URL: http://rftech.custhelp.com/app/answers/detail/a_id/63/~/how-do-speakers-get-blown%3F-why-do-they-sound-distorted%3F

Full analysis: https://app.any.run/tasks/182606a5-bf1d-496c-b087-af75cf0c9de6
Verdict: Malicious activity
Analysis date: April 01, 2023, 05:59:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 2264F131ED10C1A8AC716254155C1531
SHA1: 92027DBC470BFE8CF55F522314C4818BAD956699
SHA256: DF10145AB2E50888D63BD1D155157F8CA59E0B2E10AFAB14810356B577EEDCF8
SSDEEP: 3:N1KMNA3ud3oaAvJSAeCaWqnFJvZcI8s5INe622Akn:CMNYud3mRSkGF9iI8KINe6BPn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS: No malicious indicators.
  • SUSPICIOUS: No suspicious indicators.
  • INFO:
    • Application launched itself: iexplore.exe (PID: 2744)
    • Create files in a temporary directory: iexplore.exe (PID: 2744)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start → iexplore.exe → iexplore.exe

Process information

PID: 2744
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://rftech.custhelp.com/app/answers/detail/a_id/63/~/how-do-speakers-get-blown%3F-why-do-they-sound-distorted%3F"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
  • c:\windows\system32\iertutil.dll

PID: 3108
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2744 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events: 25 862
Read events: 25 662
Write events: 200
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
2744 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPDaysSinceLastAutoMigration | 0
2744 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPLastLaunchHighDateTime | 30847387
2744 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | write | NextCheckForUpdateHighDateTime | 30847437
2744 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
2744 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
2744 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | write | CompatibilityFlags | 0
2744 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
2744 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
2744 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
2744 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
Executable files: 0
Suspicious files: 20
Text files: 90
Unknown types: 12

