URL: https://theonlygames.com/ce/ce_1020/land_ce_121020_na_en/?landing=modest&haff_pid=5&haff_oid=16&haff_cid=4ae100006e79ace6&haff_sub1=4370757&haff_sub2=&haff_sub3=&haff_tag=cpa&utm_source=hooligan

Full analysis: https://app.any.run/tasks/17e406e6-7a02-43b8-8486-4c059ca2b6f1
Verdict: Malicious activity
Analysis date: June 27, 2022, 08:59:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: BD02E2025A64FE25AB7E06DBDD7CB3A8
SHA1: CF35726DEEC2E4FD7BE7904DA8C185CF11F3C799
SHA256: D6060895699DD9E0D79DAF772D7930EFAE24F308D906162886C2C7075E479F1B
SSDEEP: 3:N8FAK9cHIngAdA6UVXMiMGDRrTim3BAWlN4LgDOG0lGiAUdewPN46E5GSHJU2GBG:2h9oIngVqsRPxb7RjblGSHJyrufW7YLn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • No malicious indicators.
  • SUSPICIOUS
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 2996)
  • INFO
    • Checks supported languages
      • iexplore.exe (PID: 2996)
      • iexplore.exe (PID: 1000)
    • Reads the computer name
      • iexplore.exe (PID: 1000)
      • iexplore.exe (PID: 2996)
    • Changes internet zones settings
      • iexplore.exe (PID: 1000)
    • Application launched itself
      • iexplore.exe (PID: 1000)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 1000)
      • iexplore.exe (PID: 2996)
    • Reads internet explorer settings
      • iexplore.exe (PID: 2996)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 1000)
      • iexplore.exe (PID: 2996)
    • Creates files in the user directory
      • iexplore.exe (PID: 2996)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start iexplore.exe iexplore.exe

Process information

PID: 1000
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://theonlygames.com/ce/ce_1020/land_ce_121020_na_en/?landing=modest&haff_pid=5&haff_oid=16&haff_cid=4ae100006e79ace6&haff_sub1=4370757&haff_sub2=&haff_sub3=&haff_tag=cpa&utm_source=hooligan"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2996
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1000 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 14 721
Read events: 14 590
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 0
Suspicious files: 15
Text files: 30
Unknown types: 9

