Field | Value
---|---|
File name | secured_04587169ZEKDFAJRW.htm
Full analysis | https://app.any.run/tasks/c356885d-19ac-479b-acff-1ab1c8c95972
Verdict | Malicious activity
Analysis date | August 12, 2022, 16:24:31
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | text/html
File info | HTML document, ASCII text, with very long lines
MD5 | 5C6E3C5B7253D671CE746BD17F6B1CF8
SHA1 | D0357AACAE1373FC2E08ED2BBB8B02B242960F89
SHA256 | 384EC363221FDA3D0A8FC12A929BC225D2F0903D3E76D8E68C5D1E30CD6E21BF
SSDEEP | 96:ehz6o0RDMP3R53X/NYHiNOb9TR6vr/4JA462tb:1XRDMrNYQWsz/ss2tb
.html | HyperText Markup Language (100)
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---|
3556 | "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\admin\Desktop\secured_04587169ZEKDFAJRW.htm.html" | C:\Program Files\Internet Explorer\iexplore.exe | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Exit code: 1; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
3804 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3556 CREDAT:144385 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Exit code: 0; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
3816 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3556 CREDAT:333057 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Exit code: 0; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
460 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\admin\Desktop\secured_04587169ZEKDFAJRW.htm.html | C:\Program Files\Google\Chrome\Application\chrome.exe | — | Explorer.EXE | User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Version: 86.0.4240.198
1060 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=86.0.4240.198 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x6e8bd988,0x6e8bd998,0x6e8bd9a4 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Version: 86.0.4240.198
2408 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1028,1124123049328735460,11780192210459936101,131072 --enable-features=PasswordImport --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1060 /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 86.0.4240.198
2432 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1028,1124123049328735460,11780192210459936101,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1424 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Version: 86.0.4240.198
2156 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,1124123049328735460,11780192210459936101,131072 --enable-features=PasswordImport --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1828 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 86.0.4240.198
2772 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,1124123049328735460,11780192210459936101,131072 --enable-features=PasswordImport --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1936 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 86.0.4240.198
3144 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,1124123049328735460,11780192210459936101,131072 --enable-features=PasswordImport --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2288 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 86.0.4240.198
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---|
460 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-62F67EDD-1CC.pma | — | — | —
3556 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\{4B8D5C98-1A5B-11ED-8C90-12A9866C77DE}.dat | binary | D145EEB457FD5695D7E3F57D7506DC07 | AEB0996407970D1E5D6FBA6D49055F1044F907B6822C745E6DFC300F4C394BA4
3556 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\{4B8D5C99-1A5B-11ED-8C90-12A9866C77DE}.dat | binary | C4CBB230CEC782BD0D100F8EBC5DE82D | 15D92A3586D9463231F21F1A42E0E40B4C89041C69157F6F16960CBF4D5EE698
3556 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{40E83CC7-1A5B-11ED-8C90-12A9866C77DE}.dat | binary | D56013C0B278ABD05FF720501CD98576 | 19828FF16B285046A4D32A3A4911635B1B9AFBFBFFDABAFADC547910030726E0
3556 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{40E83CC5-1A5B-11ED-8C90-12A9866C77DE}.dat | binary | 02799AF80A16ED2C66D3F29DE65ECA40 | 4581B49DC763D5BA8BE167033244172C86CA9F8496FC0937FB5F3620EA90B6EA
3556 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{40E83CC6-1A5B-11ED-8C90-12A9866C77DE}.dat | binary | 449208F6B2FBBAD6C14ABD9A4C69F87B | 390D80557212AC1514AC16A345AEF6C3B0BF0120099BBE53BD33C305C5410E22
