URL: | http://metin2mod.tk/?page_id=6 |
Full analysis: | https://app.any.run/tasks/0d606fa9-0ad6-4e94-b3ee-0b75d72c2ce6 |
Verdict: | Malicious activity |
Analysis date: | June 27, 2022, 07:24:27 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | 281B247C14B7EA1D5C2FD4CC75A73D1A |
SHA1: | 6B528C29F1FF990A18D98D466205763BC67FAD06 |
SHA256: | 4F00D44A2BB433653E6A67B77CF5A49FA15BFFC71ABE0CF44AEB4D3D042ECA53 |
SSDEEP: | 3:N1KT1Lt6MB+:CZLtnB+ |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2684 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://metin2mod.tk/?page_id=6" | C:\Program Files\Internet Explorer\iexplore.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
912 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2684 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2608 | "C:\Program Files\Opera\opera.exe" | C:\Program Files\Opera\opera.exe | Explorer.EXE | ||||||||||||
User: admin Company: Opera Software Integrity Level: MEDIUM Description: Opera Internet Browser Exit code: 0 Version: 1748 Modules
| |||||||||||||||
2812 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | Explorer.EXE | ||||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 86.0.4240.198 Modules
| |||||||||||||||
3072 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=86.0.4240.198 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x6f19d988,0x6f19d998,0x6f19d9a4 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 86.0.4240.198 Modules
| |||||||||||||||
3648 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1052,14096856180708568554,14834952099704867000,131072 --enable-features=PasswordImport --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1056 /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 86.0.4240.198 Modules
| |||||||||||||||
3256 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1052,14096856180708568554,14834952099704867000,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1336 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | chrome.exe | ||||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 86.0.4240.198 Modules
| |||||||||||||||
3940 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,14096856180708568554,14834952099704867000,131072 --enable-features=PasswordImport --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1900 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 86.0.4240.198 Modules
| |||||||||||||||
3980 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,14096856180708568554,14834952099704867000,131072 --enable-features=PasswordImport --lang=en-US --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1940 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 86.0.4240.198 Modules
| |||||||||||||||
3520 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,14096856180708568554,14834952099704867000,131072 --enable-features=PasswordImport --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2324 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 86.0.4240.198 Modules
|
(PID) Process: | (2684) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPDaysSinceLastAutoMigration |
Value: 1 | |||
(PID) Process: | (2684) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchLowDateTime |
Value: | |||
(PID) Process: | (2684) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchHighDateTime |
Value: 30968310 | |||
(PID) Process: | (2684) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateLowDateTime |
Value: 52735444 | |||
(PID) Process: | (2684) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 30968311 | |||
(PID) Process: | (2684) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (2684) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (2684) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (2684) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
(PID) Process: | (2684) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2684 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFEDFE31ACD3474E66.TMP | gmc | |
MD5:D32C1D993C872791FE687D254BF35413 | SHA256:006C2279A6DA680F2808A3DBC3AA8AFC15AED8F744AEF94C311DC03C9D3F93F7 | |||
2684 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF5FA1099D1D4B8A8F.TMP | gmc | |
MD5:4CB8F116A9E56D9AC803C41979185F4B | SHA256:C702F380E60DBFE826D63E4D970C208CE13D467BBEE00C1A16A9614275EF5AD9 | |||
2608 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat | binary | |
MD5:73BF9617C5FB4356C3C25A8B0A1A6BD1 | SHA256:C2EDCC1E04988FE54C1615C51197FEF999C420F0FC0B3F18F73D2A58A7FC7175 | |||
2608 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini | text | |
MD5:F0DE56E6CCB98D5660403B4B11005556 | SHA256:542D709637434291B81BB00E0C47670F7E4DFB53B75FD372232C11DA3C564C0A | |||
2608 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml | xml | |
MD5:D30B4FB9EC40F795FA3814323401C130 | SHA256:A385E0C8F5691D380C2C9D11CB2DD55114AF4F9E1C98771ECC41B46C6D78A3FA | |||
2608 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat | binary | |
MD5:1AA8644C9261DC10F7247F6A145C1DD2 | SHA256:58A8933F65361633C6AB194000D312DC9D566F717B1A16814A0DBEE24A60EBE3 | |||
2608 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opicacrt6.dat | binary | |
MD5:82F1A2B1176A5ECC457D32301E2AD833 | SHA256:A783052804DD4C232BE2ED3DC00C430CB67A20370890E235562ED2B27B5A602E | |||
2608 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.bak | text | |
MD5:46A734B275C8C258D9D6F508E73B36AD | SHA256:B80192EDC377DD212C9E488E1983FBCD68CF83330576EFD7579B7AB30FA3672B | |||
2608 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\oprC64F.tmp | text | |
MD5:F0DE56E6CCB98D5660403B4B11005556 | SHA256:542D709637434291B81BB00E0C47670F7E4DFB53B75FD372232C11DA3C564C0A | |||
2684 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF8CAE6D3B298883DF.TMP | gmc | |
MD5:C9FC4E7D74A203A38E59AF217D3931F2 | SHA256:C75A10213EFD19D22D7FDCEE5264FB19E1F9927A5BDC9752635356BF0608B3F1 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2608 | opera.exe | GET | — | 46.105.98.67:80 | http://metin2mod.tk/wp-content/themes/simone/js/navigation.js?ver=20120206 | FR | — | — | suspicious |
2608 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 592 b | whitelisted |
2608 | opera.exe | GET | — | 46.105.98.67:80 | http://metin2mod.tk/wp-content/themes/simone/images/pattern.svg | FR | — | — | suspicious |
2608 | opera.exe | GET | — | 46.105.98.67:80 | http://metin2mod.tk/wp-content/themes/simone/js/superfish.min.js?ver=20140328 | FR | — | — | suspicious |
2608 | opera.exe | GET | — | 46.105.98.67:80 | http://metin2mod.tk/wp-content/plugins/popups/public/assets/css/public.css?ver=1.9.3.8 | FR | — | — | suspicious |
2608 | opera.exe | GET | 200 | 46.105.98.67:80 | http://metin2mod.tk/?page_id=6 | FR | html | 5.24 Kb | suspicious |
2608 | opera.exe | GET | — | 46.105.98.67:80 | http://metin2mod.tk/wp-includes/js/jquery/jquery.js?ver=1.12.4 | FR | — | — | suspicious |
2608 | opera.exe | GET | — | 46.105.98.67:80 | http://metin2mod.tk/images/new2.gif | FR | — | — | suspicious |
2608 | opera.exe | GET | — | 46.105.98.67:80 | http://metin2mod.tk/wp-content/themes/simone/fonts/font-awesome/css/font-awesome.min.css?ver=5.1.13 | FR | — | — | suspicious |
2608 | opera.exe | GET | — | 46.105.98.67:80 | http://metin2mod.tk/wp-content/themes/simone/js/hide-search.js?ver=20120206 | FR | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2684 | iexplore.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
2608 | opera.exe | 142.250.185.234:80 | fonts.googleapis.com | Google Inc. | US | whitelisted |
2684 | iexplore.exe | 13.107.22.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
2608 | opera.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2684 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2608 | opera.exe | 185.26.182.94:443 | certs.opera.com | Opera Software AS | — | whitelisted |
2608 | opera.exe | 82.145.216.15:80 | sitecheck2.opera.com | Opera Software AS | — | suspicious |
2608 | opera.exe | 185.26.182.93:443 | certs.opera.com | Opera Software AS | — | whitelisted |
912 | iexplore.exe | 46.105.98.67:80 | metin2mod.tk | OVH SAS | FR | suspicious |
2608 | opera.exe | 46.105.98.67:80 | metin2mod.tk | OVH SAS | FR | suspicious |
Domain | IP | Reputation |
---|---|---|
metin2mod.tk |
| suspicious |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
certs.opera.com |
| whitelisted |
crl3.digicert.com |
| whitelisted |
sitecheck2.opera.com |
| whitelisted |
fonts.googleapis.com |
| whitelisted |
pagead2.googlesyndication.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a .tk domain - Likely Hostile |
2608 | opera.exe | Potentially Bad Traffic | ET POLICY HTTP Request to a *.tk domain |
2608 | opera.exe | Potentially Bad Traffic | ET POLICY HTTP Request to a *.tk domain |
2608 | opera.exe | Potentially Bad Traffic | ET POLICY HTTP Request to a *.tk domain |
2608 | opera.exe | Potentially Bad Traffic | ET POLICY HTTP Request to a *.tk domain |
2608 | opera.exe | Potentially Bad Traffic | ET POLICY HTTP Request to a *.tk domain |
2608 | opera.exe | Potentially Bad Traffic | ET POLICY HTTP Request to a *.tk domain |
2608 | opera.exe | Potentially Bad Traffic | ET POLICY HTTP Request to a *.tk domain |
2608 | opera.exe | Potentially Bad Traffic | ET POLICY HTTP Request to a *.tk domain |
2608 | opera.exe | Potentially Bad Traffic | ET POLICY HTTP Request to a *.tk domain |