Field | Value
---|---
URL | http://redirme.com/n23
Full analysis | https://app.any.run/tasks/9d5fcc39-6448-4407-b2b4-4197b5ad106d
Verdict | Malicious activity
Analysis date | May 21, 2022, 02:59:30
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MD5 | E328844AF073A90F25CF66A0AD76F785
SHA1 | 104AC033978B5064F6A7EEF728681A56904CFE6E
SHA256 | 46B90A470F8835276F5A0A6A3A119640ACE93E766660B67CD9B24225AA8D72A6
SSDEEP | 3:N1KMftXW:CMfM

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
1912 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://redirme.com/n23" | C:\Program Files\Internet Explorer\iexplore.exe | | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Exit code: 4294967295; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
2956 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1912 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Exit code: 4294967295; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
3292 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\antifag.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\antifag.exe | | iexplore.exe | User: admin; Company: anonymous; Integrity Level: MEDIUM; Description: anti fag virus; Exit code: 0; Version: 6.6.6
548 | "C:\Users\admin\AppData\Roaming\svchost.exe" | C:\Users\admin\AppData\Roaming\svchost.exe | | antifag.exe | User: admin; Integrity Level: MEDIUM; Description: Program; Version: 1.0.0.0
3568 | "C:\Windows\System32\ipconfig.exe" /release | C:\Windows\System32\ipconfig.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: IP Configuration Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
404 | "C:\Windows\System32\netsh.exe" firewall set opmode disable | C:\Windows\System32\netsh.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Network Command Shell; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2292 | "C:\Windows\System32\ipconfig.exe" /release | C:\Windows\System32\ipconfig.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: IP Configuration Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1804 | "C:\Windows\System32\netsh.exe" firewall set opmode disable | C:\Windows\System32\netsh.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Network Command Shell; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3876 | "C:\Windows\System32\ipconfig.exe" /release | C:\Windows\System32\ipconfig.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: IP Configuration Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3948 | "C:\Windows\System32\netsh.exe" firewall set opmode disable | C:\Windows\System32\netsh.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Network Command Shell; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2956 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary | DF0F59FD2A475C3867216BA9F9BA16D4 | C15369A28D38224EEC41154E4E6F4E775A0E7DF5AEEFB915F34E26B8FD90FBC1
2956 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\40RGNKNE.txt | text | D631A6A50B064F919FB7521C9F878123 | 8C08FD04F0177FD29C6A1D8EB1F66E5CD90E55FE95A53DF96C9794051C76D5E7
2956 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_609ACDACD474234BBB2272FC20821323 | binary | 6BDA3EB5E96149AAEECDBC446B231F9D | 74F68BAB27CCF9FAD3D17F8545EF6FF7930B5987D3E4073F0FAEB5CD1B6162C0
2956 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\LCO29A4V.txt | text | 4A1AF00A99484A8F22D240548E5D87A9 | F8C6B84E0F92C89BACFECAE80D01328FC7D29B46111F29A73014DCE7FAF1CAAC
2956 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_665120A0D9C414754DD0F4487D79F885 | binary | 5E35934277EF7535400DB4E0C80CD546 | 0672C366809E507B372C4F14208DAC8CC1A62F570075B20C53C00DADE3ACB2E6
2956 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\MY5AQ9HF.txt | text | 5B3ED6B36A4424A4F4E2CEA4B32FA8A3 | 507537DC13F403995574ED87D7AE9089D9E94E02A1A884567F902AE0DA004DC2
2956 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der | 47020B685E77ECD74ABC9ADCE105AD13 | 558C89968EE2679A433CC03190339A000DEDD32D1E7A21B9929DD7631C4211BD
2956 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | 8A2741720A57E504C586EF7E7DAA497A | 465BB0C5EEF9EC9498F297A1E58F3C43DE3D15926E69EBC1E2A031B1BBC59AC0
2956 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\antifag[1].htm | html | 17E414A23C60510904378B339011F288 | 271B579BB9BD6D840F02947279032D1BCEAF4491778FDCC4A5228324C1DFBC30
2956 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | der | 876BB087B3EB935A4DA2E5E7B74DC034 | 0B332FABB7D73FBA30142FB2A062431AC432BD49FBF7BD71416B00A368770E64


PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
2956 | iexplore.exe | GET | 200 | 142.250.186.163:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted |
2956 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
2956 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?97a1382d4b79da6c | US | compressed | 4.70 Kb | whitelisted |
2956 | iexplore.exe | GET | 200 | 142.250.186.163:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCdUrA%2FwvrytArhIvu6cF3d | US | der | 472 b | whitelisted |
2956 | iexplore.exe | GET | 200 | 142.250.186.163:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted |
2956 | iexplore.exe | GET | 200 | 142.250.186.163:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDwQ9JNOs3IcArkp%2FBu7NbU | US | der | 472 b | whitelisted |
1912 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
2956 | iexplore.exe | GET | 301 | 37.34.50.244:80 | http://redirme.com/n23 | NL | binary | 20 b | unknown |
2956 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a6ce02787dda06d2 | US | compressed | 4.70 Kb | whitelisted |
1996 | chrome.exe | GET | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | crx | 242 Kb | whitelisted |

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
2956 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2956 | iexplore.exe | 37.34.50.244:80 | redirme.com | CloudVPS B.V. | NL | unknown |
2956 | iexplore.exe | 142.250.181.234:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
2956 | iexplore.exe | 172.67.195.247:443 | tmpfiles.org | — | US | malicious |
— | — | 192.168.100.2:53 | — | — | — | whitelisted |
2956 | iexplore.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2956 | iexplore.exe | 142.250.186.78:443 | www.google-analytics.com | Google Inc. | US | whitelisted |
2956 | iexplore.exe | 142.250.185.168:443 | www.googletagmanager.com | Google Inc. | US | suspicious |
2956 | iexplore.exe | 142.250.186.163:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
1912 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |

Domain | IP | Reputation
---|---|---
redirme.com | | unknown
tmpfiles.org | | unknown
ctldl.windowsupdate.com | | whitelisted
www.microsoft.com | | whitelisted
ocsp.digicert.com | | whitelisted
fonts.googleapis.com | | whitelisted
www.googletagmanager.com | | whitelisted
ocsp.pki.goog | | whitelisted
www.google-analytics.com | | whitelisted
api.bing.com | | whitelisted

Process | Message
---|---
csc.exe | `*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302`
csc.exe | `*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144`
csc.exe | `*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302`
csc.exe | `*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144`
csc.exe | `*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302`
csc.exe | `*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144`
csc.exe | `*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302`
csc.exe | `*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144`
csc.exe | `*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302`
csc.exe | `*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144`