Malware analysis Undeliverable Hp inc. - Employee Pay Raise and Organization Restructuring (80.2 KB).msg Malicious activity

Add for printing

File name:	Undeliverable Hp inc. - Employee Pay Raise and Organization Restructuring (80.2 KB).msg
Full analysis:	https://app.any.run/tasks/9844ab44-5352-485c-95ba-f7868bf7dd0c
Verdict:	Malicious activity
Analysis date:	January 07, 2026, 15:59:21
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	susp-attachments attachments attc-unc attc-eml qrcode attc-doc qr-redirect phishing phish-url susp-redirect
Indicators:
MIME:	application/vnd.ms-outlook
File info:	CDFV2 Microsoft Outlook Message
MD5:	ECB1FE47A230347F9B77A2E3EB760C7C
SHA1:	A162E7B929E0A540755C104D5B02D214887F0A52
SHA256:	244AF0DB82AEB5FBB94EC135487D8E4B27BC7BD5ADC34023DBA0BEF25311277C
SSDEEP:	3072:Q9MdpqecTCJRynt0IRnAlAEZx5CNa5rJ:R4CfIRnAlRx5R5r

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Suspicious URL found
  - OUTLOOK.EXE (PID: 7480)
- QR code contains URL with email
  - OUTLOOK.EXE (PID: 7480)
SUSPICIOUS
- Detected QR code with redirect chain
  - OUTLOOK.EXE (PID: 7480)
INFO
- Reads the computer name
  - TextInputHost.exe (PID: 7840)
- Checks supported languages
  - TextInputHost.exe (PID: 7840)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msg	\|	Outlook Message (58.9)
.oft	\|	Outlook Form Template (34.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

152

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

4472

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

6556

"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ZI4897DA\Hp inc.-HR-package.docx" /o ""

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

OUTLOOK.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Word

Version:

16.0.16026.20146

Modules

Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll

7184

"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "363708BC-5534-4907-9E94-3CF31300C0E8" "74C51C92-BE11-4498-8678-30F992B66464" "6556"

C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe

—

WINWORD.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.

Version:

0.12.2.0

Modules

Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll

7480

"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Undeliverable Hp inc. - Employee Pay Raise and Organization Restructuring (80.2 KB).msg"

C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Outlook

Version:

16.0.16026.20146

Modules

Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

7840

"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Version:

123.26505.0.0

Modules

Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

7988

"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "CF2130AA-D57A-4558-AD36-AFC235D20C6A" "22E5A7AC-E9C7-4FA8-A074-7427580E707E" "7480"

C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe

—

OUTLOOK.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.

Version:

0.12.2.0

Modules

Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

24 418

Read events

22 983

Write events

1 293

Delete events

142

Modification events


(PID) Process:	(7480) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	6
Value: 01941A000000001000B24E9A3E06000000000000000600000000000000
(PID) Process:	(7480) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\7480
Operation:	write	Name:	0
Value: 0B0E108195A8BEC3F09C4290405B5ECB720D742300468ECED6DEE9FD9FEE016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511B83AD2120B6F00750074006C006F006F006B002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:	(7480) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	write	Name:	SessionId
Value: C3D8E96E-C1AF-4750-8D52-F4E28119C131
(PID) Process:	(7480) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	write	Name:	BootDiagnosticsLogFile
Value: C:\Users\admin\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16026_20146-20240718T1116060318-1644.etl
(PID) Process:	(7480) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:	delete value	Name:	ProfileBeingOpened
Value:
(PID) Process:	(7480) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(7480) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:	write	Name:	OutlookBootFlag
Value: 1
(PID) Process:	(7480) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 2
(PID) Process:	(7480) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	de-de
Value: 2
(PID) Process:	(7480) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	fr-fr
Value: 2

