URL:

outlook.office.com/owa/?isExtension=true&sharedHeader=1&client_flight=outlookedge&login_hint=jaramos@eem.pt&state=1&redirectTo=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

Full analysis: https://app.any.run/tasks/ab184006-4c81-4330-b776-de45ddadc182
Verdict: Malicious activity
Analysis date: April 29, 2024, 10:18:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
phishing
Indicators:
MD5: C4F86D3A8935428D9F1EE9BF1C08B7FD
SHA1: 87A7413835D5A8B7480EEBB3B76108D64F3D70A8
SHA256: 0D33EF2C5BB2695807B54FEEA7019EE7097809A408A4E55424183EC1D19FA294
SSDEEP: 12:ZzT+uC/lGiIovPyFH+ZKzoyn3nl6L9ZqS6dXny3FencdMwEtyCMfepQworrf8n:ZzTMGFoXGVVVEHeC3FecdMjyL2Vof8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • PHISHING has been detected (SURICATA)

      • iexplore.exe (PID: 4020)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Checks supported languages

      • wmpnscfg.exe (PID: 2024)
    • Reads the computer name

      • wmpnscfg.exe (PID: 2024)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 2024)
    • Application launched itself

      • iexplore.exe (PID: 3964)
No Malware configuration.
No data.
Total processes: 35
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start iexplore.exe #PHISHING iexplore.exe wmpnscfg.exe no specs

Process information

PID: 2024
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Indicators:
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3964
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "outlook.office.com/owa/?isExtension=true&sharedHeader=1&client_flight=outlookedge&login_hint=jaramos@eem.pt&state=1&redirectTo=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"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators:
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID: 4020
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3964 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators:
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events: 13 987
Read events: 13 853
Write events: 97
Delete events: 37

Modification events

(PID) Process: (3964) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 1

(PID) Process: (3964) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchLowDateTime
Value:

(PID) Process: (3964) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 31103518

(PID) Process: (3964) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateLowDateTime
Value:

(PID) Process: (3964) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 31103518

(PID) Process: (3964) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3964) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3964) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3964) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (3964) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files: 0
Suspicious files: 10
Text files: 35
Unknown types: 1

Dropped files

PID: 4020 | Process: iexplore.exe | Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5: B94E0EBCCC24C135EFFBC0CDB89CA425
SHA256: C62A93706A28DE71A0482786715388FB4311A24A5EA4943C7DE902B19E953010

PID: 4020 | Process: iexplore.exe | Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_1941775A515122A167E3FBACF08992E1
MD5: 3F0FED861E7FFA0188F4F48371E51833
SHA256: F47A8600F8F0B055D4D500215FB10000BD860AA1FF8CC58C59111D3FA1F314F5

PID: 4020 | Process: iexplore.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\convergedlogin_pcustomizationloader_7f0a8c2a247460fad87f[1].js
MD5: 5252837FFA272234E1CBF2D3D83EF32C
SHA256: DF2E852C347ECF82F70A0C8A4B91713FBB0914D58F2CBAB01316BFE646ABEE7C

PID: 4020 | Process: iexplore.exe | Type: der
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5: A1852EE38CD3084A003EDCDCF6E5AB26
SHA256: 85A5C9FFA349561E5F1E1C81E24F96A88A48110FBA4FE630FDAF415267E02561

PID: 4020 | Process: iexplore.exe | Type: html
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\authorize[1].htm
MD5: EA1A14052FF45141EFF1161ED9DE210B
SHA256: 71121CA6823FDD6198E8356088A801913A03231F852B162C7CFC46BECF8E3FC7

PID: 4020 | Process: iexplore.exe | Type: text
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\Y1955KNZ.txt
MD5: AF1629AD466F227CA7E1A7E569798C3F
SHA256: 216341FE2C0C72A980FD351D783F8295E79E0B7081F5A0D19C031EABF7AD9048

PID: 3964 | Process: iexplore.exe | Type: image
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon_a_eupayfgghqiai7k9sol6lg2[1].ico
MD5: 12E3DAC858061D088023B2BD48E2FA96
SHA256: 90CDAF487716184E4034000935C605D1633926D348116D198F355A98B8C6CD21

PID: 4020 | Process: iexplore.exe | Type: text
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\9BLGRAQF.txt
MD5: 2E8EDEEB62145049EE0C4E2D848B1F11
SHA256: 02648CAE3176FBC34641FB4530C25145901B1DC4E16D085A0FE041B421DE0D44

PID: 4020 | Process: iexplore.exe | Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_1941775A515122A167E3FBACF08992E1
MD5: BA0233DA7B2BEA2383D5C1C6205D42E6
SHA256: 68C0E63160DED3532654F0A518C3EA6581120F5E772CD452C0D96A7FD816130B

PID: 4020 | Process: iexplore.exe | Type: text
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\F28N89R0.txt
MD5: 702466DB6A9AAC95214CA964BD656B2A
SHA256: 823B50545EFF7DC3149EFB9E6433F49CA43FD0F447A65CFB2A7064ECE5D9E8AC
HTTP(S) requests: 7
TCP/UDP connections: 32
DNS requests: 17
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4020 | iexplore.exe | GET | 301 | 40.99.157.18:80 | http://outlook.office.com/owa/?isExtension=true&sharedHeader=1&client_flight=outlookedge&login_hint=jaramos@eem.pt&state=1&redirectTo=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 | unknown | | | unknown
4020 | iexplore.exe | GET | 304 | 87.248.205.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?99c9fdafe1a1de72 | unknown | | | unknown
4020 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEA8XGkjG8iOAkhjNLtbdwOg%3D | unknown | | | unknown
4020 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | | | unknown
3964 | iexplore.exe | GET | 304 | 87.248.205.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0d685e1cf011c38b | unknown | | | unknown
3964 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown | | | unknown
3964 | iexplore.exe | GET | 304 | 87.248.205.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?32a7a8361135dd15 | unknown | | | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
 | | 224.0.0.252:5355 | | | | unknown
1088 | svchost.exe | 224.0.0.252:5355 | | | | unknown
4020 | iexplore.exe | 40.99.157.18:80 | outlook.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | DE | unknown
4020 | iexplore.exe | 40.99.157.18:443 | outlook.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | DE | unknown
4020 | iexplore.exe | 87.248.205.0:80 | ctldl.windowsupdate.com | LLNW | US | unknown
4020 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4020 | iexplore.exe | 20.190.159.64:443 | login.microsoftonline.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4020 | iexplore.exe | 152.199.23.37:443 | aadcdn.msftauth.net | EDGECAST | US | unknown

DNS requests

Domain
IP
Reputation
outlook.office.com
  • 40.99.157.18
  • 52.98.253.82
  • 40.99.157.34
whitelisted
ctldl.windowsupdate.com
  • 87.248.205.0
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.microsoftonline.com
  • 20.190.159.64
  • 20.190.159.0
  • 40.126.31.67
  • 20.190.159.4
  • 20.190.159.68
  • 20.190.159.73
  • 20.190.159.75
  • 40.126.31.73
whitelisted
aadcdn.msftauth.net
  • 152.199.23.37
whitelisted
outlook.office365.com
  • 52.98.253.82
  • 40.99.157.34
  • 40.99.157.18
whitelisted
login.live.com
  • 20.190.159.23
  • 20.190.159.2
  • 20.190.159.73
  • 40.126.31.67
  • 40.126.31.69
  • 40.126.31.73
  • 20.190.159.0
  • 20.190.159.64
whitelisted
r4.res.office365.com
  • 96.16.54.99
  • 96.16.54.82
  • 96.16.54.83
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 2.18.29.170
  • 2.18.29.178
  • 2.18.29.169
  • 2.18.29.184
  • 2.18.29.171
  • 2.18.29.177
  • 2.18.29.176
  • 2.18.29.179
  • 2.18.29.185
whitelisted

Threats

PID | Process | Class | Message
4020 | iexplore.exe | Possible Social Engineering Attempted | PHISHING [ANY.RUN] A suspicious URI containing an email address
No debug info