Dropped files

PID | Process | Filename | Type
2996 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\land_ce_121020_na_en[1].htm | html
    MD5: CDFF4B317BAA1E464A28719B7963C44F
    SHA256: 33449B3D4A6CCB535A0E4284FEBC2410FDAD8223F629A2129B7F86A9115F6DCD
2996 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\awpx_click[1].js | text
    MD5: 1E596326DCD6E03DE94281A1D54449B7
    SHA256: D8F13A3A5AC434BCB827EF744A472239F68BA781C661EA7DC3D6D80C1AEE5E40
2996 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\notice[1].png | image
    MD5: A363F371D7CCBFC88C3D35885106C120
    SHA256: 885CBCB649154D7B30A5383F9E436A7B49F2A28884EA2C6BD3A4AB323C14BFDE
2996 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\main[1].css | text
    MD5: 318EE32C1E43C57C02DEDD416274C41D
    SHA256: C6EB85F915C2798D4AAC423B9E5198F78ACFBB1A8977BF213EEFCD83893F9A47
1000 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
    MD5: 13B409C88BEA60AAA59C1C7594FCBCC9
    SHA256: F2172F0174ADA36895AAB0F97588EA31F92A41BDDD549D81AD363B9B676B9793
2996 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\p1[1].png | image
    MD5: 6C53C13C0CD9DBE619265F182CC1D470
    SHA256: 2B62F392506EF4E906863D9D0E0CD1FE763F9465E9277A07B1FA904C48EA15BD
1000 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F | der
    MD5: DF6DEECBA36F8D0AF53EAFA9C51AB1F7
    SHA256: 60D1053BDE5FBCA23ED8976F1EABAEE9C4BB459D9C997E5A76BB2182EE916D98
2996 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\p3[1].png | image
    MD5: DEDA1E0F8EE365F5EC608359F6AA3993
    SHA256: 915AADE99795B115C367F0F52EAAF799825CD6EAFB86ECDD121471BEB84F0CD3
1000 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F | binary
    MD5: C41DD2DDAE13C03B3846ACDA1F822951
    SHA256: 7F5385A26226454193018DA55BE8C5D3796A1A4A19738B0C5CCE612D872B6677
2996 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\chain[1].png | image
    MD5: 96B536DFC5315191D392484BE8F989B0
    SHA256: 1DEF00C869315F2970E0D4D4AFFC8919BC245D2BA4A46324FA06C7CB50C676DA
HTTP(S) requests: 9
TCP/UDP connections: 34
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2996 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ba69424ae744821e | US | compressed | 60.0 Kb | whitelisted
2996 | iexplore.exe | GET | 200 | 92.123.224.235:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgNG7UZme8WRSAca5bJiZyFPxA%3D%3D | unknown | der | 503 b | shared
1000 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
1000 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.78 Kb | whitelisted
2996 | iexplore.exe | GET | 200 | 104.89.32.83:80 | http://x1.c.lencr.org/ | NL | der | 717 b | whitelisted
2996 | iexplore.exe | GET | 200 | 104.18.21.226:80 | http://ocsp2.globalsign.com/rootr5/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQiD0S5cIHyfrLTJ1fvAkJWflH%2B2QQUPeYpSJvqB8ohREom3m7e0oPQn1kCDQHuXyKVQkkF%2BQGRqNw%3D | US | der | 1.26 Kb | whitelisted
2996 | iexplore.exe | GET | 200 | 104.18.20.226:80 | http://ocsp.globalsign.com/rootr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHUeP1PjGFkz6V8I7O6tApc%3D | US | der | 1.41 Kb | whitelisted
2996 | iexplore.exe | GET | 200 | 104.18.20.226:80 | http://ocsp.globalsign.com/gseccovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBSTMjK03nNiYoQYvu4Izyfn9OJNdAQUWHuOdSr%2BYYCqkEABrtboB0ZuP0gCDDr6WyPB2UqgqvyNjw%3D%3D | US | der | 941 b | whitelisted
1000 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2e50a28c016993cb | US | compressed | 4.70 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1000 | iexplore.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
1000 | iexplore.exe | 13.107.21.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
1000 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2996 | iexplore.exe | 104.21.235.54:443 | theonlygames.com | Cloudflare Inc | US | suspicious
2996 | iexplore.exe | 204.155.147.176:443 | ln.gamesrevenue.com | WZ Communications Inc. | US | suspicious
2996 | iexplore.exe | 104.21.235.53:443 | theonlygames.com | Cloudflare Inc | US | suspicious
 |  | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2996 | iexplore.exe | 104.89.32.83:80 | x1.c.lencr.org | Akamai Technologies, Inc. | NL | suspicious
2996 | iexplore.exe | 87.250.251.119:443 | mc.yandex.ru | YANDEX LLC | RU | whitelisted
2996 | iexplore.exe | 92.123.224.235:80 | r3.o.lencr.org | Akamai International B.V. | unknown | 

DNS requests

Domain | IP | Reputation
theonlygames.com | 104.21.235.54, 104.21.235.53 | malicious
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 13.107.21.200, 204.79.197.200 | whitelisted
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
crl3.digicert.com | 93.184.220.29 | whitelisted
ln.gamesrevenue.com | 204.155.147.176 | suspicious
x1.c.lencr.org | 104.89.32.83 | whitelisted
r3.o.lencr.org | 92.123.224.235, 92.123.224.240 | shared
iecvlist.microsoft.com | 152.199.19.161 | whitelisted

Threats: No threats detected
Debug info: none