
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
2908
iexplore.exe
GET
200
93.184.220.29:80
http://crl3.digicert.com/Omniroot2025.crl
US
der
7.78 Kb
whitelisted
1216
iexplore.exe
GET
200
142.250.186.99:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDExSUZ712qmxLhqE9UUaDV
US
der
472 b
whitelisted
1216
iexplore.exe
GET
200
142.250.186.99:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEG3aTvFLTYzNCmxS2fUJutw%3D
US
der
471 b
whitelisted
1216
iexplore.exe
GET
200
67.27.157.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fa1b16f9025586af
US
compressed
4.70 Kb
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1216
iexplore.exe
142.250.186.164:443
www.google.com
Google Inc.
US
whitelisted
1216
iexplore.exe
142.250.186.99:80
ocsp.pki.goog
Google Inc.
US
whitelisted
2908
iexplore.exe
142.250.186.164:443
www.google.com
Google Inc.
US
whitelisted
2908
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
1216
iexplore.exe
142.250.185.227:443
ssl.gstatic.com
Google Inc.
US
whitelisted
1216
iexplore.exe
67.27.157.126:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
suspicious
1216
iexplore.exe
172.217.23.110:443
clients1.google.com
Google Inc.
US
whitelisted
2908
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2908
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1216
iexplore.exe
142.250.185.174:443
apis.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.google.com
  • 142.250.186.164
whitelisted
ctldl.windowsupdate.com
  • 67.27.157.126
  • 8.241.122.126
  • 67.26.73.254
  • 67.26.137.254
  • 8.248.147.254
whitelisted
ocsp.pki.goog
  • 142.250.186.99
whitelisted
ssl.gstatic.com
  • 142.250.185.227
whitelisted
clients1.google.com
  • 172.217.23.110
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
www.gstatic.com
  • 216.58.212.131
whitelisted
apis.google.com
  • 142.250.185.174
whitelisted

Threats

No threats detected
No debug info