URL: http://dbaworkshop.blogspot.com/2013/05/How-to-perform-a-SCN-based-incomplete-recovery.html
Full analysis: https://app.any.run/tasks/14332f36-6bcb-44a6-ad9e-7ef11462626d
Verdict: Malicious activity
Analysis date: October 14, 2019, 16:30:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators: —
MD5: 685F5146B73F5FBEF08D33688961171A
SHA1: B250E00FB7AC8E358662F7F249BC93141A48E0F1
SHA256: 7B706427BC17C15BB2A2772C2FE10D6C654113FD0651758F957DBE1E72E80499
SSDEEP: 3:N1KaH4TOloSKMhKgsIqjc6/BdTSX0HIJ:CaHDKGEjc6rTSX0oJ
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2548 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255)
2068 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2548 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3116 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe | User: admin; Company: Adobe Systems Incorporated; Integrity Level: MEDIUM; Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0; Version: 26,0,0,131
3336 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | — | explorer.exe | User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Version: 75.0.3770.100
2152 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6feda9d0,0x6feda9e0,0x6feda9ec | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Version: 75.0.3770.100
2864 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2752 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Version: 75.0.3770.100
3388 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=992,10237195860911727325,9457289700858951769,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=10675019695617980417 --mojo-platform-channel-handle=1000 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Version: 75.0.3770.100
1956 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=992,10237195860911727325,9457289700858951769,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=6267015359620162502 --mojo-platform-channel-handle=1580 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Version: 75.0.3770.100
3940 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,10237195860911727325,9457289700858951769,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=10901059232176452870 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2212 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 75.0.3770.100
3280 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,10237195860911727325,9457289700858951769,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=16014622165681054102 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2392 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Version: 75.0.3770.100
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2548 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | — | —
2548 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | —
2068 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IC4L61VZ\210157244-ieretrofit[1].js | html | 83A14CE8A07941331DFB5A615AF96CA9 | C17B6213AB3A96180261DEC659C93EC2D6D3691A7FFE1AE09173C1BA124CC6C4
2068 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | D0AC1E6DCBF679C6AFC729F8CB9EC296 | 090054E516E8720428AB8DDF2EC115599D912EB8C99E76F42FC8833AB5A48FC3
2068 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | A11AC272163B8A2DDB4FF81829A5613C | 4B0CCC4DF04C05ECA0E4286F612BE3F87B03B667B6BE34C10B3CEBF5D23BE79D
2068 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q58AB90R\cb=gapi[1].loaded_0 | text | 9592A9DDF920739FAD11ECB40E312905 | AEF6EEB769CC25D6F1776C5F7E97AEF03258C9B5362D72F0D7955633EADF8F09
2068 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XM1XHYBY\plusone[1].js | html | 632E7FD3CA61FEF2DD2B7A9F847E5F34 | D996E8927AE45383450BD8314F8BC89259A528AAA698231FE91D2295872D0496
2068 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@google[1].txt | text | D914613A05ADAF7DD58BC6973A838B2E | CE5C804313535445650F1121AEE0AFF9A4F2A007CA4D853E35D66AE309BC2D83
2068 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat | dat | BC00F101538A821ABCA75759D58FFCEF | 5BF18AA37534FDCE70123A75C1C307D2584A00FFF8D483A834B4997770FC1803
2068 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KR5MPS8U\widgets[1].js | text | 1D8D0709ED691E2BC0472DBFC17C8ABD | 90476F48E0B8A9F9C5C11FD16F13FC6A8772FE281D12C8E63153A6F948CDD348
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2068 | iexplore.exe | GET | 404 | 64.233.166.82:80 | http://syntaxhighlighter.googlecode.com/svn/trunk/Scripts/shBrushVb.js | US | html | 1.55 Kb | suspicious |
2068 | iexplore.exe | GET | 404 | 64.233.166.82:80 | http://syntaxhighlighter.googlecode.com/svn/trunk/Scripts/shBrushPhp.js | US | html | 1.55 Kb | suspicious |
2068 | iexplore.exe | GET | 200 | 216.58.205.225:80 | http://dbaworkshop.blogspot.com/2013/05/How-to-perform-a-SCN-based-incomplete-recovery.html | US | html | 38.6 Kb | whitelisted |
2068 | iexplore.exe | GET | 301 | 108.174.11.81:80 | http://www.linkedin.com/img/webpromo/btn_viewmy_160x33.png | US | — | — | whitelisted |
2068 | iexplore.exe | GET | 404 | 64.233.166.82:80 | http://syntaxhighlighter.googlecode.com/svn/trunk/Scripts/shBrushJava.js | US | html | 1.56 Kb | suspicious |
2068 | iexplore.exe | GET | 404 | 64.233.166.82:80 | http://syntaxhighlighter.googlecode.com/svn/trunk/Scripts/shBrushCpp.js | US | html | 1.55 Kb | suspicious |
2068 | iexplore.exe | GET | 404 | 64.233.166.82:80 | http://syntaxhighlighter.googlecode.com/svn/trunk/Scripts/shBrushCss.js | US | html | 1.55 Kb | suspicious |
2068 | iexplore.exe | GET | 200 | 93.184.220.66:80 | http://platform.twitter.com/widgets.js | US | text | 28.0 Kb | whitelisted |
2068 | iexplore.exe | GET | 404 | 64.233.166.82:80 | http://syntaxhighlighter.googlecode.com/svn/trunk/Scripts/shCore.js | US | html | 1.55 Kb | suspicious |
2068 | iexplore.exe | GET | 404 | 64.233.166.82:80 | http://syntaxhighlighter.googlecode.com/svn/trunk/Scripts/shBrushXml.js | US | html | 1.55 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2548 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2068 | iexplore.exe | 64.233.166.82:80 | syntaxhighlighter.googlecode.com | Google Inc. | US | whitelisted |
2068 | iexplore.exe | 172.217.18.9:443 | www.blogger.com | Google Inc. | US | whitelisted |
2068 | iexplore.exe | 172.217.22.14:443 | apis.google.com | Google Inc. | US | whitelisted |
2068 | iexplore.exe | 216.58.205.225:80 | dbaworkshop.blogspot.com | Google Inc. | US | whitelisted |
2068 | iexplore.exe | 93.184.220.66:80 | platform.twitter.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2068 | iexplore.exe | 172.217.21.226:80 | pagead2.googlesyndication.com | Google Inc. | US | whitelisted |
2068 | iexplore.exe | 185.206.85.82:80 | codice.shinystat.com | Shiny S.r.l. | IT | unknown |
2068 | iexplore.exe | 108.174.11.81:443 | www.linkedin.com | LinkedIn Corporation | US | unknown |
2068 | iexplore.exe | 108.174.11.81:80 | www.linkedin.com | LinkedIn Corporation | US | unknown |
Domain | IP | Reputation
---|---|---
www.bing.com | — | whitelisted
dbaworkshop.blogspot.com | — | whitelisted
www.blogger.com | — | shared
dns.msftncsi.com | — | shared
syntaxhighlighter.googlecode.com | — | suspicious
apis.google.com | — | whitelisted
platform.twitter.com | — | whitelisted
pagead2.googlesyndication.com | — | whitelisted
resources.blogblog.com | — | whitelisted
www.blogblog.com | — | whitelisted
PID | Process | Class | Message |
---|---|---|---|
1956 | chrome.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |
1956 | chrome.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |
1956 | chrome.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |
1956 | chrome.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |
1956 | chrome.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |
1956 | chrome.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |