URL: | http://gcerea3eejr.sectornotas.cloud/V18UPCAHWP/PH4kAPCAHeBpviBiD5F9/247876/PHOT247876416 |
Full analysis: | https://app.any.run/tasks/1c700c2e-7284-41e1-90d7-589b7e1d2b8c |
Verdict: | Malicious activity |
Analysis date: | August 12, 2022, 17:04:53 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | 2118C5F01B61AE997E84062BA98C0838 |
SHA1: | 646BF794804419EAB08610B4BBB1D584FA1AA240 |
SHA256: | 526EAD491DA1FE62B815270F184BDFDB9CBCC5C27CD0906A7811BBC30EBF0715 |
SSDEEP: | 3:N1KZGyhHAajRKb+2Twi1d37Ph3tMkSU:C4ya1+2Twi/LPpmbU |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3420 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://gcerea3eejr.sectornotas.cloud/V18UPCAHWP/PH4kAPCAHeBpviBiD5F9/247876/PHOT247876416" | C:\Program Files\Internet Explorer\iexplore.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3932 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3420 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3932 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\VTWVVIE1.txt | text | |
MD5:63C310DD0ABC7C82A91476EA5966D6EF | SHA256:ADEECE14F5B00D8AEE62586097B2B29CEBF1148E098CDE31032F44A24EA34563 | |||
3932 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177 | binary | |
MD5:EE79CE782A44CF921EAB2A05D3D656D5 | SHA256:2E024CA26A8679381E4D59DD7AD14AA6D3899459E74DE6B53405A50683F4F9F0 | |||
3420 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der | |
MD5:EE87BB11E233C12009CC11725035DBDC | SHA256:D82930A5B051B3C3F1639C24E83BDDF41D5AA66E467A0944D1AC3D59AE6330C5 | |||
3420 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF32AD62A1E0DCFB71.TMP | gmc | |
MD5:F2BFD34D057DFD298AAD5A794240629C | SHA256:B97E9CED7E35023AD7057DFFFE81F9A4CD567BD4FFB53E59B21968D03888CBE6 | |||
3932 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\QD2OR16Q.txt | text | |
MD5:68CFC10F96AF6A69E2B103763D6CFA15 | SHA256:3DD85302A072D43810E221F9EA33529EAA2C341E7DC6C54A70B98F28B3E8FC85 | |||
3932 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\57T69YQ5.txt | text | |
MD5:F1D798A5B59615B0EAE5EC3CC27B125D | SHA256:F1B9FF35C4BF30DEBE6B75FBA675E9A9EB93DF4B078F3D666D63E8221F6B5863 | |||
3420 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary | |
MD5:A03F6D86CED60C5548D5E148A5ACEA60 | SHA256:9027C1D6A945EEF89094718B482E6F41BAEE616AD0BE10B40E6B19A35F799466 | |||
3932 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\U674WWNA.txt | text | |
MD5:E2C6513B782194134EBC194C30BB1A46 | SHA256:EF39E1251D439A388BE8949562E2B363643F6CC66CEBD5F338D34EF6822632B4 | |||
3420 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:88A9E0CA70314A25E3F88B8FF887189C | SHA256:C35E1562F8BF65280C503CEA13C6A6677DE91A9A39D0E8FACC6FD90B99A60509 | |||
3420 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | der | |
MD5:290A85BD3E7285CDEDA1602A9E12A7DF | SHA256:17AE86541BE373B2DB8A4B77D7E7626966637E5A6052F290A3B598A56F5123C9 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3932 | iexplore.exe | GET | 302 | 188.114.96.3:80 | http://gcerea3eejr.sectornotas.cloud/V18UPCAHWP/PH4kAPCAHeBpviBiD5F9/247876/PHOT247876416 | US | — | — | malicious |
3420 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
3420 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
3420 | iexplore.exe | GET | 200 | 67.27.158.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f3725d75dfb232d2 | US | compressed | 4.70 Kb | whitelisted |
3420 | iexplore.exe | GET | 200 | 8.248.137.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f431af0d2329b163 | US | compressed | 4.70 Kb | whitelisted |
3932 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAxq6XzO1ZmDhpCgCp6lMhQ%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3932 | iexplore.exe | 188.114.97.3:80 | gcerea3eejr.sectornotas.cloud | Cloudflare Inc | US | malicious |
3420 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
3420 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3420 | iexplore.exe | 67.27.158.254:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | malicious |
3420 | iexplore.exe | 8.248.137.254:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | suspicious |
3932 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
— | — | 184.51.8.209:443 | download.microsoft.com | Akamai Technologies, Inc. | US | whitelisted |
3932 | iexplore.exe | 184.51.8.209:443 | download.microsoft.com | Akamai Technologies, Inc. | US | whitelisted |
3420 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3932 | iexplore.exe | 188.114.96.3:80 | gcerea3eejr.sectornotas.cloud | Cloudflare Inc | US | malicious |
Domain | IP | Reputation |
---|---|---|
gcerea3eejr.sectornotas.cloud |
| malicious |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
download.microsoft.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD |
3932 | iexplore.exe | Potentially Bad Traffic | ET INFO HTTP Request to Suspicious *.cloud Domain |