analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://transmail.ftrans01.com/YSVCJT?id=87797=choFBQEEAwgORVUFUggADAcFXgMBUwYDUVAJVlQDCQMIVFcEAQUFAAkLU18BAQFcAwNEFkMCXgcEQBZXVB1VXFYmUlhYWlgfWlYJGgYHAwEECgtRBlcGV1MLDgQCT1hGRRYPGhZHRlBXSgkHXl0ZXkFAWQtFVgdMAl1VHWhgZnF7MgpcXU9CAg==&fl=WRJBRUoJGx5OUB4UWFJcXUFfWQxaSFgHFR1K&ext=ZT1LMjRGZkI5aUJtWjZFUUIlMkJEU1pqZXdNRkFnWmdhMlExS1NRbE5VeE9BQVJtYjJGNVlHdGtOM0p3UWxFa0tUc2tPUVV4SkYxYldGRVhHaTU2S3o4a0xseEVUWG80TGpzdFBqa3pQMXRmWHhRVU5qc29QRDgyTjBrU1JrNGxNUTBpTTNob2FRTUdCUTFtYkdONGJta05lUUlDQXdSamFtUnBlM2dsTVVCYmJrUSUyQkxEMCUyRmRXQndQRWhDV21zelB6UXFJalltYVU4JTNEJnI9aHR0cHMlM0ElMkYlMkZ1cHN0b3guY29tJTJGbWFya2V0LXRhbGslMkZndHQtb3JkZXJzLW5vdy1vbi11cHN0b3glMkYmYz03MTYxMjk3NjAmdG9rZW49RDFWWEFRWlZBUUElM0QmdHJ5PTEmJGZvbGxvd19yZWRpcmVjdD10cnVl

Full analysis: https://app.any.run/tasks/cad0a515-6269-4afe-a610-1ae2f38593c7
Verdict: Malicious activity
Analysis date: May 21, 2022, 02:21:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

051BA9944CFF3C9EB7C195EBCF7CBF21

SHA1:

4F5E0704DDE018915F32CD9C1B9C3A38E5885F48

SHA256:

69A0BBBE57BABB8244B11CE8BBF875811A4538512D8A93FC8F442660186829DD

SSDEEP:

12:/z2raD8cf51T6JB7sMVIM9qp7+zhXBcLN0nuQ8FCNBtR4Ldu20e1TWGp:b2rr+5h+B7sMVtcpyzhXqLNcF8EDswDa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3368)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 2604)
      • iexplore.exe (PID: 3368)
    • Reads the computer name

      • iexplore.exe (PID: 3368)
      • iexplore.exe (PID: 2604)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3368)
      • iexplore.exe (PID: 2604)
    • Application launched itself

      • iexplore.exe (PID: 2604)
    • Changes internet zones settings

      • iexplore.exe (PID: 2604)
    • Creates files in the user directory

      • iexplore.exe (PID: 2604)
      • iexplore.exe (PID: 3368)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2604)
      • iexplore.exe (PID: 3368)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3368)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2604)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 2604)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2604)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2604"C:\Program Files\Internet Explorer\iexplore.exe" "http://transmail.ftrans01.com/YSVCJT?id=87797=choFBQEEAwgORVUFUggADAcFXgMBUwYDUVAJVlQDCQMIVFcEAQUFAAkLU18BAQFcAwNEFkMCXgcEQBZXVB1VXFYmUlhYWlgfWlYJGgYHAwEECgtRBlcGV1MLDgQCT1hGRRYPGhZHRlBXSgkHXl0ZXkFAWQtFVgdMAl1VHWhgZnF7MgpcXU9CAg==&fl=WRJBRUoJGx5OUB4UWFJcXUFfWQxaSFgHFR1K&ext=ZT1LMjRGZkI5aUJtWjZFUUIlMkJEU1pqZXdNRkFnWmdhMlExS1NRbE5VeE9BQVJtYjJGNVlHdGtOM0p3UWxFa0tUc2tPUVV4SkYxYldGRVhHaTU2S3o4a0xseEVUWG80TGpzdFBqa3pQMXRmWHhRVU5qc29QRDgyTjBrU1JrNGxNUTBpTTNob2FRTUdCUTFtYkdONGJta05lUUlDQXdSamFtUnBlM2dsTVVCYmJrUSUyQkxEMCUyRmRXQndQRWhDV21zelB6UXFJalltYVU4JTNEJnI9aHR0cHMlM0ElMkYlMkZ1cHN0b3guY29tJTJGbWFya2V0LXRhbGslMkZndHQtb3JkZXJzLW5vdy1vbi11cHN0b3glMkYmYz03MTYxMjk3NjAmdG9rZW49RDFWWEFRWlZBUUElM0QmdHJ5PTEmJGZvbGxvd19yZWRpcmVjdD10cnVl"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
3368"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2604 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events
24 070
Read events
23 549
Write events
519
Delete events
2

Modification events

(PID) Process:(2604) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(2604) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
(PID) Process:(2604) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30960825
(PID) Process:(2604) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(2604) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30960825
(PID) Process:(2604) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2604) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2604) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2604) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2604) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
0
Suspicious files
46
Text files
123
Unknown types
49

Dropped files

PID
Process
Filename
Type
3368iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62binary
MD5:3C75D5D7580112FFFF3CBB92CB9F3BD3
SHA256:E4A142DB180A439E6DFC7AEB00821FF96ECB7E3F631FB841D69DAF6313AA423E
3368iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D6243C18F0F8F9AEC6638DD210F1984_AF992614E7EAA57565DD1B88B29DAA93der
MD5:584A213E7F180C0C7BA484ABEED31E05
SHA256:B1C2FFF2FACE40AC1F258D35FA06A808A67E259848D3F4268C35A58E561B05D5
3368iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62der
MD5:4A8C7F6C5AE2A37D5E6CCB1BBC0AF569
SHA256:7AB918B977BBA5FDFEE3E8E570F1BE8680969932AD717C34A1A736348B7946A9
2604iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:AC8FE9D561E9E7288AECF13F03AEA3D1
SHA256:CECD911136F3CCBE6F4869CBCBD9FD15B3FA91CD2FD49B9655FA3BCF8E932C05
3368iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FC5A820A001B41D68902E051F36A5282_51F25B91941AC5D4102805EE5305917Dder
MD5:3143C8FEFC6CE7F7A29835BC632FB1CE
SHA256:AD19E00866C6894D7FACAD94A272C501A0F3FCD3ECCB0F9FF62787E66A316A2B
3368iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894binary
MD5:C8027C64D783AC678C58AFB59DC3A904
SHA256:3E148F3A872AB886CEDD5812AA768AE1B0E88A24B4710A1178E943A9CDFAF5EB
3368iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D6243C18F0F8F9AEC6638DD210F1984_AF992614E7EAA57565DD1B88B29DAA93binary
MD5:1F0BEF6F4D637EA5D37E1D730408FF80
SHA256:F3F3BBD8578DF39CC2B5CCEA7F57DE0456D9073603E85328FA945DFB5F9C6F81
3368iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FC5A820A001B41D68902E051F36A5282_51F25B91941AC5D4102805EE5305917Dbinary
MD5:13E577454F09F9FABDF23EB34129068F
SHA256:1C8C50C75BD593EBDCE3224FCDBF6EB1DD2E0509554E3E1D1BF45C396EC41786
3368iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894der
MD5:EA14882BC25E3D89D7705A3E8B311D7E
SHA256:F348DA10BEF4F6AAC2AF202A368C4032B53447643B6FBEB62030BA083FA96A62
3368iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:3AF1D6F528A113400715131FA2BFEAC5
SHA256:CB7A256B3D2836BB9DA0F6690B8384D587397B0D24EC6F6D8D09DB8FA2333901
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
42
TCP/UDP connections
176
DNS requests
63
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3368
iexplore.exe
GET
142.250.186.99:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
whitelisted
3368
iexplore.exe
GET
302
68.183.246.7:80
http://transmail.ftrans01.com/YSVCJT?id=87797=choFBQEEAwgORVUFUggADAcFXgMBUwYDUVAJVlQDCQMIVFcEAQUFAAkLU18BAQFcAwNEFkMCXgcEQBZXVB1VXFYmUlhYWlgfWlYJGgYHAwEECgtRBlcGV1MLDgQCT1hGRRYPGhZHRlBXSgkHXl0ZXkFAWQtFVgdMAl1VHWhgZnF7MgpcXU9CAg==&fl=WRJBRUoJGx5OUB4UWFJcXUFfWQxaSFgHFR1K&ext=ZT1LMjRGZkI5aUJtWjZFUUIlMkJEU1pqZXdNRkFnWmdhMlExS1NRbE5VeE9BQVJtYjJGNVlHdGtOM0p3UWxFa0tUc2tPUVV4SkYxYldGRVhHaTU2S3o4a0xseEVUWG80TGpzdFBqa3pQMXRmWHhRVU5qc29QRDgyTjBrU1JrNGxNUTBpTTNob2FRTUdCUTFtYkdONGJta05lUUlDQXdSamFtUnBlM2dsTVVCYmJrUSUyQkxEMCUyRmRXQndQRWhDV21zelB6UXFJalltYVU4JTNEJnI9aHR0cHMlM0ElMkYlMkZ1cHN0b3guY29tJTJGbWFya2V0LXRhbGslMkZndHQtb3JkZXJzLW5vdy1vbi11cHN0b3glMkYmYz03MTYxMjk3NjAmdG9rZW49RDFWWEFRWlZBUUElM0QmdHJ5PTEmJGZvbGxvd19yZWRpcmVjdD10cnVl
US
suspicious
3368
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAwIlmU1uUKpc1Jl5Pl1QLw%3D
US
der
471 b
whitelisted
2604
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
3368
iexplore.exe
GET
200
65.9.58.194:80
http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D
US
der
1.70 Kb
whitelisted
3368
iexplore.exe
GET
200
142.250.186.99:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCdUrA%2FwvrytArhIvu6cF3d
US
der
472 b
whitelisted
3368
iexplore.exe
GET
200
192.124.249.36:80
http://ocsp.starfieldtech.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT1ZqtwV0O1KcYi0gdzcFkHM%2BuArAQUJUWBaFAmOD07LSy%2BzWrZtj2zZmMCCAoLbQoKgi1X
US
der
1.80 Kb
whitelisted
3368
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTubeiRal9hlMRbT70r8I4mClph2gQUEsmImy%2FJRHp9EvHfQANCmJLHJNYCEAuCxpQgS5NTrTrvXenudNU%3D
US
der
471 b
whitelisted
3368
iexplore.exe
GET
200
192.124.249.36:80
http://ocsp.starfieldtech.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCAzkUhA%3D%3D
US
der
1.70 Kb
whitelisted
3368
iexplore.exe
GET
200
18.66.9.27:80
http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D
US
der
1.51 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3368
iexplore.exe
68.183.246.7:80
transmail.ftrans01.com
DSL Extreme
US
suspicious
2604
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2604
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3368
iexplore.exe
18.66.248.25:443
wizrocketmail.net
Massachusetts Institute of Technology
US
suspicious
3368
iexplore.exe
65.9.58.194:80
o.ss2.us
AT&T Services, Inc.
US
suspicious
3368
iexplore.exe
54.230.206.94:443
upstox.com
Amazon.com, Inc.
US
unknown
3368
iexplore.exe
18.66.242.45:80
ocsp.rootca1.amazontrust.com
Massachusetts Institute of Technology
US
whitelisted
3368
iexplore.exe
18.64.84.138:80
ocsp.sca1b.amazontrust.com
Massachusetts Institute of Technology
US
whitelisted
3368
iexplore.exe
18.66.9.27:80
ocsp.rootg2.amazontrust.com
Massachusetts Institute of Technology
US
whitelisted
3368
iexplore.exe
142.250.74.195:443
www.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
transmail.ftrans01.com
  • 68.183.246.7
suspicious
wizrocketmail.net
  • 18.66.248.25
  • 18.66.248.68
  • 18.66.248.46
  • 18.66.248.83
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ctldl.windowsupdate.com
  • 8.248.149.254
  • 8.248.147.254
  • 8.248.141.254
  • 8.253.95.121
  • 67.27.158.126
whitelisted
o.ss2.us
  • 65.9.58.194
  • 65.9.58.231
  • 65.9.58.56
  • 65.9.58.66
whitelisted
ocsp.rootg2.amazontrust.com
  • 18.66.9.27
  • 18.66.9.156
  • 18.66.9.48
  • 18.66.9.49
whitelisted
ocsp.rootca1.amazontrust.com
  • 18.66.242.45
  • 18.66.242.155
  • 18.66.242.62
  • 18.66.242.58
shared
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ocsp.sca1b.amazontrust.com
  • 18.64.84.138
  • 18.64.84.220
  • 18.64.84.33
  • 18.64.84.37
whitelisted

Threats

PID
Process
Class
Message
3368
iexplore.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
3368
iexplore.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
3368
iexplore.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
3368
iexplore.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
No debug info