File name: url.txt
Full analysis: https://app.any.run/tasks/0b193821-4242-4d5b-bb7d-c76e2d86c39a
Verdict: Malicious activity
Analysis date: April 25, 2019, 14:27:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: adware
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5: E21D00A36D61CD78C2BA6A27C99E615B
SHA1: 698547348F698C4C6B6B6BAB8FD960FD40BA86AE
SHA256: DAB4CF34DE8B032C951B3E7BB06EE78CA4D40A54760CF46E8761059A91721742
SSDEEP: 3:N1Kf7h62gHBjPsK:CDhfgVsK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS: no malicious indicators.
  • SUSPICIOUS: no suspicious indicators.
  • INFO:
    • Creates files in the user directory: iexplore.exe (PID: 2596)
    • Reads internet explorer settings: iexplore.exe (PID: 2596)
    • Changes internet zones settings: iexplore.exe (PID: 2052)
    • Reads Internet Cache Settings: iexplore.exe (PID: 2052), iexplore.exe (PID: 2596)
No Malware configuration.
No data.
Total processes: 35
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph (node labels recovered from the graph image): start, notepad.exe (no specs), iexplore.exe, iexplore.exe

Process information

PID 2812
  CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\url.txt
  Path: C:\Windows\system32\NOTEPAD.EXE
  Indicators: none
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Notepad
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2052
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Indicators: none
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2596
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2052 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Indicators: none
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 429
Read events: 358
Write events: 70
Delete events: 1

Modification events

(PID 2052) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  Operation: write
  Name: CompatibilityFlags
  Value: 0

(PID 2052) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write
  Name: UNCAsIntranet
  Value: 0

(PID 2052) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write
  Name: AutoDetect
  Value: 1

(PID 2052) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
  Operation: write
  Name: SecuritySafe
  Value: 1

(PID 2052) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Operation: write
  Name: ProxyEnable
  Value: 0

(PID 2052) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Operation: write
  Name: SavedLegacySettings
  Value: 460000006E000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000

(PID 2052) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
  Operation: write
  Name: {541995A1-6766-11E9-B3B3-5254004A04AF}
  Value: 0

(PID 2052) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
  Operation: write
  Name: Type
  Value: 4

(PID 2052) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
  Operation: write
  Name: Count
  Value: 1

(PID 2052) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
  Operation: write
  Name: Time
  Value: E3070400040019000E001C000100D003
Executable files: 0
Suspicious files: 0
Text files: 25
Unknown types: 8

Dropped files

PID | Process | Filename | Type (a "-" marks a cell left empty in the report)

2052 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | -
  MD5: -
  SHA256: -
2052 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | -
  MD5: -
  SHA256: -
2596 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\42P01DL0\fwdssp_com[1].txt | -
  MD5: -
  SHA256: -
2596 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JV2GFHUW\fwdssp_com[1].txt | -
  MD5: -
  SHA256: -
2596 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat
  MD5: 2B7BB2D8027B95CC46CBFEDB77E74AB6
  SHA256: 1F4CB3A577D3384F790C3347E601C2CDC0939B9C05C74BD904EB734C9759F9A6
2052 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\StructuredQuery.log | text
  MD5: 5DE761A84A175EDC06300321AFFB494E
  SHA256: 95AF46F1C7A892CDB63EBD9DF3BE139EB64BDA4B22D01AD81741FA87D165DE18
2596 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\42P01DL0\fwdssp_com[1].htm | html
  MD5: 94EBC4D97C9B1DEF8D293C0B2C740337
  SHA256: 4ACBC0971029E30B1DA3D7658591DAD597F85EE8D6899BE679C65F8B794D4D9F
2596 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1HK3S99R\min[1].js | text
  MD5: 5563332AD6AF63C9C94CEF15761BE544
  SHA256: 4EFEC11A42893D4DF0249174CBE5AFAE24A5734F5DED35C5E84C56BF9F473EC2
2596 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JV2GFHUW\fwdssp_com[1].htm | html
  MD5: A8886DE8C35E154352D93B8630EA063A
  SHA256: 1DB72F6A2C175782DC5520187D46B9612CC33D64F85DE2DA38AC67734548FD4C
2596 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1LZ5OGI6\suspendedpage[1].htm | html
  MD5: 0357AA49EA850B11B99D09A2479C321B
  SHA256: 0FF0B7FCB090C65D0BDCB2AF4BBD2C30F33356B3CE9B117186FA20391EF840A3
HTTP(S) requests: 26
TCP/UDP connections: 17
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (a "-" marks a cell left empty in the report)