3556 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{42C873D0-1D90-11EB-BA2C-12A9866C77DE}.dat | binary | 555648A7612ABD12457FE0B83C41A41F | CBFFA30C57649045DDC212370111A5E0DB620EF1CAA321FDB98459E398EE0B69
3556 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF9BC631C34829056D.TMP | gmc | 6C180CE22BA433D7016F8986B106C7EC | 6DFF89D674FFF7E35FCE399488FE178F2A1133595D27A2DF9D03B86D0025C2CA
3556 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF4F543EC399E63097.TMP | gmc | 23DEAB3EA907DC5E0F81BEDB79423809 | 2E3666A31F1CFD4B45C32EE753EC812C3D1A24803A1A7A95AAEB01E9B5DCA31B
3556 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFE885797D4CE958AF.TMP | gmc | A6B80FCCCD9B749D68B40742608E8022 | 7C85E022A7E821A0BA02C50193F391DAB09DB9D08520651E06277056D92AC460
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2432 | chrome.exe | GET | 302 | 142.250.181.238:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | html | 612 b | whitelisted |
384 | svchost.exe | GET | 304 | 67.27.158.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?12e9e0ec09484912 | US | — | — | whitelisted |
3556 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertGlobalRootCA.crl | US | der | 631 b | whitelisted |
3556 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.78 Kb | whitelisted |
2432 | chrome.exe | GET | 200 | 67.27.158.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d4581c04c043f3ec | US | compressed | 60.2 Kb | whitelisted |
3556 | iexplore.exe | GET | 200 | 67.27.158.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d294d8294014cb87 | US | compressed | 4.70 Kb | whitelisted |
2432 | chrome.exe | GET | 200 | 84.15.64.172:80 | http://r1---sn-cpux-30oe.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mh=e_&mip=85.206.166.82&mm=28&mn=sn-cpux-30oe&ms=nvh&mt=1660321228&mv=m&mvi=1&pcm2cms=yes&pl=22&rmhost=r2---sn-cpux-30oe.gvt1.com&shardbypass=sd&smhost=r1---sn-cpux-8ovs.gvt1.com | LT | crx | 242 Kb | whitelisted |
928 | svchost.exe | HEAD | — | 142.250.181.238:80 | http://redirector.gvt1.com/edgedl/release2/chrome_component/acym664js5xux6kw2viy4atw4uda_2022.8.8.1144/ggkkehgbnfjpeggfpleeakpidbkibbmn_2022.8.8.1144_all_olesxce7qq7cy7sctjkoeb4tce.crx3 | US | — | — | whitelisted |
2432 | chrome.exe | POST | 302 | 162.0.229.247:80 | http://fltsmu94.chasehotelgroupi.tk/wild/post.php | CA | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3556 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
3556 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2432 | chrome.exe | 67.27.158.126:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | malicious |
3556 | iexplore.exe | 67.27.158.126:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | malicious |
2432 | chrome.exe | 172.217.16.131:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
3556 | iexplore.exe | 13.107.22.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
2432 | chrome.exe | 142.250.181.225:443 | clients2.googleusercontent.com | Google Inc. | US | whitelisted |
2432 | chrome.exe | 94.158.246.181:443 | isnxfey.chasehotelgrou.ga | — | — | suspicious |
2432 | chrome.exe | 142.250.185.142:443 | clients2.google.com | Google Inc. | US | whitelisted |
2432 | chrome.exe | 172.217.23.109:443 | accounts.google.com | Google Inc. | US | suspicious |
Domain | IP | Reputation
---|---|---|
api.bing.com | | whitelisted
www.bing.com | | whitelisted
ctldl.windowsupdate.com | | whitelisted
ocsp.digicert.com | | whitelisted
accounts.google.com | | shared
clients2.google.com | | whitelisted
clientservices.googleapis.com | | whitelisted
clients2.googleusercontent.com | | whitelisted
isnxfey.chasehotelgrou.ga | | suspicious
8259734.chasehotelgrou.ga | | suspicious
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .ga Domain |
2432 | chrome.exe | Potentially Bad Traffic | ET INFO Suspicious Domain (*.ga) in TLS SNI |
2432 | chrome.exe | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.ga) |
2432 | chrome.exe | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.ga) |
2432 | chrome.exe | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.ga) |
— | — | Potentially Bad Traffic | ET DNS Query to a .tk domain - Likely Hostile |
2432 | chrome.exe | A Network Trojan was detected | ET CURRENT_EVENTS Possible Successful Phish to .tk domain Aug 26 2016 |
2432 | chrome.exe | Potentially Bad Traffic | ET POLICY HTTP Request to a *.tk domain |
2432 | chrome.exe | A Network Trojan was detected | ET CURRENT_EVENTS Possible Successful Generic Phish Jan 14 2016 |