URL:

https://github.com/OwO-Studio/MEMZ-4.0/raw/master/MEMZ-Destructive.exe

Full analysis: https://app.any.run/tasks/f784d467-9367-486a-a6ba-588c9d7b96b9
Verdict: Malicious activity
Analysis date: June 28, 2021, 17:14:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

70243CE3F19BA497CDD58E3E395ED453

SHA1:

CEC0E62F2A41157E22C63B00CACA727D63CE942A

SHA256:

F15AA408AC0929B102CDF967AC18A7B31568C50E6D6E6F3CAF35A0CE2A086DA3

SSDEEP:

3:N8tEdUI2gMFhKE+QGAC:2uu1Fc0C

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • MEMZ-Destructive.exe (PID: 720)
      • MEMZ-Destructive.exe (PID: 760)
      • MEMZ-Destructive.exe (PID: 2388)
      • MEMZ-Destructive.exe (PID: 2932)
      • MEMZ-Destructive.exe (PID: 1796)
      • MEMZ-Destructive.exe (PID: 3384)
      • MEMZ-Destructive.exe (PID: 588)
      • MEMZ-Destructive.exe (PID: 2756)
    • Changes the autorun value in the registry

      • reg.exe (PID: 1936)
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2536)
      • iexplore.exe (PID: 1420)
      • iexplore.exe (PID: 2736)
      • iexplore.exe (PID: 3756)
      • iexplore.exe (PID: 3460)
      • iexplore.exe (PID: 3040)
      • iexplore.exe (PID: 1196)
      • iexplore.exe (PID: 3440)
      • iexplore.exe (PID: 780)
      • iexplore.exe (PID: 3104)
      • iexplore.exe (PID: 2692)
      • iexplore.exe (PID: 3316)
      • iexplore.exe (PID: 3796)
    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3552)
      • iexplore.exe (PID: 2536)
    • Reads the computer name

      • MEMZ-Destructive.exe (PID: 760)
      • MEMZ-Destructive.exe (PID: 2756)
      • Skype.exe (PID: 388)
      • Skype.exe (PID: 268)
      • Skype.exe (PID: 2920)
      • Skype.exe (PID: 3656)
      • Skype.exe (PID: 2904)
      • Skype.exe (PID: 1448)
    • Application launched itself

      • MEMZ-Destructive.exe (PID: 760)
      • Skype.exe (PID: 268)
      • Skype.exe (PID: 3656)
      • Skype.exe (PID: 2904)
    • Checks supported languages

      • MEMZ-Destructive.exe (PID: 2388)
      • MEMZ-Destructive.exe (PID: 760)
      • MEMZ-Destructive.exe (PID: 3384)
      • MEMZ-Destructive.exe (PID: 588)
      • MEMZ-Destructive.exe (PID: 1796)
      • MEMZ-Destructive.exe (PID: 2932)
      • MEMZ-Destructive.exe (PID: 2756)
      • Skype.exe (PID: 388)
      • Skype.exe (PID: 268)
      • Skype.exe (PID: 3656)
      • Skype.exe (PID: 2920)
      • Skype.exe (PID: 2904)
      • Skype.exe (PID: 1448)
    • Starts Internet Explorer

      • MEMZ-Destructive.exe (PID: 2756)
    • Reads CPU info

      • Skype.exe (PID: 268)
    • Creates files in the user directory

      • Skype.exe (PID: 268)
      • Skype.exe (PID: 3656)
      • Skype.exe (PID: 2904)
    • Changes default file association

      • Skype.exe (PID: 268)
    • Uses REG.EXE to modify Windows registry

      • Skype.exe (PID: 268)
  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 3552)
      • iexplore.exe (PID: 2536)
      • chrome.exe (PID: 3092)
      • chrome.exe (PID: 3456)
      • chrome.exe (PID: 3648)
      • iexplore.exe (PID: 1112)
      • iexplore.exe (PID: 1420)
      • chrome.exe (PID: 2544)
      • iexplore.exe (PID: 3652)
      • iexplore.exe (PID: 2736)
      • iexplore.exe (PID: 3244)
      • iexplore.exe (PID: 3756)
      • iexplore.exe (PID: 3976)
      • iexplore.exe (PID: 3460)
      • iexplore.exe (PID: 952)
      • iexplore.exe (PID: 3040)
      • iexplore.exe (PID: 2616)
      • iexplore.exe (PID: 1196)
      • iexplore.exe (PID: 3716)
      • iexplore.exe (PID: 3440)
      • mmc.exe (PID: 4024)
      • iexplore.exe (PID: 1604)
      • iexplore.exe (PID: 3316)
      • iexplore.exe (PID: 3152)
      • iexplore.exe (PID: 780)
      • msconfig.exe (PID: 1876)
      • iexplore.exe (PID: 3104)
      • iexplore.exe (PID: 2692)
      • mspaint.exe (PID: 3372)
      • iexplore.exe (PID: 3796)
      • mspaint.exe (PID: 3348)
    • Checks supported languages

