URL: | http://www.galvezcustoms.com |
Full analysis: | https://app.any.run/tasks/b65f41c2-ee3f-48d1-98e7-71605e9706fa |
Verdict: | Malicious activity |
Analysis date: | July 11, 2019, 17:23:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 5E8664D9DAA38102D6C64C1C2B7B8793 |
SHA1: | 9EED1BE10F7D67A654D0197C5CE9F02D6FC79F07 |
SHA256: | 8740CA7C4DE72EDFB4BF07591FCD897A007E881AF152A725FE0DEF7990E3D6E9 |
SSDEEP: | 3:N1KJS49AFr2:Cc482 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3092 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3352 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3092 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3092 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
3092 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3352 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5UWK0KKQ\zcredirect[1].txt | — | |
MD5:— | SHA256:— | |||
3352 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@google[2].txt | — | |
MD5:— | SHA256:— | |||
3352 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5UWK0KKQ\google_com[1].txt | — | |
MD5:— | SHA256:— | |||
3352 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:0499D8A0582A7CEBE742CF845E5DA196 | SHA256:DD424E5F1960120CEC5F1D8A196DB23051998F9320DEEBC93823F846E79DC52E | |||
3352 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | |
MD5:1DE91AC4B0864205D054975ED2D6904B | SHA256:410C18E76B4639829AB930478E2F6D6FDA4593889978060E3D4C795D80260BBA | |||
3352 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini | ini | |
MD5:4A3DEB274BB5F0212C2419D3D8D08612 | SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38 | |||
3352 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GFS5E7SG\desktop.ini | ini | |
MD5:4A3DEB274BB5F0212C2419D3D8D08612 | SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38 | |||
3352 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019071120190712\index.dat | dat | |
MD5:B2328D14D593CE00DB9104542C09095D | SHA256:1D33FF658313830F3D70CB2D4E6F482FD3D7B84525DE37E56649CCCC5F94AB3F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3352 | iexplore.exe | GET | 200 | 89.35.39.65:80 | http://www.galvezcustoms.com/ | RO | html | 468 b | malicious |
3352 | iexplore.exe | GET | 200 | 52.22.6.59:80 | http://usd.odysseus-nua.com/zcredirect?visitid=99e02671-a400-11e9-8b7f-12f8115ae5c6&type=js&browserWidth=1276&browserHeight=560&iframeDetected=false | US | html | 930 b | malicious |
3092 | iexplore.exe | GET | 404 | 52.22.6.59:80 | http://usd.odysseus-nua.com/favicon.ico | US | html | 940 b | malicious |
3352 | iexplore.exe | GET | 200 | 52.22.6.59:80 | http://usd.odysseus-nua.com/zcvisitor/99e02671-a400-11e9-8b7f-12f8115ae5c6?campaignid=b7764eb5-8de2-11e9-8a1b-12077332b422 | US | html | 1010 b | malicious |
3352 | iexplore.exe | GET | 200 | 34.194.204.58:80 | http://usa.odysseus-nua.com/zcvisitor/d5d67df8-a400-11e9-b5e6-0aa5f9f2fee6?campaignid=1cf07970-5c58-11e9-b347-0a157bfa6bfc | US | html | 1010 b | shared |
3352 | iexplore.exe | GET | 302 | 89.35.39.65:80 | http://www.galvezcustoms.com/ | RO | text | 11 b | malicious |
3092 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
3092 | iexplore.exe | GET | 404 | 34.194.204.58:80 | http://usa.odysseus-nua.com/favicon.ico | US | html | 940 b | shared |
3352 | iexplore.exe | GET | 200 | 34.194.204.58:80 | http://usa.odysseus-nua.com/zcredirect?visitid=d5d67df8-a400-11e9-b5e6-0aa5f9f2fee6&type=js&browserWidth=1276&browserHeight=560&iframeDetected=false | US | html | 550 b | shared |
3352 | iexplore.exe | GET | 302 | 89.35.39.65:80 | http://www.galvezcustoms.com/?js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTU2Mjg3MzExMCwiaWF0IjoxNTYyODY1OTEwLCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIybW82a2d1cXZuM2Iwam5ia2cwNmZuNDkiLCJuYmYiOjE1NjI4NjU5MTB9.PwoxPoRAgys2-r9x_UCWiFK9dlIHcFhFPKY_RwoULcc&ts=1562865910367206&uuid=99aac7fa-a400-11e9-8c5e-8d56c707bef7 | RO | text | 11 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3352 | iexplore.exe | 172.217.16.206:443 | — | Google Inc. | US | whitelisted |
3092 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3092 | iexplore.exe | 52.22.6.59:80 | usd.odysseus-nua.com | Amazon.com, Inc. | US | malicious |
3352 | iexplore.exe | 138.68.103.129:443 | cryptrk.com | Digital Ocean, Inc. | DE | unknown |
3352 | iexplore.exe | 89.35.39.65:80 | www.galvezcustoms.com | Parfumuri Femei.com SRL | RO | malicious |
3352 | iexplore.exe | 52.22.6.59:80 | usd.odysseus-nua.com | Amazon.com, Inc. | US | malicious |
3352 | iexplore.exe | 172.217.18.164:443 | www.google.com | Google Inc. | US | whitelisted |
3352 | iexplore.exe | 89.35.39.65:443 | www.galvezcustoms.com | Parfumuri Femei.com SRL | RO | malicious |
3092 | iexplore.exe | 172.217.18.164:443 | www.google.com | Google Inc. | US | whitelisted |
3352 | iexplore.exe | 104.19.197.151:443 | cdnjs.cloudflare.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
www.galvezcustoms.com |
| malicious |
usd.odysseus-nua.com |
| unknown |
cryptrk.com |
| unknown |
www.google.com |
| whitelisted |
usa.odysseus-nua.com |
| shared |
trafficadmarket.com |
| malicious |
bitcoin-formula.com |
| unknown |
cdnjs.cloudflare.com |
| whitelisted |
mylivechat.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3352 | iexplore.exe | Misc activity | ADWARE [PTsecurity] Redirecting.Zemot (RBN ZeroPark 0-Click) |
3352 | iexplore.exe | Misc activity | ADWARE [PTsecurity] Redirecting.Zemot (RBN ZeroPark 0-Click) |