URL:

https://tfaforms.com

Full analysis: https://app.any.run/tasks/3ed3a72f-c09f-423c-bb30-ce50e8a213cc
Verdict: Malicious activity
Analysis date: December 05, 2022, 21:41:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

8DB692A938CB02BE8DBC0A44811FF689

SHA1:

3248C0AF1AF3DB52A597AB82862694CD235616DE

SHA256:

D582D6AB1F9B89A62F3CB368A5D33504E4DF54A08B3C430E57B6774FFF17B37E

SSDEEP:

3:N8LqK72:2w

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 404)
    • Application launched itself

      • iexplore.exe (PID: 856)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
35
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
856
"C:\Program Files\Internet Explorer\iexplore.exe" "https://tfaforms.com"
C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
404
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:856 CREDAT:267521 /prefetch:2
C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
16 156
Read events
16 028
Write events
128
Delete events
0

Modification events

(PID) Process: (856) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process: (856) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchLowDateTime
Value:
(PID) Process: (856) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value:
31000818
(PID) Process: (856) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateLowDateTime
Value:
(PID) Process: (856) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value:
31000818
(PID) Process: (856) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:
(PID) Process: (856) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:
(PID) Process: (856) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:
(PID) Process: (856) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value:
0
(PID) Process: (856) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value:
1
Executable files
0
Suspicious files
16
Text files
59
Unknown types
15

Dropped files

PID
Process
Filename
Type
404
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
binary
MD5: 048844669BAEB69BBDB8FA499BDF6AB4
SHA256: F2CF5F6E80CFE2ADCAEE56639CA122443DC0DE60B5987AF883A865917648125E
404
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\WP2Z7RZE.txt
text
MD5: 50EB4195F7397D68C2B17018C8B3D619
SHA256: 863C9FBED3FB8DC96D5B28944079C6F0CD2BCB8106C6D2E773D95C28088500E4
404
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D6243C18F0F8F9AEC6638DD210F1984_9F77718FCB1E6D882CD1845976A9E5F6
binary
MD5: 7DFAA14AF63FCA995F57BCABB9844771
SHA256: 9EE861292577CF0382791CE3446FA6AADF8ED1FBBDF50743494024BF9D4DD38C
404
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\J12XHBLC.txt
text
MD5: F8553118A54A8AC28BA4C610A93EA42B
SHA256: 1C7F89FCC033C3E11A769FE4769101AF77DED7E64A680010C978E3DE53279F6E
404
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\1CVIZKCB.txt
text
MD5: 6FDF94BD84EDB50CC645CDAA4D6D84E9
SHA256: DF0696BB991F58805F19A9E0AF8F6C3E9F0F899138A1F43F87B048F5266177AC
404
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\620BEF1064BD8E252C599957B3C91896
binary
MD5: FCA11086A5DF9508122888BEEF44EFC4
SHA256: 06ED68F42D06898929D61538D8B09E0C3FC4D493CBBCC8E382FD2ADD057E7017
404
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\0NFYD38B.htm
html
MD5: 2997FC327E521707ED9EEDBCC34F12CB
SHA256: 807B1DBF789233D53B000D16206ABE51F73A0BE4175FBFCB97FE32ECE1A6A95A
404
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\2M86RNLK.txt
text
MD5: E197BC11A2E18CC5742D4D38CD9A2ED1
SHA256: 4AB647BC55D365D37D4CA36EA651B013377A698FD5DBA15A2FA76E756C1553CB
404
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\620BEF1064BD8E252C599957B3C91896
der
MD5: 4F75DFFA6D9C79B1BC41345F214D361C
SHA256: 6CFD249D68E878BF3A0EE094519AEDF4BE02B3A8B36163B04D33DE281129AD22
404
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
compressed
MD5: F7DCB24540769805E5BB30D193944DCE
SHA256: 6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
52
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
404
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAo1CNVcKSsBffitZcAP9%2BQ%3D
US
der
471 b
whitelisted
404
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAKewfGO%2BI%2BbmshQbI1PuQ4%3D
US
der
471 b
whitelisted
856
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D
US
der
1.47 Kb
whitelisted
856
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
404
iexplore.exe
GET
200
13.225.84.175:80
http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D
US
der
1.51 Kb
whitelisted
404
iexplore.exe
GET
200
96.16.145.230:80
http://x1.c.lencr.org/
US
der
717 b
whitelisted
404
iexplore.exe
GET
200
67.27.235.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a2fb9fa03a6a4c4e
US
compressed
4.70 Kb
whitelisted
404
iexplore.exe
GET
200
13.225.84.142:80
http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEA98zCtBN8u%2FnYNUSFQe050%3D
US
der
471 b
whitelisted
404
iexplore.exe
GET
200
67.27.235.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f32bac92ac218ba0
US
compressed
61.4 Kb
whitelisted
404
iexplore.exe
GET
13.225.84.145:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D
US
shared

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
856
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
EDGECAST
GB
whitelisted
856
iexplore.exe
204.79.197.200:443
www.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
404
iexplore.exe
34.195.204.92:443
AMAZON-AES
US
unknown
404
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
EDGECAST
GB
whitelisted
13.225.84.58:80
crl.rootca1.amazontrust.com
AMAZON-02
US
whitelisted
856
iexplore.exe
67.27.235.126:80
ctldl.windowsupdate.com
LEVEL3
US
suspicious
404
iexplore.exe
141.193.213.21:443
www.formassembly.com
Cloudflare London, LLC
US
whitelisted
404
iexplore.exe
67.27.235.126:80
ctldl.windowsupdate.com
LEVEL3
US
suspicious
404
iexplore.exe
54.211.52.235:443
AMAZON-AES
US
unknown
404
iexplore.exe
13.225.84.175:80
ocsp.rootg2.amazontrust.com
AMAZON-02
US
whitelisted

DNS requests

Domain
IP
Reputation
ctldl.windowsupdate.com
  • 67.27.235.126
  • 8.248.139.254
  • 8.253.204.121
  • 8.248.143.254
  • 8.253.207.120
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
o.ss2.us
  • 13.225.84.42
  • 13.225.84.97
  • 13.225.84.68
  • 13.225.84.66
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ocsp.rootg2.amazontrust.com
  • 13.225.84.175
  • 13.225.84.145
  • 13.225.84.49
  • 13.225.84.13
whitelisted
ocsp.rootca1.amazontrust.com
  • 13.225.84.175
  • 13.225.84.145
  • 13.225.84.49
  • 13.225.84.13
shared
crl.rootca1.amazontrust.com
  • 13.225.84.58
  • 13.225.84.14
  • 13.225.84.120
  • 13.225.84.149
whitelisted
ocsp.sca1b.amazontrust.com
  • 13.225.84.142
  • 13.225.84.104
  • 13.225.84.107
  • 13.225.84.88
whitelisted
c.la2-c2-ia5.salesforceliveagent.com
  • 13.110.46.112
  • 13.110.65.112
  • 13.110.45.112
unknown

Threats

No threats detected
No debug info