| Field | Value |
|---|---|
| URL | https://proudflex.org/213db237bbd6bf854a.js |
| Full analysis | https://app.any.run/tasks/c417000b-5965-43bb-9cd3-27af388fb2d0 |
| Verdict | Malicious activity |
| Analysis date | July 29, 2021, 18:31:33 |
| OS | Windows 10 Professional (build: 16299, 64 bit) |

Indicators:

| Hash | Value |
|---|---|
| MD5 | 153E4643C12808119477A39F9241D93B |
| SHA1 | 30114CA1DAFA220DAE6928FB6772ACA00D7DDD8D |
| SHA256 | AFF86BDC7162AC2FD7A89A5353D5015BA69B7CD6129C863D486F954C20C2B3BA |
| SSDEEP | 3:N8TKQBqE5XUGFBTHDdtS:2HDXUcBTHzS |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 412 | "C:\Program Files\internet explorer\iexplore.exe" "https://proudflex.org/213db237bbd6bf854a.js" | C:\Program Files\internet explorer\iexplore.exe | — | Explorer.EXE | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 1 | 11.00.16299.15 (WinBuild.160101.0800) |
| 1596 | C:\WINDOWS\system32\ApplicationFrameHost.exe -Embedding | C:\WINDOWS\system32\ApplicationFrameHost.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Application Frame Host | 0 | 10.0.16299.15 (WinBuild.160101.0800) |
| 1860 | "C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca | C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Edge | 1 | 11.00.16299.402 (WinBuild.160101.0800) |
| 2716 | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:412 CREDAT:9474 /prefetch:2 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | — | iexplore.exe | admin | Microsoft Corporation | LOW | Internet Explorer | 0 | 11.00.16299.15 (WinBuild.160101.0800) |
| 3020 | "C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca | C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | — | svchost.exe | admin | Microsoft Corporation | LOW | Microsoft Edge Content Process | 0 | 11.00.16299.402 (WinBuild.160101.0800) |
| 3168 | C:\WINDOWS\system32\browser_broker.exe -Embedding | C:\WINDOWS\system32\browser_broker.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Browser_Broker | 2147500037 (0x80004005, E_FAIL) | 11.00.16299.15 (WinBuild.160101.0800) |
| 4244 | "C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca | C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | — | svchost.exe | admin | Microsoft Corporation | LOW | Microsoft Edge Content Process | 1 | 11.00.16299.402 (WinBuild.160101.0800) |
| 5168 | "C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca | C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | — | svchost.exe | admin | Microsoft Corporation | LOW | Microsoft Edge Content Process | 0 | 11.00.16299.402 (WinBuild.160101.0800) |
| 5288 | "C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca | C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | — | svchost.exe | admin | Microsoft Corporation | LOW | Microsoft Edge Content Process | 0 | 11.00.16299.402 (WinBuild.160101.0800) |
| 6000 | "C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca | C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | — | svchost.exe | admin | Microsoft Corporation | LOW | Microsoft Edge Content Process | 0 | 11.00.16299.402 (WinBuild.160101.0800) |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 412 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock | write | L1WatermarkLowPart | 956341420 |
| 412 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock | write | L1WatermarkHighPart | 148313293 |
| 412 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock | write | NextCheckForUpdateLowDateTime | 239206604 |
| 412 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock | write | NextCheckForUpdateHighDateTime | 30901416 |
| 412 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | (empty) |
| 412 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie: |
| 412 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited: |
| 412 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | write | CompatibilityFlags | 0 |
| 412 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |
| 412 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 412 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\SmartScreenCache.dat | binary | — | — |
| 2716 | IEXPLORE.EXE | C:\Users\admin\Downloads\213db237bbd6bf854a.js.wn3yrwd.partial | text | — | — |
| 412 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF7BDA91CFFEF11F45.TMP | gmc | — | — |
| 2716 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\APFYKMZ9\213db237bbd6bf854a[1].js | text | — | — |
| 412 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{39FE9BEB-F09B-11EB-B47A-18F7786F96EE}.dat | binary | — | — |
| 412 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF5A4663C9F685386D.TMP | gmc | — | — |
| 1860 | MicrosoftEdge.exe | C:\Users\admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm | dbf | — | — |
| 5288 | MicrosoftEdgeCP.exe | C:\Users\admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cache\RCOFU4AK\dhp[1].htm | html | — | — |
| 1860 | MicrosoftEdge.exe | C:\Users\admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk | binary | — | — |
| 412 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{39FE9BE9-F09B-11EB-B47A-18F7786F96EE}.dat | binary | — | — |
| PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2284 | svchost.exe | GET | 302 | 104.111.242.51:443 | https://go.microsoft.com/fwlink/?LinkId=525773 | NL | — | — | whitelisted |
| 2716 | IEXPLORE.EXE | GET | 200 | 5.149.248.141:443 | https://proudflex.org/213db237bbd6bf854a.js | NL | text | 181 Kb | malicious |
| 2284 | svchost.exe | GET | 302 | 13.66.39.88:443 | https://microsoftedgetips.microsoft.com/?source=welcome | US | html | 120 b | whitelisted |
| 2284 | svchost.exe | GET | 200 | 23.32.238.171:443 | https://static-spartan-neu-s-msn-com.akamaized.net/spartan/en-us/_ssc/css/ac12fb0b-4e64c3a/kerneldhp-f44ca46e.css?ver=20210723_22747471&fdhead=1s-bing-news,1s-mobauthcf,1s-winblisp1,bbh20200521msncf,btrecrow1,modmmhac,msnallexpusers,onetrustpoplive,prg-1sw-scronc,prg-adspeek,prg-rotctrl,prg-wpo-hp750,prg-wpo-hpads,prg-wpo-hpads750,prg-wpo-olypc,vebudumu04302020 | US | text | 108 Kb | whitelisted |
| 412 | iexplore.exe | POST | 200 | 52.178.182.73:443 | https://urs.microsoft.com/urs.asmx?MSURS-Client-Key=mOOTtRA5VuYSOtB%2ba0NUbQ%3d%3d&MSURS-MAC=t9Imk1j5CnY%3d | IE | text | 1.08 Kb | whitelisted |
| 2284 | svchost.exe | GET | 200 | 23.32.238.168:443 | https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AABiyAn.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png | US | image | 758 b | whitelisted |
| 2284 | svchost.exe | GET | 200 | 204.79.197.203:443 | https://www.msn.com/spartan/dhp?locale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&ishostisolationenforced=0&targetexperience=default | US | html | 294 Kb | whitelisted |
| 2284 | svchost.exe | GET | 200 | 23.32.238.171:443 | https://static-spartan-neu-s-msn-com.akamaized.net/spartan/en-us/_ssc/js/ac12fb0b-8600c376/kerneldhp-9509d55e.js?ver=20210723_22747471&fdhead=1s-bing-news,1s-mobauthcf,1s-winblisp1,bbh20200521msncf,btrecrow1,modmmhac,msnallexpusers,onetrustpoplive,prg-1sw-scronc,prg-adspeek,prg-rotctrl,prg-wpo-hp750,prg-wpo-hpads,prg-wpo-hpads750,prg-wpo-olypc,vebudumu04302020 | US | text | 254 Kb | whitelisted |
| 2284 | svchost.exe | GET | 200 | 23.32.238.168:443 | https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAMeeIa.img?h=350&w=624&m=6&q=60&u=t&o=t&l=f&f=jpg&x=422&y=220 | US | image | 22.8 Kb | whitelisted |
| 2284 | svchost.exe | GET | 302 | 40.71.11.133:443 | https://microsoftedgewelcome.microsoft.com/redirect/?source=firstrun | US | html | 154 b | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2716 | IEXPLORE.EXE | 5.149.248.141:443 | proudflex.org | HZ Hosting Ltd | NL | malicious |
| 412 | iexplore.exe | 52.178.182.73:443 | urs.microsoft.com | Microsoft Corporation | IE | suspicious |
| — | — | 20.190.160.73:443 | — | Microsoft Corporation | US | suspicious |
| 2284 | svchost.exe | 20.190.160.132:443 | — | Microsoft Corporation | US | suspicious |
| — | — | 204.79.197.203:443 | www.msn.com | Microsoft Corporation | US | malicious |
| 3328 | svchost.exe | 51.103.5.159:443 | — | Microsoft Corporation | GB | whitelisted |
| — | — | 104.111.242.51:443 | go.microsoft.com | Akamai International B.V. | NL | unknown |
| — | — | 40.71.11.133:443 | microsoftedgewelcome.microsoft.com | Microsoft Corporation | US | suspicious |
| — | — | 13.66.39.88:443 | microsoftedgetips.microsoft.com | Microsoft Corporation | US | unknown |
| — | — | 23.32.238.171:443 | static-spartan-neu-s-msn-com.akamaized.net | XO Communications | US | suspicious |
| Domain | IP | Reputation |
|---|---|---|
| proudflex.org | — | malicious |
| urs.microsoft.com | — | whitelisted |
| t.urs.microsoft.com | — | whitelisted |
| go.microsoft.com | — | whitelisted |
| www.msn.com | — | whitelisted |
| microsoftedgewelcome.microsoft.com | — | whitelisted |
| microsoftedgetips.microsoft.com | — | whitelisted |
| www.bing.com | — | whitelisted |
| static-spartan-neu-s-msn-com.akamaized.net | — | whitelisted |
| img-s-msn-com.akamaized.net | — | whitelisted |
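Three things about this report matter when pulling IOCs out of it. First, the tables mix the sample's own activity (PID 412, the IE instance launched with the URL, and its low-integrity child 2716, which fetched and cached the .js) with Edge first-run and MSN start-page traffic from svchost.exe-launched processes. Second, the reputation labels disagree between tables: www.msn.com is "malicious" in the connections table and "whitelisted" in the DNS table, and urs.microsoft.com (IE's SmartScreen lookup, matching the SmartScreenCache.dat write by PID 412) is "suspicious" in one and "whitelisted" in the other, so reputation alone is not a usable filter. Third, the ssdeep value `3:...` has block size 3, which ssdeep only uses for inputs of at most 192 bytes, so the MD5/SHA1/SHA256 in the header describe a short object such as the submitted URL string, not the 181 Kb response whose file hashes the files table leaves blank; and the process list contains no script host, so the report records the download, not execution. The script below is an added example written for this page, not ANY.RUN code: it walks the process tree from PID 412, extracts IOCs only from that tree, suppresses hosts on an allowlist by name, and reports the label conflicts instead of filtering on them. The pipe-separated rows (transcribed from the tables above, a subset, with query strings trimmed), the column layout, the `INFRA_SUFFIXES` allowlist and the choice of PID 412 as root are all assumptions of the example.

```python
"""Triage helper for an ANY.RUN-style sandbox report: walk the process tree
to separate the sample's own activity from browser first-run noise, emit
IOCs, and flag reputation labels that disagree between the report's tables.
Added example for this page, not ANY.RUN code."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: a subset of rows transcribed from the tables above,
# pipe-separated, query strings trimmed. The column layout is this
# script's assumption, not the sandbox's export format.
PROCESS_ROWS = """\
412|iexplore.exe|Explorer.EXE
1596|ApplicationFrameHost.exe|svchost.exe
1860|MicrosoftEdge.exe|svchost.exe
2716|IEXPLORE.EXE|iexplore.exe
3168|browser_broker.exe|svchost.exe
"""
HTTP_ROWS = """\
2284|svchost.exe|104.111.242.51|https://go.microsoft.com/fwlink/?LinkId=525773|whitelisted
2716|IEXPLORE.EXE|5.149.248.141|https://proudflex.org/213db237bbd6bf854a.js|malicious
2284|svchost.exe|13.66.39.88|https://microsoftedgetips.microsoft.com/?source=welcome|whitelisted
412|iexplore.exe|52.178.182.73|https://urs.microsoft.com/urs.asmx|whitelisted
2284|svchost.exe|204.79.197.203|https://www.msn.com/spartan/dhp|whitelisted
"""
CONN_ROWS = """\
2716|IEXPLORE.EXE|5.149.248.141|proudflex.org|malicious
412|iexplore.exe|52.178.182.73|urs.microsoft.com|suspicious
-|-|204.79.197.203|www.msn.com|malicious
-|-|104.111.242.51|go.microsoft.com|unknown
"""
# Assumption: hosts under these suffixes are browser/sandbox housekeeping
# (SmartScreen, Edge first run, MSN start page), not sample behaviour.
INFRA_SUFFIXES = (".microsoft.com", ".msn.com", ".bing.com", ".akamaized.net")

def parse(block, fields):
    """Split pipe-separated lines into dicts keyed by the given field names."""
    return [dict(zip(fields, line.split("|")))
            for line in block.splitlines() if line.strip()]

def process_tree(procs, root_pid):
    """PIDs reachable from root_pid. The report names a parent by image, not
    PID, so a parent resolves only when exactly one *other* listed process
    carries that image name (2716's parent 'iexplore.exe' -> 412)."""
    by_image = defaultdict(list)
    for p in procs:
        by_image[p["image"].lower()].append(int(p["pid"]))
    children = defaultdict(list)
    for p in procs:
        pid = int(p["pid"])
        candidates = [x for x in by_image[p["parent"].lower()] if x != pid]
        if len(candidates) == 1:
            children[candidates[0]].append(pid)
    tree, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid not in tree:
            tree.add(pid)
            stack.extend(children[pid])
    return tree

def is_infra(host):
    return host.endswith(INFRA_SUFFIXES)

def triage(procs, http, conns, root_pid):
    """IOCs from the sample's process tree, excluding infra hosts by name
    rather than by the report's reputation label."""
    tree = process_tree(procs, root_pid)
    iocs = {"urls": set(), "domains": set(), "ips": set()}
    noise, labels = [], defaultdict(set)
    for r in http:
        host = urlsplit(r["url"]).hostname
        labels[host].add(r["rep"])
        if int(r["pid"]) in tree and not is_infra(host):
            iocs["urls"].add(r["url"])
            iocs["domains"].add(host)
            iocs["ips"].add(r["ip"])
        else:
            noise.append(r["url"])
    for c in conns:
        labels[c["domain"]].add(c["rep"])
        if c["pid"].isdigit() and int(c["pid"]) in tree and not is_infra(c["domain"]):
            iocs["domains"].add(c["domain"])
            iocs["ips"].add(c["ip"])
    # Labels disagree between tables in this report (e.g. www.msn.com), so
    # they are surfaced for the analyst instead of being used as the filter.
    conflicts = {h: sorted(v) for h, v in labels.items() if len(v) > 1}
    return {"sample_pids": tree, "iocs": iocs, "noise": noise, "conflicts": conflicts}

def run():
    """Triage this report with PID 412 (IE launched with the sample URL) as root."""
    return triage(parse(PROCESS_ROWS, ["pid", "image", "parent"]),
                  parse(HTTP_ROWS, ["pid", "image", "ip", "url", "rep"]),
                  parse(CONN_ROWS, ["pid", "image", "ip", "domain", "rep"]),
                  root_pid=412)

if __name__ == "__main__":
    print(run())
```

Run as-is, `run()` yields the sample tree {412, 2716}, the single IOC host proudflex.org at 5.149.248.141 with its URL, four suppressed housekeeping requests, and conflicting labels for go.microsoft.com, urs.microsoft.com and www.msn.com. Resolving parents by image name is deliberately conservative: a parent that matches several other PIDs (as Edge's svchost.exe-spawned processes would if svchost.exe were listed) is left unlinked rather than guessed, which is the safe failure mode when the goal is to attribute activity to the sample.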