URL: | http://wintercold.info |
Full analysis: | https://app.any.run/tasks/25e5fead-092e-4e6b-b54e-2d204b896753 |
Verdict: | Malicious activity |
Analysis date: | February 11, 2019, 08:52:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | E8345FCA4E38B0B9E9DF2BF5DC8BFCB6 |
SHA1: | F641F93CC190E1BC691C7661A94C8C59850170AA |
SHA256: | 9ACD31D5F593AE89B556F6E119BFF50414113F7CA7527C6D7C717F7FC9E086D5 |
SSDEEP: | 3:N1KJM6r:CC6r |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2996 | "C:\Program Files\Opera\opera.exe" http://wintercold.info | C:\Program Files\Opera\opera.exe | explorer.exe | ||||||||||||
User: admin Company: Opera Software Integrity Level: MEDIUM Description: Opera Internet Browser Version: 1748 Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
2996 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\oprEED8.tmp | — | |
MD5:— | SHA256:— | |||
2996 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\oprEED9.tmp | — | |
MD5:— | SHA256:— | |||
2996 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\oprEF29.tmp | — | |
MD5:— | SHA256:— | |||
2996 | opera.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\358MFZFREC7IO4JTASI2.temp | — | |
MD5:— | SHA256:— | |||
2996 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\oprFDDF.tmp | — | |
MD5:— | SHA256:— | |||
2996 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\oprD71.tmp | — | |
MD5:— | SHA256:— | |||
2996 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr4664.tmp | — | |
MD5:— | SHA256:— | |||
2996 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.bak | text | |
MD5:C6BB9F4ECB7995E1C8BF8D4B2B5E0369 | SHA256:AFF3CCAE88267386AECE32D6C93F89E91B9705B3852C4DBD057EACF2BF0C9292 | |||
2996 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr523C.tmp | — | |
MD5:— | SHA256:— | |||
2996 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat | binary | |
MD5:01F059CFEA78283A21CB6902C385C51D | SHA256:EA0355134C727FD20A6CEC14B89C93A62557EBDB7A78A5C1F165594CFBA47118 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2996 | opera.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAOXQPQlVpLtFek%2BmcpabOk%3D | US | der | 471 b | whitelisted |
2996 | opera.exe | GET | — | 198.54.117.211:80 | http://www.wintercold.info/favicon.ico | US | — | — | malicious |
2996 | opera.exe | GET | 302 | 162.255.119.170:80 | http://wintercold.info/ | US | html | 50 b | suspicious |
2996 | opera.exe | GET | 200 | 66.225.197.197:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 543 b | whitelisted |
2996 | opera.exe | GET | 200 | 198.54.117.211:80 | http://www.wintercold.info/ | US | html | 4.82 Kb | malicious |
2996 | opera.exe | GET | 200 | 172.217.18.100:80 | http://www.google.com/adsense/domains/caf.js | US | text | 52.6 Kb | whitelisted |
2996 | opera.exe | GET | 400 | 185.26.182.93:80 | http://sitecheck2.opera.com/?host=wintercold.info&hdn=XTDyhh/ssmaokQ1oX8sR%2Bw== | unknown | html | 166 b | whitelisted |
2996 | opera.exe | GET | 200 | 172.217.18.100:80 | http://www.google.com/dp/ads?max_radlink_len=40&r=m&client=dp-teaminternet09_3ph&channel=bucket044&hl=en&adtest=off&type=3&pcsa=false&optimize_terms=on&swp=as-drid-2744431292869648&uiopt=true&oe=UTF-8&ie=UTF-8&fexp=21404%2C17300002&format=r10%7Cs&num=0&output=afd_ads&domain_name=www.wintercold.info&v=3&adext=as1%2Csr1&bsl=8&u_his=1&u_tz=0&dt=1549875203215&u_w=1280&u_h=720&biw=1280&bih=591&psw=1280&psh=309&frm=0&uio=ff2sa16fa2sl1sr1-st22sa14lt33-&jsv=10510&rurl=http%3A%2F%2Fwww.wintercold.info%2F | US | html | 5.98 Kb | whitelisted |
2996 | opera.exe | GET | 200 | 13.32.223.230:80 | http://i.cdnpark.com/themes/registrar/style_namecheap.css | US | text | 1.73 Kb | whitelisted |
2996 | opera.exe | GET | 200 | 185.53.178.30:80 | http://js.parkingcrew.net/track.php?domain=wintercold.info&toggle=browserjs&uid=MTU0OTg3NTIwMi43NzY1OjEzNDRhYjNiNTUxNGIyNmRmNWJkMjlhZjkxMjJkOWU0NGNiMTg5MWYxMTFjNTUyMzE0YWFlYjhkN2VkNWVmOWI6NWM2MTM4MDJiZDk0MQ%3D%3D | DE | binary | 20 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2996 | opera.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2996 | opera.exe | 198.54.117.211:80 | www.wintercold.info | Namecheap, Inc. | US | malicious |
2996 | opera.exe | 82.145.215.40:443 | certs.opera.com | Opera Software AS | — | whitelisted |
2996 | opera.exe | 185.26.182.93:80 | sitecheck2.opera.com | Opera Software AS | — | whitelisted |
2996 | opera.exe | 162.255.119.170:80 | wintercold.info | Namecheap, Inc. | US | suspicious |
2996 | opera.exe | 13.32.223.230:80 | i.cdnpark.com | Amazon.com, Inc. | US | unknown |
2996 | opera.exe | 66.225.197.197:80 | crl4.digicert.com | CacheNetworks, Inc. | US | whitelisted |
2996 | opera.exe | 172.217.18.100:80 | www.google.com | Google Inc. | US | whitelisted |
2996 | opera.exe | 216.58.207.66:443 | adservice.google.com | Google Inc. | US | whitelisted |
2996 | opera.exe | 185.53.179.29:80 | parkingcrew.net | Team Internet AG | DE | malicious |
Domain | IP | Reputation |
---|---|---|
wintercold.info |
| suspicious |
sitecheck2.opera.com |
| whitelisted |
certs.opera.com |
| whitelisted |
crl4.digicert.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
www.wintercold.info |
| malicious |
parkingcrew.net |
| whitelisted |
i.cdnpark.com |
| whitelisted |
dns.msftncsi.com |
| shared |
www.google.com |
| whitelisted |