URL: http://uhceservice.com/

Full analysis: https://app.any.run/tasks/c79552f7-994f-4e6f-8064-93d462ec84db
Verdict: Malicious activity
Analysis date: December 05, 2022, 20:25:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 44752A81CACD955183606D3DFC767F23
SHA1: 11295692956961E35DF1A50B358694E3865B2FB4
SHA256: 5C1B74A5D8E23F843B493FAB250126FD01448D699BA2645B51E255DC3BEDC152
SSDEEP: 3:N1KLoA8:CkH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS: No malicious indicators.
  • SUSPICIOUS: No suspicious indicators.
  • INFO: Application launched itself
    • iexplore.exe (PID: 2436)
No Malware configuration.
No data.
Total processes: 35
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph (process chain): start -> iexplore.exe -> iexplore.exe

Process information

PID: 2436
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://uhceservice.com/"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators: none listed
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll

PID: 568
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2436 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators: none listed
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events: 9 879
Read events: 9 776
Write events: 103
Delete events: 0

Modification events

(PID) Process | Operation | Key | Name | Value
(2436) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPDaysSinceLastAutoMigration | 1
(2436) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPLastLaunchLowDateTime |
(2436) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPLastLaunchHighDateTime | 31000807
(2436) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateLowDateTime |
(2436) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateHighDateTime | 31000807
(2436) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix |
(2436) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
(2436) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
(2436) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0
(2436) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
Executable files: 0
Suspicious files: 8
Text files: 15
Unknown types: 6

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2436 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C | binary | B93BE7F7105A70ADA63DE982DC79E9F3 | B91017BD0A01CC3FAEBAF964E7FD1D2634E7789FFB69459F1F891666F4F8F337
568 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\1J72P9JL.txt | text | 6BE29C742028CAF6432AFA3188662FBD | 438B09D11F9ABE6A477C512C65AC1143CA461E1E4BFF53D825441F9689537C0B
568 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\caf[1].js | text | 4E136CBCC7A57C82ECF7B7757F0DEE34 | 2499F63F73EBBB4A49F42669A55EB5C7B42799E591DCA36970BA9AB9BA17B9AF
568 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\maincaf[1].js | text | 3C7567521347BF95B105FFA7FDC7DA86 | 0E32BCA6B67DFDEED3F9B988DDCEC1ADF0502549A130A78C4ACE64C318A7EA29
2436 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86C | der | CC4A1C70F16AFDC865CFFC67CAEDE5A1 | 69227D14D500F270B8662234349D38AC2639FA6CC656CC687797D7DF0A747333
568 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\0ZQOAZ2O.txt | text | 6BE29C742028CAF6432AFA3188662FBD | 438B09D11F9ABE6A477C512C65AC1143CA461E1E4BFF53D825441F9689537C0B
568 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | DFC8146F82E91B1F6965F75C83473EF9 | 658DA0A012DA2763E8D5543277867BD71B53C13108D0AB6ACBA9A1AFD27E2BC5
568 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | der | 92BEFA03A7C35124AD47591735DF0972 | BA7E165D3126A33D77E5822F10675D2E029A399E43331E32968BB171107B2E2C
568 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\d4a6d4bd[1].htm | html | 8D7EE403185D30B6EB33B72EA7E0E134 | CA3EF9B142F944B0F616261D023F47B91B23BB7157AE42BEEFAEAF25B6C2F91B
2436 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[2].ico | image | DA597791BE3B6E732F0BC8B20E38EE62 | 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
HTTP(S) requests: 18
TCP/UDP connections: 48
DNS requests: 17
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2436 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertGlobalRootCA.crl | US | der | 779 b | whitelisted
568 | iexplore.exe | GET | 200 | 76.223.26.96:80 | http://ww9.uhceservice.com/ | US | html | 5.86 Kb | malicious
568 | iexplore.exe | GET | 200 | 142.250.185.68:80 | http://www.google.com/adsense/domains/caf.js | US | text | 52.2 Kb | whitelisted
568 | iexplore.exe | GET | 200 | 13.32.23.64:80 | http://d38psrni17bvxu.cloudfront.net/scripts/maincaf.js | US | text | 6.84 Kb | suspicious
568 | iexplore.exe | GET | 200 | 142.250.185.67:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted
568 | iexplore.exe | GET | 200 | 142.250.181.227:80 | http://fonts.gstatic.com/s/portlligatslab/v21/LDIpaoiQNgArA8kR7ulhZ8P_NYOsg70R8A.woff | US | woff | 14.5 Kb | whitelisted
568 | iexplore.exe | GET | 200 | 185.53.178.30:80 | http://c.parkingcrew.net/scripts/sale_form.js | DE | text | 761 b | whitelisted
568 | iexplore.exe | GET | 200 | 142.250.186.138:80 | http://fonts.googleapis.com/css?family=Port+Lligat+Slab | US | text | 192 b | whitelisted
568 | iexplore.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ae6729bb04e7d544 | US | compressed | 4.70 Kb | whitelisted
568 | iexplore.exe | GET | 200 | 142.250.185.67:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
- | - | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted
568 | iexplore.exe | 173.239.5.6:80 | - | WEBAIR-INTERNET | US | malicious
- | - | 152.199.19.161:443 | iecvlist.microsoft.com | EDGECAST | US | whitelisted
2436 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
2436 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2436 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | EDGECAST | US | whitelisted
568 | iexplore.exe | 76.223.26.96:80 | ww9.uhceservice.com | AMAZON-02 | US | malicious
- | - | 76.223.26.96:80 | ww9.uhceservice.com | AMAZON-02 | US | malicious
2436 | iexplore.exe | 13.107.21.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 13.107.21.200, 204.79.197.200 | whitelisted
ctldl.windowsupdate.com | 209.197.3.8 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted
crl3.digicert.com | 93.184.220.29 | whitelisted
ww9.uhceservice.com | 76.223.26.96, 13.248.148.254 | malicious
www.google.com | 142.250.185.68 | whitelisted
fonts.googleapis.com | 142.250.186.138 | whitelisted

Threats

PID | Process | Class | Message
568 | iexplore.exe | A Network Trojan was detected | ET MALWARE Win32/Zonebac Traffic Redirect