File name:

facturas N° EX46240573.eml

Full analysis: https://app.any.run/tasks/f49547f6-5c95-4932-b188-0fcc71fb0fb0
Verdict: Malicious activity
Threats:

GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.

Malware Trends Tracker     >>>
Analysis date: June 05, 2024, 19:51:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
spam
guloader
Indicators:
MIME: message/rfc822
File info: SMTP mail, ISO-8859 text, with CRLF line terminators
MD5:

A1FFA9A76D5FBCF191B87DE4CFC7718F

SHA1:

2982FEB8B031AABB1128E3C6177A52CDC8DA0AEE

SHA256:

2BB1E00A2B58FC5F4BAA43D76C790273648D6C09E05C4633D6119ABC87EA56B3

SSDEEP:

24576:QkP51QqpIMGfRp9AokEeXhK+hHYNQzFZOkSH+eWLuVdevM:7Jpck+eVaRMKWM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from MS Outlook

      • OUTLOOK.EXE (PID: 3968)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 3068)
      • powershell.exe (PID: 3744)
      • powershell.exe (PID: 1128)
      • powershell.exe (PID: 4048)
      • powershell.exe (PID: 1640)
      • powershell.exe (PID: 3612)

    • Drops the executable file immediately after the start

      • powershell.exe (PID: 3068)
      • powershell.exe (PID: 3744)

    • GULOADER SHELLCODE has been detected (YARA)

      • wab.exe (PID: 3812)

    • GULOADER has been detected (YARA)

      • wab.exe (PID: 3812)

  • SUSPICIOUS

    • Suspicious files were dropped or overwritten

      • WinRAR.exe (PID: 2464)
      • powershell.exe (PID: 3068)
      • powershell.exe (PID: 3744)

    • Starts POWERSHELL.EXE for commands execution

      • facturas N° EX46240573.bat (PID: 2360)
      • facturas N° EX46240573.bat (PID: 2064)
      • facturas N° EX46240573.bat (PID: 1520)
      • facturas N° EX46240573.bat (PID: 308)
      • facturas N° EX46240573.bat (PID: 3220)
      • facturas N° EX46240573.bat (PID: 3640)

    • Evaluates numerical expressions in cmd (potential data obfuscation)

      • powershell.exe (PID: 3068)
      • powershell.exe (PID: 3744)
      • powershell.exe (PID: 1128)
      • powershell.exe (PID: 3612)
      • powershell.exe (PID: 1640)
      • powershell.exe (PID: 4048)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 3068)
      • powershell.exe (PID: 3744)
      • powershell.exe (PID: 1128)
      • powershell.exe (PID: 3612)
      • powershell.exe (PID: 1640)
      • powershell.exe (PID: 4048)

    • Converts a string into array of characters (POWERSHELL)

      • powershell.exe (PID: 3068)
      • powershell.exe (PID: 3744)
      • powershell.exe (PID: 1128)
      • powershell.exe (PID: 3612)
      • powershell.exe (PID: 1640)
      • powershell.exe (PID: 4048)

    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 3068)
      • powershell.exe (PID: 3744)
      • powershell.exe (PID: 1128)
      • powershell.exe (PID: 3612)
      • powershell.exe (PID: 1640)
      • powershell.exe (PID: 4048)

    • Gets information about processes (POWERSHELL)

      • powershell.exe (PID: 3068)
      • powershell.exe (PID: 3744)
      • powershell.exe (PID: 1128)
      • powershell.exe (PID: 4048)
      • powershell.exe (PID: 3612)
      • powershell.exe (PID: 1640)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3068)
      • powershell.exe (PID: 3744)

    • Reads the Internet Settings

      • wab.exe (PID: 3812)

    • Reads security settings of Internet Explorer

      • wab.exe (PID: 3812)

    • Checks Windows Trust Settings

      • wab.exe (PID: 3812)

    • Reads settings of System Certificates

      • wab.exe (PID: 3812)

    • Adds/modifies Windows certificates

      • wab.exe (PID: 3812)

  • INFO

    • Manual execution by a user

      • isoburn.exe (PID: 1132)
      • rundll32.exe (PID: 1836)
      • isoburn.exe (PID: 1548)
      • facturas N° EX46240573.bat (PID: 2360)
      • rundll32.exe (PID: 1928)
      • cmd.exe (PID: 4056)
      • wmpnscfg.exe (PID: 1604)
      • facturas N° EX46240573.bat (PID: 2064)
      • cmd.exe (PID: 3496)
      • facturas N° EX46240573.bat (PID: 1520)
      • facturas N° EX46240573.bat (PID: 3640)
      • facturas N° EX46240573.bat (PID: 308)
      • facturas N° EX46240573.bat (PID: 3220)

    • The process uses the downloaded file

      • OUTLOOK.EXE (PID: 3968)

    • Reads the computer name

      • facturas N° EX46240573.bat (PID: 2360)
      • wab.exe (PID: 3812)
      • wmpnscfg.exe (PID: 1604)
      • facturas N° EX46240573.bat (PID: 2064)
      • facturas N° EX46240573.bat (PID: 1520)
      • facturas N° EX46240573.bat (PID: 3640)
      • facturas N° EX46240573.bat (PID: 308)
      • facturas N° EX46240573.bat (PID: 3220)

    • Creates files or folders in the user directory

      • facturas N° EX46240573.bat (PID: 2360)
      • wab.exe (PID: 3812)

    • Checks supported languages

      • facturas N° EX46240573.bat (PID: 2360)
      • wab.exe (PID: 3812)
      • wmpnscfg.exe (PID: 1604)
      • facturas N° EX46240573.bat (PID: 2064)
      • facturas N° EX46240573.bat (PID: 1520)
      • facturas N° EX46240573.bat (PID: 3640)
      • facturas N° EX46240573.bat (PID: 308)
      • facturas N° EX46240573.bat (PID: 3220)
      • wab.exe (PID: 3760)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2464)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2464)

    • Create files in a temporary directory

      • facturas N° EX46240573.bat (PID: 2360)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 3068)
      • powershell.exe (PID: 3744)
      • powershell.exe (PID: 1128)
      • powershell.exe (PID: 3612)
      • powershell.exe (PID: 4048)
      • powershell.exe (PID: 1640)

    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 3068)
      • powershell.exe (PID: 3744)
      • powershell.exe (PID: 1128)
      • powershell.exe (PID: 3612)
      • powershell.exe (PID: 4048)
      • powershell.exe (PID: 1640)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 3068)
      • powershell.exe (PID: 3744)
      • powershell.exe (PID: 1128)
      • powershell.exe (PID: 4048)
      • powershell.exe (PID: 3612)
      • powershell.exe (PID: 1640)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3068)
      • powershell.exe (PID: 3744)
      • powershell.exe (PID: 1128)
      • powershell.exe (PID: 4048)
      • powershell.exe (PID: 3612)
      • powershell.exe (PID: 1640)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 3068)
      • powershell.exe (PID: 3744)
      • powershell.exe (PID: 1128)
      • powershell.exe (PID: 3612)
      • powershell.exe (PID: 1640)
      • powershell.exe (PID: 4048)

    • Reads the machine GUID from the registry

      • wab.exe (PID: 3812)

    • Checks proxy server information

      • wab.exe (PID: 3812)

    • Reads the software policy settings

      • wab.exe (PID: 3812)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

guloader

(PID) Process(3812) wab.exe
C2 (1)https://majoshaza.hu/efpKDVBsJA38.bin
Strings (40)%Sris% -windowstyle minimized $Belzebub=(Get-ItemProperty -Path 'HKCU:\Fjerkrorganisationerne\').Champignonernes;%Sris% ($Belzebub)
%Sris% -windowstyle minimized $Haesblaesende=(Get-ItemProperty -Path 'HKCU:\Fjerkrorganisationerne\').Champignonernes;%Sris% ($Haesblaesende)
Fjerkrorganisationerne\
Champignonernes
c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Sris
Environment
\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
:__
psapi.dll
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
wininet.dll
Msi.dll
user32
KERNELBASE.DLL
advapi32
shell32
windir=
SYSTEM\ControlSet001\Enum\ACPI\PNP0C0C
TEMP=
CONOUT$
CONIN$
mshtml.dll
TEMP=
ProgramFiles=
/c REG ADD HKCU\
/f /v
/t REG_EXPAND_SZ /d
cmd.exe
\system32\
\syswow64\
\windows mail\wab.exe
\Windows Photo Viewer\ImagingDevices.exe
\windows mail\wabmig.exe
Startup key
Software\Microsoft\Windows\CurrentVersion\Run
C:\Program Files\qga\qga.exe
C:\Program Files\Qemu-ga\qemu-ga.exe
Publisher
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 1) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
84
Monitored processes
30
Malicious processes
8
Suspicious processes
6

Behavior graph

Click at the process to see the details
start outlook.exe isoburn.exe no specs isoburn.exe no specs rundll32.exe no specs isoburn.exe no specs rundll32.exe no specs winrar.exe facturas n° ex46240573.bat no specs powershell.exe cmd.exe no specs cmd.exe #GULOADER wab.exe cmd.exe wmpnscfg.exe no specs facturas n° ex46240573.bat no specs powershell.exe facturas n° ex46240573.bat no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs facturas n° ex46240573.bat no specs facturas n° ex46240573.bat no specs facturas n° ex46240573.bat no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs wab.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
308"C:\Users\admin\Desktop\facturas N° EX46240573.bat" C:\Users\admin\Desktop\facturas N° EX46240573.batexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
4294967295
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\facturas n° ex46240573.bat
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
552"C:\Windows\System32\isoburn.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\WIYJ4K4O\facturas N� EX46240573.img"C:\Windows\System32\isoburn.exeOUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Disc Image Burning Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\isoburn.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1128"powershell.exe" -windowstyle hidden "$Ekspressionismens7=Get-Content 'C:\Users\admin\AppData\Local\Temp\positurs\Seashell176\Interpoint.Bal';$Tullibee=$Ekspressionismens7.SubString(53040,3);.$Tullibee($Ekspressionismens7)"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exefacturas N° EX46240573.bat
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1132"C:\Windows\System32\isoburn.exe" "C:\Users\admin\Desktop\facturas N� EX46240573.img"C:\Windows\System32\isoburn.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Disc Image Burning Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\isoburn.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1520"C:\Users\admin\Desktop\facturas N° EX46240573.bat" C:\Users\admin\Desktop\facturas N° EX46240573.batexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
4294967295
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\facturas n° ex46240573.bat
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
1548"C:\Windows\System32\isoburn.exe" "C:\Users\admin\Desktop\facturas N� EX46240573.img"C:\Windows\System32\isoburn.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Disc Image Burning Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\isoburn.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1604"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1640"powershell.exe" -windowstyle hidden "$Ekspressionismens7=Get-Content 'C:\Users\admin\AppData\Local\Temp\positurs\Seashell176\Interpoint.Bal';$Tullibee=$Ekspressionismens7.SubString(53040,3);.$Tullibee($Ekspressionismens7)"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exefacturas N° EX46240573.bat
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1836"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\facturas N� EX46240573.imgC:\Windows\System32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
1928"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\facturas N� EX46240573.imgC:\Windows\System32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
Total events
50 534
Read events
49 649
Write events
815
Delete events
70

Modification events

(PID) Process:(3968) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3968) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(3968) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(3968) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(3968) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(3968) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(3968) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(3968) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(3968) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
(PID) Process:(3968) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1055
Value:
Off
Executable files
3
Suspicious files
38
Text files
8
Unknown types
1

Dropped files

PID
Process
Filename
Type
3968OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR3E62.tmp.cvr
MD5:
SHA256:
3968OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
3968OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\tmp3F9C.tmpbinary
MD5:60C9441D6F5B4245D36722CBE5F957E7
SHA256:E7E66924701A3ACBCDBCB98782CBBA27C45C2AAB2FDDC5D6DF1849E38040D021
3968OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:4AB35D6DBE2949DACC1354D81DBFDF6D
SHA256:0B5124F720AAE818CE269D00B90B4CBADB7F4BD64BF3D4B805FB718751EA19D4
3968OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inftext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
3968OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~WRL0001.tmpdocument
MD5:5A154DF961EE464DEAD4DA3A0E713FE3
SHA256:C8F044761493937003C21164C6687D4F30A45A2E68568FA921A346BDA28F40DC
3968OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{012FBDB4-441B-418B-A844-F3AC1DEB0984}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.pngimage
MD5:4C61C12EDBC453D7AE184976E95258E1
SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F
2360facturas N° EX46240573.batC:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\logges.initext
MD5:89715B58DA53F7246CA44AE8AB87DABA
SHA256:D547AC636A1050637C66BC147384EF2F1C0BDF6DC923D3EF7DAD98F7F6ADBED0
3968OUTLOOK.EXEC:\Users\admin\Desktop\facturas N� EX46240573.imgcompressed
MD5:0265C8674EE8079FB1D9C63EE828E553
SHA256:218A13AD076B70FC269012143FE6EBEB5883F651A99F60CB58C31B2EB421DFAB
3968OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\WIYJ4K4O\facturas N� EX46240573.img:Zone.Identifiertext
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
10
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3812
wab.exe
GET
304
23.50.131.209:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?72ac35960d490a8c
unknown
unknown
1088
svchost.exe
GET
304
23.50.131.215:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?91e4205cfb4a00a1
unknown
unknown
3812
wab.exe
GET
200
72.246.169.163:80
http://x1.c.lencr.org/
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
unknown
224.0.0.252:5355
unknown
3968
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3812
wab.exe
94.199.49.32:443
majoshaza.hu
23VNet Kft.
HU
unknown
3812
wab.exe
23.50.131.209:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
3812
wab.exe
72.246.169.163:80
x1.c.lencr.org
AKAMAI-AS
DE
unknown
1088
svchost.exe
23.50.131.215:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared
majoshaza.hu
  • 94.199.49.32
unknown
ctldl.windowsupdate.com
  • 23.50.131.209
  • 23.50.131.210
  • 23.50.131.213
  • 23.50.131.203
  • 23.50.131.221
  • 23.50.131.199
  • 23.50.131.200
  • 23.50.131.216
  • 23.50.131.215
  • 23.50.131.196
  • 23.50.131.202
  • 23.50.131.223
  • 23.50.131.201
  • 23.50.131.217
whitelisted
x1.c.lencr.org
  • 72.246.169.163
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
facturas N° EX46240573.eml