URL: | https://tfaforms.com |
Full analysis: | https://app.any.run/tasks/3ed3a72f-c09f-423c-bb30-ce50e8a213cc |
Verdict: | Malicious activity |
Analysis date: | December 05, 2022, 21:41:20 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | 8DB692A938CB02BE8DBC0A44811FF689 |
SHA1: | 3248C0AF1AF3DB52A597AB82862694CD235616DE |
SHA256: | D582D6AB1F9B89A62F3CB368A5D33504E4DF54A08B3C430E57B6774FFF17B37E |
SSDEEP: | 3:N8LqK72:2w |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
856 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://tfaforms.com" | C:\Program Files\Internet Explorer\iexplore.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
404 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:856 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
|
(PID) Process: | (856) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPDaysSinceLastAutoMigration |
Value: 1 | |||
(PID) Process: | (856) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchLowDateTime |
Value: | |||
(PID) Process: | (856) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchHighDateTime |
Value: 31000818 | |||
(PID) Process: | (856) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateLowDateTime |
Value: | |||
(PID) Process: | (856) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 31000818 | |||
(PID) Process: | (856) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (856) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (856) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (856) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
(PID) Process: | (856) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
856 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | binary | |
MD5:5648F6CE1EB88B1D4F7C56A7ED654B5E | SHA256:3C5E87B88A53DF78BCBD8FCAF72707C77E5CB3E1BE64FED8C43C93F0534C4BD7 | |||
404 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:048844669BAEB69BBDB8FA499BDF6AB4 | SHA256:F2CF5F6E80CFE2ADCAEE56639CA122443DC0DE60B5987AF883A865917648125E | |||
856 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | der | |
MD5:503AD061073A29CEE4CB12D552F6A5B3 | SHA256:D2A97423F8B71CA1DAAC39F8A037DCA022303C1ADFBD49995EFF3B36AFFF33F9 | |||
404 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\1CVIZKCB.txt | text | |
MD5:6FDF94BD84EDB50CC645CDAA4D6D84E9 | SHA256:DF0696BB991F58805F19A9E0AF8F6C3E9F0F899138A1F43F87B048F5266177AC | |||
404 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\2M86RNLK.txt | text | |
MD5:E197BC11A2E18CC5742D4D38CD9A2ED1 | SHA256:4AB647BC55D365D37D4CA36EA651B013377A698FD5DBA15A2FA76E756C1553CB | |||
404 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D6243C18F0F8F9AEC6638DD210F1984_9F77718FCB1E6D882CD1845976A9E5F6 | binary | |
MD5:7DFAA14AF63FCA995F57BCABB9844771 | SHA256:9EE861292577CF0382791CE3446FA6AADF8ED1FBBDF50743494024BF9D4DD38C | |||
404 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | der | |
MD5:EAA4DCE3EAE1609F49EBAE7323D80FEF | SHA256:DF398498CCD10951E5B64A54A0D10547E36A78D1CBCA6369EE8AABC83363AD83 | |||
404 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | binary | |
MD5:D63E8A487C67BE1246B8EE526EDC0DCD | SHA256:2D8D5D3E69B66EDA06312071C72D646AB9DB3FD7CB1897D49D65AB09323B820B | |||
404 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\0NFYD38B.htm | html | |
MD5:2997FC327E521707ED9EEDBCC34F12CB | SHA256:807B1DBF789233D53B000D16206ABE51F73A0BE4175FBFCB97FE32ECE1A6A95A | |||
404 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\J12XHBLC.txt | text | |
MD5:F8553118A54A8AC28BA4C610A93EA42B | SHA256:1C7F89FCC033C3E11A769FE4769101AF77DED7E64A680010C978E3DE53279F6E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
404 | iexplore.exe | GET | 200 | 13.225.84.42:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted |
856 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted |
404 | iexplore.exe | GET | 200 | 13.225.84.175:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted |
404 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAo1CNVcKSsBffitZcAP9%2BQ%3D | US | der | 471 b | whitelisted |
404 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAKewfGO%2BI%2BbmshQbI1PuQ4%3D | US | der | 471 b | whitelisted |
404 | iexplore.exe | GET | — | 184.24.77.54:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgP30lYTYr%2FPH8zTvOquw5%2FCzA%3D%3D | US | — | — | shared |
404 | iexplore.exe | GET | 200 | 67.27.235.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a2fb9fa03a6a4c4e | US | compressed | 4.70 Kb | whitelisted |
404 | iexplore.exe | GET | 200 | 13.225.84.142:80 | http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEA98zCtBN8u%2FnYNUSFQe050%3D | US | der | 471 b | whitelisted |
404 | iexplore.exe | GET | 200 | 96.16.145.230:80 | http://x1.c.lencr.org/ | US | der | 717 b | whitelisted |
404 | iexplore.exe | GET | 200 | 13.225.84.58:80 | http://crl.rootca1.amazontrust.com/rootca1.crl | US | der | 493 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
856 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
404 | iexplore.exe | 34.195.204.92:443 | — | AMAZON-AES | US | unknown |
— | — | 13.225.84.58:80 | crl.rootca1.amazontrust.com | AMAZON-02 | US | whitelisted |
404 | iexplore.exe | 13.225.84.42:80 | o.ss2.us | AMAZON-02 | US | unknown |
— | — | 13.225.84.142:80 | ocsp.sca1b.amazontrust.com | AMAZON-02 | US | whitelisted |
404 | iexplore.exe | 13.110.46.112:443 | c.la2-c2-ia5.salesforceliveagent.com | SALESFORCE | US | unknown |
404 | iexplore.exe | 13.225.84.175:80 | ocsp.rootg2.amazontrust.com | AMAZON-02 | US | whitelisted |
856 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
404 | iexplore.exe | 54.211.52.235:443 | — | AMAZON-AES | US | unknown |
404 | iexplore.exe | 67.27.235.126:80 | ctldl.windowsupdate.com | LEVEL3 | US | suspicious |
Domain | IP | Reputation |
---|---|---|
ctldl.windowsupdate.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
o.ss2.us |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
ocsp.rootg2.amazontrust.com |
| whitelisted |
ocsp.rootca1.amazontrust.com |
| shared |
crl.rootca1.amazontrust.com |
| whitelisted |
ocsp.sca1b.amazontrust.com |
| whitelisted |
c.la2-c2-ia5.salesforceliveagent.com |
| unknown |