URL:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=931a6f90-ea86-4e3f-bd96-6b0dde18c104&response_type=code&response_mode=query&scope=openid+profile+email+https%253A%252F%252Fgraph.microsoft.com%252FUser.Read&prompt=none&redirect_url=https%253A%252F%252Fteams.live.com%252Fv2%252Fmeet%252Fmeet-now%253Fsource%253Dgather%2526launchAgent%253Dgather%2526correlationId%253D1369b8fd-192f-4f01-8b48-fe1d8885e452

Full analysis: https://app.any.run/tasks/e210b212-a862-457f-874a-672f1c6da448
Verdict: Malicious activity
Analysis date: May 15, 2026, 16:00:25
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: phishing, oauth-ms-phish
MD5: 72F35BAF77465B7342841BB7AD303ADF
SHA1: 240954E0046CA27B7F91762C2D686FC9E378A17E
SHA256: B70A03C1AFDDFE08A77A7F6F54F23C2E6079BCB9389B04C68B4F74C0F9347024
SSDEEP: 6:2KPo+sywPy/3AEDXkC0v4VurV4ygqzLZJA0ZvMQBHvxqzvOKQkuCL4eKQX5p+2Av:2v+sLokTv4VuWpEZu0Ci5GOKN/EEQPjj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    No info indicators.
No Malware configuration.
No data.
Total processes: 161
Monitored processes: 0
Malicious processes: 0
Suspicious processes: 0

Process information

No data
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
HTTP(S) requests: 97
TCP/UDP connections: 79
DNS requests: 42
Threats: 2

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 4520 | RUXIMICS.exe | GET | 304 | 48.209.138.168:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/RUXIM?os=Windows&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3623&OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&FlightRing=Retail&AttrDataVer=188&App=RUXIM&AppVer=&DeviceFamily=Windows.Desktop | US | | | whitelisted |
| 5336 | MoUsoCoreWorker.exe | GET | 304 | 48.209.138.168:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3593&FlightIds=&UpdateOfferedDays=344&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%206%20Model%2014%20Stepping%203&sku=48&ActivationChannel=Retail&AttrDataVer=188&IsMDMEnrolled=0&ProcessorCores=4&ProcessorModel=Intel%28R%29%20Core%28TM%29%20i5-6400%20CPU%20%40%202.70GHz&TotalPhysicalRAM=4096&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260246&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | US | | | whitelisted |
| 7760 | svchost.exe | HEAD | 200 | 104.102.63.189:443 | https://fs.microsoft.com/fs/windows/config.json | US | | | whitelisted |
| 6048 | svchost.exe | GET | 200 | 23.216.77.30:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
| 4520 | RUXIMICS.exe | GET | 200 | 23.216.77.30:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
| 5336 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.30:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
| 7028 | msedge.exe | GET | 403 | 3.151.41.31:443 | https://2qilgdroyi6xckv6iocdxxxjpm0axyic.lambda-url.us-east-2.on.aws/favicon.ico | US | text | 16 b | unknown |
| 7028 | msedge.exe | GET | 200 | 92.123.104.67:443 | https://www.bing.com/bloomfilterfiles/ExpandedDomainsFilterGlobal.json | unknown | text | 666 Kb | whitelisted |
| 6048 | svchost.exe | GET | 200 | 48.209.138.168:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.3758&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4 | US | text | 3.41 Kb | whitelisted |
| 6048 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted |

Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4520 | RUXIMICS.exe | 48.209.138.168:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 5336 | MoUsoCoreWorker.exe | 48.209.138.168:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 6048 | svchost.exe | 48.209.138.168:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| | | 224.0.0.251:5353 | | | | whitelisted |
| 7028 | msedge.exe | 40.126.32.76:443 | login.microsoftonline.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 6048 | svchost.exe | 23.216.77.30:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
| 4520 | RUXIMICS.exe | 23.216.77.30:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
| 5336 | MoUsoCoreWorker.exe | 23.216.77.30:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
| 6048 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
| 7028 | msedge.exe | 18.117.46.189:443 | 2qilgdroyi6xckv6iocdxxxjpm0axyic.lambda-url.us-east-2.on.aws | AMAZON-02 | US | unknown |

DNS requests

| Domain | IP | Reputation |
|---|---|---|
| google.com | 142.251.14.138, 142.251.14.100, 142.251.14.101, 142.251.14.102, 142.251.14.139, 142.251.14.113 | whitelisted |
| login.microsoftonline.com | 40.126.32.76, 40.126.32.140, 20.190.160.131, 20.190.160.2, 20.190.160.3, 20.190.160.67, 20.190.160.14, 20.190.160.4 | whitelisted |
| crl.microsoft.com | 23.216.77.30, 23.216.77.25, 23.216.77.21 | whitelisted |
| www.microsoft.com | 88.221.169.152, 23.52.181.212 | whitelisted |
| 2qilgdroyi6xckv6iocdxxxjpm0axyic.lambda-url.us-east-2.on.aws | 18.117.46.189, 3.20.108.138, 18.217.200.249, 3.150.233.19, 3.19.20.254, 18.223.72.97 | unknown |
| www.bing.com | 88.221.197.113, 88.221.197.169, 88.221.197.177, 88.221.197.184, 88.221.197.144, 88.221.197.83, 95.101.23.75, 95.101.23.98, 95.101.23.43, 95.101.23.83, 95.101.23.88, 95.101.23.80, 95.101.23.99, 95.101.23.104, 95.101.23.82 | whitelisted |
| settings-win.data.microsoft.com | 20.73.194.208, 51.124.78.146, 48.209.138.189 | whitelisted |
| login.live.com | 40.126.32.76, 20.190.160.4, 20.190.160.3, 40.126.32.133, 20.190.160.128, 20.190.160.65, 40.126.32.138, 20.190.160.132, 20.190.160.22, 20.190.160.131, 20.190.160.14, 40.126.32.140, 40.126.32.136, 20.190.160.5, 20.190.160.130 | whitelisted |
| fs.microsoft.com | 104.102.63.189 | whitelisted |
| msedge.b.tlu.dl.delivery.mp.microsoft.com | 199.232.210.172, 199.232.214.172, 2.16.168.102, 2.16.168.108, 2.16.168.112 | whitelisted |

Threats

| PID | Process | Class | Message |
|---|---|---|---|
| | | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Microsoft OAuth redirect abuse related URL observed (error=login_required) |
| 6048 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |
No debug info