URL: | https://valdia.quatiappcn.pw |
Full analysis: | https://app.any.run/tasks/4ab5efc6-30b3-4fe6-871c-5ca242fa51b3 |
Verdict: | Malicious activity |
Analysis date: | January 24, 2022, 16:25:22 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | ED8905BCCE4543585F0EE1F98931BD64 |
SHA1: | B6382D57A6EA53EC4CCE113DF5D546FBF7BBFD23 |
SHA256: | 1F01D02B3D257A9861D0571BC19DB7952258522FB2413737AF23667ECBBE0714 |
SSDEEP: | 3:N8+TUQERF/chS:2cERYS |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3148 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://valdia.quatiappcn.pw" | C:\Program Files\Internet Explorer\iexplore.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3860 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3148 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3148 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary | |
MD5:47CDD1DC94F528AE2C4C0F2554C3A93A | SHA256:1587409D6A22E2665BDA564F745FE1934671AAFB6048A08210AECCB8E72C1466 | |||
3860 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der | |
MD5:494A7483CEAF488A79CB45418E88ECCD | SHA256:9A65904F97742B3D8844EFAFCE7D9E9DA7C1B96A8FDE541E718768AE68293D50 | |||
3148 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF842952360CA1BC54.TMP | gmc | |
MD5:DE00C75F8F5CFAC97965B0A4D132C756 | SHA256:BF6A84CEB8DBF5DBC111EBF92355BCEECA9DFEA0BD6F116B29D770BA037C62C5 | |||
3148 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:619662B996F68D54A0C92F7E67EC3CCC | SHA256:C1E84F35DEE8F0321F61CE9101DBD74FBD64507BBAB0B7F6F3528835816F1E0C | |||
3148 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{3BE461A7-7D32-11EC-A20C-12A9866C77DE}.dat | binary | |
MD5:3051AD3CEB590C77BD2783645E79F0F2 | SHA256:5A9C626C383E2289EE4984C3DD5895A47EEC808368755155B889B6E932D27C60 | |||
3148 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | image | |
MD5:DA597791BE3B6E732F0BC8B20E38EE62 | SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07 | |||
3148 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF06EECD6FD91FB140.TMP | gmc | |
MD5:21E6C2B4814439AC896D82C76B49FDB0 | SHA256:ED71F7CCC27E260E777365CBC305102D36459CBEDE8D97E16BC87CA32A8FE565 | |||
3148 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | der | |
MD5:111DCDB55A88510DB3C1E141A0EA1538 | SHA256:022A2CD07C65A61F3419427C0D278028CC8FD3C40D593279C2035D881013973B | |||
3860 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary | |
MD5:C8702B43A5DE977C6CD81D2785E5A84E | SHA256:09E7D6BCBD20BB6E6BCC3BAA332B638C7A9B87CC535A9E12F42B2A8E0A254B1A | |||
3148 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{4547A404-7D32-11EC-A20C-12A9866C77DE}.dat | binary | |
MD5:4BF09E77B49061E5657E94745749BBBA | SHA256:6BF07A0FE3D006CAA9F55A9D11FBB7F80D705B40E5A83B2238FBC78504198936 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3148 | iexplore.exe | GET | — | 2.16.106.171:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?aca855439deafb4e | unknown | — | — | whitelisted |
3860 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
3148 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
3148 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
3148 | iexplore.exe | GET | 200 | 2.16.106.171:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5ece1ce4496c7b8b | unknown | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3148 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3860 | iexplore.exe | 104.21.53.100:443 | valdia.quatiappcn.pw | Cloudflare Inc | US | suspicious |
3148 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
3148 | iexplore.exe | 2.16.106.171:80 | ctldl.windowsupdate.com | Akamai International B.V. | — | whitelisted |
3860 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3860 | iexplore.exe | 172.67.211.252:443 | valdia.quatiappcn.pw | — | US | suspicious |
3148 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
valdia.quatiappcn.pw |
| malicious |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |