URL: | https://www.youtube.com/redirect?event=video_description&v=EjcyiOXWnlc&redir_token=vpypJkdPcBMmRljjeZ_IjO7urzB8MTU4NTcwMDIwOEAxNTg1NjEzODA4&q=https%3A%2F%2Flink-to.net%2F59342%2FProxy |
Full analysis: | https://app.any.run/tasks/36b6ba18-51ca-4b67-98f1-89d4e0b0df50 |
Verdict: | Malicious activity |
Analysis date: | March 31, 2020, 00:18:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | FBA4F6489E4C2B19369F2F84BEB9CE0E |
SHA1: | BC5283FE4CE93BE717EA84407AEAA28FF476C79E |
SHA256: | 844DA678CF1670F57CFF7052315F294BF50E8F90D3F2795A9EA923EF3081D91C |
SSDEEP: | 3:N8DSLUxGTKXtRAZBv6NVLMq1YhcFOFvpCPds1AZCRCyRlNRRRWCXjInGXjgc:2OLUxGKmKDLMcYhcFEvpCls1AqRBR3zv |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3144 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://www.youtube.com/redirect?event=video_description&v=EjcyiOXWnlc&redir_token=vpypJkdPcBMmRljjeZ_IjO7urzB8MTU4NTcwMDIwOEAxNTg1NjEzODA4&q=https%3A%2F%2Flink-to.net%2F59342%2FProxy" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
676 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3144 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 3221225547 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
548 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3144 CREDAT:1316126 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
604 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0 Exit code: 0 Version: 26,0,0,131 Modules
| |||||||||||||||
2564 | "C:\Program Files\Opera\opera.exe" | C:\Program Files\Opera\opera.exe | explorer.exe | ||||||||||||
User: admin Company: Opera Software Integrity Level: MEDIUM Description: Opera Internet Browser Exit code: 0 Version: 1748 Modules
| |||||||||||||||
3544 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | explorer.exe | ||||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 Modules
| |||||||||||||||
4008 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6cc9a9d0,0x6cc9a9e0,0x6cc9a9ec | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 Modules
| |||||||||||||||
3932 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1708 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 Modules
| |||||||||||||||
2784 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1024,13069874439812393916,1601744482073193147,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=12638344132930116351 --mojo-platform-channel-handle=1032 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Version: 75.0.3770.100 Modules
| |||||||||||||||
2636 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1024,13069874439812393916,1601744482073193147,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=9340011360139547367 --mojo-platform-channel-handle=1632 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | chrome.exe | ||||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
676 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab5FDB.tmp | — | |
MD5:— | SHA256:— | |||
676 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar5FDC.tmp | — | |
MD5:— | SHA256:— | |||
676 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\PGXAICWX.txt | — | |
MD5:— | SHA256:— | |||
676 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\ServiceLogin[1].htm | — | |
MD5:— | SHA256:— | |||
676 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | der | |
MD5:E550DA03AEE5B546B436CD553D3233B9 | SHA256:9ABFD4E29B96CCA442502B1DE6071FE0293455DF22B4EFF19FA3E6DF060947E7 | |||
676 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BE8B021F9E811DFC8C8A28572A17C05A_0B97942EE72A6E3F514E8E84F294CC72 | der | |
MD5:F26B1B29960D99AD1C44E71E3D2ABE4C | SHA256:7910B27AFDEE20EA27C4FA19221B1B63E00235E261E1A3FB9F1FB3456CBBB7AC | |||
676 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\3PCSQWH5.txt | text | |
MD5:578DDC94E44EE6EDF255A1D5B53754E3 | SHA256:6488B2300B7D46E69D1A36A13B927A0BC6E867703D41ADBEBE4BACA86B7E00F1 | |||
676 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BE8B021F9E811DFC8C8A28572A17C05A_81686C64A160FA1C4EEDBAA548457591 | der | |
MD5:F6BDC12D38D8C5BAE3FA095730288409 | SHA256:AA502AD2BDEF41C9997F7E87D53568176D30954F4C765EFD16AE1A022143E2BF | |||
