analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://cdn.discordapp.com/attachments/922029674840858643/922486779360206888/Robux_Hack.zip

Full analysis: https://app.any.run/tasks/08f5db5e-a1fb-436c-a0fe-6c045b0c4aab
Verdict: Malicious activity
Analysis date: January 15, 2022, 02:03:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

C6801EAB8B8CC36823C2DF8384F8C46C

SHA1:

609FF75E05EDC248CD1F8044562D0FB9FA8BD288

SHA256:

C38068CAE2716E06E2C8B132B8703FC36E804A6EA47CE7DCF23BFB12CE8D9C99

SSDEEP:

3:N8cCWdy6//mXVXiiZduwKc3zwUn:2cry6Xg9iWJK6zwU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3836)
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3284)
    • Checks supported languages

      • WinRAR.exe (PID: 3428)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 3428)
    • Reads the computer name

      • WinRAR.exe (PID: 3428)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3428)
    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 3428)
  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 3980)
      • iexplore.exe (PID: 3284)
    • Checks supported languages

      • iexplore.exe (PID: 3980)
      • iexplore.exe (PID: 3284)
    • Application launched itself

      • iexplore.exe (PID: 3980)
    • Changes internet zones settings

      • iexplore.exe (PID: 3980)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3980)
      • iexplore.exe (PID: 3284)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3980)
    • Reads the date of Windows installation

      • iexplore.exe (PID: 3980)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3284)
      • iexplore.exe (PID: 3980)
    • Creates files in the user directory

      • iexplore.exe (PID: 3980)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe winrar.exe searchprotocolhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3980"C:\Program Files\Internet Explorer\iexplore.exe" "https://cdn.discordapp.com/attachments/922029674840858643/922486779360206888/Robux_Hack.zip"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
3284"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3980 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\iertutil.dll
3428"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Robux_Hack.zip"C:\Program Files\WinRAR\WinRAR.exe
iexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
3836"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
20 814
Read events
20 609
Write events
203
Delete events
2

Modification events

(PID) Process:(3980) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(3980) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
238147104
(PID) Process:(3980) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30935476
(PID) Process:(3980) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
538309604
(PID) Process:(3980) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30935476
(PID) Process:(3980) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3980) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3980) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3980) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3980) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
6
Suspicious files
12
Text files
18
Unknown types
4

Dropped files

PID
Process
Filename
Type
3980iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776binary
MD5:DE954B09DF9C77AEE3DEE30471F06D89
SHA256:AC9499C6FA57A41DA40D4269422C0DE045CA6F96E2A82EBD73D189752D12FAA2
3284iexplore.exeC:\Users\admin\Desktop\Robux_Hack.zip.ra62wvw.partialcompressed
MD5:2C511F7294FA1D15EF753D342A53C4B6
SHA256:92EAD6CA55A48335759434138E42E185BE740DE7CEBA1C176643D5476F0A7CEB
3980iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:AC68ACF50745357D4EA92B214D9E7132
SHA256:AE3F7FDE380D2D90571A61378E52B1BC284B4C4C6A1E099F6F022395EBED6154
3980iexplore.exeC:\Users\admin\Desktop\Robux_Hack.zipcompressed
MD5:2C511F7294FA1D15EF753D342A53C4B6
SHA256:92EAD6CA55A48335759434138E42E185BE740DE7CEBA1C176643D5476F0A7CEB
3284iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27der
MD5:BEAB9DA0AA8E569DD7B0DEDBA4676D02
SHA256:7C5EE0FF5ECD229BA442C639096CFB79D50D7FC6841A8E99693393A920A70C33
3284iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27binary
MD5:C30F3E9476DC702ADEB20331A829F735
SHA256:7A901A9A9F1F33E475A58A9397B6F3ACBC5A5F3E5CB59F1AFB5ACBE7262B5660
3980iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:1EAB95AB9FD769432A8CDCBED4CB7932
SHA256:C7D6F3E77F985D0A37BD2C51B1289E09A8B412B6BD935F1DC9950DCACB12B1C0
3980iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:4DBE8CEA97B5997CF92B92DD2C005BCA
SHA256:E7E6549255D73274F95316183CB13A11C3D9E3DD87A81CC5F1A01FF81D7818F8
3980iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776der
MD5:ACE427D9E2E5197DA2F600C887DCFCB1
SHA256:9D985EC5E3675B2C7DED4535F7DE2CBE39934D67046E25C3D0466220FAFE9651
3980iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{4BD75359-75A7-11EC-A20C-12A9866C77DE}.datbinary
MD5:A7C8CE9017C6FC71BBF8EEABD94CB758
SHA256:F9039B652172B1F59993DE0788AA33391EF75D333B669DE2A34D2ED56C955ED6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
27
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3980
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
3980
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
3284
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
3284
iexplore.exe
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d8ce35b610dd58be
US
compressed
4.70 Kb
whitelisted
3284
iexplore.exe
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?50539304c6442a1b
US
compressed
4.70 Kb
whitelisted
3980
iexplore.exe
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b2ed770e5196e9b2
US
compressed
4.70 Kb
whitelisted
3980
iexplore.exe
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?332af297bfda49e6
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3284
iexplore.exe
209.197.3.8:80
ctldl.windowsupdate.com
Highwinds Network Group, Inc.
US
whitelisted
3980
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3284
iexplore.exe
162.159.134.233:443
cdn.discordapp.com
Cloudflare Inc
shared
3980
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3980
iexplore.exe
209.197.3.8:80
ctldl.windowsupdate.com
Highwinds Network Group, Inc.
US
whitelisted
3980
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3980
iexplore.exe
204.79.197.203:443
www.msn.com
Microsoft Corporation
US
whitelisted
3980
iexplore.exe
104.111.242.51:443
go.microsoft.com
Akamai International B.V.
NL
unknown
3284
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3980
iexplore.exe
40.83.186.94:443
query.prod.cms.msn.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
cdn.discordapp.com
  • 162.159.134.233
  • 162.159.130.233
  • 162.159.135.233
  • 162.159.133.233
  • 162.159.129.233
shared
ctldl.windowsupdate.com
  • 209.197.3.8
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ieonline.microsoft.com
  • 204.79.197.200
whitelisted
go.microsoft.com
  • 104.111.242.51
whitelisted
www.msn.com
  • 204.79.197.203
whitelisted

Threats

No threats detected
No debug info