URL: | http://x69fk.com |
Full analysis: | https://app.any.run/tasks/d472f56f-7f33-4e72-af0f-0d8352262fb6 |
Verdict: | Malicious activity |
Analysis date: | August 12, 2022, 18:03:51 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | 4AA9B950265680DAFE6AEE173F243C79 |
SHA1: | 481BDFD7F045CA34AE53F608980284AFEA84D86B |
SHA256: | 05A0888AF02C8B3447C7876DE032D301CA53E5A653950D3E3DAF534A5AA72C82 |
SSDEEP: | 3:N1KGTcS2:CGT4 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1284 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://x69fk.com" | C:\Program Files\Internet Explorer\iexplore.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3432 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1284 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2960 | -modal 131368 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDF468B.tmp -ep NetworkDiagnosticsWeb | C:\Windows\system32\msdt.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Diagnostics Troubleshooting Wizard Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2316 | C:\Windows\System32\sdiagnhost.exe -Embedding | C:\Windows\System32\sdiagnhost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Scripted Diagnostics Native Host Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1404 | "C:\Windows\system32\ipconfig.exe" /all | C:\Windows\system32\ipconfig.exe | — | sdiagnhost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: IP Configuration Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1252 | "C:\Windows\system32\ROUTE.EXE" print | C:\Windows\system32\ROUTE.EXE | — | sdiagnhost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Route Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2736 | "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf | C:\Windows\system32\makecab.exe | — | sdiagnhost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Cabinet Maker Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (1284) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPDaysSinceLastAutoMigration |
Value: 1 | |||
(PID) Process: | (1284) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchLowDateTime |
Value: | |||
(PID) Process: | (1284) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchHighDateTime |
Value: 30977653 | |||
(PID) Process: | (1284) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateLowDateTime |
Value: | |||
(PID) Process: | (1284) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 30977653 | |||
(PID) Process: | (1284) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (1284) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (1284) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (1284) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
(PID) Process: | (1284) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1284 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:2464DC11DC38E2650A1AC05B7861D974 | SHA256:16C13900CACD55CBB89E97E8CC7B0F2C50D63F10243F6046A57AE6F452977EDC | |||
1284 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F | binary | |
MD5:5A7E8EC98628A09127C62E1359676F18 | SHA256:34AD994A9986BE49DA07758D7150787A790390E6C4F023584A6508C3061A2820 | |||
3432 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary | |
MD5:87F4ABEE4CD93780B28C9FA989B00B34 | SHA256:8D37A06B85FE940830E36860D84D7460A38B14D5306F19F98BB6FD6C271419E3 | |||
3432 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed | |
MD5:589C442FC7A0C70DCA927115A700D41E | SHA256:2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A | |||
3432 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C3D32BF2CD2E38D6E0365925A85491BC | binary | |
MD5:C4359512F2FB0809BE434D9043C81034 | SHA256:C2E8478A21EBAAAF90F4888A8AE19C7FC001EA011B0864E706B6AC4B50DDE693 | |||
3432 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\1ROUAJ12.txt | text | |
MD5:12FDD6B72B8B0E3D614F2190BDF8FDC0 | SHA256:459F61BE9EAB9BBC0DE8CAB3A07A01EC7C5446076B0EBA44F4754249D0F3DD83 | |||
3432 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\IH3A53IT.txt | text | |
MD5:9E8E6746CB8413511E4633A847B86A36 | SHA256:C5A5752D70E807894931F51F1CE1923965F3AFB1FC59DDF298B281419458215B | |||
1284 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F | der | |
MD5:58A71F87AF282C6F1BE4382B43CF019A | SHA256:5FFD69796323104DA230E13AC796184F4A4651AC8B943E17D4FBBC680BA3D6FB | |||
3432 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | der | |
MD5:EC8FF3B1DED0246437B1472C69DD1811 | SHA256:E634C2D1ED20E0638C95597ADF4C9D392EBAB932D3353F18AF1E4421F4BB9CAB | |||
3432 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\TarD88F.tmp | cat | |
MD5:7EE994C83F2744D702CBA18693ED1758 | SHA256:5DB917AB6DC8A42A43617850DFBE2C7F26A7F810B229B349E9DD2A2D615671D2 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3432 | iexplore.exe | GET | 302 | 213.32.49.255:80 | http://x69fk.com/ | FR | — | — | suspicious |
3432 | iexplore.exe | GET | 302 | 213.32.49.255:80 | http://www.x69fk.com/main3 | FR | — | — | suspicious |
3432 | iexplore.exe | GET | 200 | 67.27.159.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7789e9ce4f4fe252 | US | compressed | 60.2 Kb | whitelisted |
3432 | iexplore.exe | GET | 200 | 96.16.145.230:80 | http://x1.c.lencr.org/ | US | der | 717 b | whitelisted |
3432 | iexplore.exe | GET | 302 | 213.32.49.255:80 | http://www.x69fk.com/main3 | FR | — | — | suspicious |
708 | svchost.exe | GET | 302 | 213.32.49.255:80 | http://x69fk.com/ | FR | — | — | suspicious |
3432 | iexplore.exe | GET | 302 | 213.32.49.255:80 | http://x69fk.com/ | FR | — | — | suspicious |
708 | svchost.exe | GET | 302 | 213.32.49.255:80 | http://www.x69fk.com/main3 | FR | — | — | suspicious |
1284 | iexplore.exe | GET | 200 | 67.27.159.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?09e3987e4879c330 | US | compressed | 4.70 Kb | whitelisted |
3432 | iexplore.exe | GET | 200 | 184.24.77.56:80 | http://e1.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTvkAFw3ViPKmUeIVEf3NC7b1ErqwQUWvPtK%2Fw2wjd5uVIw6lRvz1XLLqwCEgQlD2iIV5iX%2FpVnoKd5iXHS2A%3D%3D | US | der | 344 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3432 | iexplore.exe | 188.114.97.3:443 | burntrk.com | Cloudflare Inc | US | malicious |
1284 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
3432 | iexplore.exe | 213.32.49.255:80 | x69fk.com | OVH SAS | FR | malicious |
1284 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1284 | iexplore.exe | 67.27.159.254:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | malicious |
3432 | iexplore.exe | 67.27.159.254:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | malicious |
3432 | iexplore.exe | 184.24.77.56:80 | e1.o.lencr.org | Time Warner Cable Internet LLC | US | unknown |
3432 | iexplore.exe | 142.250.185.99:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
— | — | 13.107.21.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
3432 | iexplore.exe | 96.16.145.230:80 | x1.c.lencr.org | Akamai Technologies, Inc. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
x69fk.com |
| suspicious |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
www.x69fk.com |
| suspicious |
burntrk.com |
| malicious |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
x1.c.lencr.org |
| whitelisted |
x2.c.lencr.org |
| whitelisted |
e1.o.lencr.org |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
708 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |