File name:

Message.eml

Full analysis: https://app.any.run/tasks/2a58f13f-0407-4215-bdcb-0fb815841fa3
Verdict: Malicious activity
Analysis date: May 24, 2025, 06:49:46
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
susp-attachments
attachments
attc-unc
attc-doc
spf-fail
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 (with BOM) text, with very long lines (367), with CRLF line terminators
MD5:

BA2261DDB58DCF0A090C085C31C590C9

SHA1:

C883DB858012BB106BB12D4B9BC8230EACE21899

SHA256:

34A35CED13A1F9C1DD178CDC8729D707EF256E854FBBDF1374511E772827042B

SSDEEP:

3072:UCswORSwI9puYGDVxBVl09bob0s5zWreJhM:UXwORWTgVbabHgzpPM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Email with suspicious attachment

      • OUTLOOK.EXE (PID: 4700)

  • INFO

    • Reads the software policy settings

      • slui.exe (PID: 4212)

    • Email verification fail (SPF, DKIM or DMARC)

      • OUTLOOK.EXE (PID: 4700)

    • Email with attachments

      • OUTLOOK.EXE (PID: 4700)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.txt | Text - UTF-8 encoded (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
6
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe sppextcomobj.exe no specs slui.exe ai.exe no specs winword.exe ai.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
4212"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
4652"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "5F08A4FB-9A31-4C0D-A90F-B8A9D8F62B19" "57B13221-458C-472D-B9CD-4CC7FD0A9E04" "4700"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeOUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
4700"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml C:\Users\admin\AppData\Local\Temp\Message.emlC:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
16.0.16026.20146
6760C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
7644"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\IGOZ5Q6N\Guidebook - Scan global logistics a_s.doc" /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
16.0.16026.20146
7780"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "94D636D8-C0DE-4F51-B73A-6758E135F768" "F7984EF9-919C-4BA8-92B2-0431983C1B53" "7644"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
13
Text files
8
Unknown types
1

Dropped files

PID
Process
Filename
Type
4700OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook1.pst
MD5:
SHA256:
4700OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbresbinary
MD5:1C0AB93269BF3CCD172B7BF2C1CB3D19
SHA256:E2D6DCBBDFB732989E0D80DDADBCA1D84FE0665371F82C8BED213F75E5AECE1C
4700OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\IGOZ5Q6N\Guidebook - Scan global logistics a_s.docdocument
MD5:A4FAC70D4C826545ECB1F50D57410F49
SHA256:D216A0E58B2676157C317555E2903D69F2A81E02003B345AA609D138E11B18E4
4700OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmbinary
MD5:931CB8F594A1A627E93E873391F118E7
SHA256:04BD8EF75171DB97CC1E45C83FDB195E8DEFB2B394E39E74C102667BC2945831
4700OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TableViewPreviewPrefs_2_87999A53F5B5A64F888FA0469B747867.datxml
MD5:0E092DB99AEE99FDFF9B5B222C732CFD
SHA256:D1614AD99ADED9F6F5C1BE7FE7FFA5124BD04A526580DA3818EA8A954E852AA6
4700OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbresbinary
MD5:B5994A71B0B572209839E67842AE3B32
SHA256:E50A2DA58D56D045A101FA93CD5968A9C4058E5AF3D1E58253BCD62AA700B6AC
4700OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\IGOZ5Q6N\Guidebook - Scan global logistics a_s (002).docdocument
MD5:A4FAC70D4C826545ECB1F50D57410F49
SHA256:D216A0E58B2676157C317555E2903D69F2A81E02003B345AA609D138E11B18E4
4700OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bintext
MD5:606ABE412DD18AC61D27F9A032611632
SHA256:D4EDD9BE0AC43A6D0F6BF376A94D3B6D20A8F173A5C6C5927E13473D3D868DD0
7644WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\Personalization\Governance\Anonymous\floodgatecampaigns.json.tmpbinary
MD5:A0CADF2A43271B1E2676F2946A728472
SHA256:C2016B42B5A9BCFC81CB14CB7C7AE54A60286139C5FF5780B26BD422051D0BC8
7644WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6C59A685-3BE2-4992-866F-65DD0A572FE4xml
MD5:419CA056FC4BED0F51FDC71BA35C84C9
SHA256:AED38E29F8D84E21FBAC2C0566505713E7FC7FD06567B87E79CC9ECFE4BA3DEC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
32
DNS requests
23
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4700
OUTLOOK.EXE
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7436
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7436
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2420
RUXIMICS.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
5796
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4700
OUTLOOK.EXE
52.123.128.14:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
whitelisted
4700
OUTLOOK.EXE
2.16.168.119:443
omex.cdn.office.net
Akamai International B.V.
RU
whitelisted
4700
OUTLOOK.EXE
52.111.229.36:443
messaging.lifecycle.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
google.com
  • 142.250.185.110
whitelisted
ecs.office.com
  • 52.123.128.14
  • 52.123.129.14
whitelisted
omex.cdn.office.net
  • 2.16.168.119
  • 2.16.168.101
whitelisted
messaging.lifecycle.office.com
  • 52.111.229.36
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.5
  • 20.190.160.128
  • 20.190.160.132
  • 20.190.160.4
  • 20.190.160.131
  • 40.126.32.68
  • 40.126.32.134
  • 20.190.160.14
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Message.eml