General Info

URL

http://www.dkmeco.com/multimedia/metoposcopic_molligrubs.html

Full analysis
https://app.any.run/tasks/e93d9b66-a552-4722-ab44-9097f8262203
Verdict
Malicious activity
Analysis date
11/8/2018, 19:13:21
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO

No malicious indicators.

No suspicious indicators.

Creates files in the user directory
  • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 544)
  • iexplore.exe (PID: 3144)
  • iexplore.exe (PID: 3532)
Reads settings of System Certificates
  • iexplore.exe (PID: 3144)
Application launched itself
  • iexplore.exe (PID: 3144)
Changes internet zones settings
  • iexplore.exe (PID: 3144)
Reads Internet Cache Settings
  • iexplore.exe (PID: 3144)
  • iexplore.exe (PID: 3532)
Reads internet explorer settings
  • iexplore.exe (PID: 3532)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Screenshots

Processes

Total processes
35
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

+
start iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
3144
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\version.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mlang.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll

PID
3532
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3144 CREDAT:71937
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\jscript.dll
c:\windows\system32\winmm.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\qagentrt.dll
c:\windows\system32\fveui.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\iepeers.dll
c:\windows\system32\winspool.drv
c:\windows\system32\macromed\flash\flash32_26_0_0_131.ocx
c:\windows\system32\dsound.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\mscms.dll
c:\windows\system32\dinput8.dll

PID
544
CMD
C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding
Path
C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Adobe Systems Incorporated
Description
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version
26,0,0,131
Modules
Image
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\secur32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\version.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\riched20.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\ws2help.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\psapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\dinput8.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mlang.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll

Registry activity

Total events
475
Read events
400
Write events
72
Delete events
3

Modification events

PID
Process
Operation
Key
Name
Value
3144
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018082720180903
3144
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018090920180910
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{0877F317-E382-11E8-BFAB-5254004AAD11}
0
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
3
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E2070B000400080012000D002F002D02
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
3
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E2070B000400080012000D002F002D02
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
08000000020000000C01000001000000020000007E0000000000000070003200EC000000464B245120005355474745537E312E55524C0000540008000400EFBE454B974D464B24512A000000F94300000000020000000000000000000000000000005300750067006700650073007400650064002000530069007400650073002E00750072006C0000001C00000000000000820000000100000074003200E2000000464B24512000574542534C497E312E55524C0000580008000400EFBE454B864A464B24512A000000743E0000000003000000000000000000000000000000570065006200200053006C006900630065002000470061006C006C006500720079002E00750072006C0000001C00000000000000
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
3
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E2070B000400080012000D002F00C902
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
12
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
3
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E2070B000400080012000D002F00D802
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
21
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
3
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E2070B000400080012000D002F00F802
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
18
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Path
C:\Users\admin\Favorites\Links\Suggested Sites.url
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
FeedUrl
https://ieonline.microsoft.com/#ieslice
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayName
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
ErrorState
0
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayMask
0
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Path
C:\Users\admin\Favorites\Links\Web Slice Gallery.url
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
FeedUrl
http://go.microsoft.com/fwlink/?LinkId=121315
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayName
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
ErrorState
0
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayMask
0
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018110820181109
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018110820181109
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018110820181109
CachePrefix
:2018110820181109:
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018110820181109
CacheLimit
8192
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018110820181109
CacheOptions
11
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018110820181109
CacheRepair
0
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
F0C842D78E77D401
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
1DFA43D78E77D401
3144
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Type
1
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Count
2
3144
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Time
E2070B000400080012000E000900A902
3532
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018082820180829
3532
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018110820181109
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012018110820181109
3532
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018110820181109
CachePrefix
:2018110820181109:
3532
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018110820181109
CacheLimit
8192
3532
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018110820181109
CacheOptions
11
3532
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018110820181109
CacheRepair
0

Files activity

Executable files
0
Suspicious files
1
Text files
34
Unknown types
2

Dropped files

PID
Process
Filename
Type
3144
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 7aff3e3c7ba3901108f8a8b7f82f76dc
SHA256: f33879b288f2fdef9952e71b5cc0fd35501eef9ed0af3015c4150f157710733c
3144
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018110820181109\index.dat
dat
MD5: e938d7653f0412c3a8e63a373e5ee17f
SHA256: 9a3bd4bd68392b405d02e3ca20cf957cdd8c852f2d0273110a1e2f0d9f30bc5d
3144
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 8993cc57fa7552bf6384475f95f8e831
SHA256: 05ce26827b1833cf8ffe49d73361aedfee671e6995f42cf2af0eb73e305909da
3532
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\fbevents[1].js
text
MD5: 64570371a36114a629e7ed1c3e795803
SHA256: d17ea7f38ba0acd5b1dfc4131655626a2353277fe99c97936765e4f6ae55a56c
3532
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\app.4b5a56cfecb8fb3a2c22[1].js
text
MD5: 4b85288c995f38053181ad88ef455464
SHA256: 68c9d259ecf5d8f773886689cce071a0172d387d69c505720f6941d87e553907
3532
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\vendor.67a3473f2e81164982d5[1].js
text
MD5: 57b773af41fafa28cca4b4fae23af64d
SHA256: fb0dd95d2bf4391bb6b134f4b1836993b486bf889777154adaa0a76103882644
3532
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
text
MD5: 0ebbd8460e6c9349efdc4e9bee46f2f2
SHA256: 9cb6859f57fcae372e23060632d08d9b0626e2abefa7ce1867f4f3f09b9dd331
3532
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
544
FlashUtil32_26_0_0_131_ActiveX.exe
C:\Users\admin\AppData\Roaming\Adobe\Flash Player\NativeCache\NativeCache.directory:Zone.Identifier
text
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
3532
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\analytics[1].js
text
MD5: 45eff9ff7d6c7c1e3c3d4184fdbbed90
SHA256: 8cb05b675fe6419a9e91eb587c60902c7ed1cb6c42b8cff8ce404ef89f635cde
3532
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\gtm[1].js
text
MD5: 5e215d944c32544a7e5dd91d7f177132
SHA256: 0c805049c6f37ecebae9edb4f9b8e311184f296862b89c3297b96a4256a9097c
3532
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\styles.b6b06a752b3414beb16b[1].css
text
MD5: 7dc68e31e175bc9c086d35535687e5b3
SHA256: af0b74ed6dfa77342966406db70c1f74654a6fe19c4f87a1178789f87aeff3b4
3532
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\manifest.64aa30b80743d699b778[1].js
text
MD5: fbdd53dc91f8f4011c6ed86719ae0162
SHA256: ed44c890875535908e0eb7cc2c509e213403c0f23f82276e17de46f59da4786c
3532
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\signup[1].htm
html
MD5: 95334d7ae73aeb9c6b022c642a392030
SHA256: bac805fbc926a3a47c13472a5c41cebb056a164dcc143a56fbf720414c70acd1
3532
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
text
MD5: 90b8bf3098fa47dc60e0fc4476e46434
SHA256: 4dabcf389a7dff9e1842fd8ba1e3ec0ea3e0139840bbf7b268d6e5707fd467c9
3532
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
text
MD5: bf2f45d5eae8686d1f917196bd69ee71
SHA256: 08048af777274e72259c36919c331087062db4b475dd039a2196be9cd8ecd623
3532
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
text
MD5: ba4b176b48362eed26fabea9d74b8f4c
SHA256: fc4c983b27d6e8ceef0d4463942274271901d4d8db9bbe82ec9c878f1ea58797
3532
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
text
MD5: 20a86161734f8bdda43374b8e6bd888f
SHA256: da3e83a4fd5faab02ea272e9e7f0a4798cfd1cadf1b14d9eced73c57a18034de
3532
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
3144
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\E02357FC7708441D4B0BE5F371F4B28961870F70
binary
MD5: da6c793fb0533af0139a6d76c9956547
SHA256: bcec4bffd8ee03e0fdf1c1577ef4635ac08db1f94cf07b0c406a6b3a171e9e1d
3144
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\favicon[1].ico
image
MD5: 89bdf93fdf650e1b76e780e8e6c45791
SHA256: 575522ddbee99a965c33ca5672bbaf3d1cef32b5b393a02945bd19e0cd536b84
3532
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012018110820181109\index.dat
dat
MD5: 1fcfbd417e881f1e706c8fd304491da2
SHA256: 6a424f0e605dd316876124de108551cdf9a2cc6a945a72a29b66d8758fdf17b9
3532
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\meta[1].htm
html
MD5: f3db6fb04973f33bf0c514d8a1433ba2
SHA256: 98885d136234a9e38e6c6e21b9af98b31152c577228ad770dedfc5a686216fba
3532
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
text
MD5: 9c23bae7c42435ba2a9f550664debc90
SHA256: 2cca7091c24194f27ee586935f40f7661aaec3bed9561789805bd4a76f22e58c
3532
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\lp[1].htm
––
MD5:  ––
SHA256:  ––
3532
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
3532
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
text
MD5: 33187e753eae94a1b603e5b525f7ceac
SHA256: de8d783a24ff75a9708d3d6ec4f64e8ecdb5e7ea60009bf5afc02f05ad9bd249
3532
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
3532
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
text
MD5: edcdfdc48e6f8a63f7084e1b4d73e1ca
SHA256: ca682f4adb9dac4c06b3936887f33479727438ea6ec1a04ec615886fbe67c752
3532
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
––
MD5:  ––
SHA256:  ––
3532
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\ykwnsxwz29[1].htm
––
MD5:  ––
SHA256:  ––
3532
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
text
MD5: 05253e29a9270ab4ac7c5debd2bdbdea
SHA256: 4a1394ce4bb0b0356488c7c5584345c92139bf9e13d7a6277dfd874bbd3cea2c
3532
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\index[1].htm
html
MD5: f2ad116050667c4601c51cffaae0a273
SHA256: 0ea7c3a52aabc55f149261af5e1736db8c5eb7752737051739c69b18c7ae5c2f
3532
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\index[1].php
––
MD5:  ––
SHA256:  ––
3532
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
text
MD5: db4ee56e123fc7f6eaaca0b5a0c726c7
SHA256: cd647ec5fd48ff38ca6d790808ce4f07896a777dd6eef4f693ef0e40785f94dc
3532
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\jquery[1].js
text
MD5: 5c01bca4ef57b314c38eccad803e0b82
SHA256: 76dcd014a73be9db7339ccea99808094eca2f77b169a387610573d86184cbd64
3532
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\metoposcopic_molligrubs[1].htm
html
MD5: 0795a898f49ae6c5a05f82659f75c6ff
SHA256: 2f11df316a17028248915b20bea82e296c131d59a72df3e925f057575af98781
3144
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[3].png
image
MD5: 9fb559a691078558e77d6848202f6541
SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
3144
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
––
MD5:  ––
SHA256:  ––
3144
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
4
TCP/UDP connections
18
DNS requests
13
Threats
1

