URL:

https://a.bypass.city/jump/next.php?r=7667110

Full analysis: https://app.any.run/tasks/e9ca288b-5945-4c37-b032-fa01c78af93d
Verdict: Malicious activity
Analysis date: December 02, 2023, 18:59:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

14C1C8C5870D257912353558D119884F

SHA1:

00D5DC47C78ED7C5232AD1931E3630F370AF9FE1

SHA256:

B7A95840E9A07205E52FA6D497828DA095C9C3929A623F6A841C6D7946980EC6

SSDEEP:

3:N8tERLb6UXX6nM:2eW7nM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Drops the executable file immediately after the start

      • iexplore.exe (PID: 3872)

    • Application launched itself

      • iexplore.exe (PID: 564)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 2976)
      • explorer.exe (PID: 3288)

    • Reads the computer name

      • wmpnscfg.exe (PID: 2976)

    • Checks supported languages

      • wmpnscfg.exe (PID: 2976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
4
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe wmpnscfg.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
564"C:\Program Files\Internet Explorer\iexplore.exe" "https://a.bypass.city/jump/next.php?r=7667110"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
2976"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3288"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3872"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:564 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
19 574
Read events
19 506
Write events
66
Delete events
2

Modification events

(PID) Process:(564) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
0
(PID) Process:(564) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30847387
(PID) Process:(564) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30847437
(PID) Process:(564) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(564) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(564) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(564) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(564) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000005A010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(564) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(564) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
1
Suspicious files
33
Text files
21
Unknown types
0

Dropped files

PID
Process
Filename
Type
3872iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464der
MD5:8202A1CD02E7D69597995CABBE881A12
SHA256:58F381C3A0A0ACE6321DA22E40BD44A597BD98B9C9390AB9258426B5CF75A7A5
3872iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464binary
MD5:2A6BE54FBB30E012A41C2E6D7844B6FB
SHA256:59A3A0320BDD9CDA2C7F27F9F9EAA2A5E9954A4E3DB9B3D474738ED8E760DAB6
3872iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab711D.tmpcompressed
MD5:AC05D27423A85ADC1622C714F2CB6184
SHA256:C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
3872iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\next[1].htmhtml
MD5:5CFAFCE763007ECC0FB5347786876F83
SHA256:BF4240867F6F5FB910C3743AD819FE0D6937D35EAA4DFD443437DF2117F45540
3872iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27der
MD5:C05A4765F1EBB8FCAE4A6718BE8AA1A2
SHA256:A1D834BC698B78AFD57FA185D153080785827BA57DCB0BAE366C737E3B8F4D16
3872iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAbinary
MD5:BC3B90815007D86B3AF6937AFE875221
SHA256:6CFF4BBA2121AD624851A4A0B48F976BD4F58BB0839B8A6B191ADA9DFB56B1F7
3872iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27binary
MD5:64085C4F13AC73B743E9EBD220CED861
SHA256:A62E7C8A46D09CC783B2520091282225E431DF1FF3BB6318A0FCACF01413FCDE
3872iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:32680DD7C59230C37B1EE059B6006CA5
SHA256:34FE05B6BE89CA2CF5070A42F5E75340F1D965F425FB731253E3184EDED1EF73
3872iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar711E.tmpbinary
MD5:9C0C641C06238516F27941AA1166D427
SHA256:4276AF3669A141A59388BC56A87F6614D9A9BDDDF560636C264219A7EB11256F
3872iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:AC05D27423A85ADC1622C714F2CB6184
SHA256:C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
34
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3872
iexplore.exe
GET
200
184.24.77.205:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0b7725d384a0a9d4
unknown
compressed
4.66 Kb
unknown
564
iexplore.exe
GET
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
564
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D
unknown
binary
471 b
unknown
564
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
binary
471 b
unknown
564
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D
unknown
binary
471 b
unknown
3872
iexplore.exe
GET
200
184.24.77.205:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7c0985578a653cb5
unknown
compressed
4.66 Kb
unknown
3872
iexplore.exe
GET
200
172.217.18.99:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
binary
1.41 Kb
unknown
3872
iexplore.exe
GET
200
172.217.18.99:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D
unknown
binary
724 b
unknown
3872
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
unknown
binary
1.47 Kb
unknown
3872
iexplore.exe
GET
200
184.24.77.205:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?cf05b7114e60f582
unknown
compressed
65.2 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1080
svchost.exe
224.0.0.252:5355
unknown
3872
iexplore.exe
188.114.96.3:443
a.bypass.city
CLOUDFLARENET
NL
unknown
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
3872
iexplore.exe
184.24.77.205:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
3872
iexplore.exe
172.217.18.99:80
ocsp.pki.goog
GOOGLE
US
whitelisted
3872
iexplore.exe
104.16.57.101:443
static.cloudflareinsights.com
CLOUDFLARENET
unknown
3872
iexplore.exe
104.21.81.209:443
buzzonclick.com
CLOUDFLARENET
unknown
3872
iexplore.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
2588
svchost.exe
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
a.bypass.city
  • 188.114.96.3
  • 188.114.97.3
unknown
ctldl.windowsupdate.com
  • 184.24.77.205
  • 184.24.77.197
  • 184.24.77.187
  • 184.24.77.188
  • 184.24.77.183
  • 184.24.77.193
  • 184.24.77.199
  • 184.24.77.189
  • 184.24.77.191
whitelisted
ocsp.pki.goog
  • 172.217.18.99
whitelisted
static.cloudflareinsights.com
  • 104.16.57.101
  • 104.16.56.101
whitelisted
buzzonclick.com
  • 104.21.81.209
  • 172.67.164.155
malicious
ocsp.digicert.com
  • 192.229.221.95
whitelisted
safe-surfers.com
  • 3.125.239.17
  • 3.126.48.135
unknown
x1.c.lencr.org
  • 23.212.210.158
whitelisted
r3.o.lencr.org
  • 184.24.77.46
  • 184.24.77.56
  • 184.24.77.53
shared
mediatrackerr.com
  • 104.21.39.208
  • 172.67.148.126
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://a.bypass.city/jump/next.php?r=7667110