      • iexplore.exe (PID: 2536)
      • iexplore.exe (PID: 3552)
      • notepad.exe (PID: 2020)
      • chrome.exe (PID: 1416)
      • chrome.exe (PID: 3092)
      • chrome.exe (PID: 3456)
      • chrome.exe (PID: 3648)
      • chrome.exe (PID: 1440)
      • chrome.exe (PID: 3176)
      • chrome.exe (PID: 908)
      • chrome.exe (PID: 2568)
      • chrome.exe (PID: 2544)
      • iexplore.exe (PID: 1112)
      • chrome.exe (PID: 2968)
      • chrome.exe (PID: 1016)
      • iexplore.exe (PID: 1420)
      • iexplore.exe (PID: 3652)
      • iexplore.exe (PID: 2736)
      • reg.exe (PID: 1852)
      • reg.exe (PID: 1936)
      • iexplore.exe (PID: 3244)
      • iexplore.exe (PID: 3756)
      • iexplore.exe (PID: 3976)
      • iexplore.exe (PID: 3460)
      • iexplore.exe (PID: 952)
      • iexplore.exe (PID: 3040)
      • iexplore.exe (PID: 2616)
      • iexplore.exe (PID: 1196)
      • iexplore.exe (PID: 3716)
      • iexplore.exe (PID: 1604)
      • mmc.exe (PID: 4024)
      • iexplore.exe (PID: 3440)
      • iexplore.exe (PID: 3316)
      • iexplore.exe (PID: 780)
      • iexplore.exe (PID: 3152)
      • msconfig.exe (PID: 1876)
      • iexplore.exe (PID: 3104)
      • iexplore.exe (PID: 2692)
      • mspaint.exe (PID: 3372)
      • iexplore.exe (PID: 3796)
      • mspaint.exe (PID: 3348)
    • Application launched itself

      • iexplore.exe (PID: 3552)
      • chrome.exe (PID: 3092)
      • iexplore.exe (PID: 1112)
      • iexplore.exe (PID: 3652)
      • iexplore.exe (PID: 3244)
      • iexplore.exe (PID: 3976)
      • iexplore.exe (PID: 952)
      • iexplore.exe (PID: 2616)
      • iexplore.exe (PID: 3716)
      • iexplore.exe (PID: 1604)
      • iexplore.exe (PID: 3152)
    • Changes internet zones settings

      • iexplore.exe (PID: 3552)
      • iexplore.exe (PID: 1112)
      • iexplore.exe (PID: 3652)
      • iexplore.exe (PID: 3244)
      • iexplore.exe (PID: 3976)
      • iexplore.exe (PID: 952)
      • iexplore.exe (PID: 2616)
      • iexplore.exe (PID: 3716)
      • iexplore.exe (PID: 1604)
      • iexplore.exe (PID: 3152)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2536)
      • MEMZ-Destructive.exe (PID: 760)
      • iexplore.exe (PID: 3552)
      • iexplore.exe (PID: 1420)
      • iexplore.exe (PID: 1112)
      • iexplore.exe (PID: 2736)
      • iexplore.exe (PID: 3756)
      • iexplore.exe (PID: 3460)
      • iexplore.exe (PID: 3040)
      • iexplore.exe (PID: 1196)
      • iexplore.exe (PID: 3440)
      • iexplore.exe (PID: 3316)
      • iexplore.exe (PID: 780)
      • iexplore.exe (PID: 3104)
      • iexplore.exe (PID: 2692)
      • iexplore.exe (PID: 3796)
      • iexplore.exe (PID: 3152)
    • Reads the date of Windows installation

      • iexplore.exe (PID: 3552)
      • iexplore.exe (PID: 1112)
      • iexplore.exe (PID: 3652)
      • iexplore.exe (PID: 3244)
      • iexplore.exe (PID: 3976)
      • iexplore.exe (PID: 952)
      • iexplore.exe (PID: 2616)
      • iexplore.exe (PID: 3716)
      • iexplore.exe (PID: 1604)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3552)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2536)
      • iexplore.exe (PID: 3552)
      • chrome.exe (PID: 3456)
      • iexplore.exe (PID: 1420)
      • iexplore.exe (PID: 1112)
      • iexplore.exe (PID: 2736)
      • Skype.exe (PID: 268)
      • iexplore.exe (PID: 3756)
      • iexplore.exe (PID: 3460)
      • iexplore.exe (PID: 3040)
      • iexplore.exe (PID: 3440)
      • iexplore.exe (PID: 1196)
      • iexplore.exe (PID: 780)
      • iexplore.exe (PID: 3104)
      • iexplore.exe (PID: 2692)
      • iexplore.exe (PID: 3316)
      • iexplore.exe (PID: 3796)
      • iexplore.exe (PID: 3152)
    • Manual execution by user

