URL: | https://valdia.quatiappcn.pw/6283c5d47d9c24192c2124f5.js |
Full analysis: | https://app.any.run/tasks/8b92dd6b-f482-4d85-9914-673685aa627e |
Verdict: | Malicious activity |
Analysis date: | May 20, 2022, 20:47:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | D63EF6AFAAB9B6939098519696D8209B |
SHA1: | 473715E196B4F099D44E5B0605DE9938AC1A55E3 |
SHA256: | 06B30EBEE8495ACB12F649E82B43536B43CE7C6CA4FFF74FD5FC1E11B48C70E3 |
SSDEEP: | 3:N8+TUQERF/ch5TNoG5aLPW:2cERY5TNbES |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2932 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://valdia.quatiappcn.pw/6283c5d47d9c24192c2124f5.js" | C:\Program Files\Internet Explorer\iexplore.exe | Explorer.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
3264 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2932 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
1332 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\6283c5d47d9c24192c2124f5.js" | C:\Windows\System32\WScript.exe | — | iexplore.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3836 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3264 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\6283c5d47d9c24192c2124f5.js.fu71hxc.partial | text | |
MD5:30B227CA46D7B3286CC7608512F19F28 | SHA256:C03BE24D2781357F6DAFA0A1F398CDD02E73E6C472216A58F9490A49FB598F83 | |||
2932 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\6283c5d47d9c24192c2124f5.js | text | |
MD5:30B227CA46D7B3286CC7608512F19F28 | SHA256:C03BE24D2781357F6DAFA0A1F398CDD02E73E6C472216A58F9490A49FB598F83 | |||
2932 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{1BC2BC91-D87E-11EC-8C9F-1203334A04AF}.dat | binary | |
MD5:E139973F06991D37B93A8FA67FFB7D9B | SHA256:C54A400C8035261BB16E8BCAF6B6A2B2FAA324D6FB81058612CCD6E1D2C31246 | |||
3264 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary | |
MD5:D415292051151AA33C986486A94EF218 | SHA256:118A14DD03E227F80A62CB1C6012199E6E829973487B16A608ADB1EEAC4C2C16 | |||
2932 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{1BC2BC8F-D87E-11EC-8C9F-1203334A04AF}.dat | binary | |
MD5:4690B2E85DB6387E2EBE62B79A3AF590 | SHA256:2BBF8D8A87B3C0D9AC544F4F0F4EDE2060E443E7B0BB36E70A5056DBFAF6900E | |||
3264 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der | |
MD5:41FBBFEF77C9E15DF36E1CB541503D98 | SHA256:1C596FD0B7231E43E672CB027BE6117200830DD98929F060C3A97F8EFC4EAE17 | |||
2932 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | der | |
MD5:FA526918A211E850A6078FB1D00B2045 | SHA256:396B94C667643AFA59D155EF4D812DA6F4D67DD50CEC97194E1CA3A1B3ECE3FE | |||
3264 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:AA7F883143816C4F6E9AD94970F13E38 | SHA256:D3E06F291CAF01DC143C2B5BCB654CB91DD1EBAB1E99823F3BCD1089EEBF1A74 | |||
3264 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\6283c5d47d9c24192c2124f5[1].js | text | |
MD5:30B227CA46D7B3286CC7608512F19F28 | SHA256:C03BE24D2781357F6DAFA0A1F398CDD02E73E6C472216A58F9490A49FB598F83 | |||
2932 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFDE5ADFA25689AAEA.TMP | gmc | |
MD5:F64F2B484D6229A8376D14ED56010120 | SHA256:EAFE9384E2DECEC360F5CD74E245B6C95B3849702C955429E228A0DB27CA9A5D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3264 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
2932 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
3264 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?53acdcc8e58d37ad | US | compressed | 4.70 Kb | whitelisted |
3264 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?99f7046d211feafd | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2932 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2932 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3264 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3264 | iexplore.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3264 | iexplore.exe | 188.114.97.10:443 | valdia.quatiappcn.pw | Cloudflare Inc | US | malicious |
Domain | IP | Reputation |
---|---|---|
valdia.quatiappcn.pw |
| malicious |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |