URL: | http://fwf.su |
Full analysis: | https://app.any.run/tasks/60f20571-31e3-408d-853c-72baf2906c69 |
Verdict: | Malicious activity |
Analysis date: | August 08, 2020, 07:59:18 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | 7AD9B58122B11FBE3F29A63ADE27DC7C |
SHA1: | FC954DEBC6C0A75FA4523C5BFA08C1A9A1857107 |
SHA256: | 8AA43756BA1295A0004EE65FE076A9158445EC7BBA94A5F54E30E9E33ABBCDB1 |
SSDEEP: | 3:N1KY+WQ:CY+WQ |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2664 | "C:\Program Files\Internet Explorer\iexplore.exe" http://fwf.su | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
924 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2664 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
3612 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | explorer.exe | |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 | ||||
2848 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6e89a9d0,0x6e89a9e0,0x6e89a9ec | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 | ||||
1452 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3604 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 | ||||
3736 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1020,17575309210115232400,18368900533140169120,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=1306261369832159019 --mojo-platform-channel-handle=1044 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Version: 75.0.3770.100 | ||||
744 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1020,17575309210115232400,18368900533140169120,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=11644921944773133878 --mojo-platform-channel-handle=1628 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | chrome.exe | |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 | ||||
848 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,17575309210115232400,18368900533140169120,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3474999687005122064 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2256 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 | ||||
280 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,17575309210115232400,18368900533140169120,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2128300387794261105 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2492 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 | ||||
2196 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,17575309210115232400,18368900533140169120,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=449669257233557827 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2484 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 |
PID | Process | Filename | Type | |
---|---|---|---|---|
924 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\CabD477.tmp | — | |
MD5:— | SHA256:— | |||
924 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\TarD478.tmp | — | |
MD5:— | SHA256:— | |||
924 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\style[1].css | text | |
MD5:2D5DE31090E3AA0B14EAC2A9F96AE273 | SHA256:1F12854C80AFD1C18ADE0A7C26F00CAC5CDB917CB6DDEE36BBA33F00DFC50814 | |||
924 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 | der | |
MD5:9E1EB3DDA03ED5B39D68CB26399E3C2E | SHA256:161399C3C4D0942A0AFE35D59B26D984D24C6E502253CDBDAECCDD9A0B53380E | |||
924 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EC857EA77AAC13CEFF12FA12A84DC3FB | der | |
MD5:D9C0BD15B828CC12C0A7983A826AD5F1 | SHA256:2769708934467FE9FA9AE0A06746F298A2DDBEF2DB307FFE47451B6FEEDA580C | |||
924 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\NO8W9RNS.txt | text | |
MD5:B500A5D414169FAEE533F6498DB2177C | SHA256:34D5B8C802578417A404B0C4C0EB5089AD13474362F6FD040D92A8768F5ABCFA | |||
924 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | der | |
MD5:1C400D233070530C717A810D7F9BC99E | SHA256:58B407B0DDF17FBF78FCB2E2DAD4FABAADA9BD88641F19941480951A200AE4E0 | |||
924 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\0LWMMVL3.htm | html | |
MD5:A7369EBC2A72D17689493EA927DFE932 | SHA256:F14A5702B80B837CAD1203A4611681DF5A0B97AACE3854E4485B12221F75B467 | |||
924 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 | binary | |
MD5:50C356C3287D61482A4946D613CEF31F | SHA256:F7360BD6F7DF65CAB10B702C68054BA36AED8F4A6B1E924487748FFA688B783D | |||
924 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EC857EA77AAC13CEFF12FA12A84DC3FB | binary | |
MD5:2D190EAD3C9A814AB3A727DD3EEECD04 | SHA256:CD72014631D02ED9B3707426CF19912EB13C2CDBCC290354228CBBB1DBE5B323 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
924 | iexplore.exe | GET | — | 84.252.146.184:80 | http://fwf.su/instagram_review.jpg | RU | — | — | suspicious |
924 | iexplore.exe | GET | — | 84.252.146.184:80 | http://fwf.su/instagram_review-2.jpg | RU | — | — | suspicious |
924 | iexplore.exe | GET | 302 | 5.101.152.189:80 | http://okolijoh.pisiboi.beget.tech/6gLsX4 | RU | — | — | malicious |
924 | iexplore.exe | GET | 200 | 84.252.146.184:80 | http://fwf.su/ | RU | html | 12.1 Kb | suspicious |
924 | iexplore.exe | GET | 200 | 2.16.107.80:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted |
924 | iexplore.exe | GET | 404 | 84.252.146.184:80 | http://fwf.su/rafaello.png | RU | html | 1.22 Kb | suspicious |
924 | iexplore.exe | GET | 404 | 84.252.146.184:80 | http://fwf.su/rosa-v-kolbe-bright-1.jpg | RU | html | 1.22 Kb | suspicious |
924 | iexplore.exe | GET | 404 | 84.252.146.184:80 | http://fwf.su/jquery.fancybox.min.css | RU | html | 1.22 Kb | suspicious |
924 | iexplore.exe | GET | 404 | 84.252.146.184:80 | http://fwf.su/application.min.js-1.js | RU | html | 1.22 Kb | suspicious |
924 | iexplore.exe | GET | 200 | 2.16.107.114:80 | http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgQFqOVv9SQRh8o48BtBPyckdQ%3D%3D | unknown | der | 527 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
924 | iexplore.exe | 84.252.146.184:80 | fwf.su | LLC masterhost | RU | suspicious |
924 | iexplore.exe | 5.101.152.189:80 | okolijoh.pisiboi.beget.tech | Beget Ltd | RU | malicious |
924 | iexplore.exe | 2.16.107.114:80 | ocsp.int-x3.letsencrypt.org | Akamai International B.V. | — | suspicious |
924 | iexplore.exe | 79.110.24.33:443 | naughty-avenues1.com | — | RO | unknown |
924 | iexplore.exe | 184.24.77.59:80 | isrg.trustid.ocsp.identrust.com | Time Warner Cable Internet LLC | US | suspicious |
924 | iexplore.exe | 216.58.207.74:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
924 | iexplore.exe | 2.16.107.80:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | — | suspicious |
924 | iexplore.exe | 216.58.207.35:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
924 | iexplore.exe | 216.58.206.3:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
744 | chrome.exe | 172.217.18.99:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
fwf.su |
| suspicious |
okolijoh.pisiboi.beget.tech |
| malicious |
naughty-avenues1.com |
| unknown |
isrg.trustid.ocsp.identrust.com |
| whitelisted |
ocsp.int-x3.letsencrypt.org |
| whitelisted |
fonts.googleapis.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
fonts.gstatic.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related |
924 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
924 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
924 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
924 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
924 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
924 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
924 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
924 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
924 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |