Field | Value
---|---
URL | https://refreshdealtoys-dot-yamm-track.appspot.com/Redirect?ukey=1Q4dD814GD8QiZNOLFSoTgM3-ckViMbhh8_NybszQvWo-0&key=YAMMID-86486195&link=http%3A%2F%2Frefreshdealtoys.com
Full analysis | https://app.any.run/tasks/e1f6185d-d909-46e7-aaa5-0be18c8a3737
Verdict | Malicious activity
Analysis date | November 14, 2018, 09:43:07
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | —
MD5 | 44E801F6B3E259DEE9A1308DB9C1D0E7
SHA1 | C2B9BE6FBDD63F5D3232F0A64D3A1983E3DE6B4F
SHA256 | 765290402BAAA1FFB2CE861C66EF11610CFD515FF6B7422B61B6B7148B90BEAA
SSDEEP | 3:N8qhfKn8KTV8gkhBWAG4A66rQ2qCoWKzM9rcgDOQX3RRqWJsXjQDQWThfKn2:2qhf2bZ8thBWANEQ3WoMJcgDRX33HszM

PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3324 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe
3952 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3324 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe
2452 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe

PID | User | Company | Integrity Level | Description | Version
---|---|---|---|---|---
3324 | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 8.00.7600.16385 (win7_rtm.090713-1255)
3952 | admin | Microsoft Corporation | LOW | Internet Explorer | 8.00.7600.16385 (win7_rtm.090713-1255)
2452 | admin | Adobe Systems Incorporated | MEDIUM | Adobe® Flash® Player Installer/Uninstaller 26.0 r0 | 26,0,0,131

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3324 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | — | —
3324 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | —
3952 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\refreshdealtoys_com[1].txt | — | — | —
3952 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@refreshdealtoys[2].txt | — | — | —
3952 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat | dat | 865FA008CD03C071A666E20DA3A9E69E | 52A6BD162A4F40F06EAE9DAC24719FFDAA2A4235620AE60C0A5298DF3460E339
3952 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\theme-my-login[1].css | text | 3149FAB925AEDC6CCE5D652D97AE9171 | 492FFF6E7DCC681F98EDC1FE5B0C645E8D670AC9BF5D3C0E9F3FC4CF7D4DCBF2
3952 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@refreshdealtoys[1].txt | text | 614337D549358D10A559919AC72AEB30 | 37CF75BAE99ABCDA170CC9E47EF00CBF03225030C3E60D6C18E88EE9D9323C82
3952 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\swap[1].js | text | 392D66C5B9D599E7DC167292C25DDC51 | 782E0CE693412ED6B8E9A04E9FE2C8AB3C26809577E1FCAAE113A2D3ADE42256
3952 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\style[1].css | text | 80B97341E925FA71E3AC386783219057 | 7787B003112FE9191C2EF7BE35F5FF7CB42AD497AA9CF2EBFFB303A5747CC9A8
3952 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\responsive[1].js | text | B0D315250620DED402D51EFB6F8954EC | CF619A06BB5D1C83D015DFDB4E0CD1FA29F19DE5B8630DC31429F52F7FC1AFE9

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
3952 | iexplore.exe | GET | 200 | 104.196.17.25:80 | http://refreshdealtoys.com/ | US | html | 6.80 Kb | unknown |
3952 | iexplore.exe | GET | 200 | 94.31.29.96:80 | http://g2yy82vwz4p2kt3ud2y17jp9.wpengine.netdna-cdn.com/wp-content/themes/ogk/css/font/pxbold.eot? | GB | eot | 20.4 Kb | suspicious |
3952 | iexplore.exe | GET | 200 | 94.31.29.96:80 | http://g2yy82vwz4p2kt3ud2y17jp9.wpengine.netdna-cdn.com/wp-content/themes/ogk/js/ogk.js | GB | text | 1.29 Kb | suspicious |
3952 | iexplore.exe | GET | 200 | 94.31.29.96:80 | http://g2yy82vwz4p2kt3ud2y17jp9.wpengine.netdna-cdn.com/wp-content/themes/ogk/css/main.css | GB | text | 9.32 Kb | suspicious |
3952 | iexplore.exe | GET | 200 | 104.196.17.25:80 | http://refreshdealtoys.com/wp-includes/js/wp-emoji-release.min.js?ver=4.9.8 | US | text | 4.78 Kb | unknown |
3952 | iexplore.exe | GET | 200 | 94.31.29.96:80 | http://g2yy82vwz4p2kt3ud2y17jp9.wpengine.netdna-cdn.com/wp-content/plugins/theme-my-login/theme-my-login.css?ver=6.4.10 | GB | text | 1.09 Kb | suspicious |
3952 | iexplore.exe | GET | 200 | 94.31.29.96:80 | http://g2yy82vwz4p2kt3ud2y17jp9.wpengine.netdna-cdn.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.9.2 | GB | text | 688 b | suspicious |
3952 | iexplore.exe | GET | 200 | 216.58.215.234:80 | http://ajax.googleapis.com/ajax/libs/jquery/1.8.1/jquery.min.js?ver=1.8.1 | US | text | 32.6 Kb | whitelisted |
3952 | iexplore.exe | GET | 200 | 94.31.29.96:80 | http://g2yy82vwz4p2kt3ud2y17jp9.wpengine.netdna-cdn.com/wp-content/themes/ogk/css/font/pxreg.eot? | GB | eot | 20.2 Kb | suspicious |
3952 | iexplore.exe | GET | 200 | 94.31.29.96:80 | http://g2yy82vwz4p2kt3ud2y17jp9.wpengine.netdna-cdn.com/wp-content/themes/ogk/css/font/pxthin.eot? | GB | eot | 19.7 Kb | suspicious |

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
3324 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3952 | iexplore.exe | 216.58.215.234:80 | ajax.googleapis.com | Google Inc. | US | whitelisted |
3952 | iexplore.exe | 23.111.8.24:80 | cdn.callrail.com | netDNA | US | unknown |
3952 | iexplore.exe | 216.58.215.238:80 | www.google-analytics.com | Google Inc. | US | whitelisted |
3952 | iexplore.exe | 172.217.168.20:443 | refreshdealtoys-dot-yamm-track.appspot.com | Google Inc. | US | whitelisted |
3952 | iexplore.exe | 104.196.17.25:80 | refreshdealtoys.com | Google Inc. | US | unknown |
3952 | iexplore.exe | 94.31.29.96:80 | g2yy82vwz4p2kt3ud2y17jp9.wpengine.netdna-cdn.com | netDNA | GB | unknown |
3952 | iexplore.exe | 104.244.42.130:80 | api.twitter.com | Twitter Inc. | US | unknown |
3952 | iexplore.exe | 172.217.168.19:80 | my.clickdesk.com | Google Inc. | US | whitelisted |
3952 | iexplore.exe | 52.85.182.165:443 | d1gwclp1pmzk26.cloudfront.net | Amazon.com, Inc. | US | whitelisted |

Domain | IP | Reputation
---|---|---
www.bing.com | — | whitelisted
refreshdealtoys-dot-yamm-track.appspot.com | — | suspicious
refreshdealtoys.com | — | unknown
g2yy82vwz4p2kt3ud2y17jp9.wpengine.netdna-cdn.com | — | unknown
ajax.googleapis.com | — | whitelisted
cdn.callrail.com | — | whitelisted
my.clickdesk.com | — | whitelisted
www.google-analytics.com | — | whitelisted
api.twitter.com | — | whitelisted
d1gwclp1pmzk26.cloudfront.net | — | shared

PID | Process | Class | Message
---|---|---|---
3952 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY Outdated Flash Version M1 |