Field | Value |
---|---|
URL | https://email.dhlgpi.com/link.php?M=400452&N=1400&L=32325&F=H |
Full analysis | https://app.any.run/tasks/d18928ed-0e85-4f85-a14f-d1748959645a |
Verdict | Malicious activity |
Analysis date | December 05, 2022, 22:43:59 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MD5 | 660ED75CF7DBE0885DB4E3784BD52A95 |
SHA1 | 947F55671EEA7A55E2608C8781B1AED82CCB36BA |
SHA256 | B4D53FE21B5CA0D9047F172E2282C911960F07847FCBE6EA0E363E4AE58D35A2 |
SSDEEP | 3:N8k2u4YRVIRd7XWBtn:2kxRIRdT6tn |

PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Version | Exit code |
---|---|---|---|---|---|---|---|---|---|---|
1328 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://email.dhlgpi.com/link.php?M=400452&N=1400&L=32325&F=H" | C:\Program Files\Internet Explorer\iexplore.exe | — | Explorer.EXE | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 11.00.9600.16428 (winblue_gdr.131013-1700) | — |
2972 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1328 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | admin | Microsoft Corporation | LOW | Internet Explorer | 11.00.9600.16428 (winblue_gdr.131013-1700) | — |
3752 | "C:\Program Files\Opera\opera.exe" | C:\Program Files\Opera\opera.exe | — | Explorer.EXE | admin | Opera Software | MEDIUM | Opera Internet Browser | 1748 | 0 |

PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
1328 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPDaysSinceLastAutoMigration | 1 |
1328 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPLastLaunchLowDateTime | 343366208 |
1328 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPLastLaunchHighDateTime | 31000827 |
1328 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | write | NextCheckForUpdateLowDateTime | 643524958 |
1328 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | write | NextCheckForUpdateHighDateTime | 31000827 |
1328 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | |
1328 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie: |
1328 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited: |
1328 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | write | CompatibilityFlags | 0 |
1328 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3752 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr1629.tmp | xml | DE4A17CC10C54796148075DDD79B95B3 | FFCC9FB215AEAAEEF4090A4759A78BBE812E414AB12C43E255AC70E625828C0A |
3752 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml | xml | DE4A17CC10C54796148075DDD79B95B3 | FFCC9FB215AEAAEEF4090A4759A78BBE812E414AB12C43E255AC70E625828C0A |
3752 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat | binary | 723153139924C7262597F4D3B5845070 | D0522F4037B4E0B9D85C109326F7B081F59B074F4280B35D68629984F2D958D2 |
3752 | opera.exe | C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00003.tmp | xml | 7966F3F842F1E41B71A94EE31B6DED29 | 1298A8BC01D74ACDDF2825B82EB242D005C0A816617A7E187FCC0B7BA8E23272 |
3752 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini | text | 41171535A84809AD5434047E608726D2 | DA2E59AF599B06479D2744092003E07BA2AE9BFD2E005CB0EF50A2D0381D3650 |
1328 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | DEA0587FB8AFA754B5A3CEB13D60DB80 | F059A588AEE4F1A3B5097BD185B2B4DAD74D26ED6119CFE0E981E5D2B579D421 |
3752 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr15BB.tmp | text | 41171535A84809AD5434047E608726D2 | DA2E59AF599B06479D2744092003E07BA2AE9BFD2E005CB0EF50A2D0381D3650 |
3752 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat | binary | 59761E989F564F76A3A4B778DB7ABCF1 | AF879942D234D85C0CE75921DBDDA50E2F6D135BD961F259106131751359052B |
3752 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opicacrt6.dat | binary | 82F1A2B1176A5ECC457D32301E2AD833 | A783052804DD4C232BE2ED3DC00C430CB67A20370890E235562ED2B27B5A602E |
3752 | opera.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms~RF10720d7.TMP | binary | DBC8C3C79F0DFF4745A5E25E13611AEF | 70C54F2C53CF246603B8DE4755D95C5AA51BF4B232340BEA5879724A1F84F675 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1328 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.78 Kb | whitelisted |
1328 | iexplore.exe | GET | — | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | — | — | whitelisted |
3752 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 740 b | whitelisted |
1328 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertGlobalRootCA.crl | US | der | 779 b | whitelisted |
1328 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted |
1328 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2d468724c325a5de | US | compressed | 4.70 Kb | whitelisted |
2972 | iexplore.exe | GET | 200 | 142.250.74.195:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDZJO6dlgsrcRKeDfRzpInH | US | der | 472 b | whitelisted |
1328 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?67cc66f09702b6b4 | US | compressed | 4.70 Kb | whitelisted |
2972 | iexplore.exe | GET | 200 | 142.250.74.195:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDreCS75DAIaRKqvCi%2FvL9c | US | der | 472 b | whitelisted |
2972 | iexplore.exe | GET | 200 | 142.250.74.195:80 | http://ocsp.pki.goog/s/gts1p5/pPW9rRUZe8E/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTsSieX%2BJFZNROWeLPoyKIdCXsxLgQU1fyeDd8eyt0Il5duK8VfxSv17LgCEEKU1XtRhewnDmtFW7iwqKw%3D | US | der | 471 b | whitelisted |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1328 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2972 | iexplore.exe | 188.114.97.3:443 | dhlgpi.com | CLOUDFLARENET | NL | malicious |
2972 | iexplore.exe | 188.114.96.3:443 | dhlgpi.com | CLOUDFLARENET | NL | malicious |
3752 | opera.exe | 185.26.182.93:443 | certs.opera.com | Opera Software AS | — | whitelisted |
1328 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
3752 | opera.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
1328 | iexplore.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted |
1328 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | EDGECAST | US | whitelisted |
2972 | iexplore.exe | 142.250.185.202:443 | fonts.googleapis.com | GOOGLE | US | whitelisted |
2972 | iexplore.exe | 104.16.86.20:443 | cdn.jsdelivr.net | CLOUDFLARENET | — | shared |

Domain | IP | Reputation |
---|---|---|
api.bing.com | — | whitelisted |
www.bing.com | — | whitelisted |
ctldl.windowsupdate.com | — | whitelisted |
ocsp.digicert.com | — | whitelisted |
certs.opera.com | — | whitelisted |
crl3.digicert.com | — | whitelisted |
iecvlist.microsoft.com | — | whitelisted |
r20swj13mr.microsoft.com | — | whitelisted |
dhl-news.com | — | unknown |
ocsp.pki.goog | — | whitelisted |