URL: | http://www.rules.securestudies.com |
Full analysis: | https://app.any.run/tasks/9f85e407-4f7f-4343-8e70-d3a79c624fbb |
Verdict: | Malicious activity |
Analysis date: | January 14, 2022, 21:35:12 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | FBB6BDEDCFD03815CBE3EBE9BF07D537 |
SHA1: | 4086751B160E6EAD1DD06C9F4B45B35880D92389 |
SHA256: | 335B0D26489434D11F891B2C7E2A62729586D6D9399604488E9B350994B9A511 |
SSDEEP: | 3:N1KJS4A56CzRqW2:Cc4A56j |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1252 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://www.rules.securestudies.com" | C:\Program Files\Internet Explorer\iexplore.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3096 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1252 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
|
(PID) Process: | (1252) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPDaysSinceLastAutoMigration |
Value: 1 | |||
(PID) Process: | (1252) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchLowDateTime |
Value: | |||
(PID) Process: | (1252) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchHighDateTime |
Value: 30935438 | |||
(PID) Process: | (1252) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateLowDateTime |
Value: | |||
(PID) Process: | (1252) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 30935438 | |||
(PID) Process: | (1252) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (1252) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (1252) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (1252) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
(PID) Process: | (1252) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3096 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\QCSSGFRX.txt | text | |
MD5:3DDDF6E20B803F656A7302DC810E4B44 | SHA256:C55B0D156EC9C346D07F02ACB16C4137241B70C4FA746F274A719FC1AB3D3574 | |||
1252 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:99EA9FE823BDAE693BB60EE0649BF7A0 | SHA256:345325BA57FFFDC65E14BE08D49263DC1AED5981E80997BAC799745F38C4026D | |||
3096 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\qsml[1].xml | xml | |
MD5:73F5D0D80252AC284783419C5F37D4EF | SHA256:C671E07B085951F32D4503350385A0BF3BC4C19C0C886DF61C7C0961CB1B554C | |||
1252 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary | |
MD5:E79B95A635F88544C273D92E374A8885 | SHA256:52CF49BA8ADB249D509ACEE1AF671DD3F28B8359BA9E02167FC3D065626BF68D | |||
1252 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | binary | |
MD5:410B6184CAA83B9D154D351871EAD473 | SHA256:49FC10B4EFC0DFF1756EF26DC83C5B79D5890BC86281951F7A157AF9E9974A07 | |||
3096 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\3FH6XT9Z.txt | text | |
MD5:9AEB91265200A7696E8D5544B9881F03 | SHA256:1527848865CFB6C10DE44CACCB994A565A9EA8FE7F4F32E1D37552531715CA49 | |||
3096 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\S4UJTGXM.txt | text | |
MD5:0DD5574E5928999B2C5A6320E0AF4B89 | SHA256:9DE4EC609DB97AA3702CD96129464D7C0FC9F0136BA2679970E627C0D5F00404 | |||
3096 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\91YXUMOI.txt | text | |
MD5:FC6B5F1FBCFE9BB9D94EB7C6670033DE | SHA256:A1515E86BA19055A1331740CBA7490C9DB911D6EB6A7EE6CE59077B2FD6A6F4B | |||
3096 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\qsml[1].htm | xml | |
MD5:73F5D0D80252AC284783419C5F37D4EF | SHA256:C671E07B085951F32D4503350385A0BF3BC4C19C0C886DF61C7C0961CB1B554C | |||
1252 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der | |
MD5:AC68ACF50745357D4EA92B214D9E7132 | SHA256:AE3F7FDE380D2D90571A61378E52B1BC284B4C4C6A1E099F6F022395EBED6154 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1252 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
1252 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
3096 | iexplore.exe | GET | 403 | 66.119.41.96:80 | http://rules.securestudies.com/ | US | html | 162 b | unknown |
1252 | iexplore.exe | GET | 200 | 2.16.106.171:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d85cd64283bf8617 | unknown | compressed | 4.70 Kb | whitelisted |
1252 | iexplore.exe | GET | 200 | 2.16.106.171:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?827d66014578e129 | unknown | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1252 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
3096 | iexplore.exe | 13.107.5.80:443 | api.bing.com | Microsoft Corporation | US | whitelisted |
1252 | iexplore.exe | 2.16.106.171:80 | ctldl.windowsupdate.com | Akamai International B.V. | — | whitelisted |
1252 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3096 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
— | — | 66.119.41.96:80 | rules.securestudies.com | Savvis | US | unknown |
1252 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3096 | iexplore.exe | 66.119.41.96:80 | rules.securestudies.com | Savvis | US | unknown |
— | — | 192.168.100.2:53 | — | — | — | whitelisted |
3096 | iexplore.exe | 20.190.159.136:443 | login.microsoftonline.com | Microsoft Corporation | US | suspicious |
Domain | IP | Reputation |
---|---|---|
www.rules.securestudies.com |
| unknown |
www.microsoft.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
rules.securestudies.com |
| unknown |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
login.microsoftonline.com |
| whitelisted |