Field | Value
---|---
URL | http://skylod.com
Full analysis | https://app.any.run/tasks/42ca28cb-ae95-4b78-968c-d9d36497a654
Verdict | Malicious activity
Analysis date | January 24, 2022, 20:33:58
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | —
MD5 | F8894FF2E5061C4B87A77673DAE25F44
SHA1 | 1AC2C85A2AD37EE755FC05A0E733A4F12A189DF9
SHA256 | 3C1E349C51E890289C89B82D195711E21F41E77DCF804E3F147807960440BA93
SSDEEP | 3:N1KNOjI:Cc0
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3944 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://skylod.com" | C:\Program Files\Internet Explorer\iexplore.exe | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
3664 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3944 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
3944 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPDaysSinceLastAutoMigration | 1
3944 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPLastLaunchLowDateTime | —
3944 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPLastLaunchHighDateTime | 30937441
3944 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateLowDateTime | —
3944 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateHighDateTime | 30937441
3944 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | —
3944 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
3944 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
3944 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0
3944 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3664 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B | binary | 72570EC2D37D3EED7887D474DD47A9E8 | 1C50A987F529F9165303979E17A4A0AC7626215FA9B58BF4A0747EF5D482EAE0
3944 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary | F60907B98467A94266D5649815BE95FA | 87A8971A226581911F2B3B7CE7B25C1690A1CB1A09622FBAD0EA8292C200B36E
3664 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B | der | 12A51915194FA6C77B0C358FA6799B55 | C5AD5286E8745EA198229C67D0D7CE3E4805467BC6D6DE330621F6AC0B992D01
3664 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\zhubo162925[1].jpg | image | 07C3BAEAF65E180BB4DA884981864B47 | 6E35CE80FDEE2627990DD01ED1EC26CA18392156B171B97FED1DF4EDDCBB464A
3944 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der | FC990EAA7247546FB67C18916A4CAC9B | 294F5BE9159C87842AD3173FE7CDA168C9F2010C6D428085A8AC30EF436CA993
3664 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_005284E085E122BD76B51F33745F7753 | binary | D3662817253611904BB51D276FE70C4A | C4374A64F389B316767924C0657E7BAF53AF88663574D60FEB3AC4452DE9D450
3664 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DD76941B08ECB69B450D4C1AE579DB94_3F39A7EC102D7330818E9601B0AF5FE8 | binary | 3F45F72BC31CA3FDFA1031BA29CD1397 | 89E8C00B28A77AB5941B529D14E69ABCD38186A27DC4632E2A10F5C375576291
3944 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | FE604284D0DEF14B785DF7CF93A41B10 | AB91A706492A7708859740586D88A6458A6D7D3A844AB311EF22D8E669F29B74
3664 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\f[1].txt | text | BD76F3BDFF7D2A3ECA8C73C9BE9F0C5F | CAB2B647919BAE9D8E61A7F93EE7B6D5163C343B5B214AFC98390F4D25E04D3C
3664 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\index[1].htm | html | 1584197ADAC7B42C5410D41F9750345F | A1F55328EEC1A3A6C52EC429F937162F8ADF061FED1CC717AEB62AE838F27DDF
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3664 | iexplore.exe | GET | 301 | 45.39.123.7:80 | http://skylod.com/ | US | — | — | malicious |
3664 | iexplore.exe | GET | 200 | 183.131.207.66:80 | http://ia.51.la/go1?id=21246393&rt=1643056465269&rl=1280*720&lang=en-US&ct=unknow&pf=1&ins=1&vd=1&ce=1&cd=24&ds=%25E9%25A6%2599%25E6%25B8%25AF%25E4%25B8%2589%25E7%25BA%25A7%25E7%2589%2587%25E7%2594%25B5%25E5%25BD%25B1_%25E8%258F%25A0%25E8%2590%259D%25E8%258F%25A0%25E8%2590%259D%25E8%259C%259C%25E6%2592%25AD%25E6%2594%25BE%25E8%25A7%2582%25E7%259C%258B%25E5%259C%25A8%25E7%25BA%25BF%25E8%25A7%2586%25E9%25A2%2591_%25E4%25BA%259A%25E6%25B4%25B2%25E7%25B2%25BE%25E5%2593%2581%25E7%25A7%2581%25E6%258B%258D%252C%25E4%25BA%259A&ing=2&ekc=&sid=1643056465269&tt=%25E6%258B%2589%25E8%2590%25A8%25E6%2582%25A3%25E5%25A4%2587%25E7%2594%25B5%25E5%25AD%2590%25E6%259C%2589%25E9%2599%2590%25E5%2585%25AC%25E5%258F%25B8&kw=%25E9%25A6%2599%25E6%25B8%25AF%25E4%25B8%2589%25E7%25BA%25A7%25E7%2589%2587%25E7%2594%25B5%25E5%25BD%25B1_%25E8%258F%25A0%25E8%2590%259D%25E8%258F%25A0%25E8%2590%259D%25E8%259C%259C%25E6%2592%25AD%25E6%2594%25BE%25E8%25A7%2582%25E7%259C%258B%25E5%259C%25A8%25E7%25BA%25BF%25E8%25A7%2586%25E9%25A2%2591_%25E4%25BA%259A%25E6%25B4%25B2%25E7%25B2%25BE%25E5%2593%2581%25E7%25A7%2581%25E6%258B%258D%252C%25E4%25BA%259A%25E6%25B4%25B2%25E7%25B2%25BE%25E5%2593%2581%25E7%25BE%258E%25E5%25A5%25B3%25E5%259B%25BD%25E4%25BA%25A7&cu=http%253A%252F%252Fwww.skylod.com%252Findex.php&pu= | CN | — | — | whitelisted |
