| URL: | https://proudflex.org/213db237bbd6bf854a.js |
| Full analysis: | https://app.any.run/tasks/c417000b-5965-43bb-9cd3-27af388fb2d0 |
| Verdict: | Malicious activity |
| Analysis date: | July 29, 2021, 18:31:33 |
| OS: | Windows 10 Professional (build: 16299, 64 bit) |
| Indicators: | |
| MD5: | 153E4643C12808119477A39F9241D93B |
| SHA1: | 30114CA1DAFA220DAE6928FB6772ACA00D7DDD8D |
| SHA256: | AFF86BDC7162AC2FD7A89A5353D5015BA69B7CD6129C863D486F954C20C2B3BA |
| SSDEEP: | 3:N8TKQBqE5XUGFBTHDdtS:2HDXUcBTHzS |
MALICIOUS
Scans artifacts that could help determine the target
- iexplore.exe (PID: 412)
- MicrosoftEdgeCP.exe (PID: 4244)
- MicrosoftEdgeCP.exe (PID: 5288)
- MicrosoftEdge.exe (PID: 1860)
SUSPICIOUS
Executed via COM
- ApplicationFrameHost.exe (PID: 1596)
- MicrosoftEdge.exe (PID: 1860)
- browser_broker.exe (PID: 3168)
- MicrosoftEdgeCP.exe (PID: 5288)
- MicrosoftEdgeCP.exe (PID: 3020)
- MicrosoftEdgeCP.exe (PID: 4244)
- MicrosoftEdgeCP.exe (PID: 6000)
- MicrosoftEdgeCP.exe (PID: 5168)
Reads the computer name
- MicrosoftEdge.exe (PID: 1860)
- browser_broker.exe (PID: 3168)
- MicrosoftEdgeCP.exe (PID: 4244)
- MicrosoftEdgeCP.exe (PID: 3020)
- MicrosoftEdgeCP.exe (PID: 5288)
- MicrosoftEdgeCP.exe (PID: 5168)
- MicrosoftEdgeCP.exe (PID: 6000)
Reads Microsoft Outlook installation path
- IEXPLORE.EXE (PID: 2716)
Checks supported languages
- MicrosoftEdge.exe (PID: 1860)
- browser_broker.exe (PID: 3168)
- MicrosoftEdgeCP.exe (PID: 4244)
- MicrosoftEdgeCP.exe (PID: 3020)
- MicrosoftEdgeCP.exe (PID: 5168)
- MicrosoftEdgeCP.exe (PID: 5288)
- MicrosoftEdgeCP.exe (PID: 6000)
Reads Environment values
- MicrosoftEdge.exe (PID: 1860)
INFO
Checks supported languages
- iexplore.exe (PID: 412)
- ApplicationFrameHost.exe (PID: 1596)
- IEXPLORE.EXE (PID: 2716)
Reads settings of System Certificates
- IEXPLORE.EXE (PID: 2716)
- iexplore.exe (PID: 412)
- MicrosoftEdgeCP.exe (PID: 4244)
- MicrosoftEdgeCP.exe (PID: 5288)
Checks Windows Trust Settings
- iexplore.exe (PID: 412)
- IEXPLORE.EXE (PID: 2716)
- MicrosoftEdgeCP.exe (PID: 4244)
- MicrosoftEdgeCP.exe (PID: 5288)
Reads the software policy settings
- iexplore.exe (PID: 412)
- IEXPLORE.EXE (PID: 2716)
- MicrosoftEdgeCP.exe (PID: 4244)
- MicrosoftEdgeCP.exe (PID: 5288)
Reads the date of Windows installation
- iexplore.exe (PID: 412)
Reads the computer name
- ApplicationFrameHost.exe (PID: 1596)
- iexplore.exe (PID: 412)
- IEXPLORE.EXE (PID: 2716)
Changes internet zones settings
- iexplore.exe (PID: 412)
Modifies the phishing filter of IE
- iexplore.exe (PID: 412)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
102
Monitored processes
10
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 412 | "C:\Program Files\internet explorer\iexplore.exe" "https://proudflex.org/213db237bbd6bf854a.js" | C:\Program Files\internet explorer\iexplore.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1596 | C:\WINDOWS\system32\ApplicationFrameHost.exe -Embedding | C:\WINDOWS\system32\ApplicationFrameHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Application Frame Host Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1860 | "C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca | C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 1 Version: 11.00.16299.402 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2716 | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:412 CREDAT:9474 /prefetch:2 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3020 | "C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca | C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Content Process Exit code: 0 Version: 11.00.16299.402 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3168 | C:\WINDOWS\system32\browser_broker.exe -Embedding | C:\WINDOWS\system32\browser_broker.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Browser_Broker Exit code: 2147500037 Version: 11.00.