Add for printing

Executable files

Suspicious files

125

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7480	OUTLOOK.EXE	C:\Users\admin\Documents\Outlook Files\Outlook1.pst		—
		MD5:—	SHA256:—
7480	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres		binary
		MD5:9703C112E528296751C1A8A5F39F62CD	SHA256:5ABE593D84BA614C4E30FA355570584A53AB90C3BAAF684045D65F3CEBBB3446
7480	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_WorkHours_1_DBE94A85F8649B4FBBEA7ED958BFE171.dat		xml
		MD5:9CA1DA1D62A9FF574E63B8946B541C96	SHA256:B6B10A07FAA634027F3780E77FC3B165DCF7D37E800195BFF5E147CCC492B828
7480	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin		text
		MD5:2EE8FF7FC6D1096E1EEA7122F83F0AC6	SHA256:1C6C185CDC1C8B4D665456431B73916B168A9674596182078852A31CEC37C766
7480	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres		binary
		MD5:B58AF23EFDDBD9707926225B4F880C12	SHA256:85FE155FEFD91AF7AF6AF72003EB689DDBC7869669AAECC9565B8A8D5C0103D6
6556	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3BE2446D-FAA9-4A1E-8415-3C39F875D67A		xml
		MD5:BE07CF720C580B992C49861049413389	SHA256:FF66A8C0E7A65DF2C1D9482842DA4946224492503B3BED8CA84076CDAF4E6F12
7480	OUTLOOK.EXE	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187		binary
		MD5:CDCF161DBF6D01E434D56690FDF15A05	SHA256:A1276DAEEEF6D03DCE03F95934ABC0A0F322CB1388BF8259D24AEAFEBEDC814D
7480	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres		binary
		MD5:4EBE0C7EA6510DE83EE2A1FA01425D19	SHA256:F384B09148B328F7443571496E479A95A59DB29D232A59E7692A77F638DB84B8
7480	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ZI4897DA\Hp inc.-HR-package.docx		binary
		MD5:A693F4752BFAA726EC7D981AA089652A	SHA256:CA988E3C50F8BE976184B1F05DF2A6AAF4E93B6CAE37B678CE442B6DF339D7BB
7480	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ZI4897DA\Hp inc.-HR-package (002).docx		binary
		MD5:A693F4752BFAA726EC7D981AA089652A	SHA256:CA988E3C50F8BE976184B1F05DF2A6AAF4E93B6CAE37B678CE442B6DF339D7BB

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

106

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7480	OUTLOOK.EXE	GET	200	52.123.128.14:443	https://ecs.office.com/config/v2/Office/outlook/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=outlook&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=outlook.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7bBEA89581-F0C3-429C-9040-5B5ECB720D74%7d&LabMachine=false	unknown	text	128 Kb	unknown
7480	OUTLOOK.EXE	GET	200	23.63.118.230:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted
7480	OUTLOOK.EXE	POST	200	52.110.17.38:443	https://roaming.officeapps.live.com/rs/RoamingSoapService.svc	unknown	text	654 b	whitelisted
6768	MoUsoCoreWorker.exe	GET	304	4.231.128.59:443	https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop	unknown	—	—	whitelisted
7480	OUTLOOK.EXE	GET	200	23.53.40.82:443	https://omex.cdn.office.net/addinclassifier/officesharedentities	unknown	text	128 Kb	whitelisted
7480	OUTLOOK.EXE	GET	200	52.111.243.12:443	https://messaging.lifecycle.office.com/getcustommessage16?app=6&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7BBEA89581-F0C3-429C-9040-5B5ECB720D74%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%22%7D	unknown	text	542 b	unknown
3176	svchost.exe	GET	200	23.63.118.230:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7480	OUTLOOK.EXE	POST	200	72.145.35.76:443	https://nleditor.osi.office.net/NlEditor/CloudSuggest/V1	unknown	text	155 b	whitelisted
3176	svchost.exe	POST	200	40.126.31.69:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	whitelisted
3176	svchost.exe	POST	200	40.126.31.69:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
356	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
792	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6768	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
7480	OUTLOOK.EXE	52.123.128.14:443	ecs.office.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3412	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7480	OUTLOOK.EXE	52.110.17.38:443	roaming.officeapps.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7480	OUTLOOK.EXE	23.63.118.230:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
7480	OUTLOOK.EXE	23.53.40.82:443	omex.cdn.office.net	AKAMAI-ASN1	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.251.140.174	whitelisted
ecs.office.com	52.123.128.14 52.123.129.14	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
roaming.officeapps.live.com	52.110.17.38 52.110.17.39 52.110.17.11 52.110.17.74 52.110.17.49 52.110.17.66 52.110.17.61 52.110.17.47	whitelisted
ocsp.digicert.com	23.63.118.230 184.30.131.245	whitelisted
omex.cdn.office.net	23.53.40.82 23.53.40.25	whitelisted
messaging.lifecycle.office.com	52.111.243.12	whitelisted
nleditor.osi.office.net	72.145.35.76 4.251.34.76	whitelisted
login.live.com	40.126.31.69 20.190.159.75 20.190.159.129 20.190.159.73 40.126.31.2 20.190.159.4 40.126.31.1 20.190.159.64	whitelisted

Threats

No threats detected

Add for printing

Process	Message
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

Undeliverable Hp inc. - Employee Pay Raise and Organization Restructuring (80.2 KB).msg

ECB1FE47A230347F9B77A2E3EB760C7C

A162E7B929E0A540755C104D5B02D214887F0A52

244AF0DB82AEB5FBB94EC135487D8E4B27BC7BD5ADC34023DBA0BEF25311277C

3072:Q9MdpqecTCJRynt0IRnAlAEZx5CNa5rJ:R4CfIRnAlRx5R5r

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Suspicious URL found

QR code contains URL with email

SUSPICIOUS

Detected QR code with redirect chain

INFO

Reads the computer name

Checks supported languages

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings