analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://u10817722.ct.sendgrid.net/wf/click?upn=w4gJimGE6OfjzU3knIJqd4tkXdU4FwxrErqVQL5P9PQKxaSaPlP8OeYmGFI35lfbd1B-2BhEBP5n9kWnk0NK5KdkLakpJl3DOpTYaBUZi7iFAVu0BiAQbWoYEtHNzyIuh-2FItM3QSUG8Bx0NxmvbGcTNQgrY690OJmYc9mTyDexi-2B5gYvw6o2GuPKemhk8Ttf0uvnqt5IZSizMcGFXMNSGaMj-2BsdLfRx1G9Ma-2BGim9BQYM-3D_RponfwD6SWCG-2FiVEIcoB4HjTrvP54Omdf-2BKfk78FDiHM-2FU5qTL5U-2Bj-2BVKVrZkbf97zT4H8YorIdHL92FTBuuMdqmMLMnGCwT-2FhoZGAhJdFKu-2FeBfw3Jrv3OInZiAU2SB5MIpmZtIY2KVvPL-2F-2F1Is6ScjD2NBgf7obWhWdTgeB2Ks8WhVZBUV8edUub4F-2BLyN99eIh89pScFUfBL-2BOffoeiuNI0WAtVKfZzJL0eieKSY-3D

Full analysis: https://app.any.run/tasks/a3bd3678-cdff-4bbb-b36f-9de69fc44f53
Verdict: Malicious activity
Analysis date: June 18, 2019, 21:35:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
phishing
Indicators:
MD5:

FC365A8BA05195EBDC54094A0A140D33

SHA1:

A00EEB0FBB66139EE3E9E70D59D91D3B8EFD659D

SHA256:

DED556305E243182C79FFDF3D22B45297C82B8C03957F87317C1D33A38F38C43

SSDEEP:

12:2mDSspLW2EDXDXNXp62hMsql8JoZ2pliV6dpMy2j1phvhCMoGMyA:20hLxQD9p62hBGs4OliQdKyc1/8GdA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Creates files in the program directory

      • AdobeARM.exe (PID: 3036)

  • INFO

    • Creates files in the user directory

      • iexplore.exe (PID: 3452)
      • iexplore.exe (PID: 3484)
      • iexplore.exe (PID: 3620)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3452)
      • iexplore.exe (PID: 3484)
      • iexplore.exe (PID: 3620)

    • Changes internet zones settings

      • iexplore.exe (PID: 2956)

    • Application launched itself

      • iexplore.exe (PID: 2956)
      • RdrCEF.exe (PID: 2776)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3452)
      • iexplore.exe (PID: 2956)
      • iexplore.exe (PID: 3484)
      • iexplore.exe (PID: 3620)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2956)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2956)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
13
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe iexplore.exe iexplore.exe acrord32.exe no specs acrord32.exe acrord32.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs adobearm.exe no specs reader_sl.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2956"C:\Program Files\Internet Explorer\iexplore.exe" https://u10817722.ct.sendgrid.net/wf/click?upn=w4gJimGE6OfjzU3knIJqd4tkXdU4FwxrErqVQL5P9PQKxaSaPlP8OeYmGFI35lfbd1B-2BhEBP5n9kWnk0NK5KdkLakpJl3DOpTYaBUZi7iFAVu0BiAQbWoYEtHNzyIuh-2FItM3QSUG8Bx0NxmvbGcTNQgrY690OJmYc9mTyDexi-2B5gYvw6o2GuPKemhk8Ttf0uvnqt5IZSizMcGFXMNSGaMj-2BsdLfRx1G9Ma-2BGim9BQYM-3D_RponfwD6SWCG-2FiVEIcoB4HjTrvP54Omdf-2BKfk78FDiHM-2FU5qTL5U-2Bj-2BVKVrZkbf97zT4H8YorIdHL92FTBuuMdqmMLMnGCwT-2FhoZGAhJdFKu-2FeBfw3Jrv3OInZiAU2SB5MIpmZtIY2KVvPL-2F-2F1Is6ScjD2NBgf7obWhWdTgeB2Ks8WhVZBUV8edUub4F-2BLyN99eIh89pScFUfBL-2BOffoeiuNI0WAtVKfZzJL0eieKSY-3DC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3452"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2956 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3484"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2956 CREDAT:71938C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3620"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2956 CREDAT:71939C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2348"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id 3452C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeiexplore.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Exit code:
0
Version:
15.23.20070.215641
1296"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id 3452C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
iexplore.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Version:
15.23.20070.215641
2388"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /id 3452C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Version:
15.23.20070.215641
2776"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
1476"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2776.0.1701715304\113421057" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
0
Version:
15.23.20053.211670
2496"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2776.1.1176555314\1117183931" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
Total events
1 171
Read events
991
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
113
Unknown types
25

Dropped files

PID
Process
Filename
Type
2956iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
2956iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3452iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:956C0288F68175AFD655F639ED4B436E
SHA256:46D7EB2B3DBB00B01F3D8B1FB6B7A8C9179EBA82AB2351E342AF256CD8DD6981
3452iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:E17619D39A234CF02A949C253240C537
SHA256:86824D074AB3605D51A59036D7C578AB91A0B337EFC16586572A3FD23ED1C891
3452iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1RDCD0NC\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
2956iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].pngimage
MD5:9FB559A691078558E77D6848202F6541
SHA256:6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
3452iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PPAEALXW\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3452iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3452iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1RDCD0NC\dnserror[1]html
MD5:68E03ED57EC741A4AFBBCD11FAB1BDBE
SHA256:1FF3334C3EB27033F8F37029FD72F648EDD4551FCE85FC1F5159FEAEA1439630
3452iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DP6V5JFD\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
64
TCP/UDP connections
60
DNS requests
25
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3452
iexplore.exe
GET
200
72.29.67.240:80
http://login.microsoftonline.com-common-oatuth2-authorize-client-dent00590002-0000-0jh1-fz00.wolkenfreitel.com/321/cmd-login=cd01efe09a3c34091edcbd69433f3bbc/bguzwnl9jbbsm18hxzju2lyg.php?rand=13InboxLightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13InboxLight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&[email protected]&loginpage=&.rand=13InboxLight.aspx?n=1774256418&fid=4
US
html
37.0 Kb
malicious
3452
iexplore.exe
GET
200
72.29.67.240:80
http://login.microsoftonline.com-common-oatuth2-authorize-client-dent00590002-0000-0jh1-fz00.wolkenfreitel.com/321/empty_files/converged.css
US
text
85.3 Kb
malicious
3452
iexplore.exe
GET
72.29.67.240:80
http://login.microsoftonline.com-common-oatuth2-authorize-client-dent00590002-0000-0jh1-fz00.wolkenfreitel.com/321/empty_files/prefetch_data/boot_003.js
US
malicious
3452
iexplore.exe
GET
200
72.29.67.240:80
http://login.microsoftonline.com-common-oatuth2-authorize-client-dent00590002-0000-0jh1-fz00.wolkenfreitel.com/321/empty_files/prefetch_data/boot.css
US
text
226 Kb
malicious
3452
iexplore.exe
GET
200
72.29.67.240:80
http://login.microsoftonline.com-common-oatuth2-authorize-client-dent00590002-0000-0jh1-fz00.wolkenfreitel.com/321/empty_files/convergedloginpaginatedstrings-en.js
US
text
11.1 Kb
malicious
3452
iexplore.exe
GET
200
72.29.67.240:80
http://login.microsoftonline.com-common-oatuth2-authorize-client-dent00590002-0000-0jh1-fz00.wolkenfreitel.com/321/empty_files/prefetch.htm
US
html
3.93 Kb
malicious
3452
iexplore.exe
GET
200
72.29.67.240:80
http://login.microsoftonline.com-common-oatuth2-authorize-client-dent00590002-0000-0jh1-fz00.wolkenfreitel.com/321/empty_files/picker_more.svg
US
image
899 b
malicious
3452
iexplore.exe
GET
200
72.29.67.240:80
http://login.microsoftonline.com-common-oatuth2-authorize-client-dent00590002-0000-0jh1-fz00.wolkenfreitel.com/321/empty_files/prefetch_data/boot_002_002.js
US
text
639 Kb
malicious
3452
iexplore.exe
GET
200
72.29.67.240:80
http://login.microsoftonline.com-common-oatuth2-authorize-client-dent00590002-0000-0jh1-fz00.wolkenfreitel.com/321/empty_files/ellipsis_white.svg
US
image
915 b
malicious
3452
iexplore.exe
GET
200
72.29.67.240:80
http://login.microsoftonline.com-common-oatuth2-authorize-client-dent00590002-0000-0jh1-fz00.wolkenfreitel.com/321/empty_files/convergedlogin_pcore.js
US
text
422 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3452
iexplore.exe
167.89.118.35:443
u10817722.ct.sendgrid.net
SendGrid, Inc.
US
suspicious
2956
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3452
iexplore.exe
72.29.67.240:80
login.microsoftonline.com-common-oatuth2-authorize-client-dent00590002-0000-0jh1-fz00.wolkenfreitel.com
HostDime.com, Inc.
US
suspicious
3484
iexplore.exe
40.126.9.97:443
passwordreset.microsoftonline.com
Microsoft Corporation
US
unknown
2956
iexplore.exe
184.31.91.84:443
secure.aadcdn.microsoftonline-p.com
Akamai International B.V.
NL
whitelisted
3452
iexplore.exe
184.31.91.84:443
secure.aadcdn.microsoftonline-p.com
Akamai International B.V.
NL
whitelisted
3452
iexplore.exe
2.18.232.137:443
r4.res.office365.com
Akamai International B.V.
whitelisted
3484
iexplore.exe
104.210.51.228:443
client.hip.live.com
Microsoft Corporation
US
unknown
2956
iexplore.exe
40.126.9.97:443
passwordreset.microsoftonline.com
Microsoft Corporation
US
unknown
3484
iexplore.exe
152.199.19.160:443
ajax.aspnetcdn.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
u10817722.ct.sendgrid.net
  • 167.89.118.35
  • 167.89.123.16
  • 167.89.115.54
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
login.microsoftonline.com-common-oatuth2-authorize-client-dent00590002-0000-0jh1-fz00.wolkenfreitel.com
  • 72.29.67.240
malicious
dns.msftncsi.com
  • 131.107.255.255
shared
secure.aadcdn.microsoftonline-p.com
  • 184.31.91.84
whitelisted
r4.res.office365.com
  • 2.18.232.137
whitelisted
passwordreset.microsoftonline.com
  • 40.126.9.97
  • 20.190.137.0
  • 20.190.137.65
  • 20.190.129.161
  • 20.190.129.6
whitelisted
ajax.aspnetcdn.com
  • 152.199.19.160
whitelisted
client.hip.live.com
  • 104.210.51.228
  • 104.215.74.84
whitelisted
wus.client.hip.live.com
  • 104.210.51.228
whitelisted

