Field | Value |
---|---|
URL | http://ww.worf.at |
Full analysis | https://app.any.run/tasks/22861843-b393-4618-b5ca-a84c75e2461b |
Verdict | Malicious activity |
Analysis date | May 29, 2020, 20:49:15 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | — |
Indicators | — |
MD5 | B76B540449893F65C69FAE106B364039 |
SHA1 | 66D866E846E4C2E7C34DC52A3A0370ED5017790E |
SHA256 | 48DC39C84E790F2A8FA4B5F5D85E4CFB8AE71CA69C1507924E663818ED01B826 |
SSDEEP | 3:N1KJSmKXDL4n:CcmI4 |
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Version |
---|---|---|---|---|---|---|---|---|---|
2920 | "C:\Program Files\Internet Explorer\iexplore.exe" http://ww.worf.at | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 11.00.9600.16428 (winblue_gdr.131013-1700) |
2616 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2920 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | admin | Microsoft Corporation | LOW | Internet Explorer | 11.00.9600.16428 (winblue_gdr.131013-1700) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2616 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\CabDBB8.tmp | — | — | — |
2616 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\TarDBB9.tmp | — | — | — |
2616 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\jr[1].htm | html | 8ACCF3CFEA7995DBD4F8987A7BEEB0B4 | 3847E401B7B6AA108B9B728CD3366795E5E3F7DDDE19271D6E2FE44A41D0940C |
2616 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | binary | 46544EACA30ACEA5DA96F874669F3D26 | 4554D0715961D45C1E96A4F3B6549DD6FA66C326B1736973D2299B351D9B9A47 |
2616 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\JXVLZNHU.txt | text | 0E9D5250BAD80720740931C893872C81 | 33FABF3CAE5CA6F541D3273DA29C3DB1BFDE2C14147C1663AFF347DC0DEAA449 |
2616 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\1Z2BCCJ2.txt | — | — | — |
2616 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | binary | AD0F0B34532DB4CC48A464DD71759AA4 | D6F8680AE190A3C9BDCC59E0013C00017C8CBF68A869B0B1D307D4031C57BBE9 |
2616 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | der | C30E885A21D19AD207D195B57D62285F | C4E228478330DD1FEB4A21EC8ED4BB858C4D820A3D32A9C15ECC95A15B736703 |
2616 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\5G1VDRL3.txt | text | 7902E6194E71B4CD0D26FDAD06DF665B | E3DF1AA445E6EE0EE3E631497E89B64BDCDEEABC89A30D0CFDEC7223B4C1DE66 |
2616 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | der | 9EDA5FB06CD059FC962238EB5B5235A9 | 3BA98B51F41F850B64383185D61D9BB4BA6F7E9D9F89A6EC8EE470E675558A43 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2616 | iexplore.exe | GET | — | 103.224.182.250:80 | http://ww.worf.at/js/swfobject.js | AU | — | — | malicious |
2616 | iexplore.exe | GET | 302 | 54.236.137.187:80 | http://usa.eyvindr-eng.com/zcvisitor/e62fe112-a1ed-11ea-b86b-0aa1296af49b?campaignid=0764a590-0fc2-11ea-a806-0a157bfa6bfc | US | — | — | shared |
2616 | iexplore.exe | GET | 302 | 103.224.212.241:80 | http://park.above.com/jr.php?gz=fyAOaiAnd0k8nJmG12%2BKdeeO6UniG2Tm7AI88dXrA%2Bqxxrr0r58%2FbngM%2BaoQcKgJBapZQZyyj1iHYktSdTnQ5%2F%2FfrkXMp2reDTAe7KOTBRnlXFocQzSET3QkHf4r7XGYdILeLHN1yFAcDzt07Vk7OK7gVWpVrByEB0ZOPlhEFn%2BdtSfFd%2F9gDHjDC0%2BOo2BuM1%2FQZ1nTKBidn5OiwGC%2FfEi0o7m3USVq7lQPl5UwnhrVBIpaNZDD0r%2FbbfEPen1BUPBZyk6NONlZcu2FH3YHKslNHicaVAHr4ptyUCId6WwFHhsrC%2F2MjDYmbcW%2F%2Fsd%2BCBjNUWxdruJajEKIankrGlKiF5scoVR%2Fxnnnbm4nSdwvENwrT826CXnkBee5JFRNVWTrY2gROk3gefQaKWR0yu6buzvZKhhsJu3CKzYZTPEsHzau0W7yhjnffkEJlWimzpY1jetqyp4aBB3IRoI8qRJ1fyx69UFVKAabA8nlsEwDeWALnEtQm38kH84nwKfkDU47F47c1FoguhHZUtlzxeWSZw6cd5td4tOPur9HAI8IYMKyiLShnCa3qCTazMNz7vMGypry0HfMNlpkDNjpZ11hrjKUsplDuCLtnxFHHVVLKr33XEu3pof8O%2F5H1W3l2ZXceNfx9VylNF8unbl5sjec3ULt%2F28yp%2F3%2FQuKj12Q%3D&vs=1280:644&ds=1280:720&sl=-4:-4&os=f&nos=f&swfV=26.0.0&if=f&sc=f | AU | — | — | whitelisted |
