URL: | http://vip.qajacefo.xyz/tracker?s_id=7&aff_id=149 |
Full analysis: | https://app.any.run/tasks/d1784f57-6e20-4bcf-ad40-787e1d717db4 |
Verdict: | Malicious activity |
Analysis date: | November 08, 2019, 12:45:04 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | C3668128E56B6C0FED6A48B7A72E429E |
SHA1: | 5E290301E09419FCDE3C24863DEFD95175B97C22 |
SHA256: | 7F090891121364CBE50F8C5898379D788FDEFBDCF46427A0E391878476641C0D |
SSDEEP: | 3:N1KISUEPF4GESMbRc:CISURTS26 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
504 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://vip.qajacefo.xyz/tracker?s_id=7&aff_id=149" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2408 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:504 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (504) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
(PID) Process: | (504) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (504) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (504) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones |
Operation: | write | Name: | SecuritySafe |
Value: 1 | |||
(PID) Process: | (504) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (504) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
(PID) Process: | (504) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active |
Operation: | write | Name: | {A024EC25-0225-11EA-AB41-5254004A04AF} |
Value: 0 | |||
(PID) Process: | (504) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
Operation: | write | Name: | Type |
Value: 4 | |||
(PID) Process: | (504) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
Operation: | write | Name: | Count |
Value: 2 | |||
(PID) Process: | (504) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
Operation: | write | Name: | Time |
Value: E3070B00050008000C002D0016001402 |
PID | Process | Filename | Type | |
---|---|---|---|---|
504 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
504 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2408 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8B8V1LRM\prl_qajacefo_xyz[1].htm | — | |
MD5:— | SHA256:— | |||
2408 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:49BEC86AF2B097C608DC8B6C94BC0B97 | SHA256:CAF0D40A72354590985A27476CEFA0F4A23CBD55C3F3624AD584834C45E558B2 | |||
2408 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GK8SGUJV\stylef2ad[1].css | text | |
MD5:FCF8D253EC2318FB71A46D6EBB3C6ABD | SHA256:C63F719B5B369E133EBCD4FE8654D332F06C062A52EA1C37707013876C6A1D9C | |||
2408 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8B8V1LRM\check-nl[1].jpg | image | |
MD5:DD88F6A5406B94AC5BC16160FE71B4E1 | SHA256:3550667EB87A9D334A0C788B9396E61D654BDA518944DD3BFAD8DD95DC958948 | |||
2408 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat | dat | |
MD5:9C56844918D024BA005901FC513949D4 | SHA256:94DDDB93AA9AFD9195B83F416CD7EEA7ABD78B17478ABF0AC2A074C440270C74 | |||
2408 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IJJVF75\sidenews3b[1].jpg | image | |
MD5:4931D451A83B1333EB2DEF3B06A7F7C1 | SHA256:7F2EC89E3BA6A18595EED05EED0B3041FA14DF84185FB7EA821C9F484B3DCCF1 | |||
2408 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@qajacefo[1].txt | text | |
MD5:25F29B738D22EA4E07A7E5842D33FD78 | SHA256:FDC152004ACDAB26C3E2DD14656F5E5BB2ACD04DD93B69FCAF3254DF3C040227 | |||
2408 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8B8V1LRM\bootstrap.min[1].css | text | |
MD5:718BD84487FF664450E607A22BD88819 | SHA256:5ECA7E266D572326160B9BF8D76A54666C27C0D9FD8E448BFA4138BE69EBD3C6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2408 | iexplore.exe | GET | 302 | 104.31.79.119:80 | http://vip.qajacefo.xyz/tracker?s_id=7&aff_id=149 | US | — | — | suspicious |
2408 | iexplore.exe | GET | 200 | 104.31.79.119:80 | http://prl.qajacefo.xyz/prelands/834/images/sidenews3b.jpg | US | image | 40.8 Kb | suspicious |
2408 | iexplore.exe | GET | 200 | 104.31.79.119:80 | http://prl.qajacefo.xyz/prelands/834/images/sidenews2.jpg | US | image | 324 Kb | suspicious |
2408 | iexplore.exe | GET | 200 | 104.31.79.119:80 | http://prl.qajacefo.xyz/prelands/834/css/reset.css | US | text | 543 b | suspicious |
2408 | iexplore.exe | GET | 200 | 104.31.79.119:80 | http://prl.qajacefo.xyz/prelands/834/images/aufam_nl.jpg | US | image | 458 Kb | suspicious |
2408 | iexplore.exe | GET | 200 | 104.31.79.119:80 | http://prl.qajacefo.xyz/prelands/834/images/check-nl.jpg | US | image | 96.5 Kb | suspicious |
2408 | iexplore.exe | GET | 200 | 104.31.79.119:80 | http://prl.qajacefo.xyz/?pl=834.7066c0d851aa1872149f61ef3a66ff25&n=aHR0cDovL25sLmJpdGNvaW5ydXNoLWFwcC52aXAucWFqYWNlZm8ueHl6P3Nlc3Npb249NTJiYmVhOGRkYzc3NDE5ZGJlZjVhN2U4NzQ2ZWQ4MGYmYWZmX2lkPTE0OSZmcHA9MQ== | US | html | 9.28 Kb | suspicious |
2408 | iexplore.exe | GET | 200 | 104.31.79.119:80 | http://prl.qajacefo.xyz/prelands/834/css/bootstrap.min.css | US | text | 18.8 Kb | suspicious |
2408 | iexplore.exe | GET | — | 104.31.78.119:80 | http://prl.qajacefo.xyz/prelands/834/images/gavin.jpg | US | — | — | suspicious |
2408 | iexplore.exe | GET | 200 | 104.31.79.119:80 | http://prl.qajacefo.xyz/prelands/834/images/twitter_buzz.gif | US | image | 3.64 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
504 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
— | — | 104.31.79.119:80 | vip.qajacefo.xyz | Cloudflare Inc | US | suspicious |
2408 | iexplore.exe | 104.31.78.119:80 | vip.qajacefo.xyz | Cloudflare Inc | US | suspicious |
2408 | iexplore.exe | 104.31.79.119:80 | vip.qajacefo.xyz | Cloudflare Inc | US | suspicious |
2408 | iexplore.exe | 104.31.85.190:443 | bitcoin-news.vip | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
vip.qajacefo.xyz |
| suspicious |
www.bing.com |
| whitelisted |
prl.qajacefo.xyz |
| suspicious |
bitcoin-news.vip |
| suspicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
2408 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
2408 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
2408 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
2408 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
2408 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
2408 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
2408 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
2408 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
2408 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
2408 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |