URL:

https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__www.yammer.com_prosegur.com_threads_1835493695578112-3Fallow-5Fapp-5Fredirect-3D1-26from-3Demail-26message-5Fid-3D1835493695578112-26trk-5Felmnt-3Dgoto-26trk-5Fevent-3Dde-5Fthrd-5Fclk-26trk-5Ffst-5Fthrd-5Fid-3D1835493695578112-26trk-5Fis-5Fstoryline-3Dfalse-26trk-5Fnetwork-3D69241-26trk-5Fnmbr-5Flks-3D1-26trk-5Fnmbr-5Frplys-3D1-26trk-5Fnmbr-5Fthrds-3D2-26trk-5Fnotif-5Fid-3Df5543d00065f2cd09ff1cecfc3aed87f0a3f6683b24db01d9c38754d16fd004a-26trk-5Foutlook-5Forigin-3Dglam-5Fstatic-26trk-5Fthrd-5Fclckd-5Fid-3D1835493695578112-26trk-5Fthrd-5Fpstn-3Dfst-26trk-5Fuser-3D883906027520%26d%3DDwMFaQ%26c%3DCVCjue1xFAdWlcQqpM6mY11X1YkBLRLie8BLA-Yhu3s%26r%3DZZzQSvC--3fnraIGaQqYZU7wNIgeQ1j8VMdjaWCDMK8%26m%3DkxRI5CsNTO_5MMR4y5L5ykr_fykDUWoErSLPEXuknDPqA8vshB3jDtObGGZmv4_M%26s%3DtEA71qtauAiF9kHHr7P0JfmrROOoUCMTVjCH2eEUw9I%26e%3D&data=05%7C01%7Cfabian-luis.sejas%40prosegur.com%7C7859b930c29f4134a3d308da6f3041a7%7C68485601fbbc47c6b1563e1a7e0a4434%7C0%7C0%7C637944550291679940%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=EKlRyvNSvS%2BOZ8eDeXFTWbTr%2BYSfni%2B0BkwWzN9y9vw%3D&reserved=0

Full analysis: https://app.any.run/tasks/4d17c812-6caf-42d8-b5f4-11f66c2e614c
Verdict: Malicious activity
Analysis date: August 12, 2022, 18:59:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 419670842A63D824F609E3DD553FB4B7
SHA1: D0553CADFE2543DB72A8952343F7EFE4EC483D0E
SHA256: F3E4FB72AF6BBCD3B0BE4A90F3B14332D137A4B7DD63F137B348283E91004A38
SSDEEP: 24:2U9q4tHc/ADXbyfgfrnItCBUqv/DIAfG1dGHNpECiqk0nRn4SP7LhM:1q4c8m4jItC+qvbu1GzECDkyGSxM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • No malicious indicators.
  • SUSPICIOUS
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 3132)
  • INFO
    • Reads the computer name
      • iexplore.exe (PID: 676)
      • iexplore.exe (PID: 3132)
    • Checks supported languages
      • iexplore.exe (PID: 3132)
      • iexplore.exe (PID: 676)
    • Changes internet zones settings
      • iexplore.exe (PID: 676)
    • Application launched itself
      • iexplore.exe (PID: 676)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 676)
      • iexplore.exe (PID: 3132)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3132)
    • Changes settings of System certificates
      • iexplore.exe (PID: 676)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 3132)
      • iexplore.exe (PID: 676)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 676)
No Malware configuration.
No data.
Total processes: 37
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph: start → iexplore.exe → iexplore.exe

Process information

PID: 676
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__www.yammer.com_prosegur.com_threads_1835493695578112-3Fallow-5Fapp-5Fredirect-3D1-26from-3Demail-26message-5Fid-3D1835493695578112-26trk-5Felmnt-3Dgoto-26trk-5Fevent-3Dde-5Fthrd-5Fclk-26trk-5Ffst-5Fthrd-5Fid-3D1835493695578112-26trk-5Fis-5Fstoryline-3Dfalse-26trk-5Fnetwork-3D69241-26trk-5Fnmbr-5Flks-3D1-26trk-5Fnmbr-5Frplys-3D1-26trk-5Fnmbr-5Fthrds-3D2-26trk-5Fnotif-5Fid-3Df5543d00065f2cd09ff1cecfc3aed87f0a3f6683b24db01d9c38754d16fd004a-26trk-5Foutlook-5Forigin-3Dglam-5Fstatic-26trk-5Fthrd-5Fclckd-5Fid-3D1835493695578112-26trk-5Fthrd-5Fpstn-3Dfst-26trk-5Fuser-3D883906027520%26d%3DDwMFaQ%26c%3DCVCjue1xFAdWlcQqpM6mY11X1YkBLRLie8BLA-Yhu3s%26r%3DZZzQSvC--3fnraIGaQqYZU7wNIgeQ1j8VMdjaWCDMK8%26m%3DkxRI5CsNTO_5MMR4y5L5ykr_fykDUWoErSLPEXuknDPqA8vshB3jDtObGGZmv4_M%26s%3DtEA71qtauAiF9kHHr7P0JfmrROOoUCMTVjCH2eEUw9I%26e%3D&data=05%7C01%7Cfabian-luis.sejas%40prosegur.com%7C7859b930c29f4134a3d308da6f3041a7%7C68485601fbbc47c6b1563e1a7e0a4434%7C0%7C0%7C637944550291679940%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=EKlRyvNSvS%2BOZ8eDeXFTWbTr%2BYSfni%2B0BkwWzN9y9vw%3D&reserved=0"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID: 3132
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:676 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll
Total events: 12 839
Read events: 12 717
Write events: 120
Delete events: 2

Modification events

(PID) Process | Key | Operation | Name | Value
(676) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPDaysSinceLastAutoMigration | 1
(676) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPLastLaunchLowDateTime | 
(676) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPLastLaunchHighDateTime | 30977661
(676) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | write | NextCheckForUpdateLowDateTime | 
(676) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | write | NextCheckForUpdateHighDateTime | 30977661
(676) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | 
(676) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
(676) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
(676) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | write | CompatibilityFlags | 0
(676) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
Executable files: 0
Suspicious files: 13
Text files: 27
Unknown types: 11

Dropped files

  • PID 3132, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\72BA427A91F50409B9EAC87F2B59B951_76153553DDC6D8AAD0F728B7701D7D60 (type: der)
    MD5: D8F9D060D34BD480074112022053CAEE
    SHA256: 018646A7CAE4B891E63776E7FA6D761DDADE087B9C429D44C1E5C7474A826306
  • PID 3132, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (type: binary)
    MD5: 47C7AD319DB74D36AE264769C2855B38
    SHA256: 3AB8D9E73DB01887F2135A24B01CCD99D08CC8D62CD84F2BEA54C181C74A0392
  • PID 3132, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49 (type: der)
    MD5: B5DB26BF7F8D02FAC377C8E343B930A1
    SHA256: CB814FABB0DAF12D7AFA5CD5853B94F879481D25766C0BB03C1FC904994DD1A1
  • PID 3132, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E (type: binary)
    MD5: BC6DF366E7E6DF86E8094CC74316DF63
    SHA256: 10104E5D28111321014B32E220FB729990D8F487B6E270024D0188F0A045E146
  • PID 3132, iexplore.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\PUDEU1PP.txt (type: text)
    MD5: 975B5EB2A8EA9A4DD21E9761F64D81AB
    SHA256: 6EE22D2F7C67F9D1ECE79463A04A11A0CCDE24C7636C13D0100E66D12091A5EA
  • PID 3132, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3538626A1FCCCA43C7E18F220BDD9B02 (type: binary)
    MD5: BA62283AA656DEAE92BB5B99019BF4A3
    SHA256: 149A852DF93A34B949368BD5FB64BFEAA3689881898A4787FB4F38B82F6B9A03
  • PID 3132, iexplore.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\X28WOK8Q.txt (type: text)
    MD5: 07B1E390C4165F628E1A08E3B9667D69
    SHA256: 72FAB18A5F9954EE5770CC3E08513A5D5F751BD7E763D1032071D423A543155E
  • PID 3132, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\1835493695578112[1].htm (type: html)
    MD5: A96E3CBC66A4C8CFABD214AA4F0EBEB0
    SHA256: CAB52F7D9B971EEBDEB099F1A7A7D76ED95779C7E323FE6942ACC64D69CD4FB3
  • PID 3132, iexplore.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\NAK3BANO.txt (type: text)
    MD5: 30DC82B14F06826FCAC0A3AD2475A630
    SHA256: 1AB995BD40B9B9F79470AE77298EFB0910323DEFC4BD1507CDD5871EE64914B0
  • PID 3132, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\72BA427A91F50409B9EAC87F2B59B951_76153553DDC6D8AAD0F728B7701D7D60 (type: binary)
    MD5: 387034FB3DDDB656229DE5DCA2A2E8ED
    SHA256: 818453325BDB315FB38281EF79A7E6056CB0AB42C369676C2A4A21D0194B15F0
HTTP(S) requests: 10
TCP/UDP connections: 45
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3132 | iexplore.exe | GET | 200 | 172.64.155.188:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQh80WaEMqmyEvaHjlisSfVM4p8SAQUF9nWJSdn%2BTHCSUPZMDZEjGypT%2BsCEByrgD5piqUjHxqAhX8eRyo%3D | US | der | 471 b | whitelisted
3132 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAGewca9P1l7sgwzOOVR2Hc%3D | US | der | 471 b | whitelisted
3132 | iexplore.exe | GET | 200 | 104.18.32.68:80 | http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl | US | der | 978 b | whitelisted
3132 | iexplore.exe | GET | 200 | 172.64.155.188:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEBN9U5yqfDGppDNwGWiEeo0%3D | US | der | 2.18 Kb | whitelisted
3132 | iexplore.exe | GET | 200 | 172.64.155.188:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 1.42 Kb | whitelisted
3132 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
3132 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | US | der | 471 b | whitelisted
676 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
3132 | iexplore.exe | GET | 200 | 104.18.24.243:80 | http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRSHuNsR4EZqcsD%2BrdOV%2BEZevGBiwQUtXYMMBHOx5JCTUzHXCzIqQzoC2QCExIAKcNmf7PeyaDcpcoAAAApw2Y%3D | US | der | 1.70 Kb | whitelisted
3132 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3b23d5856c057568 | US | compressed | 4.70 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
676 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
676 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3132 | iexplore.exe | 104.47.1.28:443 | eur01.safelinks.protection.outlook.com | Microsoft Corporation | AT | whitelisted
3132 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3132 | iexplore.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3132 | iexplore.exe | 67.231.154.66:443 | urldefense.proofpoint.com | Proofpoint, Inc. | US | malicious
3132 | iexplore.exe | 172.64.155.188:80 | ocsp.comodoca.com |  | US | suspicious
3132 | iexplore.exe | 104.18.32.68:80 | ocsp.comodoca.com | Cloudflare Inc | US | suspicious
 |  | 13.107.6.159:443 | www.yammer.com | Microsoft Corporation | US | whitelisted
 |  | 96.16.146.233:443 | static2.sharepointonline.com | Akamai Technologies, Inc. | US | unknown

DNS requests

Domain | IP | Reputation
eur01.safelinks.protection.outlook.com | 104.47.1.28, 104.47.2.28 | whitelisted
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
urldefense.proofpoint.com | 67.231.154.66 | whitelisted
ocsp.comodoca.com | 172.64.155.188, 104.18.32.68 | whitelisted
ocsp.usertrust.com | 104.18.32.68, 172.64.155.188 | whitelisted
crl3.digicert.com | 93.184.220.29 | whitelisted
crl.usertrust.com | 104.18.32.68, 172.64.155.188 | whitelisted

Threats: No threats detected
Debug info: none