analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://www.directforklift.com/

Full analysis: https://app.any.run/tasks/7280b88f-b2b4-42c6-bfa7-4293236ec388
Verdict: Malicious activity
Analysis date: November 08, 2019, 15:57:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

8177531FC582FC049205340BDBCF8839

SHA1:

1447991AEF02FE3455CF53BBCC497F584CD14116

SHA256:

F7E89CC3029A8DB4B53D243B318CD13ABA8EBD6FC440E5F362AEF819F628DDA7

SSDEEP:

3:N8DSLRTXmMXn:2OLFXn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2764)

    • Application launched itself

      • iexplore.exe (PID: 2764)
      • chrome.exe (PID: 892)

    • Creates files in the user directory

      • iexplore.exe (PID: 1852)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1852)

    • Reads internet explorer settings

      • iexplore.exe (PID: 1852)

    • Manual execution by user

      • taskmgr.exe (PID: 2064)
      • taskmgr.exe (PID: 2444)
      • chrome.exe (PID: 892)

    • Reads the hosts file

      • chrome.exe (PID: 892)
      • chrome.exe (PID: 2528)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
61
Monitored processes
24
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs taskmgr.exe no specs taskmgr.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2764"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1852"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2764 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
892"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3628"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6ed2a9d0,0x6ed2a9e0,0x6ed2a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
1268"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2068 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3032"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1024,3646963390055128760,10117338572934235107,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=17412246483562169976 --mojo-platform-channel-handle=1044 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
2528"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1024,3646963390055128760,10117338572934235107,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=15375249954917230464 --mojo-platform-channel-handle=1596 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2844"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1024,3646963390055128760,10117338572934235107,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=4466816549251868326 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2220 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2428"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1024,3646963390055128760,10117338572934235107,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8582797029601686171 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2440 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
1772"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1024,3646963390055128760,10117338572934235107,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1893643867474122648 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2468 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
993
Read events
846
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
35
Text files
115
Unknown types
15

Dropped files

PID
Process
Filename
Type
2764iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
2764iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
1852iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Y1YWM98O\layout[1].csstext
MD5:C3AAD9105E39F6EB09691B00F582CD63
SHA256:F9B6D56EF29272878CF1105AA5AD87C664E8B2F28B56DAF6DF3C09650C679565
1852iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3MHI6W1M\api[1].jstext
MD5:361F1355263CC7A065BAEBD4A8F2CD54
SHA256:6128CE1D7ECFA96379F43F95AB69D273880C61A7483178DC7EDFB4F0E55CA10A
1852iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3MHI6W1M\4c470c87cd[1].jstext
MD5:88AB56E0B35245499DAEB1D50BAACE38
SHA256:3AF17D9240E6C4856B7AE2130B4859ED83D4E1D4AA8A46BF3AF60CDBCC6FBF8B
1852iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UA4KIFSK\menu[1].csstext
MD5:5218B4175C02261EBBB15F793E8BE3BF
SHA256:48B0B4906C6FE00B382349F1FCA989AD407314E7F699E2D103994743BB1D6719
1852iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Y1YWM98O\text[1].csstext
MD5:BAA135D069DBD574AD3C97955C08C24F
SHA256:E73407D8214C24C51230D6AE818731C8D774E104ABEAA8445C6BFFBD1364FBB5
1852iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UA4KIFSK\validator[1].jstext
MD5:9867F7F62A9CEFA898137B3428032BD0
SHA256:CDF0FC69BF5D1CD6F568EDC059F1DBE81CF6F1131A83DD088C243BB8DB3257E7
1852iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:B7E365D52D57DD5E4A232E1421FC3332
SHA256:45DCA01A2B94A2A9B8641CF00B7D4E28FB6E8F97F478FE7B3282266BBE1577CF
1852iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:044C553B2CCDDD7C06A8B8FF5720C3BE
SHA256:E438521EDA19D421F266BAA663D3B322260E248B8D097F38C79293F0169DF372
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
89
DNS requests
31
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2528
chrome.exe
GET
204
172.217.23.99:80
http://www.gstatic.com/generate_204
US
whitelisted
2528
chrome.exe
GET
302
172.217.16.142:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
US
html
509 b
whitelisted
2528
chrome.exe
GET
302
172.217.16.142:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
514 b
whitelisted
2528
chrome.exe
GET
200
103.2.116.76:80
http://r1---sn-f5p5-hxae.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=85.203.20.5&mm=28&mn=sn-f5p5-hxae&ms=nvh&mt=1573228886&mv=m&mvi=0&pl=24&shardbypass=yes
AU
crx
293 Kb
whitelisted
2528
chrome.exe
GET
200
103.2.116.78:80
http://r3---sn-f5p5-hxae.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=85.203.20.5&mm=28&mn=sn-f5p5-hxae&ms=nvh&mt=1573228945&mv=m&mvi=2&pl=24&shardbypass=yes
AU
crx
862 Kb
whitelisted
1852
iexplore.exe
GET
200
172.217.22.10:80
http://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/base/jquery-ui.css
US
text
5.63 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1852
iexplore.exe
172.217.16.132:443
www.google.com
Google Inc.
US
whitelisted
1852
iexplore.exe
172.217.22.10:80
ajax.googleapis.com
Google Inc.
US
whitelisted
1852
iexplore.exe
132.148.241.41:443
www.directforklift.com
GoDaddy.com, LLC
US
unknown
1852
iexplore.exe
172.217.22.10:443
ajax.googleapis.com
Google Inc.
US
whitelisted
1852
iexplore.exe
104.103.100.174:443
static.ctctcdn.com
Akamai Technologies, Inc.
NL
whitelisted
1852
iexplore.exe
23.111.9.35:443
use.fontawesome.com
netDNA
US
suspicious
1852
iexplore.exe
88.99.127.221:443
bmst.pw
Hetzner Online GmbH
DE
suspicious
2764
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2528
chrome.exe
172.217.23.99:443
www.gstatic.com
Google Inc.
US
whitelisted
2528
chrome.exe
172.217.18.174:443
apis.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.directforklift.com
  • 132.148.241.41
unknown
www.google.com
  • 172.217.16.132
whitelisted
ajax.googleapis.com
  • 172.217.22.10
whitelisted
use.fontawesome.com
  • 23.111.9.35
whitelisted
static.ctctcdn.com
  • 104.103.100.174
whitelisted
bmst.pw
  • 88.99.127.221
suspicious
clientservices.googleapis.com
  • 172.217.22.99
whitelisted
accounts.google.com
  • 172.217.16.173
shared
www.google.com.ua
  • 172.217.21.227
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.pw domain - Likely Hostile
Potentially Bad Traffic
ET DNS Query to a *.pw domain - Likely Hostile
Potentially Bad Traffic
ET DNS Query to a *.pw domain - Likely Hostile
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.directforklift.com/