Field | Value |
---|---|
URL | http://transmail.ftrans01.com/YSVCJT?id=87797=choFBQEEAwgORVUFUggADAcFXgMBUwYDUVAJVlQDCQMIVFcEAQUFAAkLU18BAQFcAwNEFkMCXgcEQBZXVB1VXFYmUlhYWlgfWlYJGgYHAwEECgtRBlcGV1MLDgQCT1hGRRYPGhZHRlBXSgkHXl0ZXkFAWQtFVgdMAl1VHWhgZnF7MgpcXU9CAg==&fl=WRJBRUoJGx5OUB4UWFJcXUFfWQxaSFgHFR1K&ext=ZT1LMjRGZkI5aUJtWjZFUUIlMkJEU1pqZXdNRkFnWmdhMlExS1NRbE5VeE9BQVJtYjJGNVlHdGtOM0p3UWxFa0tUc2tPUVV4SkYxYldGRVhHaTU2S3o4a0xseEVUWG80TGpzdFBqa3pQMXRmWHhRVU5qc29QRDgyTjBrU1JrNGxNUTBpTTNob2FRTUdCUTFtYkdONGJta05lUUlDQXdSamFtUnBlM2dsTVVCYmJrUSUyQkxEMCUyRmRXQndQRWhDV21zelB6UXFJalltYVU4JTNEJnI9aHR0cHMlM0ElMkYlMkZ1cHN0b3guY29tJTJGbWFya2V0LXRhbGslMkZndHQtb3JkZXJzLW5vdy1vbi11cHN0b3glMkYmYz03MTYxMjk3NjAmdG9rZW49RDFWWEFRWlZBUUElM0QmdHJ5PTEmJGZvbGxvd19yZWRpcmVjdD10cnVl |
Full analysis | https://app.any.run/tasks/cad0a515-6269-4afe-a610-1ae2f38593c7 |
Verdict | Malicious activity |
Analysis date | May 21, 2022, 02:21:40 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
MD5 | 051BA9944CFF3C9EB7C195EBCF7CBF21 |
SHA1 | 4F5E0704DDE018915F32CD9C1B9C3A38E5885F48 |
SHA256 | 69A0BBBE57BABB8244B11CE8BBF875811A4538512D8A93FC8F442660186829DD |
SSDEEP | 12:/z2raD8cf51T6JB7sMVIM9qp7+zhXBcLN0nuQ8FCNBtR4Ldu20e1TWGp:b2rr+5h+B7sMVtcpyzhXqLNcF8EDswDa |
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Version |
---|---|---|---|---|---|---|---|---|---|
2604 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://transmail.ftrans01.com/YSVCJT?id=87797=choFBQEEAwgORVUFUggADAcFXgMBUwYDUVAJVlQDCQMIVFcEAQUFAAkLU18BAQFcAwNEFkMCXgcEQBZXVB1VXFYmUlhYWlgfWlYJGgYHAwEECgtRBlcGV1MLDgQCT1hGRRYPGhZHRlBXSgkHXl0ZXkFAWQtFVgdMAl1VHWhgZnF7MgpcXU9CAg==&fl=WRJBRUoJGx5OUB4UWFJcXUFfWQxaSFgHFR1K&ext=ZT1LMjRGZkI5aUJtWjZFUUIlMkJEU1pqZXdNRkFnWmdhMlExS1NRbE5VeE9BQVJtYjJGNVlHdGtOM0p3UWxFa0tUc2tPUVV4SkYxYldGRVhHaTU2S3o4a0xseEVUWG80TGpzdFBqa3pQMXRmWHhRVU5qc29QRDgyTjBrU1JrNGxNUTBpTTNob2FRTUdCUTFtYkdONGJta05lUUlDQXdSamFtUnBlM2dsTVVCYmJrUSUyQkxEMCUyRmRXQndQRWhDV21zelB6UXFJalltYVU4JTNEJnI9aHR0cHMlM0ElMkYlMkZ1cHN0b3guY29tJTJGbWFya2V0LXRhbGslMkZndHQtb3JkZXJzLW5vdy1vbi11cHN0b3glMkYmYz03MTYxMjk3NjAmdG9rZW49RDFWWEFRWlZBUUElM0QmdHJ5PTEmJGZvbGxvd19yZWRpcmVjdD10cnVl" | C:\Program Files\Internet Explorer\iexplore.exe | | Explorer.EXE | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 11.00.9600.16428 (winblue_gdr.131013-1700) |
3368 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2604 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe | admin | Microsoft Corporation | LOW | Internet Explorer | 11.00.9600.16428 (winblue_gdr.131013-1700) |
PID | Process | Operation | Key | Name | Value |
---|---|---|---|---|---|
2604 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPDaysSinceLastAutoMigration | 1 |
2604 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPLastLaunchLowDateTime | |
2604 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPLastLaunchHighDateTime | 30960825 |
2604 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateLowDateTime | |
2604 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateHighDateTime | 30960825 |
2604 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | |
2604 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie: |
2604 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited: |
2604 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0 |
2604 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3368 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | binary | 3C75D5D7580112FFFF3CBB92CB9F3BD3 | E4A142DB180A439E6DFC7AEB00821FF96ECB7E3F631FB841D69DAF6313AA423E |
3368 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D6243C18F0F8F9AEC6638DD210F1984_AF992614E7EAA57565DD1B88B29DAA93 | der | 584A213E7F180C0C7BA484ABEED31E05 | B1C2FFF2FACE40AC1F258D35FA06A808A67E259848D3F4268C35A58E561B05D5 |
3368 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | der | 4A8C7F6C5AE2A37D5E6CCB1BBC0AF569 | 7AB918B977BBA5FDFEE3E8E570F1BE8680969932AD717C34A1A736348B7946A9 |
2604 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der | AC8FE9D561E9E7288AECF13F03AEA3D1 | CECD911136F3CCBE6F4869CBCBD9FD15B3FA91CD2FD49B9655FA3BCF8E932C05 |
3368 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FC5A820A001B41D68902E051F36A5282_51F25B91941AC5D4102805EE5305917D | der | 3143C8FEFC6CE7F7A29835BC632FB1CE | AD19E00866C6894D7FACAD94A272C501A0F3FCD3ECCB0F9FF62787E66A316A2B |
3368 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | binary | C8027C64D783AC678C58AFB59DC3A904 | 3E148F3A872AB886CEDD5812AA768AE1B0E88A24B4710A1178E943A9CDFAF5EB |
3368 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D6243C18F0F8F9AEC6638DD210F1984_AF992614E7EAA57565DD1B88B29DAA93 | binary | 1F0BEF6F4D637EA5D37E1D730408FF80 | F3F3BBD8578DF39CC2B5CCEA7F57DE0456D9073603E85328FA945DFB5F9C6F81 |
3368 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FC5A820A001B41D68902E051F36A5282_51F25B91941AC5D4102805EE5305917D | binary | 13E577454F09F9FABDF23EB34129068F | 1C8C50C75BD593EBDCE3224FCDBF6EB1DD2E0509554E3E1D1BF45C396EC41786 |
3368 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | der | EA14882BC25E3D89D7705A3E8B311D7E | F348DA10BEF4F6AAC2AF202A368C4032B53447643B6FBEB62030BA083FA96A62 |
3368 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | 3AF1D6F528A113400715131FA2BFEAC5 | CB7A256B3D2836BB9DA0F6690B8384D587397B0D24EC6F6D8D09DB8FA2333901 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3368 | iexplore.exe | GET | — | 142.250.186.99:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | — | — | whitelisted |
3368 | iexplore.exe | GET | 302 | 68.183.246.7:80 | http://transmail.ftrans01.com/YSVCJT?id=87797=choFBQEEAwgORVUFUggADAcFXgMBUwYDUVAJVlQDCQMIVFcEAQUFAAkLU18BAQFcAwNEFkMCXgcEQBZXVB1VXFYmUlhYWlgfWlYJGgYHAwEECgtRBlcGV1MLDgQCT1hGRRYPGhZHRlBXSgkHXl0ZXkFAWQtFVgdMAl1VHWhgZnF7MgpcXU9CAg==&fl=WRJBRUoJGx5OUB4UWFJcXUFfWQxaSFgHFR1K&ext=ZT1LMjRGZkI5aUJtWjZFUUIlMkJEU1pqZXdNRkFnWmdhMlExS1NRbE5VeE9BQVJtYjJGNVlHdGtOM0p3UWxFa0tUc2tPUVV4SkYxYldGRVhHaTU2S3o4a0xseEVUWG80TGpzdFBqa3pQMXRmWHhRVU5qc29QRDgyTjBrU1JrNGxNUTBpTTNob2FRTUdCUTFtYkdONGJta05lUUlDQXdSamFtUnBlM2dsTVVCYmJrUSUyQkxEMCUyRmRXQndQRWhDV21zelB6UXFJalltYVU4JTNEJnI9aHR0cHMlM0ElMkYlMkZ1cHN0b3guY29tJTJGbWFya2V0LXRhbGslMkZndHQtb3JkZXJzLW5vdy1vbi11cHN0b3glMkYmYz03MTYxMjk3NjAmdG9rZW49RDFWWEFRWlZBUUElM0QmdHJ5PTEmJGZvbGxvd19yZWRpcmVjdD10cnVl | US | — | — | suspicious |
