File name: | url.txt |
Full analysis: | https://app.any.run/tasks/0b193821-4242-4d5b-bb7d-c76e2d86c39a |
Verdict: | Malicious activity |
Analysis date: | April 25, 2019, 14:27:38 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with no line terminators |
MD5: | E21D00A36D61CD78C2BA6A27C99E615B |
SHA1: | 698547348F698C4C6B6B6BAB8FD960FD40BA86AE |
SHA256: | DAB4CF34DE8B032C951B3E7BB06EE78CA4D40A54760CF46E8761059A91721742 |
SSDEEP: | 3:N1Kf7h62gHBjPsK:CDhfgVsK |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2812 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\url.txt | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2052 | "C:\Program Files\Internet Explorer\iexplore.exe" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2596 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2052 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2052) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
(PID) Process: | (2052) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2052) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (2052) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones |
Operation: | write | Name: | SecuritySafe |
Value: 1 | |||
(PID) Process: | (2052) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (2052) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000006E000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
(PID) Process: | (2052) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active |
Operation: | write | Name: | {541995A1-6766-11E9-B3B3-5254004A04AF} |
Value: 0 | |||
(PID) Process: | (2052) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
Operation: | write | Name: | Type |
Value: 4 | |||
(PID) Process: | (2052) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
Operation: | write | Name: | Count |
Value: 1 | |||
(PID) Process: | (2052) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
Operation: | write | Name: | Time |
Value: E3070400040019000E001C000100D003 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2052 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2052 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2596 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\42P01DL0\fwdssp_com[1].txt | — | |
MD5:— | SHA256:— | |||
2596 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JV2GFHUW\fwdssp_com[1].txt | — | |
MD5:— | SHA256:— | |||
2596 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:2B7BB2D8027B95CC46CBFEDB77E74AB6 | SHA256:1F4CB3A577D3384F790C3347E601C2CDC0939B9C05C74BD904EB734C9759F9A6 | |||
2052 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\StructuredQuery.log | text | |
MD5:5DE761A84A175EDC06300321AFFB494E | SHA256:95AF46F1C7A892CDB63EBD9DF3BE139EB64BDA4B22D01AD81741FA87D165DE18 | |||
2596 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\42P01DL0\fwdssp_com[1].htm | html | |
MD5:94EBC4D97C9B1DEF8D293C0B2C740337 | SHA256:4ACBC0971029E30B1DA3D7658591DAD597F85EE8D6899BE679C65F8B794D4D9F | |||
2596 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1HK3S99R\min[1].js | text | |
MD5:5563332AD6AF63C9C94CEF15761BE544 | SHA256:4EFEC11A42893D4DF0249174CBE5AFAE24A5734F5DED35C5E84C56BF9F473EC2 | |||
2596 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JV2GFHUW\fwdssp_com[1].htm | html | |
MD5:A8886DE8C35E154352D93B8630EA063A | SHA256:1DB72F6A2C175782DC5520187D46B9612CC33D64F85DE2DA38AC67734548FD4C | |||
2596 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1LZ5OGI6\suspendedpage[1].htm | html | |
MD5:0357AA49EA850B11B99D09A2479C321B | SHA256:0FF0B7FCB090C65D0BDCB2AF4BBD2C30F33356B3CE9B117186FA20391EF840A3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2596 | iexplore.exe | GET | — | 192.232.218.170:80 | http://ayrislogic.com/cgi-sys/suspendedpage.cgi | US | — | — | unknown |
2596 | iexplore.exe | GET | 302 | 192.232.218.170:80 | http://ayrislogic.com/wp-admin/DOC/YTiIvWyI/ | US | html | 295 b | unknown |
2596 | iexplore.exe | GET | 302 | 192.232.218.170:80 | http://ayrislogic.com/wp-admin/DOC/YTiIvWyI/ | US | html | 295 b | unknown |
2596 | iexplore.exe | GET | 200 | 208.91.196.46:80 | http://fwdssp.com/?domain=ayrislogic.com&dn=ayrislogic.com&fp=Z5JhEkAvHywWOPc1TvfnSrt3uhXjokrCjMX9N5jnRMgd4QSE4X6M6pTERRZQKvGtKj7CtGX7nna5vR%2BK%2BtCDPSTdZkZgHB8iMG2B0xsoPuiUs06ZYTxvWo4Kok2yf%2Fg2dsiBXbawM9ULQwWxJ4j6%2BGk0hRq6z5H5OtYpQP7QHp4%3D&prvtof=%2FZYK1PVJekBwKkwnbqJxCoaHXbpOZgV2hSHmLpi8Ogvw20E%2BO4xRuPKhlITFsFY790oPqafhvJiPfXDJssaBXQ%3D%3D&poru=2bpCqmLiySqqTwLGaAlvKEAVyXsRNUkGGJn86vhBGduLUpF%2BMBTRwzRQKiRFRH1LW%2FifOPRA0GQPgHBgg0Q38YcbHutN7760kXBsqdlpNgs%3D& | VG | html | 6.72 Kb | whitelisted |
2596 | iexplore.exe | GET | 200 | 192.232.218.170:80 | http://ayrislogic.com/cgi-sys/suspendedpage.cgi | US | html | 322 b | unknown |
2596 | iexplore.exe | GET | 200 | 2.16.186.64:80 | http://i3.cdn-image.com/__media__/js/min.js?v2.2 | unknown | text | 2.97 Kb | whitelisted |
2596 | iexplore.exe | GET | 200 | 208.91.196.46:80 | http://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4 | VG | html | 1.72 Kb | whitelisted |
2596 | iexplore.exe | GET | 200 | 2.16.186.106:80 | http://i2.cdn-image.com/__media__/pics/12471/bodybg.png | unknown | image | 94.9 Kb | whitelisted |
2596 | iexplore.exe | GET | 302 | 208.91.196.4:80 | http://searchdiscovered.com/__media__/pics/657/error-bg.gif | VG | html | 243 b | malicious |
2596 | iexplore.exe | GET | 200 | 2.16.186.64:80 | http://i3.cdn-image.com/__media__/pics/12471/logo.png | unknown | image | 3.86 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2052 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2596 | iexplore.exe | 192.232.218.170:80 | ayrislogic.com | Unified Layer | US | unknown |
2596 | iexplore.exe | 208.91.196.4:80 | searchdiscovered.com | Confluence Networks Inc | VG | malicious |
2596 | iexplore.exe | 2.16.186.64:80 | i3.cdn-image.com | Akamai International B.V. | — | whitelisted |
2052 | iexplore.exe | 192.232.218.170:80 | ayrislogic.com | Unified Layer | US | unknown |
2596 | iexplore.exe | 2.16.186.106:80 | i3.cdn-image.com | Akamai International B.V. | — | whitelisted |
2596 | iexplore.exe | 208.91.196.46:80 | fwdssp.com | Confluence Networks Inc | VG | malicious |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
ayrislogic.com |
| unknown |
fwdssp.com |
| whitelisted |
i3.cdn-image.com |
| whitelisted |
i4.cdn-image.com |
| whitelisted |
searchdiscovered.com |
| malicious |
i2.cdn-image.com |
| whitelisted |
i1.cdn-image.com |
| whitelisted |
freeresultsguide.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2596 | iexplore.exe | Misc activity | ADWARE [PTsecurity] InstantAccess |