URL: | http://vm1.confme.xyz |
Full analysis: | https://app.any.run/tasks/091e9563-fc1c-4a33-af24-72afb0be095a |
Verdict: | Malicious activity |
Analysis date: | March 31, 2020, 04:27:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | 201CDFD51A9CED694B6443366CA828D0 |
SHA1: | BBAE62AEC3E8F53C73D8F3CD59C781C9550A848D |
SHA256: | CE8226F54C2FDDD0081A8D78FCC7E6E9238266C8DBD84BB87D7D619F5BE8AC77 |
SSDEEP: | 3:N1KIl/dun:CI/u |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3344 | "C:\Program Files\Internet Explorer\iexplore.exe" http://vm1.confme.xyz | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
3608 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3344 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3608 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab7519.tmp | — | |
MD5:— | SHA256:— | |||
3608 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar751A.tmp | — | |
MD5:— | SHA256:— | |||
3608 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\BSTVR2RZ.txt | — | |
MD5:— | SHA256:— | |||
3608 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\W6Z0KQNJ.txt | — | |
MD5:— | SHA256:— | |||
3608 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\style[1].css | text | |
MD5:96F84D0985AF87B4D4F6AE8816F9C5C5 | SHA256:93A1109ADA0CD55DEDEAF7E9C4251A7F91AC3C3E1AB85E25E37B6CD4E47D504B | |||
3608 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\HWYJH8NS.htm | html | |
MD5:95A873751E8D10026B626E74239442E3 | SHA256:53CE1475D311A00EDF08021838A0072ED0DF0A0657B8DBF43EE3C4BD6BFCFCAD | |||
3608 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | der | |
MD5:E550DA03AEE5B546B436CD553D3233B9 | SHA256:9ABFD4E29B96CCA442502B1DE6071FE0293455DF22B4EFF19FA3E6DF060947E7 | |||
3608 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\ads[1].htm | html | |
MD5:2E9F3047D6C1EAEEF749E6156776F1A8 | SHA256:D7DE121522FD7A2020E355CF7C342F86C89BD4270DBF777C7DAB420A0728A5DC | |||
3608 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\mSJSMnuUlO5jqlM1Lv6DtxzymMcKcrTOGoxDcQTqP6o[1].js | text | |
MD5:DF23FA8F1F4F3ED85A1D2533787C99B1 | SHA256:992252327B9494EE63AA53352EFE83B71CF298C70A72B4CE1A8C437104EA3FAA | |||
3608 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\jsparkcaf[1].js | html | |
MD5:88C45A1C6EF82BB9F8A582DB0B7520D4 | SHA256:39052BFBBB413D047E36A5609BDB6545E5268AB3FFF791F245324C9B2AC8A9BD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3608 | iexplore.exe | GET | 200 | 198.54.117.197:80 | http://vm1.confme.xyz/ | US | html | 1.60 Kb | malicious |
3608 | iexplore.exe | GET | 200 | 185.53.179.29:80 | http://parkingcrew.net/jsparkcaf.php?regcn=243142&_v=2&_h=vm1.confme.xyz&_t=1585628882038 | DE | html | 4.20 Kb | whitelisted |
3608 | iexplore.exe | GET | 200 | 143.204.202.114:80 | http://i.cdnpark.com/themes/assets/style.css | US | text | 343 b | whitelisted |
3608 | iexplore.exe | POST | 201 | 185.53.178.30:80 | http://js.parkingcrew.net/ls.php | DE | — | — | whitelisted |
3608 | iexplore.exe | GET | 200 | 172.217.21.195:80 | http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEC4G%2Bv2mHN8jAgAAAABcZ3g%3D | US | der | 471 b | whitelisted |
3608 | iexplore.exe | GET | 200 | 216.58.208.36:80 | http://www.google.com/adsense/domains/caf.js | US | text | 56.0 Kb | whitelisted |
3608 | iexplore.exe | GET | 200 | 172.217.21.195:80 | http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEFOOHQjK5IlqCAAAAAAyCmA%3D | US | der | 471 b | whitelisted |
3608 | iexplore.exe | GET | 200 | 172.217.21.195:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
3608 | iexplore.exe | GET | 200 | 143.204.202.114:80 | http://i.cdnpark.com/themes/registrar/images/logo_namecheap.png | US | image | 4.80 Kb | whitelisted |
3608 | iexplore.exe | GET | 200 | 172.217.21.195:80 | http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEC4G%2Bv2mHN8jAgAAAABcZ3g%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3608 | iexplore.exe | 185.53.179.29:80 | parkingcrew.net | Team Internet AG | DE | malicious |
— | — | 198.54.117.197:80 | vm1.confme.xyz | Namecheap, Inc. | US | malicious |
3608 | iexplore.exe | 216.58.208.36:443 | www.google.com | Google Inc. | US | whitelisted |
3608 | iexplore.exe | 216.58.208.36:80 | www.google.com | Google Inc. | US | whitelisted |
3608 | iexplore.exe | 143.204.202.114:80 | i.cdnpark.com | — | US | suspicious |
3608 | iexplore.exe | 185.53.178.30:80 | js.parkingcrew.net | Team Internet AG | DE | suspicious |
3344 | iexplore.exe | 198.54.117.197:80 | vm1.confme.xyz | Namecheap, Inc. | US | malicious |
3344 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3608 | iexplore.exe | 172.217.21.195:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
3344 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
vm1.confme.xyz |
| malicious |
i.cdnpark.com |
| whitelisted |
parkingcrew.net |
| whitelisted |
www.google.com |
| whitelisted |
js.parkingcrew.net |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
afs.googleusercontent.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3608 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
3608 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
3608 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
3608 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
3608 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
3608 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
3608 | iexplore.exe | Misc activity | SUSPICIOUS [PTsecurity] Parkingcrew Monetize Tracker Checkin |
3608 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
3608 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
3608 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |