File name:

phishing10-fb67a41d189011b3bf102cc963f5867c.eml

Full analysis: https://app.any.run/tasks/b708d528-0311-4893-8d6b-7330600ddfd7
Verdict: Malicious activity
Analysis date: April 01, 2023, 16:01:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/html
File info: HTML document, ASCII text, with CRLF line terminators
MD5:

FB67A41D189011B3BF102CC963F5867C

SHA1:

CB33CB2820114CB4BB58B3884C32D73C8076573A

SHA256:

D1FFA4754A125B451213389176B5740B76F87D6479E0B32735B33F5E5FCA72B9

SSDEEP:

49152:6NJ68Yc0cCq1MfHPf8Twpujps/SnW+Qjt41k/+34Rf9MzXSNER70nYdhP7LKN4YQ:U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from MS Office

      • OUTLOOK.EXE (PID: 1900)

  • SUSPICIOUS

    • Searches for installed software

      • OUTLOOK.EXE (PID: 1900)

    • Reads the Internet Settings

      • OUTLOOK.EXE (PID: 1900)

  • INFO

    • Checks supported languages

      • OUTLOOK.EXE (PID: 1900)

    • Reads the computer name

      • OUTLOOK.EXE (PID: 1900)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 1900)

    • The process checks LSA protection

      • OUTLOOK.EXE (PID: 1900)

    • Reads the machine GUID from the registry

      • OUTLOOK.EXE (PID: 1900)

    • Create files in a temporary directory

      • OUTLOOK.EXE (PID: 1900)

    • Process checks computer location settings

      • OUTLOOK.EXE (PID: 1900)

    • Checks proxy server information

      • OUTLOOK.EXE (PID: 1900)

    • The process uses the downloaded file

      • OUTLOOK.EXE (PID: 1900)
      • WinRAR.exe (PID: 964)

    • Creates files or folders in the user directory

      • OUTLOOK.EXE (PID: 1900)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 964)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe winrar.exe

Process information

PID
CMD
Path
Indicators
Parent process
964"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\NYOFYAJN\restricted.zip"C:\Program Files\WinRAR\WinRAR.exe
OUTLOOK.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
1900"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\phishing10-fb67a41d189011b3bf102cc963f5867c.eml"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
14.0.6025.1000
Modules
Images
c:\program files\microsoft office\office14\outlook.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
11 582
Read events
10 778
Write events
764
Delete events
40

Modification events

(PID) Process:(1900) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(1900) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
On
(PID) Process:(1900) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
On
(PID) Process:(1900) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
On
(PID) Process:(1900) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
On
(PID) Process:(1900) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
On
(PID) Process:(1900) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
On
(PID) Process:(1900) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
On
(PID) Process:(1900) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
On
(PID) Process:(1900) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1055
Value:
On
Executable files
2
Suspicious files
34
Text files
28
Unknown types
10

Dropped files

PID
Process
Filename
Type
1900OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRF770.tmp.cvr
MD5:
SHA256:
1900OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
1900OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:
SHA256:
1900OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:
SHA256:
1900OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A5A79636.datimage
MD5:CE964D0E7FFCB4B24C18E471965C0182
SHA256:6793690773C33BD4ED17B295467C657613EE49DE26367655CEB212C10EA015FA
1900OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{FEAF5D0E-E912-49F4-97FD-F668EDF42960}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.pngimage
MD5:4C61C12EDBC453D7AE184976E95258E1
SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F
1900OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_BDAE33005EC45D4FB5258D02D19877DB.datxml
MD5:EEAA832C12F20DE6AAAA9C7B77626E72
SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16
1900OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\tmpFD8C.tmpbinary
MD5:FD57324D5FF360FA98279D38DE4A2A0F
SHA256:37FCD7F41281B24A96B4E81F21DF310A956F0A381F38488098AF16C2830244DE
1900OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\NYOFYAJN\restricted (2).zip:Zone.Identifier:$DATAtext
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
1900OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Outlook\NoMail.srssrs
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1900
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1900
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
phishing10-fb67a41d189011b3bf102cc963f5867c.eml