File name: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf4211.TMP

Full analysis: https://app.any.run/tasks/10ac63e8-c748-4f28-99c6-18c53593e281
Verdict: Malicious activity
Analysis date: April 23, 2019, 09:50:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/octet-stream
File info: data
MD5: 131DC75F6D4142CA9244945A91A71E8D
SHA1: 145517F1571264BDC71A33342539CA9D921AC0DF
SHA256: F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
SSDEEP: 96:+ZkCzFqvsqvJCwo2ZkCzFqvsEHyqvJCworu1XH97GGlUVb:+ZHio2ZHKHnoru1NGh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Starts Internet Explorer
      • rundll32.exe (PID: 2188)
  • INFO
    • Reads settings of System Certificates
      • iexplore.exe (PID: 2416)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 2416)
      • iexplore.exe (PID: 3956)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3956)
    • Changes internet zones settings
      • iexplore.exe (PID: 2416)
    • Creates files in the user directory
      • iexplore.exe (PID: 3956)
    • Dropped object may contain Bitcoin addresses
      • iexplore.exe (PID: 3956)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 2416)
    • Changes settings of System certificates
      • iexplore.exe (PID: 2416)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Process chain (interactive graph available in the full report): start → rundll32.exe (PID 2188, no specs) → iexplore.exe (PID 2416) → iexplore.exe (PID 3956)

Process information

PID 2188
  CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\d93f411851d7c929.customDestinations-ms~RFf4211.TMP
  Path: C:\Windows\system32\rundll32.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows host process (Rundll32)
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2416
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: rundll32.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3956
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2416 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 432
Read events: 353
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 0
Text files: 31
Unknown types: 7

Dropped files

PID 3956 (iexplore.exe)
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@bing[2].txt

PID 3956 (iexplore.exe)
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BG1BK6DX\search[1].txt

PID 3956 (iexplore.exe)
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BG1BK6DX\search[1].htm
  Type: html
  MD5: E8D68D34D661E4BD8544B5701526AC92
  SHA256: CE6A564A82A8AA7F3EA6CB14F583906C3AB7206E1DC6F43DE47ECE70460D8AA5

PID 3956 (iexplore.exe)
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q76JFWNL\9a358300[1].js
  Type: text
  MD5: 26D5C5DD7C280FA90F88A152BB557441
  SHA256: 63BF2C3D1A4B69EC7D9681BEF931C76713DA9C94CC5C1CF9D9F8B142917C9362

PID 3956 (iexplore.exe)
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019042320190424\index.dat
  Type: dat
  MD5: D30B8EACF177C54EFCF959BE7DA3B083
  SHA256: 7E37C48FA3E774FA7F19A53E0D4DAE9511E86C9AE5CB4263E11CF3AE6669FC3F

PID 3956 (iexplore.exe)
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT
  Type: dbf
  MD5: D52DB6EBED3A4ED299CBDD902599D416
  SHA256: 4FC4B4DF6FBD2DC5CCF87E67C59EE49B7284819830E76DFD036CA85B121C250D

PID 2416 (iexplore.exe)
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico

PID 3956 (iexplore.exe)
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
  Type: dat
  MD5: 349357A0968596B8006260FBBD095D1C
  SHA256: 7964F0480E44D44DD8CBCB41BC5810DEA57AC53C046A6D384E89BE59C21EA542

PID 2416 (iexplore.exe)
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019042320190424\index.dat
  Type: dat
  MD5: 450748A62638FCF8FE31FD5355A0744D
  SHA256: 605990E9FBC2211E01D9315A0AD0861CDE8A3705A143382952B548190E81C002

PID 3956 (iexplore.exe)
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
  Type: dat
  MD5: 6DBD5264B3328F78E40E4069DA86AD01
  SHA256: 39ACCA3149C1EAE03B4FE1A5F1CB4FF92367BEB0742ACE9B8655D6C64965F7B0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 15
DNS requests: 5
Threats: 0

HTTP requests

PID   Process       Method  HTTP Code  IP                 URL                                                       CN       Type   Size   Reputation
3956  iexplore.exe  GET     302        172.227.168.22:80  http://go.microsoft.com/fwlink/?LinkId=57426&Ext=TMP      US       -      -      whitelisted
3956  iexplore.exe  GET     301        2.16.186.24:80     http://shell.windows.com/fileassoc/fileassoc.asp?Ext=TMP  unknown  -      -      whitelisted
2416  iexplore.exe  GET     200        13.107.21.200:80   http://www.bing.com/favicon.ico                           US       image  237 b  whitelisted

Connections

PID   Process       IP                  Domain             ASN                        CN  Reputation
2416  iexplore.exe  204.79.197.200:80   www.bing.com       Microsoft Corporation      US  whitelisted
2416  iexplore.exe  204.79.197.200:443  www.bing.com       Microsoft Corporation      US  whitelisted
2416  iexplore.exe  13.107.21.200:80    www.bing.com       Microsoft Corporation      US  whitelisted
-     -             204.79.197.200:443  www.bing.com       Microsoft Corporation      US  whitelisted
3956  iexplore.exe  2.16.186.24:80      shell.windows.com  Akamai International B.V.  -   whitelisted
3956  iexplore.exe  204.79.197.200:443  www.bing.com       Microsoft Corporation      US  whitelisted
-     -             172.227.168.22:80   go.microsoft.com   Akamai International B.V.  US  whitelisted
3956  iexplore.exe  157.55.135.132:443  login.live.com     Microsoft Corporation      US  whitelisted

Rows with "-" in the PID and Process columns are listed in the report without a process attribution.

DNS requests

Domain             IP                                              Reputation
www.bing.com       204.79.197.200, 13.107.21.200                   whitelisted
go.microsoft.com   172.227.168.22                                  whitelisted
shell.windows.com  2.16.186.24, 2.16.186.27                        whitelisted
tse1.mm.bing.net   204.79.197.200, 13.107.21.200                   whitelisted
login.live.com     157.55.135.132, 157.55.135.134, 157.55.134.136  whitelisted

Threats

No threats detected
No debug info