URL: | https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqa3ZaNVlDXzVva2xxYncyeVpSaW5mNVEzUlNLd3xBQ3Jtc0ttTGZWbkF0cEd2b1VTcDBHY2hOSzFLSmhJMl81X2NScjFGWl9QVXlKR3NFaWk1NHdFaVZNV2dmN0RVejNLRXRsejM0WDJOZHJOVG4yRjdzY1NDdDJNOS13aU1seGF6elpMYWM4emdfMlVxVW5wYVJOZw&q=https%3A%2F%2Ftelegra.ph%2FVAPE-V4-LITE-CRACKED--DOWNLOAD-VAPE-V4-LITE-CRACKED-09-20&v=zqON_kTYE_0 |
Full analysis: | https://app.any.run/tasks/58292fe8-40b7-4c69-842b-e3f661ad2177 |
Verdict: | Malicious activity |
Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
Analysis date: | October 05, 2022, 03:19:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 9C9312299BE39F25C73D36024F2C087E |
SHA1: | ECC14D36BD6669F303744FE52E4607253076602F |
SHA256: | D172C4B9F5A70EEBACC6CD3E05A2BF570970DC77646550B5915019CBF2010A8E |
SSDEEP: | 6:2OLUxGKmKLqZ3I0XU+V2bQZfjYtXpv9/Vtiv+Bu935hW2zT2q3z0Or1Duj2uO6:2jGRfLxZfU3pTYR5924BZDS7O6 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2724 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqa3ZaNVlDXzVva2xxYncyeVpSaW5mNVEzUlNLd3xBQ3Jtc0ttTGZWbkF0cEd2b1VTcDBHY2hOSzFLSmhJMl81X2NScjFGWl9QVXlKR3NFaWk1NHdFaVZNV2dmN0RVejNLRXRsejM0WDJOZHJOVG4yRjdzY1NDdDJNOS13aU1seGF6elpMYWM4emdfMlVxVW5wYVJOZw&q=https%3A%2F%2Ftelegra.ph%2FVAPE-V4-LITE-CRACKED--DOWNLOAD-VAPE-V4-LITE-CRACKED-09-20&v=zqON_kTYE_0" | C:\Program Files\Internet Explorer\iexplore.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
1064 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2724 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2844 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2724 CREDAT:4003093 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2756 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
1188 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 83.0 Modules
| |||||||||||||||
1176 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1188.0.1832057186\379663438" -parentBuildID 20201112153044 -prefsHandle 1116 -prefMapHandle 1104 -prefsLen 1 -prefMapSize 238726 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1188 "\\.\pipe\gecko-crash-server-pipe.1188" 1184 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 83.0 Modules
| |||||||||||||||
1404 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1188.6.485286333\2130780721" -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 3008 -prefsLen 181 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1188 "\\.\pipe\gecko-crash-server-pipe.1188" 3024 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 Modules
| |||||||||||||||
468 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1188.13.449908484\327330269" -childID 2 -isForBrowser -prefsHandle 1916 -prefMapHandle 1932 -prefsLen 6644 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1188 "\\.\pipe\gecko-crash-server-pipe.1188" 1852 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 Modules
| |||||||||||||||
628 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1188.20.1582419806\459684951" -childID 3 -isForBrowser -prefsHandle 1784 -prefMapHandle 1776 -prefsLen 7470 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1188 "\\.\pipe\gecko-crash-server-pipe.1188" 3212 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 Modules
| |||||||||||||||
2704 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1188.21.997408788\159034479" -childID 4 -isForBrowser -prefsHandle 3636 -prefMapHandle 3632 -prefsLen 7470 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1188 "\\.\pipe\gecko-crash-server-pipe.1188" 3668 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 83.0 Modules
|
(PID) Process: | (2724) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPDaysSinceLastAutoMigration |
Value: 1 | |||
(PID) Process: | (2724) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchLowDateTime |
Value: | |||
(PID) Process: | (2724) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchHighDateTime |
Value: 30988393 | |||
(PID) Process: | (2724) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateLowDateTime |
Value: | |||
(PID) Process: | (2724) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 30988393 | |||
(PID) Process: | (2724) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (2724) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (2724) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (2724) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
(PID) Process: | (2724) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2724 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | der | |
MD5:B8BDA0B382A7D056A4241B388338B778 | SHA256:7BAA967F6686CCE471826B20FFA5CB7FEB4BF3C5C0BF43F51F08E84EB5850DD2 | |||
1064 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | der | |
MD5:F7983D8FD8DDD6DF665E3E5EB736D1C4 | SHA256:173C1E435668AB7C8E2D30A020D2E63D66979911CDF19E0D50F68E697D2CAFC6 | |||
1064 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\redirect[1].htm | html | |
MD5:87C0C13CB1AE8D2C6786CD9E8077023A | SHA256:E94A44830D4FC1D7284679F05BBCB7190251D142DCF8084DA11F05EFB78A24C5 | |||
1064 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_14F2E352CCFE495001982FFDAAC3BE84 | binary | |
MD5:AB8BC88174DBDECB1A72349E1B2C7B9C | SHA256:6AEF182B886DAC5C2285D3B35F37E8E58CB3DAA0B399BCC2F6085BEF7C4A974F | |||
1064 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | binary | |
MD5:227AB206C300E2D2C1FA950CE897DA29 | SHA256:C6A1FFAA2C3C13373B9ACBC09CFBDFDC4128CAEB98D709675E34A9C8AE117C44 | |||
1064 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | binary | |
MD5:A0100A83CA79C7B0C665EFA77ADB814B | SHA256:5F85E0D8228AA4CB0FF4D5B3831A605F8E4361F186469C87403D08CBEE287D7E | |||
2724 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:4BE2B174C8E8D92927419FE834806773 | SHA256:251A39446D324379F3D33BE8B0BEDBC1F7B3975539C1F5BA286724EB0F3E0D3D | |||
1064 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | der | |
MD5:5A11C6099B9E5808DFB08C5C9570C92F | SHA256:91291A5EDC4E10A225D3C23265D236ECC74473D9893BE5BD07E202D95B3FB172 | |||
1064 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D | binary | |
MD5:23360AFF76A3C313779FEEE5E3D91128 | SHA256:36FBA27A9E7B632B3C1794C23A5AFFD92B30478A85A2AB080DEA1F8EA2E7CE56 | |||
1064 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_1ACD2B4A039DF3260017F7BF28EE7323 | der | |
MD5:F936B953FDF91692463E6745F5151375 | SHA256:21C4C1A25E3F41EA5D0262216D19CB081023A79500EAE7DAB8B8C1F5022AD18E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2724 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted |
1064 | iexplore.exe | GET | 200 | 192.124.249.41:80 | http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D | US | der | 1.66 Kb | whitelisted |
1064 | iexplore.exe | GET | 200 | 172.217.17.131:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCECY%2B0YL3%2ByMOCtPdrqPffYg%3D | US | der | 471 b | whitelisted |
1064 | iexplore.exe | GET | 200 | 172.217.17.131:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted |
2844 | iexplore.exe | GET | 200 | 104.18.32.68:80 | http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEQDqXkroZv5KiI1sJCfGNIam | US | der | 472 b | whitelisted |
2844 | iexplore.exe | GET | 200 | 104.18.32.68:80 | http://crl.comodoca.com/AAACertificateServices.crl | US | der | 506 b | whitelisted |
1064 | iexplore.exe | GET | 200 | 172.217.17.131:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted |
2724 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
1064 | iexplore.exe | GET | 200 | 192.124.249.41:80 | http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | US | der | 1.69 Kb | whitelisted |
1064 | iexplore.exe | GET | 200 | 192.124.249.41:80 | http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQC2T6rhHiP0ng%3D%3D | US | der | 1.74 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2724 | iexplore.exe | 13.107.21.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
1064 | iexplore.exe | 149.154.164.13:443 | telegra.ph | Telegram Messenger Inc | GB | suspicious |
— | — | 13.107.21.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
1064 | iexplore.exe | 142.250.187.110:443 | www.youtube.com | GOOGLE | US | whitelisted |
2724 | iexplore.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted |
2724 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
1064 | iexplore.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted |
1064 | iexplore.exe | 172.217.17.131:80 | ocsp.pki.goog | GOOGLE | US | whitelisted |
1064 | iexplore.exe | 172.217.169.195:443 | www.gstatic.com | GOOGLE | US | whitelisted |
1064 | iexplore.exe | 192.124.249.41:80 | ocsp.godaddy.com | SUCURI-SEC | US | suspicious |
Domain | IP | Reputation |
---|---|---|
www.youtube.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
www.gstatic.com |
| whitelisted |
telegra.ph |
| malicious |
ocsp.godaddy.com |
| whitelisted |
t.me |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
1188 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
1188 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
1188 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
1188 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |