URL: | http://rischyo.cf |
Full analysis: | https://app.any.run/tasks/cf33855d-0a6c-4195-bd30-ec03554f7e44 |
Verdict: | Malicious activity |
Analysis date: | October 04, 2022, 23:15:32 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | 36DCBA563E23AC671978A3698CD2C0D9 |
SHA1: | B3551AF928083BA2E490C592C7ED38638F422913 |
SHA256: | DFD9412E2B4097E2CD4F9312E578C2BDFD3A8BAA0F0C378C7A26A380F7C093A4 |
SSDEEP: | 3:N1KMK+D:CMK+D |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3232 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://rischyo.cf" | C:\Program Files\Internet Explorer\iexplore.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3956 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3232 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3232 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | binary | |
MD5:B4CED41DD21C3C906125DBA361F8BA77 | SHA256:6509444A267B01F088BCABAC4A7A9B7184C65B25D580BB6AFA08642E311D12A7 | |||
3956 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\CWBP02P4.txt | text | |
MD5:2957E884D4F0305D103A68F8473F3685 | SHA256:1182AE1A697C159E08AC2127A5A98CE0172CDE5F4D6AE0E4210B228F9A84A373 | |||
3232 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | binary | |
MD5:50DDE51C97B6395F32FA0C209803E115 | SHA256:2A0CD29D320BD4E5196C9C65861C0EBDB60CF93F9E57C150AA356926D5E985EB | |||
3956 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\451025123A22EB28E59EC89C0BD4D0AC_9B7EC2A7658032C5E257DD7F9C9949C5 | binary | |
MD5:4D5816C6701FADBFB266C58DA4FE6B83 | SHA256:78FC783BEF752F3500251DB19822075ECAD69FCD6C84A14F032C3BFB29AE93D0 | |||
3956 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\rc4-cipher-is-no-longer-supported-in-internet-explorer-11-or-microsoft-edge-f8687bc1-1f88-9abe-5c81-b00c26290f36[1].htm | html | |
MD5:00013BF2F00CAD55EB78EADEA779A7A5 | SHA256:1E1679E4D1F5C3D39FF14D52CE4A4F3A65ACF9B5896B8AA0201A1C93D5D4325B | |||
3956 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary | |
MD5:C4F48170939190D31D574ECD5293C145 | SHA256:61B260B04486AC2CA88BA8F077390CFB261BEEBBF6A18295C42C776AC64875BE | |||
3232 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\favicon[3].ico | image | |
MD5:DA597791BE3B6E732F0BC8B20E38EE62 | SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07 | |||
3232 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver50FF.tmp | xml | |
MD5:CBD0581678FA40F0EDCBC7C59E0CAD10 | SHA256:159BD4343F344A08F6AF3B716B6FA679859C1BD1D7030D26FF5EF0255B86E1D9 | |||
3232 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml | xml | |
MD5:CBD0581678FA40F0EDCBC7C59E0CAD10 | SHA256:159BD4343F344A08F6AF3B716B6FA679859C1BD1D7030D26FF5EF0255B86E1D9 | |||
3956 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\articleCss[1].css | text | |
MD5:94A8583DE8712A80BE362867E4C73BFE | SHA256:50207905302B5B9BEECD1C25436E7CDD55BBBCB77080A1C17BE46C2B3808423E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3956 | iexplore.exe | GET | — | 5.199.143.110:80 | http://rischyo.cf/ | DE | — | — | suspicious |
3956 | iexplore.exe | GET | — | 5.199.143.110:80 | http://rischyo.cf/ | DE | — | — | suspicious |
3956 | iexplore.exe | GET | — | 5.199.143.110:80 | http://rischyo.cf/ | DE | — | — | suspicious |
3956 | iexplore.exe | GET | — | 5.199.143.110:80 | http://rischyo.cf/ | DE | — | — | suspicious |
3956 | iexplore.exe | GET | — | 5.199.143.110:80 | http://rischyo.cf/ | DE | — | — | suspicious |
3956 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D | US | der | 471 b | whitelisted |
3232 | iexplore.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6c6eb969260ca870 | US | compressed | 4.70 Kb | whitelisted |
3232 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
3956 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D | US | der | 471 b | whitelisted |
3956 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA9bw6F2y3ieICDHiTyBZ7Q%3D | US | der | 1.47 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3232 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | EDGECAST | US | whitelisted |
3232 | iexplore.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted |
3956 | iexplore.exe | 5.199.143.110:80 | rischyo.cf | myLoc managed IT AG | DE | suspicious |
3232 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3232 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
3956 | iexplore.exe | 5.199.143.110:443 | rischyo.cf | myLoc managed IT AG | DE | suspicious |
3956 | iexplore.exe | 104.125.30.92:443 | go.microsoft.com | AKAMAI-AS | DE | unknown |
3956 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
3956 | iexplore.exe | 152.199.19.160:443 | ajax.aspnetcdn.com | EDGECAST | US | whitelisted |
3956 | iexplore.exe | 2.18.233.62:443 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
Domain | IP | Reputation |
---|---|---|
rischyo.cf |
| suspicious |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
support.microsoft.com |
| whitelisted |
oneocsp.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .cf Domain |
3956 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
3956 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |