URL:

https://security.thelist.tas.gov.au/cas/login?gateway=true&service=http://pais.su/vr72mw9q50.htm

Full analysis: https://app.any.run/tasks/3874beea-c4bd-4cfd-859c-332de55f9d9a
Verdict: Malicious activity
Analysis date: November 09, 2023, 11:59:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
SHA1: C373A1B1713BDCA757ECA80D895C903368F28053
SHA256: CEC0F7DCAD1515C085CEF4CDFA73227D4F3CEC4B9FA9B934387E63E7A972DD43
SSDEEP: 3:N8N3QlRl/2IlGNJXRZAbXAk3EMMWf2NCu:2ZQlRl/HGbXRZAbxlMa2d

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    No suspicious indicators.
  • INFO
    • Reads the computer name
      • wmpnscfg.exe (PID: 3488)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 3488)
    • Application launched itself
      • iexplore.exe (PID: 3416)
    • Checks supported languages
      • wmpnscfg.exe (PID: 3488)
    • Reads the machine GUID from the registry
      • wmpnscfg.exe (PID: 3488)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start → iexplore.exe → iexplore.exe; wmpnscfg.exe (no specs)

Process information

PID: 3216
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3416 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators:
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  c:\program files\internet explorer\iexplore.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\iertutil.dll

PID: 3416
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://security.thelist.tas.gov.au/cas/login?gateway=true&service=http://pais.su/vr72mw9q50.htm"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators:
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  c:\program files\internet explorer\iexplore.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\iertutil.dll

PID: 3488
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Indicators:
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\program files\windows media player\wmpnscfg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\sspicli.dll
  c:\windows\system32\ole32.dll
Total events: 19 394
Read events: 19 335
Write events: 54
Delete events: 5

Modification events

(PID) Process: (3416) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 0

(PID) Process: (3416) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 30847387

(PID) Process: (3416) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 30847437

(PID) Process: (3416) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3416) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3416) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (3416) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3416) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3416) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3416) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files: 0
Suspicious files: 40
Text files: 43
Unknown types: 0

Dropped files

PID: 3216  Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: compressed
MD5: 1BFE591A4FE3D91B03CDF26EAACD8F89
SHA256: 9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8

PID: 3216  Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Type: binary
MD5: 8121F9891EE6B85BADA16947785DA332
SHA256: 76CE48D70D1C35276BFB63843517A14AF4C4CC6B0201964E34C8BBAE0090CE85

PID: 3216  Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: binary
MD5: 76397A39606827DBC2AB11B4EE3BC19C
SHA256: 9975F3548DC5D127FECCA135474E1AFC14F392DA6D544606198C88EFA57EEF48

PID: 3216  Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B
Type: binary
MD5: E9B5CC0BEA2E134DD2F4E22D5F0B0ADF
SHA256: 32AEE11901762A0EDDB7C692A329EB83E8EDFB69212616768A843572E5123EB4

PID: 3216  Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Type: binary
MD5: E5B7592F0C9812B9640AD5C97E867091
SHA256: E625667213E66A4A91DBF64F48246EF6A3D1D1C7867FB8392AE560F65D057C03

PID: 3216  Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3D66B8F592816E4D56A9F94798E8770
Type: binary
MD5: 13F79D1C0339B3BCA52B067D00A56FAF
SHA256: EAC5CBEEC9B0315682C73D87E19D21EA7A54B73E984300B1488A2C8BA92FBA23

PID: 3216  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\E6S8BJOH.txt
Type: text
MD5: 2C185CC26ABAB48E4ACF515F7018AFEE
SHA256: DB97708D4D3D515C402F8330746B53C455ACD708B7793054C3864A791BB7F148

PID: 3216  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\38WRF5N8.txt
Type: text
MD5: 8B25A6515656471AD65D816A5E4C04E7
SHA256: 32CB6551946BAE09B1DCBBA0963DBF9198208C6F10DA6101616657C7649E871B

PID: 3416  Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Type: binary
MD5: BC7CE829F2F6B1521390212140904993
SHA256: DA917B7733B59949A69AF0FC970FE0FE99C374E94E835843BA64E47973AA0AB5

PID: 3216  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\4KORSAFM.txt
Type: text
MD5: 33F2C4D3B7EF95B83EEF3625648C5DF7
SHA256: 03B3E7338306EC04C249E5FE8E90D68349DAAB08472529616779493DFB77A465
HTTP(S) requests: 22
TCP/UDP connections: 42
DNS requests: 23
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3216 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?24ee352ddd3d4dea | unknown | compressed | 4.66 Kb | unknown
3216 | iexplore.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEGxVq9vQB5LHnQcM2BGe1r8%3D | unknown | binary | 2.18 Kb | unknown
3216 | iexplore.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | unknown | binary | 1.42 Kb | unknown
3216 | iexplore.exe | GET | 200 | 172.64.149.23:80 | http://zerossl.ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQILj%2F5BYz%2BinwYvRPv3x0WYHB6awQUyNl4aKLZGWjVPXLeXwo%2B3LWGhqYCEQCT1sTTIPJzidpW808lzd83 | unknown | binary | 728 b | unknown
3216 | iexplore.exe | GET | 200 | 185.238.171.72:80 | http://pais.su/vr72mw9q50.htm | unknown | html | 6.00 Kb | unknown
3216 | iexplore.exe | GET | 200 | 67.27.235.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d6bb2ad0af14907d | unknown | compressed | 4.66 Kb | unknown
3216 | iexplore.exe | GET | 200 | 23.201.254.55:80 | http://x1.c.lencr.org/ | unknown | binary | 717 b | unknown
3216 | iexplore.exe | GET | 303 | 185.238.171.72:80 | http://pais.su/vr72mw9q50.htm | unknown | binary | 72 b | unknown
3216 | iexplore.exe | GET | 200 | 2.16.202.121:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgQ6C7qlIy8RfCLZmp4eOFaQCA%3D%3D | unknown | binary | 503 b | unknown
3216 | iexplore.exe | GET | 200 | 104.18.20.226:80 | http://ocsp.globalsign.com/alphasslcasha256g4/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBSPdwLcDiHQXlVfp8h37hrpMerTggQUT8usqMLvq92Db2u%2Fzpg9XFgldhUCDF8UEFuKOsZS4YsffA%3D%3D | unknown | binary | 1.40 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2588 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
1080 | svchost.exe | 192.168.100.2:53 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
3216 | iexplore.exe | 147.109.255.201:443 | | Networking Tasmania | AU | unknown
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
3216 | iexplore.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
3216 | iexplore.exe | 67.27.235.126:80 | ctldl.windowsupdate.com | LEVEL3 | US | unknown
3216 | iexplore.exe | 104.18.38.233:80 | ocsp.comodoca.com | CLOUDFLARENET | | shared
3216 | iexplore.exe | 172.64.149.23:80 | ocsp.comodoca.com | CLOUDFLARENET | US | unknown

DNS requests

Domain | IP | Reputation
security.thelist.tas.gov.au | | unknown
ctldl.windowsupdate.com | 93.184.221.240, 67.27.235.126, 8.248.145.254, 8.253.95.120, 8.241.9.126, 67.27.159.126 | whitelisted
ocsp.comodoca.com | 104.18.38.233, 172.64.149.23 | whitelisted
ocsp.usertrust.com | 104.18.38.233, 172.64.149.23 | whitelisted
zerossl.ocsp.sectigo.com | 172.64.149.23, 104.18.38.233 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 13.107.21.200, 204.79.197.200 | whitelisted
pais.su | 185.238.171.72 | malicious
stackpath.bootstrapcdn.com | 104.18.10.207, 104.18.11.207 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted

Threats

PID | Process | Class | Message
3216 | iexplore.exe | Misc activity | ET INFO Observed ZeroSSL SSL/TLS Certificate
3216 | iexplore.exe | Misc activity | ET INFO Observed ZeroSSL SSL/TLS Certificate
1080 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related
3216 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
3416 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
3216 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
3216 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
No debug info