URL: | http://uhceservice.com/ |
Full analysis: | https://app.any.run/tasks/c79552f7-994f-4e6f-8064-93d462ec84db |
Verdict: | Malicious activity |
Analysis date: | December 05, 2022, 20:25:54 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | 44752A81CACD955183606D3DFC767F23 |
SHA1: | 11295692956961E35DF1A50B358694E3865B2FB4 |
SHA256: | 5C1B74A5D8E23F843B493FAB250126FD01448D699BA2645B51E255DC3BEDC152 |
SSDEEP: | 3:N1KLoA8:CkH |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2436 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://uhceservice.com/" | C:\Program Files\Internet Explorer\iexplore.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
568 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2436 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
|
(PID) Process: | (2436) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPDaysSinceLastAutoMigration |
Value: 1 | |||
(PID) Process: | (2436) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchLowDateTime |
Value: | |||
(PID) Process: | (2436) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchHighDateTime |
Value: 31000807 | |||
(PID) Process: | (2436) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateLowDateTime |
Value: | |||
(PID) Process: | (2436) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 31000807 | |||
(PID) Process: | (2436) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (2436) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (2436) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (2436) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
(PID) Process: | (2436) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
568 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\maincaf[1].js | text | |
MD5:3C7567521347BF95B105FFA7FDC7DA86 | SHA256:0E32BCA6B67DFDEED3F9B988DDCEC1ADF0502549A130A78C4ACE64C318A7EA29 | |||
2436 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C | binary | |
MD5:B93BE7F7105A70ADA63DE982DC79E9F3 | SHA256:B91017BD0A01CC3FAEBAF964E7FD1D2634E7789FFB69459F1F891666F4F8F337 | |||
568 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\0ZQOAZ2O.txt | text | |
MD5:6BE29C742028CAF6432AFA3188662FBD | SHA256:438B09D11F9ABE6A477C512C65AC1143CA461E1E4BFF53D825441F9689537C0B | |||
568 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\J12XHBLC.htm | html | |
MD5:C8FD8E9B99E88BC4324EABDEDBE5D0C5 | SHA256:67DC76F5FAE4A80F5DFE5FFA8411701163994A740884F825C0ED0D34A6CA9914 | |||
568 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\caf[1].js | text | |
MD5:4E136CBCC7A57C82ECF7B7757F0DEE34 | SHA256:2499F63F73EBBB4A49F42669A55EB5C7B42799E591DCA36970BA9AB9BA17B9AF | |||
568 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:DFC8146F82E91B1F6965F75C83473EF9 | SHA256:658DA0A012DA2763E8D5543277867BD71B53C13108D0AB6ACBA9A1AFD27E2BC5 | |||
568 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\sale_form[1].js | text | |
MD5:64F809E06446647E192FCE8D1EC34E09 | SHA256:F52CBD664986AD7ED6E71C448E2D31D1A16463E4D9B7BCA0C6BE278649CCC4F3 | |||
568 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\1J72P9JL.txt | text | |
MD5:6BE29C742028CAF6432AFA3188662FBD | SHA256:438B09D11F9ABE6A477C512C65AC1143CA461E1E4BFF53D825441F9689537C0B | |||
2436 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[2].ico | image | |
MD5:DA597791BE3B6E732F0BC8B20E38EE62 | SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07 | |||
2436 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86C | der | |
MD5:CC4A1C70F16AFDC865CFFC67CAEDE5A1 | SHA256:69227D14D500F270B8662234349D38AC2639FA6CC656CC687797D7DF0A747333 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
568 | iexplore.exe | GET | 200 | 142.250.185.67:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted |
568 | iexplore.exe | GET | 200 | 76.223.26.96:80 | http://ww9.uhceservice.com/ | US | html | 5.86 Kb | malicious |
568 | iexplore.exe | GET | 200 | 13.32.23.64:80 | http://d38psrni17bvxu.cloudfront.net/scripts/maincaf.js | US | text | 6.84 Kb | suspicious |
568 | iexplore.exe | GET | 200 | 142.250.185.67:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDZJO6dlgsrcRKeDfRzpInH | US | der | 472 b | whitelisted |
568 | iexplore.exe | GET | 200 | 142.250.185.67:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDbyHvBeZtpOQpKuNstwnpv | US | der | 472 b | whitelisted |
2436 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertGlobalRootCA.crl | US | der | 779 b | whitelisted |
568 | iexplore.exe | GET | 200 | 142.250.185.68:80 | http://www.google.com/adsense/domains/caf.js | US | text | 52.2 Kb | whitelisted |
568 | iexplore.exe | POST | 201 | 76.223.26.96:80 | http://ww9.uhceservice.com/ls.php | US | compressed | 20 b | malicious |
568 | iexplore.exe | GET | 200 | 185.53.178.30:80 | http://c.parkingcrew.net/scripts/sale_form.js | DE | text | 761 b | whitelisted |
568 | iexplore.exe | GET | 200 | 142.250.181.227:80 | http://fonts.gstatic.com/s/portlligatslab/v21/LDIpaoiQNgArA8kR7ulhZ8P_NYOsg70R8A.woff | US | woff | 14.5 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted |
2436 | iexplore.exe | 13.107.21.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
— | — | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
568 | iexplore.exe | 173.239.5.6:80 | — | WEBAIR-INTERNET | US | malicious |
2436 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
568 | iexplore.exe | 74.206.228.78:80 | — | WEBAIR-INTERNET | US | malicious |
— | — | 152.199.19.161:443 | iecvlist.microsoft.com | EDGECAST | US | whitelisted |
2436 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
568 | iexplore.exe | 142.250.185.68:80 | www.google.com | GOOGLE | US | whitelisted |
568 | iexplore.exe | 76.223.26.96:80 | ww9.uhceservice.com | AMAZON-02 | US | malicious |
Domain | IP | Reputation |
---|---|---|
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
crl3.digicert.com |
| whitelisted |
ww9.uhceservice.com |
| malicious |
www.google.com |
| whitelisted |
fonts.googleapis.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
568 | iexplore.exe | A Network Trojan was detected | ET MALWARE Win32/Zonebac Traffic Redirect |