URL: https://ss1.xrea.com/pyonkichi.g1.xrea.com/archives/cl64_406.exe

Full analysis: https://app.any.run/tasks/17bfd165-6d98-4551-a4db-a64e989930d5
Verdict: Malicious activity
Analysis date: November 29, 2023, 07:01:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: B2BCFFECBD9FBF7E591920B3735D441E
SHA1: 8ECD76D138670295EF6770B4BBB1FE5C31E9135C
SHA256: BD6C4A6915738B7FF8FB29B1B5F829F602BA0AECDB7E6715FE4817E4C431665E
SSDEEP: 3:N8buSKLO+LbVdMrR7C:2rb0bVdMY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • cl64_406.exe (PID: 2868)
  • SUSPICIOUS
    • Reads the Internet Settings
      • cl64_406.exe (PID: 2868)
  • INFO
    • Manual execution by a user
      • wmpnscfg.exe (PID: 1128)
    • Application launched itself
      • iexplore.exe (PID: 564)
    • Drops the executable file immediately after the start
      • iexplore.exe (PID: 2480)
      • iexplore.exe (PID: 564)
    • Checks supported languages
      • wmpnscfg.exe (PID: 1128)
      • cl64_406.exe (PID: 2868)
    • Reads the computer name
      • wmpnscfg.exe (PID: 1128)
      • cl64_406.exe (PID: 2868)
    • Reads the machine GUID from the registry
      • wmpnscfg.exe (PID: 1128)
    • The process uses the downloaded file
      • iexplore.exe (PID: 564)
    • Create files in a temporary directory
      • cl64_406.exe (PID: 2868)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph: start, iexplore.exe, iexplore.exe, wmpnscfg.exe (no specs), cl64_406.exe (no specs), cl64_406.exe

Process information

PID: 564
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://ss1.xrea.com/pyonkichi.g1.xrea.com/archives/cl64_406.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (Images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll

PID: 1128
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\program files\windows media player\wmpnscfg.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\sspicli.dll
  • c:\windows\system32\ole32.dll

PID: 2480
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:564 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (Images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll

PID: 2868
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\cl64_406.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\cl64_406.exe
Parent process: iexplore.exe
User: admin
Company: Pyonkichi
Integrity Level: HIGH
Description: CLaunch Program Launcher
Exit code: 4294967295
Version: 4, 0, 6, 0
Modules (Images):
  • c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\78rfyb7z\cl64_406.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shell32.dll

PID: 3868
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\cl64_406.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\cl64_406.exe
Parent process: iexplore.exe
User: admin
Company: Pyonkichi
Integrity Level: MEDIUM
Description: CLaunch Program Launcher
Exit code: 3221226540
Version: 4, 0, 6, 0
Modules (Images):
  • c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\78rfyb7z\cl64_406.exe
  • c:\windows\system32\ntdll.dll
Total events: 15 335
Read events: 15 269
Write events: 63
Delete events: 3

Modification events

Process: (564) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 0

Process: (564) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 30847387

Process: (564) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 30847437

Process: (564) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (564) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (564) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

Process: (564) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (564) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (564) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (564) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files: 13
Suspicious files: 16
Text files: 4
Unknown types: 0

Dropped files

PID: 2480, Process: iexplore.exe, Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5: 9ADC56B56C00F142CEA5395D0C5DF9D3
SHA256: CBEAC1E44089B11676AB8B1CFCACF2A18029DC592137B8173EC030FAD9286363

PID: 2480, Process: iexplore.exe, Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_96EEC010953ED454BBCDFA69FC071E7C
MD5: 27CCEA2474DD93024F4CB1DF7521AAE6
SHA256: 229CB2B2C42F198F1110AB688C42017303D2F4101CC7139185E713E582F89717

PID: 2480, Process: iexplore.exe, Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4B3D1CD03E2BE9D4F9CDDE390F5EFE31_635180BB000A93EDCBAF170C8AEE95C3
MD5: 211D74A6ABB36023F164D5056F900AEB
SHA256: 04BFE8A1277BBFDE71F0BCB84C88C267A628BA4B8D1BDADE252F2F7EF5FC1718

PID: 2480, Process: iexplore.exe, Type: executable
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\cl64_406[1].exe
MD5: 30370FF5962826135DEBC076F6A1081F
SHA256: 14C6578AAF71EF0218DCBB36E67A489C2D3777427D44E42EDD75BDF08695D82F

PID: 2480, Process: iexplore.exe, Type: executable
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\cl64_406.exe.nfy394c.partial
MD5: 194937A572CB41A383BF46FAC6260001
SHA256: 16C7A291D2FCEDA4942A17BDEEF55AE34FD9DB781A18E4D43DFCB8F79D13E957

PID: 2480, Process: iexplore.exe, Type: compressed
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5: 1BFE591A4FE3D91B03CDF26EAACD8F89
SHA256: 9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8

PID: 2480, Process: iexplore.exe, Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_96EEC010953ED454BBCDFA69FC071E7C
MD5: B0FB9F17C4E4A57799EF5FA24EEAFD67
SHA256: D367186811F96E8DE2784B183E76D230DF3EA3C097D9A010985A68771404D1EE

PID: 564, Process: iexplore.exe, Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\~DF5B8203311FB049A3.TMP
MD5: 96F01ED4AF6583E6E87583938FAF70B8
SHA256: E187CB81D809FB5DFC5B8CF49B9D2EE766E565D11E052EC72C94C1201C5D574A

PID: 2868, Process: cl64_406.exe, Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\~cl64_406.exe\Languages\Chinese.dll
MD5: 8BD48F8B8C6BD8D62617EDE0B6489F8F
SHA256: E438BC772F5FC43E6AAA6D33C3C110920618231A2FC513116641678573E3E3CA

PID: 2868, Process: cl64_406.exe, Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\~cl64_406.exe\Docs\CLaunch_en.chm
MD5: DC2A689F021F7F171C5687716E913010
SHA256: CE169DA25A23378F99CECD1E28D25D7F0BC7B47B58BB01D0DBA7E114C15618D2
HTTP(S) requests: 7
TCP/UDP connections: 15
DNS requests: 7
Threats: 0

HTTP requests

PID 2480, iexplore.exe, GET, HTTP 200, 8.248.131.254:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0e152650b56312b4
Reputation: unknown; Type: compressed; Size: 4.66 Kb

PID 2480, iexplore.exe, GET, HTTP 200, 8.248.131.254:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e569524345d4d114
Reputation: unknown; Type: compressed; Size: 4.66 Kb

PID 2480, iexplore.exe, GET, HTTP 200, 104.18.20.226:80
URL: http://ocsp.globalsign.com/rootr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEH1NQqkrQx1%2BZFPnwZqNWHc%3D
Reputation: unknown; Type: binary; Size: 1.41 Kb

PID 2480, iexplore.exe, GET, HTTP 200, 104.18.20.226:80
URL: http://ocsp.globalsign.com/alphasslcasha256g4/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBSPdwLcDiHQXlVfp8h37hrpMerTggQUT8usqMLvq92Db2u%2Fzpg9XFgldhUCDHiDsZvjBwzqord9Jg%3D%3D
Reputation: unknown; Type: binary; Size: 1.40 Kb

PID 1080, svchost.exe, GET, HTTP 304, 8.248.131.254:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?60b2f43ad8cf70d9
Reputation: unknown

PID 1080, svchost.exe, GET, HTTP 200, 8.248.131.254:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?df5eacd0fb157a26
Reputation: unknown; Type: compressed; Size: 65.2 Kb

PID 564, iexplore.exe, GET, HTTP 200, 192.229.221.95:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
Reputation: unknown; Type: binary; Size: 471 b

Connections

PID   Process       IP                     Domain                   ASN               CN  Reputation
1080  svchost.exe   224.0.0.252:5355       -                        -                 -   unknown
4     System        192.168.100.255:138    -                        -                 -   whitelisted
4     System        192.168.100.255:137    -                        -                 -   whitelisted
2480  iexplore.exe  203.189.105.202:443    ss1.xrea.com             GMO Internet,Inc  JP  unknown
2588  svchost.exe   239.255.255.250:1900   -                        -                 -   whitelisted
2480  iexplore.exe  8.248.131.254:80       ctldl.windowsupdate.com  LEVEL3            US  unknown
2480  iexplore.exe  104.18.20.226:80       ocsp.globalsign.com      CLOUDFLARENET     -   shared
1080  svchost.exe   8.248.131.254:80       ctldl.windowsupdate.com  LEVEL3            US  unknown
564   iexplore.exe  152.199.19.161:443     iecvlist.microsoft.com   EDGECAST          US  whitelisted
564   iexplore.exe  192.229.221.95:80      ocsp.digicert.com        EDGECAST          US  whitelisted

DNS requests

ss1.xrea.com (reputation: unknown)
  • 203.189.105.202
ctldl.windowsupdate.com (reputation: unknown)
  • 8.248.131.254
  • 67.27.235.126
  • 67.26.81.254
  • 67.26.83.254
  • 67.27.234.126
ocsp.globalsign.com (reputation: unknown)
  • 104.18.20.226
  • 104.18.21.226
iecvlist.microsoft.com (reputation: unknown)
  • 152.199.19.161
r20swj13mr.microsoft.com (reputation: unknown)
  • 152.199.19.161
ocsp.digicert.com (reputation: unknown)
  • 192.229.221.95

Threats: No threats detected
Debug info: none