      • chrome.exe (PID: 3092)
      • Skype.exe (PID: 268)
    • Reads the hosts file

      • chrome.exe (PID: 3092)
      • chrome.exe (PID: 3456)
      • Skype.exe (PID: 268)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1420)
      • iexplore.exe (PID: 2736)
      • iexplore.exe (PID: 3756)
      • iexplore.exe (PID: 3460)
      • iexplore.exe (PID: 3040)
      • iexplore.exe (PID: 1196)
      • iexplore.exe (PID: 3440)
      • iexplore.exe (PID: 3316)
      • iexplore.exe (PID: 780)
      • iexplore.exe (PID: 3104)
      • iexplore.exe (PID: 2692)
      • iexplore.exe (PID: 3796)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1420)
      • iexplore.exe (PID: 3756)
      • iexplore.exe (PID: 3152)
    • Changes settings of System certificates

      • iexplore.exe (PID: 1420)
      • iexplore.exe (PID: 3756)
      • iexplore.exe (PID: 3152)
    • Creates files in the user directory

      • iexplore.exe (PID: 1420)
      • iexplore.exe (PID: 3756)
      • iexplore.exe (PID: 3460)
      • iexplore.exe (PID: 3152)
    • Dropped object may contain Bitcoin addresses

      • Skype.exe (PID: 268)
    • Reads CPU info

      • iexplore.exe (PID: 3756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
107
Monitored processes
55
Malicious processes
3
Suspicious processes
5

Behavior graph

Click at the process to see the details
drop and start drop and start start iexplore.exe iexplore.exe memz-destructive.exe no specs memz-destructive.exe memz-destructive.exe no specs memz-destructive.exe no specs memz-destructive.exe no specs memz-destructive.exe no specs memz-destructive.exe no specs memz-destructive.exe no specs notepad.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs iexplore.exe iexplore.exe iexplore.exe no specs iexplore.exe skype.exe skype.exe no specs reg.exe skype.exe no specs reg.exe no specs skype.exe no specs skype.exe no specs iexplore.exe no specs iexplore.exe skype.exe no specs iexplore.exe no specs iexplore.exe iexplore.exe no specs iexplore.exe iexplore.exe no specs iexplore.exe iexplore.exe no specs iexplore.exe mmc.exe no specs iexplore.exe no specs iexplore.exe iexplore.exe iexplore.exe msconfig.exe no specs iexplore.exe iexplore.exe mspaint.exe no specs iexplore.exe mspaint.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3552"C:\Program Files\Internet Explorer\iexplore.exe" "https://github.com/OwO-Studio/MEMZ-4.0/raw/master/MEMZ-Destructive.exe"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sechost.dll
2536"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3552 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
720"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\MEMZ-Destructive.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\MEMZ-Destructive.exeiexplore.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\memz-destructive.exe
c:\windows\system32\ntdll.dll
760"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\MEMZ-Destructive.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\MEMZ-Destructive.exe
iexplore.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\memz-destructive.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
2388"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\MEMZ-Destructive.exe" /watchdogC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\MEMZ-Destructive.exeMEMZ-Destructive.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\memz-destructive.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
2932"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\MEMZ-Destructive.exe" /watchdogC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\MEMZ-Destructive.exeMEMZ-Destructive.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\memz-destructive.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3384"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\MEMZ-Destructive.exe" /watchdogC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\MEMZ-Destructive.exeMEMZ-Destructive.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\memz-destructive.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
1796"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\MEMZ-Destructive.exe" /watchdogC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\MEMZ-Destructive.exeMEMZ-Destructive.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\memz-destructive.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
588"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\MEMZ-Destructive.exe" /watchdogC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\MEMZ-Destructive.exeMEMZ-Destructive.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\memz-destructive.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2756"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\MEMZ-Destructive.exe" /mainC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\MEMZ-Destructive.exeMEMZ-Destructive.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\memz-destructive.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
Total events
108 691
Read events
107 370
Write events
1 301
Delete events
20

Modification events

(PID) Process:(3552) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(3552) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
362616976
(PID) Process:(3552) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30895169
(PID) Process:(3552) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
662776820
(PID) Process:(3552) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30895169
(PID) Process:(3552) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3552) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3552) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3552) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3552) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
3
Suspicious files
90
Text files
196
Unknown types
73

Dropped files

PID
Process
Filename
Type
2536iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5ABder
MD5:FB6B9AF8BE7C037BBE1B26460CB0821B
SHA256:535C5B9ED4E031B27A85ABB232C36CEB2562E4DC1F831BFB728AAA41DE95EA13
3552iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776binary
MD5:BBBED8E4AA85E2C5466EB3DB02B90F8A
SHA256:13D605D95FCBA3C948DF0F253620048856CF00BB189BA7CCC09D4D1F502E2A94
3552iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF6C59500C87CEF999.TMPgmc
MD5:91735F750E31A10676F3E5E6A745555F
SHA256:A4893A1531D3F99E6506B9AC37D67B7CF15A40FE21FB6AF46D2570FAFA63EF24
2536iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3der
MD5:E9004D3D402701FA695D4FFFAF96C684
SHA256:BB982A3E769E40211CCACEDA7DD6452401630D820E1BC0D87257D7314F0672E5
2536iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1der
MD5:961EC5F3158BF72536ECA0F1704B1705
SHA256:FF894597A20FF8F1CE73DFE8E538EA56D6C33E47EEAEDE5DC0EA544C6BEAA802
2536iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3binary
MD5:25A425748171DD290149CDB7EEB7C6AF
SHA256:C585DAA61863AA1D5A48D1B33B53C3D04D00D436A44AFBE833CDFEDF570E6CA3
2536iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1binary
MD5:B601FB53E4AB75090080F2CA912AC4BC
SHA256:A48EC0FEA58E1ACDC2D9EF91A33B1D9F8E8F1185F9B95FA3196E45B8C7CF4EEB
3552iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{53428B69-D834-11EB-A754-12A9866C77DE}.datbinary
MD5:E7F8C31A9A41B23D912DB79666EDEC60
SHA256:72163016B49F3498F62E1A983694FC081C294F08841910A796179D9005E166BA
2536iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:0EDB9FFDDE832B1690E8895F37C362B4
SHA256:55173D8C9387A4B843E3910CF7CAA89B3A98FA278A877D740358054F387CE9F2
2536iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5ABbinary
MD5:DECAFA94BB84AB770D95C4EAA60FA5A0
SHA256:2DDE5072ED760ABDAAB8678A8E029592554AB8B793E1EA80DB7C61B85A33A270
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
53
TCP/UDP connections
183
DNS requests
78
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2536
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTGMlruL6P9M9B3if1rTM7wyj%2FQKQQUUGGmoNI1xBEqII0fD6xC8M0pz0sCEA6L83cNktGW8Lth%2BTxBZr4%3D
US
der
279 b
whitelisted
1420
iexplore.exe
GET
302
142.250.186.68:80
http://google.co.ck/search?q=how+2+remove+a+virus
US
html
352 b
whitelisted
1420
iexplore.exe
GET
200
172.217.16.131:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCa%2BkMO6O7i%2FwoAAAAA3KDI
US
der
472 b
whitelisted
1420
iexplore.exe
GET
200
172.217.16.131:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted
1420
iexplore.exe
GET
429
142.250.185.196:80
http://www.google.com/sorry/index?continue=http://google.co.ck/search%3Fq%3Dhow%2B2%2Bremove%2Ba%2Bvirus&q=EgQtXOQPGLuH6IYGIhBx8Iz1wTgHpOXZCeOCpojhMgFy
US
html
2.78 Kb
malicious
3756
iexplore.exe
GET
151.101.1.132:80
http://motherboard.vice.com/read/watch-this-malware-turn-a-computer-into-a-digital-hellscape
US
whitelisted
2536
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAZnA1u7FP1jr8DWqFNO%2FhY%3D
US
der
471 b
whitelisted
1420
iexplore.exe
GET
200
172.217.16.131:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
2536
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D
US
der
471 b
whitelisted
1112
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2536
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2536
iexplore.exe
8.248.117.254:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
malicious
3456
chrome.exe
142.250.185.237:443
accounts.google.com
Google Inc.
US
suspicious
3456
chrome.exe
172.217.16.142:443
clients2.google.com
Google Inc.
US
whitelisted
3456
chrome.exe
172.217.16.131:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
3552
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2536
iexplore.exe
185.199.110.133:443
raw.githubusercontent.com
GitHub, Inc.
NL
malicious
3552
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2536
iexplore.exe
140.82.121.3:443
github.com
US
suspicious
3456
chrome.exe
142.250.74.206:443
apis.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
github.com
  • 140.82.121.3
malicious
ctldl.windowsupdate.com
  • 8.248.117.254
  • 8.253.95.120
  • 8.248.143.254
  • 8.248.119.254
  • 8.248.145.254
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
raw.githubusercontent.com
  • 185.199.110.133
  • 185.199.108.133
  • 185.199.111.133
  • 185.199.109.133
shared
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
clientservices.googleapis.com
  • 172.217.16.131
whitelisted
clients2.google.com
  • 172.217.16.142
whitelisted
accounts.google.com
  • 142.250.185.237
shared
www.google.com
  • 142.250.185.196
  • 142.250.185.164
malicious

Threats

No threats detected
No debug info