view_video.php

Full analysis: https://app.any.run/tasks/76b69a6d-4791-43a6-ab72-e8e487f9f6b3
Verdict: Malicious activity
Analysis date: April 26, 2020, 21:24:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/html
File info: HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
MD5:

0EA38AC24E44A6720A2ABBCA51D96624

SHA1:

C0D8EF886056AB5A3D44E2B9545A6D28E8C1C158

SHA256:

FAEBB5E7AAA367F09E4716B65ACAACAA57BD611C3D2BA95AE28FF6699C39AA56

SSDEEP:

6144:9QySMeiD3xbFJkS0h25G36xrod+d2KWLDhTbwsmA2UcC8tFDwiSiarVXnS11FCM:EGkS0h2DWLDhTbwsmA2UcC8zDz7a5S

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore be distorted by user actions during the session and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Starts Internet Explorer

      • rundll32.exe (PID: 3168)
    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2908)
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3600)
      • iexplore.exe (PID: 3092)
      • iexplore.exe (PID: 2572)
    • Changes internet zones settings

      • iexplore.exe (PID: 3600)
    • Application launched itself

      • iexplore.exe (PID: 3600)
    • Creates files in the user directory

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2908)
      • iexplore.exe (PID: 3600)
      • iexplore.exe (PID: 2572)
      • iexplore.exe (PID: 3092)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3092)
      • iexplore.exe (PID: 2572)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3600)
      • iexplore.exe (PID: 3092)
      • iexplore.exe (PID: 2572)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3600)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3600)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.aiml | Artificial Intelligence Markup Language (48.3)
.htm/html | HyperText Markup Language with DOCTYPE (41.6)
.html | HyperText Markup Language (9.9)

EXIF

HTML

ContentType: text/html; charset=UTF-8
HTTPEquivXUACompatible: IE=edge
msapplicationConfig: none
Description (translated from Polish): Watch Milfy City [v0.6e] Part 80 Headmaster Secret By LoveSkySan69 on Pornhub.com, the best site for hardcore porn. Pornhub is home to the widest selection of free videos in the Babe category, with all the most popular porn stars. If you want butt XXX videos, you will find them here.
Title: Milfy City [v0.6e] Part 80 Headmaster Secret by LoveSkySan69 - Pornhub.com
twitterCard: player
twitterSite: @pornhub
twitterCreator: @pornhub
twitterTitle: Milfy City [v0.6e] Part 80 Headmaster Secret By LoveSkySan69
twitterUrl: https://pl.pornhub.com/view_video.php?viewkey=ph5e9391233153d&utm_source=twitter&utm_medium=social
twitterImage: https://ci.phncdn.com/videos/202004/12/303063272/original/(m=e0YHGgaaaa)(mh=X1I29j4i6H8aeumD)11.jpg
twitterDomain: pornhub.com
twitterPlayer: 360
No data.
All screenshots are available in the full report
Total processes
41
Monitored processes
5
Malicious processes
0
Suspicious processes
0

Behavior graph

start (explorer.exe)
  -> rundll32.exe (PID 3168, no specs)
       -> iexplore.exe (PID 3600)
            -> iexplore.exe (PID 3092)
            -> iexplore.exe (PID 2572)
svchost.exe
  -> FlashUtil32_26_0_0_131_ActiveX.exe (PID 2908, no specs)

Process information

Each entry lists the PID, command line, image path and parent process, followed by the metadata the sandbox recorded for that process and the first loaded modules.

PID: 2572
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3600 CREDAT:3151116 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe (PID 3600, per SCODEF)
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 3221225547 (0xC000004B, STATUS_THREAD_IS_TERMINATING)
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

PID: 2908
CMD: C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding
Path: C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe
Parent process: svchost.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Exit code: 0
Version: 26,0,0,131
Note: the -Embedding switch marks an out-of-process COM activation, which is what the "Executed via COM" indicator above reflects.
Modules (images):
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 3092
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3600 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe (PID 3600, per SCODEF)
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

PID: 3168
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\view_video.php
Path: C:\Windows\system32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 3221225547 (0xC000004B, STATUS_THREAD_IS_TERMINATING)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Note: shell32!OpenAs_RunDLL is the Explorer "Open with" dialog. The sample's .php extension has no registered handler on the guest, so opening view_video.php from Explorer produced this dialog rather than rendering the HTML; this process did not execute anything from the file itself.
Modules (images):
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imagehlp.dll

PID: 3600
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?LinkId=57426&Ext=php
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: rundll32.exe (PID 3168)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Note: this URL is the "Open with" dialog's link for looking up a program for the extension on the web (fwlink 57426 with Ext=php); the HTTP requests section shows it redirecting through shell.windows.com/fileassoc. Internet Explorer was therefore started on a Microsoft URL, not on the sample, and the browser activity recorded in this report (PIDs 3600, 3092 and 2572) is IE start-up plus that lookup, not a rendering of view_video.php. The HTTP log contains requests to Microsoft, Bing and OCSP hosts only.
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
6 076
Read events
1 396
Write events
3 194
Delete events
1 486

Modification events

PID 3092 (iexplore.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Content
Operation: write
Name: CachePrefix
Value: (empty)

PID 3092 (iexplore.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

PID 3092 (iexplore.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\History
Operation: write
Name: CachePrefix
Value: Visited:

PID 3168 (rundll32.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write
Name: {17FE9752-0B5A-4665-84CD-569794602F5C} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF
Value: 01000000000000001843C01B111CD601

PID 3600 (iexplore.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateLowDateTime
Value: 766834920

PID 3600 (iexplore.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 30809105

PID 3600 (iexplore.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

PID 3600 (iexplore.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

PID 3600 (iexplore.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

PID 3600 (iexplore.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0
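The two UrlBlockManager values above are one Windows FILETIME split into its low and high DWORDs, and the Shell Extensions\Cached value is a 16-byte blob that carries a FILETIME in its last 8 bytes. Decoding them places these registry writes on a timeline relative to the analysis start (April 26, 2020, 21:24:24). The Python below is an added example, not part of the ANY.RUN report; the input values are copied from the modification events above, and the layout of the Cached blob (FILETIME at offset 8, the leading 8 bytes left undecoded) is an assumption about that value's format.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Copied from the modification events above (PID 3600, UrlBlockManager).
URLBLOCK_LOW_DATETIME = 766834920
URLBLOCK_HIGH_DATETIME = 30809105

# Copied from the Shell Extensions\Cached value written by PID 3168 (rundll32.exe).
SHELLEXT_CACHED_VALUE = bytes.fromhex("01000000000000001843C01B111CD601")


def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME to a timezone-aware UTC datetime (100 ns -> 1 us)."""
    if not 0 <= filetime < 1 << 64:
        raise ValueError("FILETIME must be an unsigned 64-bit value")
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def filetime_from_dwords(low, high):
    """Reassemble a FILETIME stored as separate LowDateTime/HighDateTime registry values."""
    return (high << 32) | (low & 0xFFFFFFFF)


def filetime_from_le_bytes(raw):
    """Read a little-endian 8-byte FILETIME as it appears in a REG_BINARY value."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    return int.from_bytes(raw, "little")


def decode_report_timestamps():
    """Decode both timestamps recorded in this report's modification events."""
    url_block = filetime_to_datetime(
        filetime_from_dwords(URLBLOCK_LOW_DATETIME, URLBLOCK_HIGH_DATETIME)
    )
    # Assumption: bytes 8..15 of the Cached blob are a FILETIME; bytes 0..7
    # (01 00 00 00 00 00 00 00) are left undecoded here.
    shellext = filetime_to_datetime(filetime_from_le_bytes(SHELLEXT_CACHED_VALUE[8:16]))
    return {
        "urlblockmanager_next_check": url_block,
        "shell_extension_cached": shellext,
    }


if __name__ == "__main__":
    for name, when in decode_report_timestamps().items():
        print(f"{name}: {when.isoformat()}")
```

Run stand-alone it prints 2020-04-26T21:24:45.961500+00:00 for the shell-extension cache entry written by rundll32.exe and 2020-04-26T21:25:16.086500+00:00 for the UrlBlockManager pair, that is 21 s and 52 s after the analysis start, consistent with the "Open with" dialog preceding the Internet Explorer launch. The same two helpers apply to any FILETIME-bearing registry value or file-system timestamp pulled from a sandbox run.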
Executable files
0
Suspicious files
172
Text files
525
Unknown types
90

Dropped files

Each entry lists the writing PID and process, the path, the file type and the hashes where the report recorded them.

3092 iexplore.exe C:\Users\admin\AppData\Local\Temp\Low\CabF824.tmp
    Type:
    MD5:
    SHA256:

3092 iexplore.exe C:\Users\admin\AppData\Local\Temp\Low\TarF825.tmp
    Type:
    MD5:
    SHA256:

3092 iexplore.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\1G23L19Q.txt
    Type:
    MD5:
    SHA256:

3092 iexplore.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\R2QK6FFQ.txt
    Type:
    MD5:
    SHA256:

3092 iexplore.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\CLBSGE0V.txt
    Type:
    MD5:
    SHA256:

3092 iexplore.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\VN385B7U.txt
    Type:
    MD5:
    SHA256:

3092 iexplore.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\NA9NHRRU.txt
    Type: text
    MD5: 30343311FD258080DEE20F78E06EDAF6
    SHA256: 5EC1AACFC7C4148417EABA2D06ECC5F43C376CDCD4F5FDF3E94BBC540075C23B

3092 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\727Lg9_HUEvgiUGiGz5osrE6zMg.gz[1].js
    Type: text
    MD5: 381C55A5FB242962EC0C5FB9F2D44B12
    SHA256: 9BAE7B8E3AE32346B905741720D0B1F2A9DE0530F0A5DEEF7268B8D5E16BD76F

3092 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\search[1].htm
    Type: html
    MD5: 0B4F95CB1A89AF72DD56EF5688054D7F
    SHA256: A074728C94D3B3F26C29892E1FAFD1535E6D31E9891D2C9A21E30B81ACADD8DD

3092 iexplore.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
    Type: binary
    MD5: 74D7492B159EEB12F4A321B2A1671187
    SHA256: 83BA12653015C5214C52E6B56BCCEA5FB5A6E3D390A3ED418F2E5084D46EC2A1
Download the PCAP, analyze network streams, HTTP content and more in the full report.
HTTP(S) requests
95
TCP/UDP connections
232
DNS requests
78
Threats
1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3092 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
3092 | iexplore.exe | GET | 302 | 104.111.238.86:80 | http://go.microsoft.com/fwlink/?LinkId=57426&Ext=php | NL | | | whitelisted
3092 | iexplore.exe | GET | 301 | 2.16.186.24:80 | http://shell.windows.com/fileassoc/fileassoc.asp?Ext=php | unknown | | | whitelisted
3092 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D | US | der | 1.47 Kb | whitelisted
3092 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
3092 | iexplore.exe | GET | 200 | 13.107.5.80:80 | http://api.bing.com/qsml.aspx?query=Create+folders+%2F+append+data&maxwidth=32765&rowheight=20&sectionHeight=160&FORM=IE11SS&market=en-US | US | xml | 211 b | whitelisted
3092 | iexplore.exe | GET | 200 | 104.18.24.243:80 | http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAvTsRon4%2BRVzrdwAAAAC9Ow%3D | US | der | 1.79 Kb | whitelisted
3092 | iexplore.exe | GET | | 13.107.5.80:80 | http://api.bing.com/qsml.aspx?query=p&maxwidth=32765&rowheight=20&sectionHeight=160&FORM=IE11SS&market=en-US | US | | | whitelisted
3600 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
3092 | iexplore.exe | GET | 200 | 13.107.5.80:80 | http://api.bing.com/qsml.aspx?query=Create+folders+%2F+append+data&maxwidth=32765&rowheight=20&sectionHeight=160&FORM=IE11SS&market=en-US | US | xml | 211 b | whitelisted

The go.microsoft.com (302) to shell.windows.com (301) chain is the "Open with" dialog's web lookup for the .php extension (see PID 3600 under Process information); the 301 target is not captured in this table, and every other request goes to Bing, Microsoft or OCSP responder hosts. Nothing in the HTTP log originates from the content of view_video.php.
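The ocsp.digicert.com and ocsp.msocsp.com requests above use the OCSP GET form from RFC 6960: the whole DER-encoded OCSPRequest is base64-encoded, percent-encoded and placed in the URL path. Decoding it recovers the CertID (hash algorithm, issuer name hash, issuer key hash, certificate serial number), which tells you which certificate the browser was checking without needing the PCAP. The Python below is an added example, not part of the ANY.RUN report; the URLs are copied from the table above, and the DER reader handles only what an OCSP CertID needs (it is not a general ASN.1 library).

```python
import base64
from urllib.parse import unquote, urlsplit

# Copied from the HTTP requests table above (PID 3092, ocsp.digicert.com).
OCSP_URLS = [
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D",
]

# Hash algorithm OIDs seen in CertID.hashAlgorithm.
HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def _read_tlv(buf, pos):
    """Read one DER TLV starting at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def _expect(buf, pos, tag):
    """Read the TLV at pos and require it to carry the given tag."""
    t, value, nxt = _read_tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}, got 0x{t:02x}")
    return value, nxt


def _decode_oid(raw):
    """Decode the body of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_ocsp_get_url(url):
    """Return the CertID fields of the first Request in an OCSP GET URL."""
    der = base64.b64decode(unquote(urlsplit(url).path.lstrip("/")))
    ocsp_request, _ = _expect(der, 0, 0x30)       # OCSPRequest ::= SEQUENCE
    tbs, _ = _expect(ocsp_request, 0, 0x30)       # tbsRequest (optionalSignature ignored)
    # TBSRequest may begin with [0] version and [1] requestorName; skip to requestList.
    pos, request_list = 0, None
    while pos < len(tbs) and request_list is None:
        tag, value, pos = _read_tlv(tbs, pos)
        if tag == 0x30:
            request_list = value
    if request_list is None:
        raise ValueError("no requestList in TBSRequest")
    request, _ = _expect(request_list, 0, 0x30)   # first Request
    cert_id, _ = _expect(request, 0, 0x30)        # reqCert CertID
    alg, pos = _expect(cert_id, 0, 0x30)          # hashAlgorithm AlgorithmIdentifier
    oid_raw, _ = _expect(alg, 0, 0x06)
    name_hash, pos = _expect(cert_id, pos, 0x04)  # issuerNameHash OCTET STRING
    key_hash, pos = _expect(cert_id, pos, 0x04)   # issuerKeyHash OCTET STRING
    serial, _ = _expect(cert_id, pos, 0x02)       # serialNumber INTEGER
    oid = _decode_oid(oid_raw)
    return {
        "hash_algorithm": HASH_OIDS.get(oid, oid),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial_number": serial.hex(),
    }


if __name__ == "__main__":
    for url in OCSP_URLS:
        print(parse_ocsp_get_url(url))
```

Both requests share the same issuer name and key hashes and differ only in the serial number, so they are status checks for two end-entity certificates from the same issuing CA. To identify the issuer, compare issuer_key_hash against the SHA-1 of the subjectPublicKey of the candidate CA certificate; the serial can then be looked up in that CA's CRL or in certificate transparency logs.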

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3092 | iexplore.exe | 2.16.186.24:80 | shell.windows.com | Akamai International B.V. | | whitelisted
3092 | iexplore.exe | 104.111.238.86:80 | go.microsoft.com | Akamai International B.V. | NL | whitelisted
3092 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
3092 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3600 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
3092 | iexplore.exe | 20.190.129.133:443 | login.microsoftonline.com | Microsoft Corporation | US | malicious
3092 | iexplore.exe | 40.90.23.154:443 | login.live.com | Microsoft Corporation | US | unknown
3600 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3092 | iexplore.exe | 104.18.24.243:80 | ocsp.msocsp.com | Cloudflare Inc | US | shared
3092 | iexplore.exe | 13.107.5.80:80 | api.bing.com | Microsoft Corporation | US | whitelisted

The "malicious" label on login.microsoftonline.com is the reputation feed's verdict on that address, not an observed behaviour: the same domain is whitelisted in the DNS requests section below, the address sits in Microsoft Corporation's ASN, and the only entry under Threats is a Suricata protocol-decode message rather than a signature match. Verify against the PCAP before treating it as an indicator.

DNS requests

Domain
IP
Reputation
go.microsoft.com
  • 104.111.238.86
whitelisted
shell.windows.com
  • 2.16.186.24
  • 2.16.186.27
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
login.microsoftonline.com
  • 20.190.129.133
  • 40.126.1.145
  • 20.190.129.17
  • 20.190.129.19
  • 40.126.1.130
  • 20.190.129.128
  • 20.190.129.130
  • 20.190.129.160
whitelisted
ocsp.msocsp.com
  • 104.18.24.243
  • 104.18.25.243
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
login.live.com
  • 40.90.23.154
  • 40.90.137.120
  • 40.90.137.125
whitelisted
www2.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
pornhub.com
  • 66.254.114.41
whitelisted

Threats

PID 3092 (iexplore.exe)
Class: Generic Protocol Command Decode
Message: SURICATA HTTP unable to match response to request
No debug info