Field | Value |
---|---|
URL | http://mail.75rogrscust-etrs.com/ROGERS/index.php/files/files/files/files/files/files/files/files/files/files/files/doc |
Full analysis | https://app.any.run/tasks/183b3045-9ef9-44c1-98ca-78b2ca35bdfe |
Verdict | Malicious activity |
Analysis date | April 23, 2019, 15:47:42 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | — |
Indicators | — |
MD5 | D83AC9CB207678F7FF89B90A585382BC |
SHA1 | AF26AB08C0116205B7579B362DAD7ED14472D417 |
SHA256 | 79786377BDDC5D67730BA752B969D7FB9AEDF4A88A95BDF26768C6AC58730210 |
SSDEEP | 3:N1KTLKCXm4QLRaiKMkHYImffffffffffX:CR2OikHYL |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2928 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
3188 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2928 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2928 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | — | — |
2928 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | — |
3188 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XECVHYW6\fwdssp_com[1].txt | — | — | — |
3188 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FEBMDMAD\fwdssp_com[1].txt | — | — | — |
3188 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | 085D93A5E3187CB779C3AF6733744E6B | 7B7DBCD5C71BD20DAA9FB03C244EC218F28F1ABAE70F2D4CA0D54057B439D726 |
3188 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YSRBWKB0\suspendedpage[1].htm | html | CDE938937ED62ECAEF91572879F25F7F | 81C3BF0E0990030F5AF502C896EA05ED1C21AC83F3173C5E633B86DD50C1D7F7 |
3188 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6FTAYW3C\min[1].js | text | 5563332AD6AF63C9C94CEF15761BE544 | 4EFEC11A42893D4DF0249174CBE5AFAE24A5734F5DED35C5E84C56BF9F473EC2 |
3188 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | A016F27CC121B2155D57F23D49226711 | 6DE53E35F3D8EB8C10C05F69C597B345C1D7634620A399E63774DDB3745ADC34 |
3188 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XECVHYW6\fwdssp_com[1].htm | html | A8826B74E9F7EE016A7F2907E93DA51B | CC87D520096E02854A5416C39B292FD269FE830292E7B3726689180612B6E777 |
3188 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FEBMDMAD\fwdssp_com[1].htm | html | 6B311F54E785126D1F8AC9ED49F7B1BC | 677676F31DC606064A3DEEDFDDF8522A8D26B238D24544D0BDAA333BD2FA2B57 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3188 | iexplore.exe | GET | 200 | 208.91.196.46:80 | http://fwdssp.com/?domain=75rogrscust-etrs.com&dn=75rogrscust-etrs.com&fp=HjIr6cRwn8WcwfKxlHFsQFYaVovYm4t%2BhzDMPG91zKA61axHmiEbPKxVm%2Fj9SorBQhQYEed7iPEO06MxKZeJcLd4fLjRQmBK5s9gNTPkH%2B6IHM830mCIohyStCM1n%2FXSrx1G0jGPn9JPZnBUjOrxadPZcZo2F2xmkP%2FtIDoqH5zs1lvAu0gkApISv8XbKun6&prvtof=FrBzFD9aBKp2iFUs7fCzSRdWqcNpMv%2BtteVekZ%2FwEQ2b1lHwcLExQFiIOlAE%2FJb4rWtR2ro3wUaSB%2BuBAIzxx1CbCBMuAUNochrJYwOVIMI%3D&poru=f8HWIZZWAFCIe2aZDpYqAgtai2sKfiYsiEsbuPWU6pnrM3KfNJ9AvwV%2FWM1c0aHQqcxSKsyz8JoqM6%2Fr8GV2bWj2Od1PRwBYtwqj8%2FNHLBY%3D& | VG | html | 6.93 Kb | whitelisted |
3188 | iexplore.exe | GET | 200 | 2.16.186.106:80 | http://i1.cdn-image.com/__media__/js/min.js?v2.2 | unknown | text | 2.97 Kb | whitelisted |
3188 | iexplore.exe | GET | 302 | 162.144.12.143:80 | http://mail.75rogrscust-etrs.com/ROGERS/index.php/files/files/files/files/files/files/files/files/files/files/files/doc | US | html | 317 b | malicious |
3188 | iexplore.exe | GET | 200 | 2.16.186.64:80 | http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot? | unknown | eot | 110 Kb | whitelisted |
3188 | iexplore.exe | GET | 200 | 208.91.196.46:80 | http://fwdssp.com/px.js?ch=1 | VG | text | 346 b | whitelisted |
3188 | iexplore.exe | GET | 200 | 2.16.186.64:80 | http://i3.cdn-image.com/__media__/pics/12471/logo.png | unknown | image | 3.86 Kb | whitelisted |
3188 | iexplore.exe | GET | 200 | 162.144.12.143:80 | http://mail.75rogrscust-etrs.com/cgi-sys/suspendedpage.cgi | US | html | 437 b | malicious |
3188 | iexplore.exe | GET | 200 | 208.91.196.46:80 | http://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4 | VG | html | 1.81 Kb | whitelisted |
3188 | iexplore.exe | GET | 200 | 2.16.186.64:80 | http://i4.cdn-image.com/__media__/pics/12471/libg.png | unknown | image | 1.07 Kb | whitelisted |
3188 | iexplore.exe | GET | 200 | 208.91.196.46:80 | http://fwdssp.com/px.js?ch=2 | VG | text | 346 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2928 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
— | — | 208.91.196.4:80 | searchdiscovered.com | Confluence Networks Inc | VG | malicious |
3188 | iexplore.exe | 2.16.186.64:80 | i1.cdn-image.com | Akamai International B.V. | — | whitelisted |
3188 | iexplore.exe | 2.16.186.106:80 | i1.cdn-image.com | Akamai International B.V. | — | whitelisted |
3188 | iexplore.exe | 162.144.12.143:80 | mail.75rogrscust-etrs.com | Unified Layer | US | malicious |
2928 | iexplore.exe | 162.144.12.143:80 | mail.75rogrscust-etrs.com | Unified Layer | US | malicious |
3188 | iexplore.exe | 208.91.196.4:80 | searchdiscovered.com | Confluence Networks Inc | VG | malicious |
3188 | iexplore.exe | 208.91.196.46:80 | fwdssp.com | Confluence Networks Inc | VG | malicious |
Domain | IP | Reputation |
---|---|---|
www.bing.com | — | whitelisted |
mail.75rogrscust-etrs.com | — | malicious |
fwdssp.com | — | whitelisted |
i1.cdn-image.com | — | whitelisted |
i4.cdn-image.com | — | whitelisted |
searchdiscovered.com | — | malicious |
i3.cdn-image.com | — | whitelisted |
freeresultsguide.com | — | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3188 | iexplore.exe | Misc activity | ADWARE [PTsecurity] InstantAccess |