URL:

http://0.tcp.ap.ngrok.io

Full analysis: https://app.any.run/tasks/ffe54d8b-e9f4-4188-8942-e515ad7ff576
Verdict: Malicious activity
Analysis date: February 12, 2022, 09:31:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

0D3B1889A08FEFF3100BD851F2A71689

SHA1:

0C06BE60C2023BD6E1BD222DB837D2E2DB28CF67

SHA256:

4A90916868C9653215F03669C190595E90463E2A6180DFD94D679D7505E86BD8

SSDEEP:

3:N1KYIACH:CYDCH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3808)

  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 1068)
      • iexplore.exe (PID: 3808)

    • Checks supported languages

      • iexplore.exe (PID: 3808)
      • iexplore.exe (PID: 1068)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 1068)
      • iexplore.exe (PID: 3808)

    • Changes internet zones settings

      • iexplore.exe (PID: 1068)

    • Application launched itself

      • iexplore.exe (PID: 1068)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3808)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 1068)
      • iexplore.exe (PID: 3808)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
1068"C:\Program Files\Internet Explorer\iexplore.exe" "http://0.tcp.ap.ngrok.io"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3808"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1068 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
10
Text files
5
Unknown types
5

Dropped files

PID
Process
Filename
Type
1068iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:
SHA256:
3808iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:
SHA256:
1068iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:
SHA256:
1068iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:F7DCB24540769805E5BB30D193944DCE
SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
3808iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0419C7E0285D4A448EAC15050B516996der
MD5:
SHA256:
1068iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3808iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:ACAEDA60C79C6BCAC925EEB3653F45E0
SHA256:6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
3808iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab9AD4.tmpcompressed
MD5:ACAEDA60C79C6BCAC925EEB3653F45E0
SHA256:6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
3808iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0419C7E0285D4A448EAC15050B516996binary
MD5:
SHA256:
1068iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[1].icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
21
DNS requests
12
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1068
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
1068
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
3808
iexplore.exe
GET
307
13.229.3.203:80
http://0.tcp.ap.ngrok.io/
SG
html
62 b
malicious
1068
iexplore.exe
GET
200
23.32.238.178:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f3373b11fbd7af2e
US
compressed
4.70 Kb
whitelisted
3808
iexplore.exe
GET
200
23.32.238.201:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?be841d5049b9cc8d
US
compressed
59.9 Kb
whitelisted
3808
iexplore.exe
GET
200
92.123.195.35:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgNLM3IJ3iuH%2BnefkGHhlTfXxA%3D%3D
unknown
der
503 b
shared
3808
iexplore.exe
GET
200
104.89.32.83:80
http://x1.c.lencr.org/
NL
der
717 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
104.89.32.83:80
x1.c.lencr.org
Akamai Technologies, Inc.
NL
suspicious
3808
iexplore.exe
92.123.195.35:80
r3.o.lencr.org
Akamai International B.V.
whitelisted
1068
iexplore.exe
152.199.19.161:443
r20swj13mr.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3808
iexplore.exe
13.229.3.203:80
0.tcp.ap.ngrok.io
Amazon.com, Inc.
SG
malicious
1068
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3808
iexplore.exe
13.229.3.203:443
0.tcp.ap.ngrok.io
Amazon.com, Inc.
SG
malicious
23.32.238.178:80
ctldl.windowsupdate.com
XO Communications
US
suspicious
3808
iexplore.exe
23.32.238.201:80
ctldl.windowsupdate.com
XO Communications
US
suspicious
1068
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
0.tcp.ap.ngrok.io
  • 13.229.3.203
malicious
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ctldl.windowsupdate.com
  • 23.32.238.178
  • 23.32.238.201
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
x1.c.lencr.org
  • 104.89.32.83
whitelisted
r3.o.lencr.org
  • 92.123.195.35
  • 92.123.195.107
shared
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY DNS Query to a *.ngrok domain (ngrok.io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://0.tcp.ap.ngrok.io