2596 | iexplore.exe | GET | - | 192.232.218.170:80 | http://ayrislogic.com/cgi-sys/suspendedpage.cgi | US | - | - | unknown
2596 | iexplore.exe | GET | 302 | 192.232.218.170:80 | http://ayrislogic.com/wp-admin/DOC/YTiIvWyI/ | US | html | 295 b | unknown
2596 | iexplore.exe | GET | 302 | 192.232.218.170:80 | http://ayrislogic.com/wp-admin/DOC/YTiIvWyI/ | US | html | 295 b | unknown
2596 | iexplore.exe | GET | 200 | 208.91.196.46:80 | http://fwdssp.com/?domain=ayrislogic.com&dn=ayrislogic.com&fp=Z5JhEkAvHywWOPc1TvfnSrt3uhXjokrCjMX9N5jnRMgd4QSE4X6M6pTERRZQKvGtKj7CtGX7nna5vR%2BK%2BtCDPSTdZkZgHB8iMG2B0xsoPuiUs06ZYTxvWo4Kok2yf%2Fg2dsiBXbawM9ULQwWxJ4j6%2BGk0hRq6z5H5OtYpQP7QHp4%3D&prvtof=%2FZYK1PVJekBwKkwnbqJxCoaHXbpOZgV2hSHmLpi8Ogvw20E%2BO4xRuPKhlITFsFY790oPqafhvJiPfXDJssaBXQ%3D%3D&poru=2bpCqmLiySqqTwLGaAlvKEAVyXsRNUkGGJn86vhBGduLUpF%2BMBTRwzRQKiRFRH1LW%2FifOPRA0GQPgHBgg0Q38YcbHutN7760kXBsqdlpNgs%3D& | VG | html | 6.72 Kb | whitelisted
2596 | iexplore.exe | GET | 200 | 192.232.218.170:80 | http://ayrislogic.com/cgi-sys/suspendedpage.cgi | US | html | 322 b | unknown
2596 | iexplore.exe | GET | 200 | 2.16.186.64:80 | http://i3.cdn-image.com/__media__/js/min.js?v2.2 | unknown | text | 2.97 Kb | whitelisted
2596 | iexplore.exe | GET | 200 | 208.91.196.46:80 | http://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4 | VG | html | 1.72 Kb | whitelisted
2596 | iexplore.exe | GET | 200 | 2.16.186.106:80 | http://i2.cdn-image.com/__media__/pics/12471/bodybg.png | unknown | image | 94.9 Kb | whitelisted
2596 | iexplore.exe | GET | 302 | 208.91.196.4:80 | http://searchdiscovered.com/__media__/pics/657/error-bg.gif | VG | html | 243 b | malicious
2596 | iexplore.exe | GET | 200 | 2.16.186.64:80 | http://i3.cdn-image.com/__media__/pics/12471/logo.png | unknown | image | 3.86 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation (a "-" marks a cell left empty in the report)

2052 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2596 | iexplore.exe | 192.232.218.170:80 | ayrislogic.com | Unified Layer | US | unknown
2596 | iexplore.exe | 208.91.196.4:80 | searchdiscovered.com | Confluence Networks Inc | VG | malicious
2596 | iexplore.exe | 2.16.186.64:80 | i3.cdn-image.com | Akamai International B.V. | - | whitelisted
2052 | iexplore.exe | 192.232.218.170:80 | ayrislogic.com | Unified Layer | US | unknown
2596 | iexplore.exe | 2.16.186.106:80 | i3.cdn-image.com | Akamai International B.V. | - | whitelisted
2596 | iexplore.exe | 208.91.196.46:80 | fwdssp.com | Confluence Networks Inc | VG | malicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ayrislogic.com
  • 192.232.218.170
unknown
fwdssp.com
  • 208.91.196.46
whitelisted
i3.cdn-image.com
  • 2.16.186.64
  • 2.16.186.106
whitelisted
i4.cdn-image.com
  • 2.16.186.106
  • 2.16.186.64
whitelisted
searchdiscovered.com
  • 208.91.196.4
malicious
i2.cdn-image.com
  • 2.16.186.106
  • 2.16.186.64
whitelisted
i1.cdn-image.com
  • 2.16.186.106
  • 2.16.186.64
whitelisted
freeresultsguide.com
  • 208.91.196.4
whitelisted

Threats

PID | Process | Class | Message

2596 | iexplore.exe | Misc activity | ADWARE [PTsecurity] InstantAccess

Debug info: none