URL: http://uhceservice.com/

Full analysis: https://app.any.run/tasks/c79552f7-994f-4e6f-8064-93d462ec84db
Verdict: Malicious activity
Analysis date: December 05, 2022, 20:25:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MD5: 44752A81CACD955183606D3DFC767F23
SHA1: 11295692956961E35DF1A50B358694E3865B2FB4
SHA256: 5C1B74A5D8E23F843B493FAB250126FD01448D699BA2645B51E255DC3BEDC152
SSDEEP: 3:N1KLoA8:CkH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2436)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start iexplore.exe iexplore.exe

Process information

PID: 2436
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://uhceservice.com/"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators:
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  c:\program files\internet explorer\iexplore.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\iertutil.dll

PID: 568
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2436 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators:
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  c:\program files\internet explorer\iexplore.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events: 9 879
Read events: 9 776
Write events: 103
Delete events: 0

Modification events

(PID) Process: (2436) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 1

(PID) Process: (2436) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchLowDateTime
Value:

(PID) Process: (2436) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 31000807

(PID) Process: (2436) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateLowDateTime
Value:

(PID) Process: (2436) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 31000807

(PID) Process: (2436) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2436) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2436) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2436) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (2436) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files: 0
Suspicious files: 8
Text files: 15
Unknown types: 6

Dropped files

PID 2436, iexplore.exe, type: image
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5: DA597791BE3B6E732F0BC8B20E38EE62
SHA256: 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07

PID 2436, iexplore.exe, type: image
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[2].ico
MD5: DA597791BE3B6E732F0BC8B20E38EE62
SHA256: 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07

PID 568, iexplore.exe, type: html
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\TW3JC7B9.htm
MD5: C987012FF54472B0B17F8D52D156A6DD
SHA256: BCEF076451076202C7B72D98A5B4636285467110EBD7A179E924D121AC308778

PID 2436, iexplore.exe, type: image
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[1].ico
MD5: DA597791BE3B6E732F0BC8B20E38EE62
SHA256: 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07

PID 568, iexplore.exe, type: html
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\d4a6d4bd[1].htm
MD5: 8D7EE403185D30B6EB33B72EA7E0E134
SHA256: CA3EF9B142F944B0F616261D023F47B91B23BB7157AE42BEEFAEAF25B6C2F91B

PID 568, iexplore.exe, type: image
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\arrows[1].png
MD5: 0CB2E5165DC9324EB462199F04E1FFA9
SHA256: 67DFF0AAD873050F12609885F2264417CCDD0D438311000A704C89F0865F7865

PID 568, iexplore.exe, type: woff
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\LDIpaoiQNgArA8kR7ulhZ8P_NYOsg70R8A[1].woff
MD5: 8A7485A2BFAD1020E87E730FAF1BB4EF
SHA256: BA5A608E38133ACDFD6A100645AC7AB328D3D78E155C3EA68623657ECFFF7AB7

PID 2436, iexplore.exe, type: der
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86C
MD5: CC4A1C70F16AFDC865CFFC67CAEDE5A1
SHA256: 69227D14D500F270B8662234349D38AC2639FA6CC656CC687797D7DF0A747333

PID 568, iexplore.exe, type: compressed
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5: F7DCB24540769805E5BB30D193944DCE
SHA256: 6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA

PID 568, iexplore.exe, type: text
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\caf[1].js
MD5: 4E136CBCC7A57C82ECF7B7757F0DEE34
SHA256: 2499F63F73EBBB4A49F42669A55EB5C7B42799E591DCA36970BA9AB9BA17B9AF
HTTP(S) requests: 18
TCP/UDP connections: 48
DNS requests: 17
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
568 | iexplore.exe | GET | 200 | 185.53.178.30:80 | http://c.parkingcrew.net/scripts/sale_form.js | DE | text | 761 b | whitelisted
568 | iexplore.exe | GET | 200 | 76.223.26.96:80 | http://ww9.uhceservice.com/ | US | html | 5.86 Kb | malicious
568 | iexplore.exe | GET | 200 | 74.206.228.78:80 | http://uhceservice.com/ | US | html | 247 b | whitelisted
568 | iexplore.exe | GET | 200 | 142.250.185.68:80 | http://www.google.com/adsense/domains/caf.js | US | text | 52.2 Kb | whitelisted
568 | iexplore.exe | POST | 200 | 74.206.228.78:80 | http://uhceservice.com/ | US | html | 155 b | whitelisted
568 | iexplore.exe | GET | 200 | 142.250.186.138:80 | http://fonts.googleapis.com/css?family=Port+Lligat+Slab | US | text | 192 b | whitelisted
568 | iexplore.exe | GET | 200 | 13.32.23.64:80 | http://d38psrni17bvxu.cloudfront.net/scripts/maincaf.js | US | text | 6.84 Kb | malicious
568 | iexplore.exe | GET | 200 | 76.223.26.96:80 | http://ww9.uhceservice.com/track.php?domain=uhceservice.com&toggle=browserjs&uid=MTY3MDI3MjAwMS4wOTM4OjcxNDkyOTdmYmVlYmJiMWQ5YjZiNDYyZTNiYjYwYjViYWMzMDNmODA3ZjcxM2Q5OGJhNWU5YjgwODc2MmFjZmU6NjM4ZTU0MDExNmU0Yw%3D%3D | US | binary | 20 b | malicious
2436 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertGlobalRootCA.crl | US | der | 779 b | whitelisted
568 | iexplore.exe | GET | 200 | 13.32.23.64:80 | http://d38psrni17bvxu.cloudfront.net/themes/cleanPeppermintBlack_657d9013/img/arrows.png | US | image | 11.1 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2436 | iexplore.exe | 13.107.21.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
568 | iexplore.exe | 173.239.5.6:80 | - | WEBAIR-INTERNET | US | malicious
- | - | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | suspicious
2436 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
568 | iexplore.exe | 74.206.228.78:80 | - | WEBAIR-INTERNET | US | malicious
2436 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
568 | iexplore.exe | 76.223.26.96:80 | ww9.uhceservice.com | AMAZON-02 | US | malicious
2436 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | EDGECAST | US | whitelisted
- | - | 152.199.19.161:443 | iecvlist.microsoft.com | EDGECAST | US | whitelisted
- | - | 76.223.26.96:80 | ww9.uhceservice.com | AMAZON-02 | US | malicious

DNS requests

Domain -> IP (Reputation)
api.bing.com -> 13.107.5.80 (whitelisted)
www.bing.com -> 13.107.21.200, 204.79.197.200 (whitelisted)
ctldl.windowsupdate.com -> 209.197.3.8 (whitelisted)
ocsp.digicert.com -> 93.184.220.29 (whitelisted)
iecvlist.microsoft.com -> 152.199.19.161 (whitelisted)
r20swj13mr.microsoft.com -> 152.199.19.161 (whitelisted)
crl3.digicert.com -> 93.184.220.29 (whitelisted)
ww9.uhceservice.com -> 76.223.26.96, 13.248.148.254 (malicious)
www.google.com -> 142.250.185.68 (whitelisted)
fonts.googleapis.com -> 142.250.186.138 (whitelisted)

Threats

PID | Process | Class | Message
568 | iexplore.exe | A Network Trojan was detected | ET MALWARE Win32/Zonebac Traffic Redirect

No debug info