URL:

https://xn-xx.org/

Full analysis: https://app.any.run/tasks/13545619-1b3a-494f-8a0d-71e89a980b83
Verdict: No threats detected
Analysis date: May 11, 2019, 12:50:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

EDCC7DE25CEF50F1B03DB81AB499C15A

SHA1:

48F81E5AD8E41AFF20B23E8F3490FEF57BA20D96

SHA256:

C14F4AA5DCFE6FE50F57C4697993900B39AA0340CA0D6D6F15E1CA5D9E7F12D6

SSDEEP:

3:N8n1CKn:2IKn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • msdt.exe (PID: 4092)

    • Uses IPCONFIG.EXE to discover IP address

      • sdiagnhost.exe (PID: 2736)

  • INFO

    • Creates files in the user directory

      • opera.exe (PID: 1816)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
12
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start opera.exe msdt.exe sdiagnhost.exe no specs csc.exe cvtres.exe no specs ipconfig.exe no specs route.exe no specs makecab.exe no specs ipconfig.exe no specs route.exe no specs makecab.exe no specs control.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1136"C:\Windows\System32\control.exe" SYSTEMC:\Windows\System32\control.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Control Panel
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\control.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1248"C:\Windows\system32\ROUTE.EXE" printC:\Windows\system32\ROUTE.EXEsdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Route Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\route.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
1816"C:\Program Files\Opera\opera.exe" https://xn-xx.org/C:\Program Files\Opera\opera.exe
explorer.exe
User:
admin
Company:
Opera Software
Integrity Level:
MEDIUM
Description:
Opera Internet Browser
Exit code:
0
Version:
1748
Modules
Images
c:\program files\opera\opera.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\rpcrt4.dll
2736C:\Windows\System32\sdiagnhost.exe -EmbeddingC:\Windows\System32\sdiagnhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Scripted Diagnostics Native Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sdiagnhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\lpk.dll
2908"C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddfC:\Windows\system32\makecab.exesdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Cabinet Maker
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\makecab.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2952"C:\Windows\system32\ipconfig.exe" /allC:\Windows\system32\ipconfig.exesdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ipconfig.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\ws2_32.dll
3268"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\j40-opue.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
sdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.4927 (NetFXspW7.050727-4900)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3292"C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddfC:\Windows\system32\makecab.exesdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Cabinet Maker
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\makecab.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3556"C:\Windows\system32\ROUTE.EXE" printC:\Windows\system32\ROUTE.EXEsdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Route Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\route.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
3924"C:\Windows\system32\ipconfig.exe" /allC:\Windows\system32\ipconfig.exesdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ipconfig.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\nsi.dll
Total events
457
Read events
326
Write events
131
Delete events
0

Modification events

(PID) Process:(1816) opera.exeKey:HKEY_CURRENT_USER\Software\Opera Software
Operation:writeName:Last CommandLine v2
Value:
C:\Program Files\Opera\opera.exe https://xn-xx.org/
(PID) Process:(1816) opera.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(4092) msdt.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2736) sdiagnhost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2736) sdiagnhost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(1136) control.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
2
Suspicious files
70
Text files
80
Unknown types
19

Dropped files

PID
Process
Filename
Type
1816opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr74FD.tmp
MD5:
SHA256:
1816opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\opr750D.tmp
MD5:
SHA256:
1816opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\opr757C.tmp
MD5:
SHA256:
1816opera.exeC:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00001.tmp
MD5:
SHA256:
1816opera.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XUYENTZZGVR4WKPDTZ70.temp
MD5:
SHA256:
1816opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr8200.tmp
MD5:
SHA256:
1816opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr194F.tmp
MD5:
SHA256:
1816opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr2527.tmp
MD5:
SHA256:
1816opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr5243.tmp
MD5:
SHA256:
1816opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xmlxml
MD5:E7F6A730E5BB3550B3C989B8D755C19B
SHA256:6B4763C955C9B69FCF022CA0A7CAB4B73A883401528FA06C9B4A27BB12A22777
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
48
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1816
opera.exe
GET
200
66.225.197.197:80
http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
US
der
543 b
whitelisted
1816
opera.exe
GET
200
185.26.182.110:80
http://redir.opera.com/favicons/google/favicon.ico
unknown
image
5.30 Kb
whitelisted
1816
opera.exe
GET
200
172.217.16.195:80
http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEGP04nWBbUL75ThIZuPamrU%3D
US
der
471 b
whitelisted
1816
opera.exe
GET
200
172.217.16.195:80
http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEFTQzKp9kfxtPKoO1QQ8KC8%3D
US
der
471 b
whitelisted
1816
opera.exe
GET
302
172.217.22.100:80
http://www.google.com/search?q=https%3A%2F%2Fxn-xx.org%2F&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest
US
html
336 b
malicious
1816
opera.exe
GET
302
172.217.22.100:80
http://www.google.com/search?client=opera&q=https%3A%2F%2Fxn-xx.org%2F&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest
US
html
352 b
malicious
1816
opera.exe
GET
200
172.217.16.195:80
http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCECVUMfNhRCm2EB0zW1NN2oo%3D
US
der
471 b
whitelisted
1816
opera.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEA4qQ6egejEAoGpLjLoQArQ%3D
US
der
471 b
whitelisted
1816
opera.exe
GET
301
52.58.166.11:80
http://help.opera.com/errorpage/
DE
html
178 b
whitelisted
1816
opera.exe
GET
200
172.217.16.195:80
http://crl.pki.goog/gsr2/gsr2.crl
US
der
546 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1816
opera.exe
104.18.33.64:443
xn-xx.org
Cloudflare Inc
US
shared
1816
opera.exe
66.225.197.197:80
crl4.digicert.com
CacheNetworks, Inc.
US
whitelisted
1816
opera.exe
185.26.182.109:80
redir.opera.com
Opera Software AS
unknown
104.18.33.64:443
xn-xx.org
Cloudflare Inc
US
shared
1816
opera.exe
172.217.22.100:80
www.google.com
Google Inc.
US
whitelisted
1816
opera.exe
172.217.16.195:80
crl.pki.goog
Google Inc.
US
whitelisted
1816
opera.exe
172.217.22.100:443
www.google.com
Google Inc.
US
whitelisted
1816
opera.exe
216.58.207.67:443
ssl.gstatic.com
Google Inc.
US
whitelisted
1816
opera.exe
52.58.166.11:443
help.opera.com
Amazon.com, Inc.
DE
unknown
1816
opera.exe
52.58.166.11:80
help.opera.com
Amazon.com, Inc.
DE
unknown

DNS requests

Domain
IP
Reputation
xn-xx.org
  • 104.18.33.64
  • 104.18.32.64
malicious
sitecheck2.opera.com
  • 185.26.182.112
  • 185.26.182.93
  • 185.26.182.94
  • 185.26.182.111
whitelisted
certs.opera.com
  • 185.26.182.93
  • 185.26.182.94
whitelisted
crl4.digicert.com
  • 66.225.197.197
whitelisted
redir.opera.com
  • 185.26.182.110
  • 185.26.182.109
whitelisted
www.google.com
  • 172.217.22.100
malicious
crl.pki.goog
  • 172.217.16.195
whitelisted
ocsp.pki.goog
  • 172.217.16.195
whitelisted
ssl.gstatic.com
  • 216.58.207.67
whitelisted
clients1.google.com
  • 172.217.18.174
whitelisted

Threats

No threats detected
Process
Message
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://xn-xx.org/