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4244 | "C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca | C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Content Process Exit code: 1 Version: 11.00.16299.402 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5168 | "C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca | C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Content Process Exit code: 0 Version: 11.00.16299.402 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5288 | "C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca | C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Content Process Exit code: 0 Version: 11.00.16299.402 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6000 | "C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca | C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Content Process Exit code: 0 Version: 11.00.16299.402 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
21 334
Read events
20 796
Write events
532
Delete events
6
Modification events
| (PID) Process: | (412) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock |
| Operation: | write | Name: | L1WatermarkLowPart |
Value: 956341420 | |||
| (PID) Process: | (412) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock |
| Operation: | write | Name: | L1WatermarkHighPart |
Value: 148313293 | |||
| (PID) Process: | (412) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock |
| Operation: | write | Name: | NextCheckForUpdateLowDateTime |
Value: 239206604 | |||
| (PID) Process: | (412) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock |
| Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 30901416 | |||
| (PID) Process: | (412) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (412) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (412) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (412) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
| (PID) Process: | (412) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (412) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
Executable files
0
Suspicious files
8
Text files
129
Unknown types
10
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2716 | IEXPLORE.EXE | C:\Users\admin\Downloads\213db237bbd6bf854a.js.wn3yrwd.partial | text | |
MD5:— | SHA256:— | |||
| 412 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF7BDA91CFFEF11F45.TMP | gmc | |
MD5:— | SHA256:— | |||
| 412 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\SmartScreenCache.dat | binary | |
MD5:— | SHA256:— | |||
| 412 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{39FE9BEB-F09B-11EB-B47A-18F7786F96EE}.dat | binary | |
MD5:— | SHA256:— | |||
| 2716 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\APFYKMZ9\213db237bbd6bf854a[1].js | text | |
MD5:— | SHA256:— | |||
| 1860 | MicrosoftEdge.exe | C:\Users\admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm | dbf | |
MD5:— | SHA256:— | |||
| 412 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{39FE9BE9-F09B-11EB-B47A-18F7786F96EE}.dat | binary | |
MD5:— | SHA256:— | |||
| 1860 | MicrosoftEdge.exe | C:\Users\admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb | edb | |
MD5:— | SHA256:— | |||
| 412 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF5A4663C9F685386D.TMP | gmc | |
MD5:— | SHA256:— | |||
| 1860 | MicrosoftEdge.exe | C:\Users\admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk | binary | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
219
TCP/UDP connections
115
DNS requests
40
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2284 | svchost.exe | GET | 302 | 104.111.242.51:443 | https://go.microsoft.com/fwlink/?LinkId=525773 | NL | — | — | whitelisted |
2716 | IEXPLORE.EXE | GET | 200 | 5.149.248.141:443 | https://proudflex.org/213db237bbd6bf854a.js | NL | text | 181 Kb | malicious |
2284 | svchost.exe | GET | 302 | 13.66.39.88:443 | https://microsoftedgetips.microsoft.com/?source=welcome | US | html | 120 b | whitelisted |
2284 | svchost.exe | GET | 200 | 23.32.238.171:443 | https://static-spartan-neu-s-msn-com.akamaized.net/spartan/en-us/_ssc/css/ac12fb0b-4e64c3a/kerneldhp-f44ca46e.css?ver=20210723_22747471&fdhead=1s-bing-news,1s-mobauthcf,1s-winblisp1,bbh20200521msncf,btrecrow1,modmmhac,msnallexpusers,onetrustpoplive,prg-1sw-scronc,prg-adspeek,prg-rotctrl,prg-wpo-hp750,prg-wpo-hpads,prg-wpo-hpads750,prg-wpo-olypc,vebudumu04302020 | US | text | 108 Kb | whitelisted |