— | — | GET | 200 | 52.222.157.6:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted |
2616 | iexplore.exe | GET | 200 | 103.224.212.241:80 | http://park.above.com/jr.php?gz=fyAOaiAnd0k8nJmG12%2BKdeeO6UniG2Tm7AI88dXrA%2Bqxxrr0r58%2FbngM%2BaoQcKgJBapZQZyyj1iHYktSdTnQ5%2F%2FfrkXMp2reDTAe7KOTBRnlXFocQzSET3QkHf4r7XGYdILeLHN1yFAcDzt07Vk7OK7gVWpVrByEB0ZOPlhEFn%2BdtSfFd%2F9gDHjDC0%2BOo2BuM1%2FQZ1nTKBidn5OiwGC%2FfEi0o7m3USVq7lQPl5UwnhrVBIpaNZDD0r%2FbbfEPen1BUPBZyk6NONlZcu2FH3YHKslNHicaVAHr4ptyUCId6WwFHhsrC%2F2MjDYmbcW%2F%2Fsd%2BCBjNUWxdruJajEKIankrGlKiF5scoVR%2Fxnnnbm4nSdwvENwrT826CXnkBee5JFRNVWTrY2gROk3gefQaKWR0yu6buzvZKhhsJu3CKzYZTPEsHzau0W7yhjnffkEJlWimzpY1jetqyp4aBB3IRoI8qRJ1fyx69UFVKAabA8nlsEwDeWALnEtQm38kH84nwKfkDU47F47c1FoguhHZUtlzxeWSZw6cd5td4tOPur9HAI8IYMKyiLShnCa3qCTazMNz7vMGypry0HfMNlpkDNjpZ11hrjKUsplDuCLtnxFHHVVLKr33XEu3pof8O%2F5H1W3l2ZXceNfx9VylNF8unbl5sjec3ULt%2F28yp%2F3%2FQuKj12Q%3D&vs=1280%3A644&ds=1280%3A720&sl=-4%3A-4&os=f&nos=f&swfV=26.0.0&if=f&sc=f&ckReS=1590785373.6065789 | AU | html | 286 b | whitelisted |
2616 | iexplore.exe | GET | 200 | 172.217.22.99:80 | http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEBqGiw2vm8c0CAAAAAA%2BvZc%3D | US | der | 471 b | whitelisted |
— | — | GET | 200 | 52.222.157.21:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted |
— | — | GET | 200 | 52.222.157.62:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared |
— | — | GET | 200 | 52.222.157.62:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared |
2616 | iexplore.exe | GET | 200 | 2.16.186.35:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2616 | iexplore.exe | 52.222.149.178:443 | link.searchemoji.global | Amazon.com, Inc. | US | whitelisted |
2616 | iexplore.exe | 103.224.212.241:80 | park.above.com | Trellian Pty. Limited | AU | unknown |
— | — | 52.222.157.6:80 | ocsp.rootg2.amazontrust.com | Amazon.com, Inc. | US | whitelisted |
— | — | 52.222.157.33:80 | o.ss2.us | Amazon.com, Inc. | US | whitelisted |
2616 | iexplore.exe | 103.224.182.250:80 | ww.worf.at | Trellian Pty. Limited | AU | unknown |
— | — | 52.222.157.21:80 | o.ss2.us | Amazon.com, Inc. | US | whitelisted |
2616 | iexplore.exe | 54.236.137.187:80 | usa.eyvindr-eng.com | Amazon.com, Inc. | US | shared |
2616 | iexplore.exe | 2.16.186.35:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | — | whitelisted |
2616 | iexplore.exe | 172.217.23.174:80 | — | Google Inc. | US | whitelisted |
— | — | 52.222.157.62:80 | ocsp.rootg2.amazontrust.com | Amazon.com, Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
ww.worf.at | — | malicious |
park.above.com | — | whitelisted |
link.searchemoji.global | — | whitelisted |
o.ss2.us | — | whitelisted |
ocsp.rootg2.amazontrust.com | — | whitelisted |
ocsp.rootca1.amazontrust.com | — | shared |
usa.eyvindr-eng.com | — | shared |
api.bing.com | — | whitelisted |
www.bing.com | — | whitelisted |
eutrx.com | — | unknown |
PID | Process | Class | Message |
---|---|---|---|
2616 | iexplore.exe | Misc activity | ADWARE [PTsecurity] Redirecting.Zemot (RBN ZeroPark 0-Click) |