676 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT | smt | |
MD5:0B4084CB767485FC6AF0312433DCD3D6 | SHA256:6258927C56F777DDDE1F13D9BB5C54D569A520ADA6BBC1E77CE30188BBA6F2E6 | |||
676 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BE8B021F9E811DFC8C8A28572A17C05A_0B97942EE72A6E3F514E8E84F294CC72 | binary | |
MD5:03AF938171698E496E53E991A39BC11A | SHA256:5836DB355E55B01D94E28F1F6CD7BDC8684C7FD39DD493954EEFA2E0492396FB |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
676 | iexplore.exe | GET | 200 | 172.217.23.163:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDL%2FQslYWVuogIAAAAAXGdc | US | der | 472 b | whitelisted |
676 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D | US | der | 1.47 Kb | whitelisted |
676 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrJdiQ%2Ficg9B19asFe73bPYs%2BreAQUdXGnGUgZvJ2d6kFH35TESHeZ03kCEFslzmkHxCZVZtM5DJmpVK0%3D | US | der | 313 b | whitelisted |
676 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.trust-provider.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEENSAj%2F6qJAfE5%2Fj9OXBRE4%3D | US | der | 471 b | whitelisted |
676 | iexplore.exe | GET | 200 | 172.217.23.163:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
676 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrJdiQ%2Ficg9B19asFe73bPYs%2BreAQUdXGnGUgZvJ2d6kFH35TESHeZ03kCEFslzmkHxCZVZtM5DJmpVK0%3D | US | der | 313 b | whitelisted |
676 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrJdiQ%2Ficg9B19asFe73bPYs%2BreAQUdXGnGUgZvJ2d6kFH35TESHeZ03kCEFslzmkHxCZVZtM5DJmpVK0%3D | US | der | 313 b | whitelisted |
676 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrBBNpPfHTPX6Jy6BVzyBPnBWMnQQUPnQtH89FdQR%2BP8Cihz5MQ4NRE8YCEAQ%2FCTodcd0uo5FZpw3NFis%3D | US | der | 278 b | whitelisted |
676 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D | US | der | 1.47 Kb | whitelisted |
676 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrBBNpPfHTPX6Jy6BVzyBPnBWMnQQUPnQtH89FdQR%2BP8Cihz5MQ4NRE8YCEAQ%2FCTodcd0uo5FZpw3NFis%3D | US | der | 278 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
676 | iexplore.exe | 172.217.23.163:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
676 | iexplore.exe | 172.217.22.35:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
676 | iexplore.exe | 216.58.207.78:443 | www.youtube.com | Google Inc. | US | whitelisted |
3144 | iexplore.exe | 216.58.207.78:443 | www.youtube.com | Google Inc. | US | whitelisted |
676 | iexplore.exe | 216.58.206.14:443 | www.youtube.com | Google Inc. | US | whitelisted |
676 | iexplore.exe | 172.217.16.205:443 | accounts.google.com | Google Inc. | US | whitelisted |
676 | iexplore.exe | 104.18.45.33:443 | link-to.net | Cloudflare Inc | US | shared |
676 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
676 | iexplore.exe | 104.16.86.20:443 | cdn.jsdelivr.net | Cloudflare Inc | US | shared |
676 | iexplore.exe | 209.197.3.24:443 | code.jquery.com | Highwinds Network Group, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.youtube.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
fonts.gstatic.com |
| whitelisted |
accounts.google.com |
| shared |
s.ytimg.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
link-to.net |
| malicious |
ocsp.digicert.com |
| whitelisted |
linkvertise.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2564 | opera.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
2564 | opera.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
2564 | opera.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
2564 | opera.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
2564 | opera.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
740 | ProxyTool - Linkvertise Downloader_3086758609.exe | A Network Trojan was detected | ADWARE [PTsecurity] InstallCore |
3332 | Proxy checker.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] Socks4 Connection |
3332 | Proxy checker.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] Socks4 Connection |
3332 | Proxy checker.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] Socks4 Connection |
3332 | Proxy checker.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] Socks4 Connection |