3664 | iexplore.exe | GET | 200 | 183.131.207.66:80 | http://ia.51.la/go1?id=21228985&rt=1643056465223&rl=1280*720&lang=en-US&ct=unknow&pf=1&ins=1&vd=1&ce=1&cd=24&ds=%25E9%25A6%2599%25E6%25B8%25AF%25E4%25B8%2589%25E7%25BA%25A7%25E7%2589%2587%25E7%2594%25B5%25E5%25BD%25B1_%25E8%258F%25A0%25E8%2590%259D%25E8%258F%25A0%25E8%2590%259D%25E8%259C%259C%25E6%2592%25AD%25E6%2594%25BE%25E8%25A7%2582%25E7%259C%258B%25E5%259C%25A8%25E7%25BA%25BF%25E8%25A7%2586%25E9%25A2%2591_%25E4%25BA%259A%25E6%25B4%25B2%25E7%25B2%25BE%25E5%2593%2581%25E7%25A7%2581%25E6%258B%258D%252C%25E4%25BA%259A&ing=1&ekc=&sid=1643056465223&tt=%25E6%258B%2589%25E8%2590%25A8%25E6%2582%25A3%25E5%25A4%2587%25E7%2594%25B5%25E5%25AD%2590%25E6%259C%2589%25E9%2599%2590%25E5%2585%25AC%25E5%258F%25B8&kw=%25E9%25A6%2599%25E6%25B8%25AF%25E4%25B8%2589%25E7%25BA%25A7%25E7%2589%2587%25E7%2594%25B5%25E5%25BD%25B1_%25E8%258F%25A0%25E8%2590%259D%25E8%258F%25A0%25E8%2590%259D%25E8%259C%259C%25E6%2592%25AD%25E6%2594%25BE%25E8%25A7%2582%25E7%259C%258B%25E5%259C%25A8%25E7%25BA%25BF%25E8%25A7%2586%25E9%25A2%2591_%25E4%25BA%259A%25E6%25B4%25B2%25E7%25B2%25BE%25E5%2593%2581%25E7%25A7%2581%25E6%258B%258D%252C%25E4%25BA%259A%25E6%25B4%25B2%25E7%25B2%25BE%25E5%2593%2581%25E7%25BE%258E%25E5%25A5%25B3%25E5%259B%25BD%25E4%25BA%25A7&cu=http%253A%252F%252Fwww.skylod.com%252Findex.php&pu= | CN | — | — | whitelisted |
3664 | iexplore.exe | GET | 200 | 45.39.123.7:80 | http://www.skylod.com/index.php | US | html | 676 b | malicious |
3944 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
3664 | iexplore.exe | GET | 200 | 172.67.25.30:80 | http://fmlb.netlbtu.com/images/2021/12/30/zhubo162833.jpg | US | image | 73.9 Kb | suspicious |
3664 | iexplore.exe | GET | 200 | 104.18.20.226:80 | http://ocsp.globalsign.com/gsgccr3dvtlsca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQoKOHJRQbCE%2B3DXqwFiztBxLYdhwQUDZjAc3%2Brvb3ZR0tJrQpKDKw%2Bx3wCDBymHVleR8DMka2C6g%3D%3D | US | der | 1.39 Kb | whitelisted |
3664 | iexplore.exe | GET | 200 | 45.39.123.7:80 | http://www.skylod.com/tj.js | US | compressed | 676 b | malicious |
3664 | iexplore.exe | GET | 200 | 107.186.32.22:80 | http://mdys1.top/ | US | html | 5.53 Kb | suspicious |
3664 | iexplore.exe | GET | 200 | 172.67.25.30:80 | http://fmlb.netlbtu.com/images/2021/12/30/zhubo163209.jpg | US | image | 81.4 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3664 | iexplore.exe | 45.39.123.7:80 | skylod.com | EGIHosting | US | unknown |
3944 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
3664 | iexplore.exe | 218.12.76.151:443 | js.users.51.la | CHINA UNICOM China169 Backbone | CN | malicious |
— | — | 192.168.100.2:53 | — | — | — | whitelisted |
3944 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3944 | iexplore.exe | 67.27.159.126:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | suspicious |
3664 | iexplore.exe | 107.186.32.22:80 | mdys1.top | EGIHosting | US | suspicious |
3664 | iexplore.exe | 104.18.20.226:80 | ocsp.globalsign.com | Cloudflare Inc | US | shared |
3664 | iexplore.exe | 172.67.25.30:80 | fmlb.netlbtu.com | — | US | suspicious |
3664 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation
---|---|---
www.microsoft.com | — | whitelisted
skylod.com | — | unknown
www.skylod.com | — | malicious
api.bing.com | — | whitelisted
www.bing.com | — | whitelisted
ctldl.windowsupdate.com | — | whitelisted
ocsp.digicert.com | — | whitelisted
js.users.51.la | — | whitelisted
ocsp.globalsign.com | — | whitelisted
ocsp2.globalsign.com | — | whitelisted
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
3664 | iexplore.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |