URL: | https://t.co/fL3nnpaBVy |
Full analysis: | https://app.any.run/tasks/2da644d5-a946-4c5b-a087-170e7506f4d5 |
Verdict: | Malicious activity |
Analysis date: | May 20, 2022, 19:51:58 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | C38D6B61BB1C7227F6EC7303BBAC48EA |
SHA1: | 16288B52AE73347236F5C852FC0B5C6FF8D27565 |
SHA256: | 39E664B72928CAD00F7E544111DCD6FA3B0C30D3454749C6F1263D1C1BFA5081 |
SSDEEP: | 3:N8DIcLqc:28cL |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2972 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://t.co/fL3nnpaBVy" | C:\Program Files\Internet Explorer\iexplore.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
876 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2972 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
2972 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary | |
MD5:C69035F9CF5CF5231423EF3DDB3DD4DE | SHA256:F1AB011159FD06EDE8ECE058A4D9CBA432F8316089642F20D7FE7E412811FB2E | |||
876 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565 | binary | |
MD5:46CB1EAD50F7E42958AD0ECC2049BA6C | SHA256:ECC86A061BC1C4CDC2EA17378D31B9D344AA6DE50FC4D203F755B94EE6CC0E67 | |||
2972 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:93F7ACAB10C8968D60A3C5698273DBF8 | SHA256:7A97FFA8241F46F9A79A3DC3FCEC1AC459820B072AB9A195B07E962DF8D2004D | |||
876 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\50CD3D75D026C82E2E718570BD6F44D0_0F3AE8259E12076D2FFAFC70FC4D8B36 | binary | |
MD5:B81084DDE5F3DD6CFCFB3930BAB5B9EE | SHA256:BF43226DEE2F0B2343BAD7A33689B1BF70D7FF9CE23225897B64FEB317E57DF6 | |||
876 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4C15C608532795FB74FE3371B33727BD | binary | |
MD5:6AA3167706976FD5A205368AF4461946 | SHA256:E288F75AC0AD2F540DE454039DC7118EF9D979D149A152770FF5AFBB6D074271 | |||
876 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | binary | |
MD5:33C4E1F32A1E1802101D40F563742E88 | SHA256:FAA800823D3CE4F43B2689DC5C64664454EF2332A8D24AD4C4DEE487ED90B7C0 | |||
876 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed | |
MD5:B9F21D8DB36E88831E5352BB82C438B3 | SHA256:998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E | |||
876 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565 | der | |
MD5:A12BBD3C1E1202291A681C4A8DE456C6 | SHA256:F91B8E07DF51907716B9F629E44B02B82FE5B0C7B09859B1458642A096B52027 | |||
876 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | binary | |
MD5:011819449296DA0F1A04F51DA7124C9A | SHA256:25C18EFFC0A9CE8A679508FDAF7DD680FB8FB883787E18EE8DFD44B2BB49B8E2 | |||
2972 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der | |
MD5:AC8FE9D561E9E7288AECF13F03AEA3D1 | SHA256:CECD911136F3CCBE6F4869CBCBD9FD15B3FA91CD2FD49B9655FA3BCF8E932C05 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
876 | iexplore.exe | GET | 200 | 142.250.185.195:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted |
876 | iexplore.exe | GET | 302 | 85.202.169.148:80 | http://xn--d1af5ac.xn--p1ai/sp/rwt56htr5we67rhh5 | unknown | — | — | unknown |
876 | iexplore.exe | GET | 200 | 142.250.185.195:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted |
876 | iexplore.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7a85ad4903b75cf8 | US | compressed | 60.0 Kb | whitelisted |
876 | iexplore.exe | GET | 200 | 96.16.145.230:80 | http://x1.c.lencr.org/ | US | der | 717 b | whitelisted |
876 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAfy81yHqHeveu%2FpR5k1Jb0%3D | US | der | 471 b | whitelisted |
2972 | iexplore.exe | GET | 200 | 194.165.16.55:80 | http://fjorist.ru/favicon.ico | MC | — | — | unknown |
876 | iexplore.exe | GET | 200 | 195.138.255.9:80 | http://e1.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTvkAFw3ViPKmUeIVEf3NC7b1ErqwQUWvPtK%2Fw2wjd5uVIw6lRvz1XLLqwCEgPYAJNrYGfSL7AVZ3EAWeJmFQ%3D%3D | DE | der | 345 b | whitelisted |
876 | iexplore.exe | GET | 200 | 194.165.16.55:80 | http://fjorist.ru//?u=bt1k60t&o=xqt63qn&t=cid:3800&cid=3800-6266-20220520225232423374 | MC | html | 87.5 Kb | unknown |
876 | iexplore.exe | GET | 200 | 194.165.16.55:80 | http://fjorist.ru/media/mainstream/frame.html | MC | html | 39 b | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2972 | iexplore.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
876 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
876 | iexplore.exe | 104.244.42.197:443 | t.co | Twitter Inc. | US | suspicious |
876 | iexplore.exe | 104.244.42.69:443 | t.co | Twitter Inc. | US | suspicious |
2972 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2972 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
876 | iexplore.exe | 142.250.185.195:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
— | — | 209.197.3.8:80 | ctldl.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
876 | iexplore.exe | 142.250.185.142:443 | hosefu.page.link | Google Inc. | US | whitelisted |
— | — | 195.138.255.9:80 | e1.o.lencr.org | AS33891 Netzbetrieb GmbH | DE | suspicious |
Domain | IP | Reputation |
---|---|---|
t.co |
| shared |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
hosefu.page.link |
| malicious |
ocsp.pki.goog |
| whitelisted |
xn--d1af5ac.xn--p1ai |
| unknown |
maymimel.gq |
| suspicious |
x1.c.lencr.org |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .gq Domain |
876 | iexplore.exe | Potentially Bad Traffic | ET INFO Suspicious Domain (*.gq) in TLS SNI |
876 | iexplore.exe | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.gq) |
876 | iexplore.exe | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.gq) |
876 | iexplore.exe | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz) |
876 | iexplore.exe | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz) |
876 | iexplore.exe | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz) |
876 | iexplore.exe | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz) |
876 | iexplore.exe | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz) |
876 | iexplore.exe | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz) |