3368 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAwIlmU1uUKpc1Jl5Pl1QLw%3D | US | der | 471 b | whitelisted |
2604 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
3368 | iexplore.exe | GET | 200 | 65.9.58.194:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted |
3368 | iexplore.exe | GET | 200 | 142.250.186.99:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCdUrA%2FwvrytArhIvu6cF3d | US | der | 472 b | whitelisted |
3368 | iexplore.exe | GET | 200 | 192.124.249.36:80 | http://ocsp.starfieldtech.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT1ZqtwV0O1KcYi0gdzcFkHM%2BuArAQUJUWBaFAmOD07LSy%2BzWrZtj2zZmMCCAoLbQoKgi1X | US | der | 1.80 Kb | whitelisted |
3368 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTubeiRal9hlMRbT70r8I4mClph2gQUEsmImy%2FJRHp9EvHfQANCmJLHJNYCEAuCxpQgS5NTrTrvXenudNU%3D | US | der | 471 b | whitelisted |
3368 | iexplore.exe | GET | 200 | 192.124.249.36:80 | http://ocsp.starfieldtech.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCAzkUhA%3D%3D | US | der | 1.70 Kb | whitelisted |
3368 | iexplore.exe | GET | 200 | 18.66.9.27:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3368 | iexplore.exe | 68.183.246.7:80 | transmail.ftrans01.com | DSL Extreme | US | suspicious |
2604 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
2604 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3368 | iexplore.exe | 18.66.248.25:443 | wizrocketmail.net | Massachusetts Institute of Technology | US | suspicious |
3368 | iexplore.exe | 65.9.58.194:80 | o.ss2.us | AT&T Services, Inc. | US | suspicious |
3368 | iexplore.exe | 54.230.206.94:443 | upstox.com | Amazon.com, Inc. | US | unknown |
3368 | iexplore.exe | 18.66.242.45:80 | ocsp.rootca1.amazontrust.com | Massachusetts Institute of Technology | US | whitelisted |
3368 | iexplore.exe | 18.64.84.138:80 | ocsp.sca1b.amazontrust.com | Massachusetts Institute of Technology | US | whitelisted |
3368 | iexplore.exe | 18.66.9.27:80 | ocsp.rootg2.amazontrust.com | Massachusetts Institute of Technology | US | whitelisted |
3368 | iexplore.exe | 142.250.74.195:443 | www.gstatic.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
transmail.ftrans01.com | | suspicious |
wizrocketmail.net | | whitelisted |
api.bing.com | | whitelisted |
www.bing.com | | whitelisted |
ctldl.windowsupdate.com | | whitelisted |
o.ss2.us | | whitelisted |
ocsp.rootg2.amazontrust.com | | whitelisted |
ocsp.rootca1.amazontrust.com | | shared |
ocsp.digicert.com | | whitelisted |
ocsp.sca1b.amazontrust.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3368 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
3368 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
3368 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
3368 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |