Field | Value
---|---
URL | http://email.z9.qg-mail.com/c/eJwVjUtuxCAQRE9jdoOahnabBYtEUa4R8bVRsD3xkFnM6UOkWpT0Sq-uHOu95qPfaprofaIPh5AUIgXM7A0nAPAEBZgSckZjRXIFKGgv6tgiggKrLCq1SM-FE-poUEWajZ4MvKz8WW-7r03Gcxeb42UOs1q0mWMoyaIJmTXZwsgGSmHR3Nb7fdJvE36O9MvH73qs8tHzMx_7I26_rb_-bYOGEMTlWjxb8-kcfyXVKNfzKbpDS4YWHM1_aSA0fxvFRUM
Full analysis | https://app.any.run/tasks/04662f53-2c64-4520-bfde-1d042283de7c
Verdict | Malicious activity
Analysis date | January 10, 2022, 21:07:00
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MD5 | EF67236371D435A54A81262C67AAAB4E
SHA1 | FFB98EC1C668A8005AB4D1EF22E22B32D552E4FD
SHA256 | A6190ABE8394505404F3CE8D0E383084EFDB998B78A2E357ACD8AE43DB93B917
SSDEEP | 6:CDAKGmzPaI6q2RMjcTHCJB1Y9YP8KicO8uFTFBuXqeZi7y90wrO7q6/k0Kd5Kl6e:LdEPazKjcOJDaHUmpBuniirABEdcg6N
PID | CMD | Path | Parent process | Details
---|---|---|---|---
2160 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://email.z9.qg-mail.com/c/eJwVjUtuxCAQRE9jdoOahnabBYtEUa4R8bVRsD3xkFnM6UOkWpT0Sq-uHOu95qPfaprofaIPh5AUIgXM7A0nAPAEBZgSckZjRXIFKGgv6tgiggKrLCq1SM-FE-poUEWajZ4MvKz8WW-7r03Gcxeb42UOs1q0mWMoyaIJmTXZwsgGSmHR3Nb7fdJvE36O9MvH73qs8tHzMx_7I26_rb_-bYOGEMTlWjxb8-kcfyXVKNfzKbpDS4YWHM1_aSA0fxvFRUM" | C:\Program Files\Internet Explorer\iexplore.exe | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
3544 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2160 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3544 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\DHBKSOOD.txt | text | 5F2EEE7B40A2351EA65BF8D76A3E77EE | 960958EB57C5B28C6B60695B421C90278BCC03D92FC5B4A60EA21D659B496FAE
3544 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\K0M5PI24.txt | text | 8CE8C86CB842358C2B49B21B30E8936A | 882912A5817A2FB731EFBF3D2E53DCBFDA02C08CF3A39D77DA38693094B5504E
3544 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der | 690C853F37A280EC104526B676AF97EA | D972CC505E7B0F85B202D4543364D74E6FE0802111B3705EF748E141D64BB32B
3544 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\5O2TWH9O.txt | text | C8D4013A60E186CC86ACBCECB546ACC1 | 5B98AE1B20F01FF131675D8A50EA4B3AA6C8563A22CBD4D0DF99FCD43DF51D35
2160 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F | der | E77449B560C8625DAC3684AC2C0C05B6 | 710603AFD54CA88D56B828BD668A48A2DFD3590BFBDC0555270113CFA71DC769
3544 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\XY2E0905.txt | text | B0D609D01BE6A89955AC03D4E298A0CA | 3C513D8D2833F1E290D7737D745A4E0FC0950505933CDD3B8AE25559BCD38035
3544 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\GXX8J5ND.txt | text | A9CE19466EF39F4D565B63C281103093 | DCC0E30B2F796B94AB7661CB204D49E38D46F4D5D75C6C669D724F673281D143
3544 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\67F6625BC22310D5C99DDE12020DBD90 | der | ED9812637AE0F850BCB6CDB32E9319A2 | 9900D836E1FB845E491F764245F7B16F4BC0BD2CB223EA106AD6FF1A5088EBFA
3544 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\M0Y5JYLU.txt | text | 0C4B7E953CE7CF8D6A6F2F808C5C7D07 | 35C5BCC725D2D6669DAEDA3809CE5A7AB475E4252C8C2269CDC6F5896BCEDC6F
3544 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary | 2D3A95DC9EE99C6023842417430C2FBD | 0FE3D62AF74343E3AFB0A8A220B11D2344A67AE0B275CEA524DB4FFF1B352CD8
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2160 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertGlobalRootCA.crl | US | der | 631 b | whitelisted |
3544 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
3544 | iexplore.exe | GET | 200 | 192.124.249.31:80 | http://crl.godaddy.com/gdroot-g2.crl | US | der | 462 b | whitelisted |
2160 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.68 Kb | whitelisted |
3544 | iexplore.exe | GET | 200 | 192.124.249.24:80 | http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | US | der | 1.69 Kb | whitelisted |
3544 | iexplore.exe | GET | 302 | 52.205.132.94:80 | http://email.z9.qg-mail.com/c/eJwVjUtuxCAQRE9jdoOahnabBYtEUa4R8bVRsD3xkFnM6UOkWpT0Sq-uHOu95qPfaprofaIPh5AUIgXM7A0nAPAEBZgSckZjRXIFKGgv6tgiggKrLCq1SM-FE-poUEWajZ4MvKz8WW-7r03Gcxeb42UOs1q0mWMoyaIJmTXZwsgGSmHR3Nb7fdJvE36O9MvH73qs8tHzMx_7I26_rb_-bYOGEMTlWjxb8-kcfyXVKNfzKbpDS4YWHM1_aSA0fxvFRUM | US | html | 417 b | suspicious |
3544 | iexplore.exe | GET | 302 | 138.197.51.36:80 | http://tracking.stevenmschultz.com/bbb | US | html | 99 b | unknown |
3544 | iexplore.exe | GET | 200 | 2.16.106.171:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?54250d5b91e94eca | unknown | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3544 | iexplore.exe | 192.124.249.22:80 | ocsp.godaddy.com | Sucuri | US | suspicious |
— | — | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3544 | iexplore.exe | 2.16.106.171:80 | ctldl.windowsupdate.com | Akamai International B.V. | — | whitelisted |
2160 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
3544 | iexplore.exe | 138.197.51.36:80 | tracking.stevenmschultz.com | Digital Ocean, Inc. | US | unknown |
3544 | iexplore.exe | 134.209.69.162:443 | mcrmgo.com | — | US | unknown |
3544 | iexplore.exe | 52.205.132.94:80 | email.z9.qg-mail.com | Amazon.com, Inc. | US | suspicious |
3544 | iexplore.exe | 104.16.16.194:443 | anthonymorrison.clickfunnels.com | Cloudflare Inc | US | shared |
2160 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2160 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation
---|---|---
email.z9.qg-mail.com | | suspicious
tracking.stevenmschultz.com | | unknown
mcrmgo.com | | unknown
ctldl.windowsupdate.com | | whitelisted
ocsp.godaddy.com | | whitelisted
api.bing.com | | whitelisted
www.bing.com | | whitelisted
ocsp.digicert.com | | whitelisted
crl.godaddy.com | | whitelisted
pwa.crmsecureorders.com | | unknown