| Field | Value |
|---|---|
| URL | https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbVdMR19ueUJaX0NVcjFmdFNZYWdiRnE0cXRUUXxBQ3Jtc0ttY2F1d1dvUnFFY0lVUFF4Zi1ZSjc0TUViU3YzRTBJaldZd09lSzdwa2szejFnNHZaYW9rQWJBbFVoNWhUNl9xbk1SLW8zVGNIOEpzMFpvZkJTWWRwM2c5V0EwUUl6b0g3Vi1hT0N6bmkyeWhGT29Fbw&q=https%3A%2F%2Fcutt.ly%2FLHSPgSp&v=5ym6xiyTbaQ |
| Full analysis | https://app.any.run/tasks/ca4e4061-a9aa-4a44-b99c-1942da8b4223 |
| Verdict | Malicious activity |
| Analysis date | May 20, 2022, 20:15:31 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | — |
| MD5 | 0EBEF50F4EB2CC92786D4A54AB36FC4C |
| SHA1 | 5A16C3BAE2DA4769E6AF972E89391BFA05BB5398 |
| SHA256 | 96C459C4784767BDCECC432FD852D9E08E07DB98204C94262170E325818330BA |
| SSDEEP | 6:2OLUxGKmKLqZ6kcNhGv3z/fBRgkECeE7zphf4lxN3zXdz2lBdn:2jGRfGNhGrDH/eCzpOr5Rz2Vn |
| PID | Parent | Command line | Image path | User | Integrity | Company | Description | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|
| 2220 | Explorer.EXE | `"C:\Program Files\Internet Explorer\iexplore.exe" "https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbVdMR19ueUJaX0NVcjFmdFNZYWdiRnE0cXRUUXxBQ3Jtc0ttY2F1d1dvUnFFY0lVUFF4Zi1ZSjc0TUViU3YzRTBJaldZd09lSzdwa2szejFnNHZaYW9rQWJBbFVoNWhUNl9xbk1SLW8zVGNIOEpzMFpvZkJTWWRwM2c5V0EwUUl6b0g3Vi1hT0N6bmkyeWhGT29Fbw&q=https%3A%2F%2Fcutt.ly%2FLHSPgSp&v=5ym6xiyTbaQ"` | C:\Program Files\Internet Explorer\iexplore.exe | admin | MEDIUM | Microsoft Corporation | Internet Explorer | 11.00.9600.16428 (winblue_gdr.131013-1700) | 1 |
| 3000 | iexplore.exe | `"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2220 CREDAT:267521 /prefetch:2` | C:\Program Files\Internet Explorer\iexplore.exe | admin | LOW | Microsoft Corporation | Internet Explorer | 11.00.9600.16428 (winblue_gdr.131013-1700) | 0 |
| 1176 | Explorer.EXE | `"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\Revit Repack.zip" "C:\Users\admin\Downloads\Revit Repack\"` | C:\Program Files\WinRAR\WinRAR.exe | admin | MEDIUM | Alexander Roshal | WinRAR archiver | 5.91.0 | 0 |
| 2932 | SearchIndexer.exe | `"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"` | C:\Windows\system32\SearchProtocolHost.exe | SYSTEM | SYSTEM | Microsoft Corporation | Microsoft Windows Search Protocol Host | 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) | 0 |
| 2040 | Explorer.EXE | `"C:\Users\admin\Downloads\Revit Repack\Revit Installer x64.exe"` | C:\Users\admin\Downloads\Revit Repack\Revit Installer x64.exe | admin | MEDIUM | Don HO [email protected] | Notepad++ : a free (GNU) source code editor | 8.4.0.0 | 0 |
| 1172 | — | `C:\Windows\Explorer.EXE` | C:\Windows\Explorer.EXE | admin | MEDIUM | Microsoft Corporation | Windows Explorer | 6.1.7600.16385 (win7_rtm.090713-1255) | — |
| 1800 | Revit Installer x64.exe | `"C:\Windows\System32\cmd.exe" /c timeout 11` | C:\Windows\System32\cmd.exe | admin | MEDIUM | Microsoft Corporation | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0 |
| 2308 | cmd.exe | `timeout 11` | C:\Windows\system32\timeout.exe | admin | MEDIUM | Microsoft Corporation | timeout - pauses command processing | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 1864 | Explorer.EXE | `"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Downloads\Revit Repack\data\psmachine.dll"` | C:\Program Files\Notepad++\notepad++.exe | admin | MEDIUM | Don HO [email protected] | Notepad++ : a free (GNU) source code editor | 7.91 | 0 |
| 584 | Revit Installer x64.exe | `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwADsAIABSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGEAZABtAGkAbgBcAEQAbwB3AG4AbABvAGEAZABzAFwAUgBlAHYAaQB0ACAAUgBlAHAAYQBjAGsAXABSAGUAdgBpAHQAIABJAG4AcwB0AGEAbABsAGUAcgAgAHgANgA0AC4AZQB4AGUAIgAgAC0ARgBvAHIAYwBlAA==` | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | admin | MEDIUM | Microsoft Corporation | Windows PowerShell | 10.0.14409.1005 (rs1_srvoob.161208-1155) | 0 |

The `-enc` argument of PID 584 is base64 over a UTF-16LE string and decodes to: `Start-Sleep -s 10; Remove-Item -Path "C:\Users\admin\Downloads\Revit Repack\Revit Installer x64.exe" -Force`. The script waits ten seconds and then deletes the image of the process that launched it (PID 2040), while the sibling `cmd.exe /c timeout 11` keeps the parent alive until the deletion has run. PID 2040 itself carries the version resource of Notepad++ 8.4.0.0 (company Don HO, description "Notepad++ : a free (GNU) source code editor") under the file name `Revit Installer x64.exe`, and since the sandbox runs 32-bit Windows 7 the image that executed is a 32-bit PE regardless of the "x64" in its name. The separate `notepad++.exe` (PID 1864, version 7.91, installed under Program Files) is the analyst opening `data\psmachine.dll` from the extracted archive in an editor, not sample activity.
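The process tree is the whole story of this task: a binary with Notepad++ version information under an installer file name, spawning `cmd.exe /c timeout 11` and an encoded PowerShell command that removes the parent's own image. The script below is an added example written for this page, not ANY.RUN code. It decodes `-EncodedCommand` arguments (base64 over UTF-16LE; powershell.exe accepts any unambiguous prefix such as `-e`, `-ec` or `-enc`) and applies three heuristics of my own choosing to process records transcribed from the table above: a non-Microsoft binary whose version-resource product name does not appear in its file name, an encoded PowerShell command line, and a decoded script that deletes the image of the process that spawned it. The rules are illustrative, not sandbox signatures; the record fields and the first-word product match are assumptions made for the example.

```python
"""Decode PowerShell -EncodedCommand arguments and flag the self-delete pattern.

Added example for this report, not ANY.RUN code. Process records are transcribed
from the report's process table; the three rules are heuristics chosen here.
"""
import base64
import re

# -enc argument of PID 584, copied from the report (split across lines only for width).
ENCODED_ARG = (
    "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwADsAIABSAGUAbQBvAHYAZQAtAEkA"
    "dABlAG0AIAAtAFAAYQB0AGgAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGEAZABtAGkAbgBcAEQA"
    "bwB3AG4AbABvAGEAZABzAFwAUgBlAHYAaQB0ACAAUgBlAHAAYQBjAGsAXABSAGUAdgBpAHQA"
    "IABJAG4AcwB0AGEAbABsAGUAcgAgAHgANgA0AC4AZQB4AGUAIgAgAC0ARgBvAHIAYwBlAA=="
)

# Transcribed from the process table: pid, parent image name, command line,
# image path, and the version-resource company / description.
PROCESSES = [
    dict(pid=2040, parent="Explorer.EXE",
         cmd=r'"C:\Users\admin\Downloads\Revit Repack\Revit Installer x64.exe"',
         path=r"C:\Users\admin\Downloads\Revit Repack\Revit Installer x64.exe",
         company="Don HO", description="Notepad++ : a free (GNU) source code editor"),
    dict(pid=1176, parent="Explorer.EXE",
         cmd=r'"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\Revit Repack.zip" "C:\Users\admin\Downloads\Revit Repack\"',
         path=r"C:\Program Files\WinRAR\WinRAR.exe",
         company="Alexander Roshal", description="WinRAR archiver"),
    dict(pid=1800, parent="Revit Installer x64.exe",
         cmd=r'"C:\Windows\System32\cmd.exe" /c timeout 11',
         path=r"C:\Windows\System32\cmd.exe",
         company="Microsoft Corporation", description="Windows Command Processor"),
    dict(pid=1864, parent="Explorer.EXE",
         cmd=r'"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Downloads\Revit Repack\data\psmachine.dll"',
         path=r"C:\Program Files\Notepad++\notepad++.exe",
         company="Don HO", description="Notepad++ : a free (GNU) source code editor"),
    dict(pid=584, parent="Revit Installer x64.exe",
         cmd=rf'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc {ENCODED_ARG}',
         path=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         company="Microsoft Corporation", description="Windows PowerShell"),
]

# A switch (-x or /x) followed by a base64-looking token. powershell.exe accepts any
# prefix of -EncodedCommand (-e, -ec, -enc, ...); -ex... is -ExecutionPolicy and
# fails the startswith check below.
FLAG_RE = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]{16,})")


def extract_encoded(cmd):
    """Return the base64 argument of -EncodedCommand (or any prefix of it), else None."""
    for m in FLAG_RE.finditer(cmd):
        if "encodedcommand".startswith(m.group(1).lower()):
            return m.group(2)
    return None


def decode_encoded_command(b64):
    """-EncodedCommand is base64 over UTF-16LE; tolerate stripped '=' padding."""
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


# Remove-Item and its aliases, with an optional -Path and a quoted or bare argument.
REMOVE_RE = re.compile(
    r"""\b(?:Remove-Item|ri|rm|rmdir|del|erase)\s+(?:-Path\s+)?(?:"([^"]+)"|'([^']+)'|(\S+))""",
    re.I,
)


def removed_path(script):
    """Path handed to Remove-Item (or an alias) in the decoded script, else None."""
    m = REMOVE_RE.search(script)
    return next((g for g in m.groups() if g), None) if m else None


def analyze(processes):
    """Return (pid, rule, detail) findings for the three heuristics."""
    by_image = {p["path"].rsplit("\\", 1)[-1].lower(): p for p in processes}
    findings = []
    for p in processes:
        image = p["path"].rsplit("\\", 1)[-1].lower()
        # Rule 1: non-Microsoft image whose FileDescription product (first word,
        # a heuristic) does not occur in the file name.
        product = p["description"].split()[0].lower()
        if "microsoft" not in p["company"].lower() and product not in image:
            findings.append((p["pid"], "version-info mismatch",
                             f"description says {product!r}, image is {image!r}"))
        # Rule 2: encoded PowerShell, decoded for the analyst.
        b64 = extract_encoded(p["cmd"])
        if b64 is None:
            continue
        script = decode_encoded_command(b64) or "<undecodable>"
        findings.append((p["pid"], "encoded powershell", script))
        # Rule 3: the decoded script removes the image of the process that spawned it.
        target = removed_path(script)
        parent = by_image.get(p["parent"].lower())
        if target and parent and target.lower() == parent["path"].lower():
            findings.append((p["pid"], "self-delete of parent", target))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in analyze(PROCESSES):
        print(f"PID {pid}: {rule}: {detail}")
```

Run stand-alone it prints the mismatch on PID 2040, the decoded script for PID 584 and the self-delete match; the legitimate `notepad++.exe` (PID 1864) and WinRAR pass rule 1 because their product names occur in their file names. Matching the parent by image name rather than PID is what the report's table allows; on real telemetry key `by_image` by parent PID instead, since an attacker can name a file `explorer.exe`.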
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3000 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_7172467AE25B54F1B9D87A9343356E9B | binary | 688A097774FE218D8CD4BD25C0E5E216 | A5B0BAA33B7CD4450D59DF58261E807C7C3F7969A5064DF9601C0C14E6E9D174 |
| 3000 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | binary | 2850A558A68CB60C92E211763563A714 | 15AAB85306DB4C65CC6BE786951370510BA0933332EA6365B0F8A54CB0B54F1B |
| 3000 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_C86B7000B5CEB7F9146D51D7AB048AFE | der | 5BFC31B17D56F5049BF8AB6E79BE9E21 | 286CEE0C52C2F03B952DCADD43B2240B3F95C1EAB7166094716F8577F7D3CDF6 |
| 3000 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | 5E3B9CDBFF5BE6A0ADD7764A99928C0B | 68FA5FB348ED8CEB3CF45DBEC423D7D446CA5D003B736190E5B41F6FF2D226CE |
| 2220 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der | AC8FE9D561E9E7288AECF13F03AEA3D1 | CECD911136F3CCBE6F4869CBCBD9FD15B3FA91CD2FD49B9655FA3BCF8E932C05 |
| 3000 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_7172467AE25B54F1B9D87A9343356E9B | der | F7A987233EC6C363F5225C5654BAD626 | 5DF2AF937E6007C6BFCEF4AC91AD9F85AF357C8EE0BDEBE97DABD121BEC16E42 |
| 3000 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | der | 5A11C6099B9E5808DFB08C5C9570C92F | 91291A5EDC4E10A225D3C23265D236ECC74473D9893BE5BD07E202D95B3FB172 |
| 3000 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\redirect[1].htm | html | D030D519353F567A26FD0073C5561473 | A132D26BBFC62D5B948BE861624B9F923EEBCF823DC3928E7C63AD06ED076228 |
| 3000 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_7BD24FBCF7F89F33B2FA5E0C8CE277C8 | der | D4170C25BD7B13DB11923E04D507F7AC | 5272DF79C5040C43605556C045F6CB17AD24B2502D479BC83D920D09F2E97CBF |
| 3000 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | binary | FE4769A14EAF4BF3D2B11D2B21172743 | F1D7C5FB30E572E88852CC734AE88DC0DED29038AAD8D859551774FBDA952168 |

All of the files above are written by Internet Explorer while it follows the YouTube redirect: CryptnetUrlCache entries are cached OCSP/CRL responses from the certificate checks listed in the HTTP table, and `redirect[1].htm` is the redirect page itself. No file is attributed to PID 2040 or PID 584.
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3000 | iexplore.exe | GET | — | 142.250.186.163:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDwQ9JNOs3IcArkp%2FBu7NbU | US | — | — | whitelisted |
3000 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAwIlmU1uUKpc1Jl5Pl1QLw%3D | US | der | 471 b | whitelisted |
3000 | iexplore.exe | GET | 200 | 172.64.155.188:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 471 b | whitelisted |
2220 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
3000 | iexplore.exe | GET | 200 | 142.250.186.163:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted |
3000 | iexplore.exe | GET | 200 | 142.250.186.163:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCdUrA%2FwvrytArhIvu6cF3d | US | der | 472 b | whitelisted |
3000 | iexplore.exe | GET | 200 | 18.161.94.159:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted |
3000 | iexplore.exe | GET | 200 | 142.250.186.163:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCHXS%2FWwGsOSRJbmAIB8NC3 | US | der | 472 b | whitelisted |
3000 | iexplore.exe | GET | 200 | 23.216.77.80:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fa4f8d92ff8ec5b9 | US | compressed | 4.70 Kb | whitelisted |
3000 | iexplore.exe | GET | 200 | 18.161.94.229:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2220 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
3000 | iexplore.exe | 142.250.181.227:443 | www.gstatic.com | Google Inc. | US | whitelisted |
3000 | iexplore.exe | 142.250.184.238:443 | www.youtube.com | Google Inc. | US | whitelisted |
3000 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2220 | iexplore.exe | 142.250.184.238:443 | www.youtube.com | Google Inc. | US | whitelisted |
3000 | iexplore.exe | 142.250.186.163:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
3000 | iexplore.exe | 23.216.77.80:80 | ctldl.windowsupdate.com | NTT DOCOMO, INC. | US | suspicious |
3000 | iexplore.exe | 23.216.77.69:80 | ctldl.windowsupdate.com | NTT DOCOMO, INC. | US | suspicious |
2220 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3000 | iexplore.exe | 104.22.1.232:443 | cutt.ly | Cloudflare Inc | US | suspicious |
| Domain | IP | Reputation |
|---|---|---|
| www.youtube.com | — | whitelisted |
| ctldl.windowsupdate.com | — | whitelisted |
| ocsp.pki.goog | — | whitelisted |
| www.gstatic.com | — | whitelisted |
| api.bing.com | — | whitelisted |
| www.bing.com | — | whitelisted |
| cutt.ly | — | whitelisted |
| ocsp.digicert.com | — | whitelisted |
| www.mediafire.com | — | shared |
| ocsp.comodoca.com | — | whitelisted |
| Process | Message |
|---|---|
| notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll |
| notepad++.exe | VerifyLibrary: certificate revocation checking is disabled |
| notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3 |
| notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe |
| notepad++.exe | VerifyLibrary: certificate revocation checking is disabled |
| notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3 |
| notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll |
| notepad++.exe | VerifyLibrary: certificate revocation checking is disabled |
| notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3 |
| notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe |

These debug messages come from the installed `notepad++.exe` (PID 1864) checking the signatures of its own components under Program Files; the report records no such output for PID 2040.