412 | iexplore.exe | POST | 200 | 52.178.182.73:443 | https://urs.microsoft.com/urs.asmx?MSURS-Client-Key=mOOTtRA5VuYSOtB%2ba0NUbQ%3d%3d&MSURS-MAC=t9Imk1j5CnY%3d | IE | text | 1.08 Kb | whitelisted |
2284 | svchost.exe | GET | 200 | 204.79.197.203:443 | https://www.msn.com/spartan/dhp?locale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&ishostisolationenforced=0&targetexperience=default | US | html | 294 Kb | whitelisted |
2284 | svchost.exe | GET | 200 | 23.32.238.171:443 | https://static-spartan-neu-s-msn-com.akamaized.net/spartan/en-us/_sc/css/ac12fb0b-c02651e0/direction=ltr.locales=en-us.themes=start.dpi=resolution1x/ca-9c582f-491caa4c/f5-5c0439-ecdc80c3/5c-c2c380-7330345f/7f-611819-43c06d09/9d-663631-f8280fab/f6-2005b5-9c95776b/b7-fa5153-ebbbaaf3/20-bcf74f-5a5aaaad/29-679966-2dfc217f/30-03f957-4b31c4a6/3c-8f7322-491caa4c/2a-b45df6-9894a538/de-0ae0e7-ae503b62/a8-b836ae-e1835b00/11-d72e35-166c02d1/b7-eb2126-e01d984a/f0-a0bd1f-9e3b3f85/9c-ab9525-ebb81256/7d-a8907f-df02ef6a/9c-d2a1cc-68ddb2ab?ver=20210723_22747471&fdhead=msnallexpusers,muidflt12cf,muidflt14cf,muidflt29cf,muidflt49cf,muidflt58cf,pnehp1cf,starthp2cf,modmmhac,pnehz3cf,moneyhz3cf,article3cf,onetrustpoplive,1s-bing-news,vebudumu04302020,bbh20200521msncf,prg-rotctrl,prg-1sw-scronc,1s-winblisp1,prg-adspeek,btrecrow1,1s-mobauthcf,prg-wpo-olypc,prg-wpo-hp750,prg-wpo-hpads,prg-wpo-hpads750&csopd=20210601212206&csopdb=20210716192506 | US | text | 89.7 Kb | whitelisted |
2284 | svchost.exe | GET | 200 | 23.32.238.171:443 | https://static-spartan-neu-s-msn-com.akamaized.net/spartan/en-us/_sc/js/ac12fb0b-ac8b799a/direction=ltr.locales=en-us.themes=start.dpi=resolution1x/7d-ed09f0-68ddb2ab/d7-2139e7-68ddb2ab/85-f52c9b-68ddb2ab/3c-64af1f-68ddb2ab/b3-e53ca4-68ddb2ab/18-d301e0-68ddb2ab/1a-4ab7e0-3bf20bc0/e2-2522eb-e8664fc6/a5-cc5510-53568de/2d-d73afb-a89c49f2/ff-f4f6da-68ddb2ab/f2-58ec27-68ddb2ab/47-77d975-3706e682/90-1b17f2-68ddb2ab/9b-07857b-68ddb2ab/5a-d51f56-68ddb2ab?ver=20210723_22747471&fdhead=msnallexpusers,muidflt12cf,muidflt14cf,muidflt29cf,muidflt49cf,muidflt58cf,pnehp1cf,starthp2cf,modmmhac,pnehz3cf,moneyhz3cf,article3cf,onetrustpoplive,1s-bing-news,vebudumu04302020,bbh20200521msncf,prg-rotctrl,prg-1sw-scronc,1s-winblisp1,prg-adspeek,btrecrow1,1s-mobauthcf,prg-wpo-olypc,prg-wpo-hp750,prg-wpo-hpads,prg-wpo-hpads750&csopd=20210601212206&csopdb=20210716192506 | US | text | 155 Kb | whitelisted |
2284 | svchost.exe | GET | 302 | 40.71.11.133:443 | https://microsoftedgewelcome.microsoft.com/redirect/?source=firstrun | US | html | 154 b | whitelisted |
2716 | IEXPLORE.EXE | POST | 200 | 20.190.160.132:443 | https://login.live.com/RST2.srf | US | xml | 9.87 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 20.190.160.73:443 | — | Microsoft Corporation | US | suspicious |
2716 | IEXPLORE.EXE | 5.149.248.141:443 | proudflex.org | HZ Hosting Ltd | NL | malicious |
412 | iexplore.exe | 52.178.182.73:443 | urs.microsoft.com | Microsoft Corporation | IE | suspicious |
— | — | 23.32.238.168:443 | img-s-msn-com.akamaized.net | XO Communications | US | unknown |
— | — | 13.66.39.88:443 | microsoftedgetips.microsoft.com | Microsoft Corporation | US | unknown |
— | — | 23.32.238.171:443 | static-spartan-neu-s-msn-com.akamaized.net | XO Communications | US | suspicious |
— | — | 184.30.21.171:443 | www.microsoft.com | GTT Communications Inc. | US | suspicious |
— | — | 13.225.87.102:443 | sb.scorecardresearch.com | — | US | malicious |
— | — | 20.190.159.138:443 | login.live.com | Microsoft Corporation | US | suspicious |
— | — | 2.16.186.242:443 | assets.msn.com | Akamai International B.V. | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
proudflex.org |
| malicious |
urs.microsoft.com |
| whitelisted |
t.urs.microsoft.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
www.msn.com |
| whitelisted |
microsoftedgewelcome.microsoft.com |
| whitelisted |
microsoftedgetips.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
static-spartan-neu-s-msn-com.akamaized.net |
| whitelisted |
img-s-msn-com.akamaized.net |
| whitelisted |