Dropped files

PID | Process | Filename | Type
3108 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | der
  MD5: 21ED9CA0F4579A63723066FAB3CDB1E9
  SHA256: 818A6653F6011A83D251998208826644FE68D228A739C87EC14E470E10817889
3108 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: E207B00E0A43D4A5EB483F4653A37695
  SHA256: C9781812B074B52E52C4F33872C1F52227300486D0CC8A2E076B74D3EDA977A2
3108 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\detail.themes.standard[1].css | text
  MD5: 70D527065376B70492E008C4943518E6
  SHA256: 393F77C12B20B4BFE1D87DEFE6D5FEFFF09CD5A3A691668205310CBC61DBD7B6
3108 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_4E801842C65A05B32894AA44728A63C4 | der
  MD5: A696094DDD713C86F344C6FD32F11F14
  SHA256: 7A237E02F1144B5A546FE94E4A61B1BE58C2FB3B8FF2E8AA87E5AAC1212C0521
3108 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\standard.themes.standard.SITE[1].css | text
  MD5: 92B65AA5604FDFBD86ABFB19A044585D
  SHA256: FBA73E62E187D97261B6A3CE9514852F5D6CA2E4A2AA3ACBAD1D7C9732543124
3108 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\answerid_63-a[1].htm | html
  MD5: CED597F73574D1A28D11C904ABCCB09E
  SHA256: 5E0D3EB4706CB1A0DD034812266BC69DDD22593B48EEF619C0CED098E20C40D9
3108 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | binary
  MD5: F21CACBC9AB42B32BF8F0B85559BD437
  SHA256: C1A418D4F9BB7B3AD61AAC2EA91F378FA9E7CEAAD5CF0A4DA7F1EABB5D68EDF6
3108 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_4E801842C65A05B32894AA44728A63C4 | binary
  MD5: 590ECFEF1A07D1B1E3F7914895710EB0
  SHA256: FC9FC63814E9DCB30E1213108290CEBF8AD6C6E9FC9BC9F7B4F74E4BC6A00FF1
3108 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\how-do-speakers-get-blown_-why-do-they-sound-distorted_[1].htm | html
  MD5: C859539E91667A229F54F089DC838AB7
  SHA256: 6F27C7457DD454779E39DF3B1C83A0F9C6FFC4293F4B004D889D63A9E19BBF28
3108 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\answerid_63-b[1].htm | html
  MD5: D875974F001B8647177B46033251178D
  SHA256: A1AB444BAAF6C111C2B2731F16608FCFDE21455A6B2586EDC34B80C7E0486E79
HTTP(S) requests: 12
TCP/UDP connections: 56
DNS requests: 12
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3108 | iexplore.exe | GET | 301 | 147.154.16.196:80 | http://rftech.custhelp.com/app/answers/detail/a_id/63/~/how-do-speakers-get-blown%3F-why-do-they-sound-distorted%3F | US |  |  | suspicious
3108 | iexplore.exe | GET | 301 | 172.66.42.238:80 | http://rockfordfosgate.com/rnt/rnw/docs/63/answerid_63-b.jpg | US | html | 548 b | whitelisted
3108 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | US | der | 471 b | whitelisted
3108 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAOouRkHnj79Qf7CLZzMA54%3D | US | der | 471 b | whitelisted
3108 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted
3108 | iexplore.exe | GET | 301 | 172.66.42.238:80 | http://www.rockfordfosgate.com/rnt/rnw/docs/63/answerid_63-b.jpg | US | html | 548 b | suspicious
3108 | iexplore.exe | GET | 301 | 172.66.42.238:80 | http://rockfordfosgate.com/rnt/rnw/docs/63/answerid_63-a.jpg | US | html | 548 b | whitelisted
3108 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAJm2rSFQJYKsCIt47N8dcg%3D | US | der | 471 b | whitelisted
3108 | iexplore.exe | GET | 301 | 172.66.42.238:80 | http://www.rockfordfosgate.com/rnt/rnw/docs/63/answerid_63-a.jpg | US | html | 548 b | suspicious
3108 | iexplore.exe | GET | 200 | 8.238.33.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?405ee83d6c2ae9ac | US | compressed | 4.70 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3108 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
3108 | iexplore.exe | 172.66.42.238:80 | www.rockfordfosgate.com | CLOUDFLARENET | US | suspicious
3108 | iexplore.exe | 147.154.16.196:443 | rftech.custhelp.com | ORACLE-BMC-31898 | US | unknown
3108 | iexplore.exe | 8.238.33.254:80 | ctldl.windowsupdate.com | LEVEL3 | US | suspicious
3108 | iexplore.exe | 147.154.16.196:80 | rftech.custhelp.com | ORACLE-BMC-31898 | US | unknown
3108 | iexplore.exe | 147.154.45.247:443 | rftech.widget.custhelp.com | ORACLE-BMC-31898 | US | unknown
3108 | iexplore.exe | 172.66.42.238:443 | www.rockfordfosgate.com | CLOUDFLARENET | US | suspicious
3108 | iexplore.exe | 23.37.40.225:443 | www.rnengage.com | AKAMAI-AS | DE | suspicious
2744 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
2744 | iexplore.exe | 147.154.16.196:443 | rftech.custhelp.com | ORACLE-BMC-31898 | US | unknown

DNS requests

Domain | IP | Reputation
rftech.custhelp.com | 147.154.16.196 | unknown
ctldl.windowsupdate.com | 8.238.33.254, 67.26.73.254, 8.253.95.249, 67.26.75.254, 8.241.9.254 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
www.rockfordfosgate.com | 172.66.42.238, 172.66.41.18 | unknown
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
rockfordfosgate.com | 172.66.42.238, 172.66.41.18 | whitelisted
rftech.widget.custhelp.com | 147.154.45.247 | unknown
www.rnengage.com | 23.37.40.225 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted

Threats

PID | Process | Class | Message
3108 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure (8 identical alerts)
No debug info