URL: https://rz.nakadashi.pw/

Full analysis: https://app.any.run/tasks/1e0772c1-d27e-44d3-846b-586ad43c8fd5
Verdict: Malicious activity
Analysis date: March 19, 2021, 02:52:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 58F21E43611DE0E2FA4DBE750AA64BA7
SHA1: 77AF2BA0482A39FB9310647670699C4BE88508C8
SHA256: C3D9822EA7DD039D997514404D189C4E643AD958EF52A9F1374AB152EA270C03
SSDEEP: 3:N89wOE3MLH:29Fj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    No suspicious indicators.
  • INFO
    • Reads settings of System Certificates
      • iexplore.exe (PID: 2376)
      • iexplore.exe (PID: 648)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 648)
    • Application launched itself
      • iexplore.exe (PID: 648)
    • Changes internet zones settings
      • iexplore.exe (PID: 648)
    • Creates files in the user directory
      • iexplore.exe (PID: 2376)
    • Reads internet explorer settings
      • iexplore.exe (PID: 2376)
    • Changes settings of System certificates
      • iexplore.exe (PID: 648)
No Malware configuration.
No data.
Total processes: 39
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph: start -> iexplore.exe -> iexplore.exe

Process information

PID 648
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://rz.nakadashi.pw/
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Exit code: 0
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\systemroot\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\iertutil.dll

PID 2376
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:648 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Exit code: 0
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\systemroot\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\iertutil.dll
Total events: 1 165
Read events: 1 074
Write events: 88
Delete events: 3

Modification events

Process: (648) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
  Operation: write
  Name: NextCheckForUpdateLowDateTime
  Value: 4062603670

Process: (648) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
  Operation: write
  Name: NextCheckForUpdateHighDateTime
  Value: 30874730

Process: (648) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
  Operation: write
  Name: CachePrefix
  Value: (empty)

Process: (648) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
  Operation: write
  Name: CachePrefix
  Value: Cookie:

Process: (648) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
  Operation: write
  Name: CachePrefix
  Value: Visited:

Process: (648) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  Operation: write
  Name: CompatibilityFlags
  Value: 0

Process: (648) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Operation: write
  Name: ProxyEnable
  Value: 0

Process: (648) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Operation: write
  Name: SavedLegacySettings
  Value:
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

Process: (648) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write
  Name: UNCAsIntranet
  Value: 0

Process: (648) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write
  Name: AutoDetect
  Value: 1

Executable files: 0
Suspicious files: 215
Text files: 93
Unknown types: 73

Dropped files

PID | Process | Filename | Type
2376 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\CabFE89.tmp | -
2376 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\TarFE8A.tmp | -
2376 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\ZRJDD49W.txt | -
2376 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab244.tmp | -
2376 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab266.tmp | -
2376 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar267.tmp | -
2376 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar245.tmp | -
2376 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary
2376 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der
2376 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\301727-1[1].jpg | image

(The MD5 and SHA256 fields for the dropped files are empty in this summary.)
HTTP(S) requests: 177
TCP/UDP connections: 192
DNS requests: 70
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2376 | iexplore.exe | GET | - | 103.55.193.7:80 | http://img.idol-mile.com/av/product/h4/pp_232992.jpg | JP | - | - | unknown
2376 | iexplore.exe | GET | 200 | 192.200.112.78:80 | http://static.thisav.com/images/videothumbs/309864-1.jpg | US | image | 13.5 Kb | suspicious
2376 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAiYRR7B3uJjCj33sxLWM6Q%3D | US | der | 280 b | whitelisted
2376 | iexplore.exe | GET | 200 | 192.200.112.78:80 | http://static.thisav.com/images/videothumbs/53008-1.jpg | US | image | 14.3 Kb | suspicious
2376 | iexplore.exe | GET | 200 | 172.64.134.31:80 | http://www.pornbest.org/videos0/4069/40691131/v.jpg?2 | US | image | 28.4 Kb | suspicious
2376 | iexplore.exe | GET | 200 | 5.63.144.85:80 | http://rapefilms.net/tb/money-strip.jpg | GB | image | 39.8 Kb | whitelisted
2376 | iexplore.exe | GET | 200 | 104.21.235.96:80 | http://img.capranger.jp/tousatux/5233/large.jpg | US | image | 116 Kb | suspicious
2376 | iexplore.exe | GET | 200 | 192.200.112.78:80 | http://static.thisav.com/images/videothumbs/301727-1.jpg | US | image | 16.2 Kb | suspicious
2376 | iexplore.exe | GET | 200 | 192.200.112.78:80 | http://static.thisav.com/images/videothumbs/307697-1.jpg | US | image | 16.2 Kb | suspicious
2376 | iexplore.exe | GET | 200 | 89.41.177.100:80 | http://wild-kitty.net/video/vid163.jpg | RO | image | 52.8 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2376 | iexplore.exe | 172.64.193.2:443 | rz.nakadashi.pw | Cloudflare Inc | US | shared
- | - | 172.64.193.2:443 | rz.nakadashi.pw | Cloudflare Inc | US | shared
2376 | iexplore.exe | 104.21.233.245:443 | js.gazo.space | Cloudflare Inc | US | unknown
2376 | iexplore.exe | 104.244.42.129:443 | twitter.com | Twitter Inc. | US | malicious
2376 | iexplore.exe | 195.181.170.25:443 | cdn77-pic.xvideos-cdn.com | Datacamp Limited | DE | suspicious
2376 | iexplore.exe | 103.109.101.144:443 | img.share-videos.se | - | - | unknown
2376 | iexplore.exe | 13.32.21.25:443 | pics.r18.com | Amazon.com, Inc. | US | unknown
2376 | iexplore.exe | 209.197.3.84:443 | img-hw.xvideos-cdn.com | Highwinds Network Group, Inc. | US | suspicious
2376 | iexplore.exe | 192.200.112.78:80 | static.thisav.com | GorillaServers, Inc. | US | suspicious
2376 | iexplore.exe | 202.6.245.122:443 | pics.dmm.co.jp | DooGA Co., Ltd. | JP | unknown

DNS requests

Domain | IP | Reputation
rz.nakadashi.pw | 172.64.193.2, 172.64.192.2 | suspicious
ocsp.digicert.com | 93.184.220.29 | whitelisted
js.gazo.space | 104.21.233.245, 104.21.233.246 | whitelisted
twitter.com | 104.244.42.129, 104.244.42.65 | whitelisted
cdn77-pic.xvideos-cdn.com | 195.181.170.25, 195.181.175.3, 195.181.175.6 | suspicious
img.share-videos.se | 103.109.101.144 | unknown
pics.r18.com | 13.32.21.25, 13.32.21.68, 13.32.21.58, 13.32.21.75 | suspicious
static.thisav.com | 192.200.112.78 | suspicious
img-hw.xvideos-cdn.com | 209.197.3.84 | whitelisted
pics.dmm.co.jp | 202.6.245.122, 202.6.245.93, 202.6.247.39, 202.6.246.10, 202.6.244.93, 202.6.247.66, 202.6.247.40 | unknown

Threats

PID | Process | Class | Message
1040 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
1040 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
2376 | iexplore.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.pw domain
1040 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
1040 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
2376 | iexplore.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.pw domain
648 | iexplore.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.pw domain
No debug info