Threats

PID
Process
Class
Message
3452
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] Adobe PDF Phishing Landing
3452
iexplore.exe
Potentially Bad Traffic
ET CURRENT_EVENTS Microsoft Phishing Landing 2018-08-07
3452
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY Http Client Body contains passwd= in cleartext
3452
iexplore.exe
Potentially Bad Traffic
ET CURRENT_EVENTS Microsoft Phishing Landing 2018-08-07
3452
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY Http Client Body contains passwd= in cleartext
10 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://u10817722.ct.sendgrid.net/wf/click?upn=w4gJimGE6OfjzU3knIJqd4tkXdU4FwxrErqVQL5P9PQKxaSaPlP8OeYmGFI35lfbd1B-2BhEBP5n9kWnk0NK5KdkLakpJl3DOpTYaBUZi7iFAVu0BiAQbWoYEtHNzyIuh-2FItM3QSUG8Bx0NxmvbGcTNQgrY690OJmYc9mTyDexi-2B5gYvw6o2GuPKemhk8Ttf0uvnqt5IZSizMcGFXMNSGaMj-2BsdLfRx1G9Ma-2BGim9BQYM-3D_RponfwD6SWCG-2FiVEIcoB4HjTrvP54Omdf-2BKfk78FDiHM-2FU5qTL5U-2Bj-2BVKVrZkbf97zT4H8YorIdHL92FTBuuMdqmMLMnGCwT-2FhoZGAhJdFKu-2FeBfw3Jrv3OInZiAU2SB5MIpmZtIY2KVvPL-2F-2F1Is6ScjD2NBgf7obWhWdTgeB2Ks8WhVZBUV8edUub4F-2BLyN99eIh89pScFUfBL-2BOffoeiuNI0WAtVKfZzJL0eieKSY-3D