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3144 iexplore.exe GET 200 204.79.197.200:80 http://www.bing.com/favicon.ico US
image
whitelisted
3532 iexplore.exe GET 200 47.104.241.199:80 http://www.dkmeco.com/multimedia/metoposcopic_molligrubs.html CN
html
malicious
3532 iexplore.exe GET 200 134.249.116.78:80 http://134.249.116.78/jquery.js UA
text
unknown
3532 iexplore.exe GET 200 185.143.221.14:80 http://185.143.221.14/index.php?count=17p19_7147347&utm_um=clickun&utm_content=land&work=j12&utm_source=140 unknown
html
suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
3144 iexplore.exe 204.79.197.200:80 Microsoft Corporation US whitelisted
3532 iexplore.exe 47.104.241.199:80 Hangzhou Alibaba Advertising Co.,Ltd. CN malicious
3532 iexplore.exe 134.249.116.78:80 Kyivstar PJSC UA unknown
3532 iexplore.exe 185.143.221.14:80 –– suspicious
3532 iexplore.exe 199.193.73.38:443 Webair Internet Development Company Inc. US unknown
3532 iexplore.exe 35.156.186.33:443 Amazon.com, Inc. DE unknown
3144 iexplore.exe 35.156.186.33:443 Amazon.com, Inc. DE unknown
3532 iexplore.exe 104.18.229.31:443 Cloudflare Inc US unknown
3532 iexplore.exe 104.20.61.141:443 Cloudflare Inc US unknown
3532 iexplore.exe 216.58.215.234:443 Google Inc. US whitelisted
3532 iexplore.exe 216.58.215.232:443 Google Inc. US whitelisted
3532 iexplore.exe 172.217.168.78:443 Google Inc. US whitelisted
3532 iexplore.exe 108.177.119.156:443 Google Inc. US whitelisted
3532 iexplore.exe 172.217.168.4:443 Google Inc. US whitelisted
3532 iexplore.exe 172.217.168.3:443 Google Inc. US whitelisted
3532 iexplore.exe 31.13.92.14:443 Facebook, Inc. IE whitelisted
3144 iexplore.exe 104.20.61.141:443 Cloudflare Inc US unknown

DNS requests

Domain IP Reputation
www.bing.com 204.79.197.200
13.107.21.200
whitelisted
www.dkmeco.com 47.104.241.199
malicious
www.hibids10.com 199.193.73.38
199.193.73.40
199.193.73.36
199.193.73.42
unknown
appdatum.com 35.156.186.33
35.158.68.101
whitelisted
record.liflandaffiliates.com 104.18.229.31
104.18.228.31
unknown
www.optibet.lt 104.20.61.141
104.20.62.141
unknown
fonts.googleapis.com 216.58.215.234
whitelisted
www.googletagmanager.com 216.58.215.232
whitelisted
www.google-analytics.com 172.217.168.78
whitelisted
stats.g.doubleclick.net 108.177.119.156
108.177.119.155
108.177.119.154
108.177.119.157
whitelisted
www.google.com 172.217.168.4
whitelisted
www.google.lt 172.217.168.3
whitelisted
connect.facebook.net 31.13.92.14
whitelisted

Threats

PID Process Class Message
3532 iexplore.exe A Network Trojan was detected MALWARE [PTsecurity] Malicious Redirect URL

Debug output strings

No debug info.