URL: http://uhceservice.com/
Full analysis: https://app.any.run/tasks/c79552f7-994f-4e6f-8064-93d462ec84db
Verdict: Malicious activity
Analysis date: December 05, 2022, 20:25:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:    44752A81CACD955183606D3DFC767F23
SHA1:   11295692956961E35DF1A50B358694E3865B2FB4
SHA256: 5C1B74A5D8E23F843B493FAB250126FD01448D699BA2645B51E255DC3BEDC152
SSDEEP: 3:N1KLoA8:CkH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    No suspicious indicators.
  • INFO
    • Application launched itself
      • iexplore.exe (PID: 2436)
    Note: the self-launch is Internet Explorer's Protected Mode split. The Medium-integrity frame process (PID 2436) spawns a Low-integrity tab process (PID 568; the SCODEF:2436 CREDAT:... command line below is the standard form). On its own this is expected browser behaviour, not an indicator of compromise.
Malware configuration: none extracted.
Total processes: 35
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph (process tree):
Explorer.EXE -> iexplore.exe (PID 2436, Medium integrity) -> iexplore.exe (PID 568, Low integrity)

Process information

PID 2436  iexplore.exe
  Command line:    "C:\Program Files\Internet Explorer\iexplore.exe" "http://uhceservice.com/"
  Path:            C:\Program Files\Internet Explorer\iexplore.exe
  Parent process:  Explorer.EXE
  User:            admin
  Company:         Microsoft Corporation
  Integrity level: MEDIUM
  Description:     Internet Explorer
  Version:         11.00.9600.16428 (winblue_gdr.131013-1700)
  Loaded modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\iertutil.dll

PID 568  iexplore.exe
  Command line:    "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2436 CREDAT:267521 /prefetch:2
  Path:            C:\Program Files\Internet Explorer\iexplore.exe
  Parent process:  iexplore.exe (PID 2436)
  User:            admin
  Company:         Microsoft Corporation
  Integrity level: LOW
  Description:     Internet Explorer
  Version:         11.00.9600.16428 (winblue_gdr.131013-1700)
  Loaded modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events: 9 879
Read events: 9 776
Write events: 103
Delete events: 0

Modification events (all by PID 2436, iexplore.exe; operation: write; listed as Key, then Name = Value)

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
  NTPDaysSinceLastAutoMigration = 1
  NTPLastLaunchLowDateTime = (value not shown in this summary)
  NTPLastLaunchHighDateTime = 31000807
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
  NextCheckForUpdateLowDateTime = (value not shown in this summary)
  NextCheckForUpdateHighDateTime = 31000807
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
  CachePrefix = (value not shown in this summary)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
  CachePrefix = Cookie:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
  CachePrefix = Visited:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  CompatibilityFlags = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  ProxyBypass = 1
Executable files: 0
Suspicious files: 8
Text files: 15
Unknown types: 6

Dropped files

PID   Process       Type    Filename / hashes
568   iexplore.exe  text    C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\maincaf[1].js
                            MD5: 3C7567521347BF95B105FFA7FDC7DA86
                            SHA256: 0E32BCA6B67DFDEED3F9B988DDCEC1ADF0502549A130A78C4ACE64C318A7EA29
2436  iexplore.exe  binary  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C
                            MD5: B93BE7F7105A70ADA63DE982DC79E9F3
                            SHA256: B91017BD0A01CC3FAEBAF964E7FD1D2634E7789FFB69459F1F891666F4F8F337
568   iexplore.exe  text    C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\0ZQOAZ2O.txt
                            MD5: 6BE29C742028CAF6432AFA3188662FBD
                            SHA256: 438B09D11F9ABE6A477C512C65AC1143CA461E1E4BFF53D825441F9689537C0B
568   iexplore.exe  html    C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\J12XHBLC.htm
                            MD5: C8FD8E9B99E88BC4324EABDEDBE5D0C5
                            SHA256: 67DC76F5FAE4A80F5DFE5FFA8411701163994A740884F825C0ED0D34A6CA9914
568   iexplore.exe  text    C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\caf[1].js
                            MD5: 4E136CBCC7A57C82ECF7B7757F0DEE34
                            SHA256: 2499F63F73EBBB4A49F42669A55EB5C7B42799E591DCA36970BA9AB9BA17B9AF
568   iexplore.exe  binary  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
                            MD5: DFC8146F82E91B1F6965F75C83473EF9
                            SHA256: 658DA0A012DA2763E8D5543277867BD71B53C13108D0AB6ACBA9A1AFD27E2BC5
568   iexplore.exe  text    C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\sale_form[1].js
                            MD5: 64F809E06446647E192FCE8D1EC34E09
                            SHA256: F52CBD664986AD7ED6E71C448E2D31D1A16463E4D9B7BCA0C6BE278649CCC4F3
568   iexplore.exe  text    C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\1J72P9JL.txt
                            MD5: 6BE29C742028CAF6432AFA3188662FBD
                            SHA256: 438B09D11F9ABE6A477C512C65AC1143CA461E1E4BFF53D825441F9689537C0B
2436  iexplore.exe  image   C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[2].ico
                            MD5: DA597791BE3B6E732F0BC8B20E38EE62
                            SHA256: 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
2436  iexplore.exe  der     C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86C
                            MD5: CC4A1C70F16AFDC865CFFC67CAEDE5A1
                            SHA256: 69227D14D500F270B8662234349D38AC2639FA6CC656CC687797D7DF0A747333

Note: the two cookie files (0ZQOAZ2O.txt and 1J72P9JL.txt) carry identical hashes, i.e. the same content written twice. Every file here is browser cache, cookie or certificate-cache output of the Low-integrity tab process or the frame process; no executable was dropped.
HTTP(S) requests: 18
TCP/UDP connections: 48
DNS requests: 17
Threats: 0

HTTP requests (10 of 18 shown in this summary)

PID   Process       Method  Code  IP:port             CN  Type        Size     Reputation   (URL on the following line)
568   iexplore.exe  GET     200   142.250.185.67:80   US  der         1.41 Kb  whitelisted
      http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
568   iexplore.exe  GET     200   76.223.26.96:80     US  html        5.86 Kb  malicious
      http://ww9.uhceservice.com/
568   iexplore.exe  GET     200   13.32.23.64:80      US  text        6.84 Kb  suspicious
      http://d38psrni17bvxu.cloudfront.net/scripts/maincaf.js
568   iexplore.exe  GET     200   142.250.185.67:80   US  der         472 b    whitelisted
      http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDZJO6dlgsrcRKeDfRzpInH
568   iexplore.exe  GET     200   142.250.185.67:80   US  der         472 b    whitelisted
      http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDbyHvBeZtpOQpKuNstwnpv
2436  iexplore.exe  GET     200   93.184.220.29:80    US  der         779 b    whitelisted
      http://crl3.digicert.com/DigiCertGlobalRootCA.crl
568   iexplore.exe  GET     200   142.250.185.68:80   US  text        52.2 Kb  whitelisted
      http://www.google.com/adsense/domains/caf.js
568   iexplore.exe  POST    201   76.223.26.96:80     US  compressed  20 b     malicious
      http://ww9.uhceservice.com/ls.php
568   iexplore.exe  GET     200   185.53.178.30:80    DE  text        761 b    whitelisted
      http://c.parkingcrew.net/scripts/sale_form.js
568   iexplore.exe  GET     200   142.250.181.227:80  US  woff        14.5 Kb  whitelisted
      http://fonts.gstatic.com/s/portlligatslab/v21/LDIpaoiQNgArA8kR7ulhZ8P_NYOsg70R8A.woff

Connections (10 of 48 shown in this summary; "-" = not given)

PID   Process       IP:port             Domain                   ASN                          CN  Reputation
-     -             209.197.3.8:80      ctldl.windowsupdate.com  STACKPATH-CDN                US  whitelisted
2436  iexplore.exe  13.107.21.200:443   www.bing.com             MICROSOFT-CORP-MSN-AS-BLOCK  US  whitelisted
-     -             93.184.220.29:80    ocsp.digicert.com        EDGECAST                     GB  whitelisted
568   iexplore.exe  173.239.5.6:80      -                        WEBAIR-INTERNET              US  malicious
2436  iexplore.exe  204.79.197.200:443  www.bing.com             MICROSOFT-CORP-MSN-AS-BLOCK  US  whitelisted
568   iexplore.exe  74.206.228.78:80    -                        WEBAIR-INTERNET              US  malicious
-     -             152.199.19.161:443  iecvlist.microsoft.com   EDGECAST                     US  whitelisted
2436  iexplore.exe  93.184.220.29:80    ocsp.digicert.com        EDGECAST                     GB  whitelisted
568   iexplore.exe  142.250.185.68:80   www.google.com           GOOGLE                       US  whitelisted
568   iexplore.exe  76.223.26.96:80     ww9.uhceservice.com      AMAZON-02                    US  malicious

DNS requests (10 of 17 shown in this summary)

Domain                    IP(s)                          Reputation
api.bing.com              13.107.5.80                    whitelisted
www.bing.com              13.107.21.200, 204.79.197.200  whitelisted
ctldl.windowsupdate.com   209.197.3.8                    whitelisted
ocsp.digicert.com         93.184.220.29                  whitelisted
iecvlist.microsoft.com    152.199.19.161                 whitelisted
r20swj13mr.microsoft.com  152.199.19.161                 whitelisted
crl3.digicert.com         93.184.220.29                  whitelisted
ww9.uhceservice.com       76.223.26.96, 13.248.148.254   malicious
www.google.com            142.250.185.68                 whitelisted
fonts.googleapis.com      142.250.186.138                whitelisted

Threats

PID   Process       Class                          Message
568   iexplore.exe  A Network Trojan was detected  ET MALWARE Win32/Zonebac Traffic Redirect

Note: this IDS alert (raised on the Low-integrity tab process's traffic, and not reflected in the "Threats: 0" counter above) is the only hostile signal in the report besides the reputation tags on ww9.uhceservice.com and the two WEBAIR-INTERNET addresses. The process, file and registry activity is ordinary Internet Explorer behaviour, and the scripts the landing page loads (c.parkingcrew.net/scripts/sale_form.js, www.google.com/adsense/domains/caf.js) are those of a domain-parking page. Confirm the alert against the PCAP in the full report before treating the visiting host as infected.
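The checks a practitioner runs over a summary like this one, as an added example by the editor rather than ANY.RUN code: the HTTP, connection and DNS rows are transcribed from the tables above (long OCSP and font paths shortened to "..."), while the triage rules, the PARKING_MARKERS list and every function name are the editor's own assumptions. It groups requests per host, finds the hop from the submitted apex domain to the subdomain that actually served the page, isolates the one request that sent data out (the POST to ls.php), names the parking-service scripts the page loaded, and lists connection addresses that no shown DNS answer explains.

```python
"""Triage helpers for the HTTP, connection and DNS tables of a sandbox report.

Added example, not ANY.RUN code. Rows are transcribed from the report above
(long OCSP and font paths shortened to "..."); the triage rules, marker list
and function names are the editor's assumptions, not ANY.RUN logic.
"""
from collections import defaultdict
from urllib.parse import urlsplit

SUBMITTED_URL = "http://uhceservice.com/"

# (pid, method, status, "ip:port", url, content type, reputation)
HTTP = [
    (568, "GET", 200, "142.250.185.67:80", "http://ocsp.pki.goog/gsr1/...", "der", "whitelisted"),
    (568, "GET", 200, "76.223.26.96:80", "http://ww9.uhceservice.com/", "html", "malicious"),
    (568, "GET", 200, "13.32.23.64:80", "http://d38psrni17bvxu.cloudfront.net/scripts/maincaf.js", "text", "suspicious"),
    (568, "GET", 200, "142.250.185.67:80", "http://ocsp.pki.goog/gts1c3/...", "der", "whitelisted"),
    (568, "GET", 200, "142.250.185.67:80", "http://ocsp.pki.goog/gts1c3/...", "der", "whitelisted"),
    (2436, "GET", 200, "93.184.220.29:80", "http://crl3.digicert.com/DigiCertGlobalRootCA.crl", "der", "whitelisted"),
    (568, "GET", 200, "142.250.185.68:80", "http://www.google.com/adsense/domains/caf.js", "text", "whitelisted"),
    (568, "POST", 201, "76.223.26.96:80", "http://ww9.uhceservice.com/ls.php", "compressed", "malicious"),
    (568, "GET", 200, "185.53.178.30:80", "http://c.parkingcrew.net/scripts/sale_form.js", "text", "whitelisted"),
    (568, "GET", 200, "142.250.181.227:80", "http://fonts.gstatic.com/s/portlligatslab/v21/...", "woff", "whitelisted"),
]
# (ip, domain or None when the table gives none, asn, reputation)
CONNECTIONS = [
    ("209.197.3.8", "ctldl.windowsupdate.com", "STACKPATH-CDN", "whitelisted"),
    ("13.107.21.200", "www.bing.com", "MICROSOFT-CORP-MSN-AS-BLOCK", "whitelisted"),
    ("93.184.220.29", "ocsp.digicert.com", "EDGECAST", "whitelisted"),
    ("173.239.5.6", None, "WEBAIR-INTERNET", "malicious"),
    ("204.79.197.200", "www.bing.com", "MICROSOFT-CORP-MSN-AS-BLOCK", "whitelisted"),
    ("74.206.228.78", None, "WEBAIR-INTERNET", "malicious"),
    ("152.199.19.161", "iecvlist.microsoft.com", "EDGECAST", "whitelisted"),
    ("142.250.185.68", "www.google.com", "GOOGLE", "whitelisted"),
    ("76.223.26.96", "ww9.uhceservice.com", "AMAZON-02", "malicious"),
]
# domain -> answers; the summary shows 10 of the 17 queries, so this is partial
DNS = {
    "api.bing.com": ["13.107.5.80"],
    "www.bing.com": ["13.107.21.200", "204.79.197.200"],
    "ctldl.windowsupdate.com": ["209.197.3.8"],
    "ocsp.digicert.com": ["93.184.220.29"],
    "iecvlist.microsoft.com": ["152.199.19.161"],
    "r20swj13mr.microsoft.com": ["152.199.19.161"],
    "crl3.digicert.com": ["93.184.220.29"],
    "ww9.uhceservice.com": ["76.223.26.96", "13.248.148.254"],
    "www.google.com": ["142.250.185.68"],
    "fonts.googleapis.com": ["142.250.186.138"],
}
# host+path of scripts that identify a domain-parking page (editor's list)
PARKING_MARKERS = {
    "www.google.com/adsense/domains/caf.js": "Google AdSense for Domains",
    "c.parkingcrew.net/scripts/sale_form.js": "ParkingCrew sale form",
}


def host_summary(http):
    """Per host: reputation tags seen, methods used, number of requests."""
    out = defaultdict(lambda: {"reputation": set(), "methods": set(), "count": 0})
    for _pid, method, _status, _ip, url, _ctype, rep in http:
        h = out[urlsplit(url).hostname]
        h["reputation"].add(rep)
        h["methods"].add(method)
        h["count"] += 1
    return dict(out)


def landing_redirect(submitted, http):
    """(submitted host, host of the first HTML response) if they differ, else None.

    The apex domain was submitted but the first document came from a
    subdomain; that hop is the obvious candidate for the "traffic redirect"
    the IDS alert names, and the thing to verify in the PCAP.
    """
    want = urlsplit(submitted).hostname
    for _pid, _m, _s, _ip, url, ctype, _rep in http:
        if ctype == "html":
            got = urlsplit(url).hostname
            return (want, got) if got != want else None
    return None


def outbound_posts(http):
    """POSTs to hosts not tagged whitelisted: the requests that sent data out."""
    return [(urlsplit(u).hostname, urlsplit(u).path, status)
            for _pid, method, status, _ip, u, _ct, rep in http
            if method == "POST" and rep != "whitelisted"]


def parking_indicators(http):
    """Names of parking-service scripts the page loaded, in request order."""
    keys = [urlsplit(u).hostname + urlsplit(u).path for _p, _m, _s, _i, u, _c, _r in http]
    return [PARKING_MARKERS[k] for k in keys if k in PARKING_MARKERS]


def unresolved_connections(connections, dns):
    """Connection IPs with no domain that no shown DNS answer explains.

    A lead, not a finding: the IP may be hard-coded in a script, or its
    query may be among the DNS rows the summary omits. Check the PCAP.
    """
    answered = {ip for ips in dns.values() for ip in ips}
    return sorted({ip for ip, dom, _asn, _rep in connections
                   if dom is None and ip not in answered})


if __name__ == "__main__":
    for host, info in sorted(host_summary(HTTP).items()):
        print(f"{host:40} {'/'.join(sorted(info['reputation'])):12} "
              f"{'/'.join(sorted(info['methods'])):8} {info['count']}")
    print("redirect:", landing_redirect(SUBMITTED_URL, HTTP))
    print("outbound POSTs:", outbound_posts(HTTP))
    print("parking scripts:", parking_indicators(HTTP))
    print("unresolved connection IPs:", unresolved_connections(CONNECTIONS, DNS))
```

Run as a script it prints the per-host table followed by the four findings; for this report those are the hop from uhceservice.com to ww9.uhceservice.com, a single POST to /ls.php answered with 201, both parking markers, and the two WEBAIR-INTERNET addresses (173.239.5.6 and 74.206.228.78) that nothing in the shown DNS rows resolves to.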