File name:

backup-message-172.16.20.182_9045-4428092.eml

Full analysis: https://app.any.run/tasks/5efc57bc-9607-4deb-9ae3-813a73d64b7f
Verdict: Malicious activity
Analysis date: April 29, 2025, 13:02:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
attachments
attc-arch
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with CRLF line terminators
MD5:

D2B8970E906BADB2EA83622EE3BBD7C9

SHA1:

6AF670A3E04EFA53305AC0BC00680516CFF8CA04

SHA256:

258A0DEC9190630D085C508AE152897BA68E7DCDAAFAACA0649CB8131663447D

SSDEEP:

12288:nPZ3jhPRHIZ9QRs9TnQJtT9fMdSjleE1FqqWZfqDU/WKnmB0s1N8r5CjIoSYIDGN:TRH6EsC5HxNW1CAWKnwIr5CjEDO

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore be distorted by user actions and is provided as is; ANY.RUN does not guarantee that the content is malicious or safe.
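The header above describes the submitted file (an RFC 822 message tagged attc-arch, i.e. carrying an archive attachment) by its hashes. As an added example that is not part of the ANY.RUN report, the following Python does the same triage offline: it parses the .eml, extracts every attachment, computes the three digests the header lists and classifies each attachment by its leading bytes so that archive and executable attachments are flagged. The message and the archive bytes are constructed inside the script; the attachment name is an ASCII stand-in for the Cyrillic "Документы от 29.04.2025.rar" of the real mail.

```python
"""Offline triage of attachments in an .eml (added example, not ANY.RUN code)."""
import base64
import email
import hashlib
from email import policy

# Constructed stand-in for the attached archive: the RAR5 signature followed by
# padding. Enough for a magic-byte check; it is not the real sample.
FAKE_RAR = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 24

# Constructed message with one text part and one base64 attachment.
SAMPLE_EML = (
    b"From: backup@example.invalid\r\n"
    b"To: admin@example.invalid\r\n"
    b"Subject: backup-message\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b'Content-Type: text/plain; charset="utf-8"\r\n'
    b"\r\n"
    b"Documents attached.\r\n"
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="Documents_29.04.2025.rar"\r\n'
    b'Content-Disposition: attachment; filename="Documents_29.04.2025.rar"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.encodebytes(FAKE_RAR).replace(b"\n", b"\r\n")
    + b"--b1--\r\n"
)

# (signature, type label, class, extensions that legitimately carry this type)
MAGIC = (
    (b"Rar!\x1a\x07\x01\x00", "rar5", "archive", {"rar"}),
    (b"Rar!\x1a\x07\x00", "rar4", "archive", {"rar"}),
    (b"PK\x03\x04", "zip", "archive", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"7z\xbc\xaf\x27\x1c", "7z", "archive", {"7z"}),
    (b"MZ", "pe", "executable", {"exe", "dll", "scr", "com", "cpl"}),
    (b"%PDF", "pdf", "document", {"pdf"}),
)
SCRIPT_EXT = {"exe", "scr", "com", "cpl", "js", "jse", "vbs", "vbe", "bat", "cmd", "ps1", "hta", "lnk"}


def classify(data):
    """Return (type, class, allowed_extensions) from the leading bytes."""
    for sig, kind, klass, exts in MAGIC:
        if data.startswith(sig):
            return kind, klass, exts
    return "unknown", "unknown", set()


def hashes(data):
    """The three digests the report header lists, upper-case hex like the report."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def triage(raw_eml):
    """Walk every MIME leaf that is an attachment and describe it."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():  # containers, including nested message/rfc822
            continue
        name = part.get_filename()
        if part.get_content_disposition() != "attachment" and not name:
            continue  # inline body text
        data = part.get_payload(decode=True) or b""
        name = name or "(unnamed)"
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind, klass, allowed = classify(data)
        flags = []
        if klass == "archive":
            flags.append("attc-arch")  # the same tag this report carries
        if klass == "executable" or ext in SCRIPT_EXT:
            flags.append("attc-exe")
        if name.count(".") > 1 and ext in SCRIPT_EXT:
            flags.append("double-extension")
        if kind != "unknown" and ext and ext not in allowed:
            flags.append("ext-mismatch:%s-vs-%s" % (ext, kind))
        findings.append({"filename": name, "size": len(data), "type": kind,
                         "flags": flags, **hashes(data)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print(finding)
```

The classification uses magic bytes rather than the declared Content-Type or extension because both are sender-controlled; an attachment whose extension disagrees with its signature is reported as ext-mismatch. Hashes are computed over the decoded payload, which is what the sandbox hashes once the attachment is saved.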
  • MALICIOUS

    • Executing a file with an untrusted certificate
      (the sample carries a digital signature that does not validate as trusted on the guest; the report does not name the signer, so read it from the sample itself, e.g. with Get-AuthenticodeSignature, before using it as an indicator)

      • Документы от 29.04.2025.exe (PID: 1228)
      • Документы от 29.04.2025.exe (PID: 7372)
      • Документы от 29.04.2025.exe (PID: 7828)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 2908)
    • Executes application which crashes
      (all three runs exit with code 3762504530 = 0xE0434352, the CLR's unhandled-exception code, and each loads syswow64\mscoree.dll: the sample is a 32-bit .NET program that threw before completing, so no network connection or dropped file listed in this report is attributed to it and the verdict rests on the delivery chain rather than on observed payload behaviour)

      • Документы от 29.04.2025.exe (PID: 1228)
      • Документы от 29.04.2025.exe (PID: 7372)
      • Документы от 29.04.2025.exe (PID: 7828)
    • Uses RUNDLL32.EXE to load library
      (the library is cryptext.dll, entry point CryptExtAddCERMachineOnlyAndHwnd, the shell's certificate-install handler for the machine store; both instances, PID 2392 and PID 6108, run at HIGH integrity with explorer.exe as parent, i.e. an elevated user action in the guest rather than something the sample spawned; the report does not show which certificate file was installed)

      • explorer.exe (PID: 5492)
  • INFO

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5492)
    • Reads the machine GUID from the registry

      • Документы от 29.04.2025.exe (PID: 1228)
      • Документы от 29.04.2025.exe (PID: 7372)
      • Документы от 29.04.2025.exe (PID: 7828)
    • Reads the computer name

      • Документы от 29.04.2025.exe (PID: 1228)
      • Документы от 29.04.2025.exe (PID: 7372)
      • Документы от 29.04.2025.exe (PID: 7828)
    • Manual execution by a user
      (the same executable launched again from C:\Users\admin\Desktop with explorer.exe as parent, i.e. extracted from the archive and double-clicked in the guest)

      • Документы от 29.04.2025.exe (PID: 7372)
      • Документы от 29.04.2025.exe (PID: 7828)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6112)
      • WerFault.exe (PID: 7492)
      • WerFault.exe (PID: 4180)
    • Reads the software policy settings

      • slui.exe (PID: 7640)
    • Checks supported languages

      • Документы от 29.04.2025.exe (PID: 7372)
      • Документы от 29.04.2025.exe (PID: 1228)
      • Документы от 29.04.2025.exe (PID: 7828)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2908)
More information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix is in the full report.
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
All screenshots are available in the full report
Total processes
156
Monitored processes
15
Malicious processes
1
Suspicious processes
3

Behavior graph

Processes in the graph, in order: outlook.exe, sppextcomobj.exe (no specs), slui.exe, ai.exe (no specs), winrar.exe, документы от 29.04.2025.exe, werfault.exe (no specs), документы от 29.04.2025.exe, slui.exe, werfault.exe (no specs), документы от 29.04.2025.exe, werfault.exe (no specs), explorer.exe, rundll32.exe, rundll32.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1228
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb2908.9527\Документы от 29.04.2025.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb2908.9527\Документы от 29.04.2025.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3762504530
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb2908.9527\документы от 29.04.2025.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 2392
CMD: "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\cryptext.dll,CryptExtAddCERMachineOnlyAndHwnd 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 328476
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 2908
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\X9VIDTTJ\Документы от 29.04.2025.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: OUTLOOK.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4180
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7828 -s 1288
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Документы от 29.04.2025.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 4652
CMD: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml C:\Users\admin\AppData\Local\Temp\backup-message-172.16.20.182_9045-4428092.eml
Path: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 5492
CMD: C:\WINDOWS\Explorer.EXE
Path: C:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID: 6108
CMD: "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\cryptext.dll,CryptExtAddCERMachineOnlyAndHwnd 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 197700
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 6112
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1228 -s 1300
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Документы от 29.04.2025.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 7372
CMD: "C:\Users\admin\Desktop\Документы от 29.04.2025.exe"
Path: C:\Users\admin\Desktop\Документы от 29.04.2025.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3762504530
Modules
Images
c:\users\admin\desktop\документы от 29.04.2025.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 7492
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7372 -s 1292
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Документы от 29.04.2025.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
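An added example, not part of the ANY.RUN report: the Process information table above is replayed as Python records (parent PIDs are inferred from the parent-process names the report gives, which is an assumption; rundll32's trailing arguments are omitted) and run through the checks a responder applies to this kind of tree: the OUTLOOK.EXE -> WinRAR.exe -> temp-directory executable chain, the archive opened straight from the Content.Outlook cache, WerFault's -p argument tying each crash to the sample's PID, the exit code 3762504530 = 0xE0434352 (the CLR's unhandled-exception code, consistent with syswow64\mscoree.dll in the module lists, i.e. a 32-bit .NET program), the Desktop re-run the report labels "Manual execution by a user", and the elevated rundll32 cryptext.dll certificate-install dialog with explorer.exe as parent. The conclusion it reaches is the caveat to carry into the verdict: every run of the sample crashed, so nothing here shows the payload's intended behaviour; the managed exception itself is recoverable from the crash dump listed under Dropped files.

```python
"""Process-tree triage for the table above (added example, not ANY.RUN code)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str
    cmd: str
    parent: Optional[int]           # inferred from the report's parent-process names
    integrity: str = "MEDIUM"
    exit_code: Optional[int] = None
    modules: Tuple[str, ...] = ()


SAMPLE = "Документы от 29.04.2025.exe"

# Constructed from the Process information table in this report.
PROCS = [
    Proc(5492, r"C:\Windows\explorer.exe", r"C:\WINDOWS\Explorer.EXE", None),
    Proc(4652, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
         r'"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml '
         r"C:\Users\admin\AppData\Local\Temp\backup-message-172.16.20.182_9045-4428092.eml",
         5492, exit_code=0),
    Proc(2908, r"C:\Program Files\WinRAR\WinRAR.exe",
         r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows'
         r'\INetCache\Content.Outlook\X9VIDTTJ\Документы от 29.04.2025.rar"',
         4652, exit_code=0),
    Proc(1228, r"C:\Users\admin\AppData\Local\Temp\Rar$EXb2908.9527\Документы от 29.04.2025.exe",
         r'"C:\Users\admin\AppData\Local\Temp\Rar$EXb2908.9527\Документы от 29.04.2025.exe"',
         2908, exit_code=3762504530, modules=("wow64.dll", "mscoree.dll")),
    Proc(6112, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1228 -s 1300", 1228, exit_code=0),
    Proc(7372, r"C:\Users\admin\Desktop\Документы от 29.04.2025.exe",
         r'"C:\Users\admin\Desktop\Документы от 29.04.2025.exe"',
         5492, exit_code=3762504530, modules=("wow64.dll", "mscoree.dll")),
    Proc(7492, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7372 -s 1292", 7372, exit_code=0),
    Proc(2392, r"C:\Windows\System32\rundll32.exe",
         r'"C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\cryptext.dll,CryptExtAddCERMachineOnlyAndHwnd',
         5492, integrity="HIGH", exit_code=0),
]

# Exit codes that mean "the process died", not "the process finished".
EXIT_CODES = {
    0xE0434352: "CLR unhandled managed exception (.NET program threw)",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN (fail-fast)",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
}

RAR_TEMP = re.compile(r"\\Temp\\Rar\$[A-Za-z]*\d+\.\d+\\", re.IGNORECASE)
OUTLOOK_CACHE = re.compile(r"\\Content\.Outlook\\", re.IGNORECASE)


def decode_exit(code):
    """Render an exit code as hex and name it if it is a known crash code."""
    if code is None:
        return "(still running)", None
    code &= 0xFFFFFFFF
    return "0x%08X" % code, EXIT_CODES.get(code)


def basename(p):
    return p.image.rsplit("\\", 1)[-1]


def triage(procs):
    """Return (findings, crashes): findings are strings, crashes map pid -> decoded exit."""
    by_pid = {p.pid: p for p in procs}
    findings, crashes = [], {}
    for p in procs:
        name = basename(p).lower()
        parent = by_pid.get(p.parent)
        pname = basename(parent).lower() if parent else "?"
        if name == "winrar.exe" and OUTLOOK_CACHE.search(p.cmd):
            findings.append("%d: archive opened directly from the Outlook attachment cache" % p.pid)
        if name.endswith(".exe") and RAR_TEMP.search(p.image):
            grand = by_pid.get(parent.parent) if parent else None
            chain = " -> ".join(basename(x) for x in (grand, parent, p) if x)
            findings.append("%d: executable run from WinRAR's temp extraction dir (%s)" % (p.pid, chain))
        if name.endswith(".exe") and pname == "explorer.exe" and "\\desktop\\" in p.image.lower():
            findings.append("%d: %s re-run from the Desktop under explorer.exe (manual execution)" % (p.pid, basename(p)))
        if name == "werfault.exe":
            m = re.search(r"-p (\d+)", p.cmd)       # WerFault names the crashed PID
            victim = by_pid.get(int(m.group(1))) if m else None
            if victim:
                crashes[victim.pid] = decode_exit(victim.exit_code)
        if name == "rundll32.exe" and "cryptext.dll" in p.cmd.lower():
            findings.append("%d: rundll32 cryptext.dll (certificate-install dialog), parent %s, integrity %s"
                            % (p.pid, pname, p.integrity))
        if any(m.lower() == "mscoree.dll" for m in p.modules):
            findings.append("%d: loads mscoree.dll, so %s is a managed (.NET) executable" % (p.pid, basename(p)))
    return findings, crashes


def payload_ran(procs, crashes, sample=SAMPLE):
    """True only if some run of the sample ended without a crash code."""
    runs = [p for p in procs if basename(p) == sample]
    return any(p.pid not in crashes and p.exit_code not in EXIT_CODES for p in runs)


if __name__ == "__main__":
    found, crashed = triage(PROCS)
    for line in found:
        print(line)
    for pid, (hexcode, meaning) in crashed.items():
        print("crash of %d: %s %s" % (pid, hexcode, meaning))
    print("payload ran:", payload_ran(PROCS, crashed))
```

The WerFault -p lookup matters because the sandbox lists WerFault's parent by name only; for a sample that spawns several copies of itself, the PID in the command line is the only unambiguous link between a crash and the instance that crashed.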
Total events
48 389
Read events
47 109
Write events
1 119
Delete events
161

Modification events

Process: (4652) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData
Operation: write
Name: SessionId
Value: E27FA368-F176-4A24-A801-6B948893C23A

Process: (4652) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation: delete value
Name: BootFailureCount
Value:

Process: (4652) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Preferences
Operation: delete value
Name: ChangeProfileOnRestart
Value:

Process: (4652) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046
Operation: write
Name: 00030429
Value: 09000000

Process: (4652) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData
Operation: write
Name: ProfileBeingOpened
Value: Outlook

Process: (4652) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046
Operation: write
Name: 00030397
Value: 60000000

Process: (4652) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3\0
Operation: write
Name: FilePath
Value: officeclient.microsoft.com\CDE92838-7B63-458E-A52B-FB53DE621C88

Process: (4652) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3\0
Operation: write
Name: StartDate
Value: 20F036FD06B9DB01

Process: (4652) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3\0
Operation: write
Name: EndDate
Value: 20B0A027D0B9DB01

Process: (4652) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor\{02CAC15F-D4BE-400E-9127-D54982AA4AE9}
Operation: delete key
Name: (default)
Value:
Executable files
2
Suspicious files
40
Text files
12
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 4652
Process: OUTLOOK.EXE
Filename: C:\Users\admin\Documents\Outlook Files\Outlook1.pst
Type:
MD5:
SHA256:

PID: 4652
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Type: binary
MD5: 1C20E6F0254A8330039290157F5E82E7
SHA256: 2A7292FD840FE774BF44270793101B67FCA33ED8F0E7F2420ADFB3DC5B869C41

PID: 5492
Process: explorer.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Type: binary
MD5: E49C56350AEDF784BFE00E444B879672
SHA256: A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E

PID: 4652
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\CDE92838-7B63-458E-A52B-FB53DE621C88
Type: xml
MD5: 61B7848436D4409534781DE8FDF4EF36
SHA256: 1519FF8347CF8A0F0E699F39863EC56E16C2B1312B4113DFB0A1748039DD7AA3

PID: 6112
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ADVVZV3XZWT4XRMQ_2bc37148df531a393affca896f7cdda810f14380_c3ac41ce_c9686edc-5195-4008-bcd8-50d7690129d7\Report.wer
Type:
MD5:
SHA256:

PID: 6112
Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\Документы от 29.04.2025.exe.1228.dmp
Type:
MD5:
SHA256:

PID: 4652
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Type: binary
MD5: FB60FF789C58BC6CDCCF1F388665810F
SHA256: D0D379988D4ED6E4ACBE57E83246B62FE36DACBF96793173F626B7E31FDFB8E4

PID: 4652
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\olkC7B7.tmp
Type: binary
MD5: AB45793FDB92A868DD91C0A9833ABBDF
SHA256: F7026425F0973EC41E9BE1C7EF8550D89481A82F50878CEF7F2F4D187F4FB204

PID: 4652
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
Type: binary
MD5: 3FC219BAC4EC57CF28D5C9A7A12D156E
SHA256: 4B9A54940E78F37923481BCFE9FEDCB204992834FE8F17FC2709A2AD395FF891

PID: 4652
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres
Type: binary
MD5: 8F69AFC33E723EB3CDA2A0AFA01879B0
SHA256: 1CC55727A06127492828BEB8A90FAE0721E90E65B006073A1DAEAD86F51C7A71
The PCAP, network streams and HTTP content can be downloaded and analysed in the full report.
HTTP(S) requests
21
TCP/UDP connections
38
DNS requests
28
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6800
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6800
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5492
explorer.exe
GET
200
151.101.130.133:80
http://ocsp2.globalsign.com/gscodesignsha2g3/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBRKkjBge%2BJXnExRoXTQ63uIpEYZkgQUDzrnrJSRdC2WAnODrZwuST8ZqlQCDD1TYw0R8gTCu5smsw%3D%3D
unknown
whitelisted
5492
explorer.exe
GET
200
151.101.130.133:80
http://ocsp2.globalsign.com/rootr3/ME8wTTBLMEkwRzAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCDkgbagcm0ug%2FJgLUglrN
unknown
whitelisted
GET
200
23.48.23.162:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5492
explorer.exe
GET
200
151.101.66.133:80
http://crl.globalsign.com/gscodesignsha2g3.crl
unknown
whitelisted
5492
explorer.exe
GET
200
151.101.130.133:80
http://ocsp2.globalsign.com/gscodesignsha2g3/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBRKkjBge%2BJXnExRoXTQ63uIpEYZkgQUDzrnrJSRdC2WAnODrZwuST8ZqlQCDD1TYw0R8gTCu5smsw%3D%3D
unknown
whitelisted
5492
explorer.exe
GET
200
151.101.66.133:80
http://crl.globalsign.com/gscodesignsha2g3.crl
unknown
whitelisted
5492
explorer.exe
GET
200
151.101.66.133:80
http://ocsp.globalsign.com/rootr1/ME8wTTBLMEkwRzAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDkfDD%2F78IrsoD5b%2Bp1JR
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.48.23.162:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4652
OUTLOOK.EXE
52.109.89.18:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4652
OUTLOOK.EXE
52.123.130.14:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.162
  • 23.48.23.167
  • 23.48.23.150
  • 23.48.23.164
  • 23.48.23.176
  • 23.48.23.180
  • 23.48.23.173
  • 23.48.23.159
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 2.23.246.101
whitelisted
google.com
  • 142.250.186.174
whitelisted
officeclient.microsoft.com
  • 52.109.89.18
whitelisted
ecs.office.com
  • 52.123.130.14
  • 52.123.131.14
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.73
  • 20.190.159.129
  • 20.190.159.2
  • 40.126.31.3
  • 20.190.159.4
  • 40.126.31.67
  • 40.126.31.69
  • 20.190.159.131
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
roaming.officeapps.live.com
  • 52.109.68.129
whitelisted
omex.cdn.office.net
  • 2.16.168.113
  • 2.16.168.119
whitelisted

Threats

No threats detected
No debug info