File name:

message (36).eml

Full analysis: https://app.any.run/tasks/1ed34047-ff20-4195-a55f-307da47a59ef
Verdict: Malicious activity
Analysis date: August 01, 2025, 05:53:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
spf-fail
attachments
attc-doc
qrcode
phishing
phish-url
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with CRLF line terminators
MD5:

E840C09465AF8F7B9768EE60F4FEA0A3

SHA1:

141EE453F76B59E15C948523B933EDCC39226A0B

SHA256:

377E105B03E491EECE1D095327E85CC9A7733C7AF0C59AFD98EE0835160E4ED6

SSDEEP:

1536:I8DNdjCR3+kA9xAfvakPdWMM3TatZp0JAAHSA3EdbCtgiQE9p:IyUwxYvaR/+tZGAh14eij9p

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Suspicious URL found

      • OUTLOOK.EXE (PID: 3820)

    • QR code contains URL with email

      • OUTLOOK.EXE (PID: 3820)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
142
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe ai.exe no specs winword.exe ai.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2808"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "5088222F-436A-437F-A7F9-BE49EC839ED0" "AD893909-C5D6-4980-9314-4209DCDBA833" "3820"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeOUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
3820"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\message (36).eml"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\program files\microsoft office\root\office16\outlookservicing.dll
4700"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "6B52DA91-5EE0-4165-AB5B-2084527D2B34" "F2362888-A3B0-4612-B654-A8F9A00CB871" "6160"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\sechost.dll
6160"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\OBM7VSKL\Bonus-package-Sonepar.docx" /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
Total events
23 821
Read events
22 349
Write events
1 330
Delete events
142

Modification events

(PID) Process:(3820) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor\{02CAC15F-D4BE-400E-9127-D54982AA4AE9}
Operation:delete keyName:(default)
Value:
(PID) Process:(3820) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor\{11ADBD74-7DF2-4E8E-802B-B3BCBFD04A78}
Operation:delete keyName:(default)
Value:
(PID) Process:(3820) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor\{287BF315-5A11-4B2F-B069-B761ADE25A49}
Operation:delete keyName:(default)
Value:
(PID) Process:(3820) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor\{691E1C12-2693-4D4A-852C-7478657BBE6E}
Operation:delete keyName:(default)
Value:
(PID) Process:(3820) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor\{6B6B571B-F4E3-4FBB-A83F-0790D11D19AB}
Operation:delete keyName:(default)
Value:
(PID) Process:(3820) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor\{AA8FA310-0939-4CE3-B9BB-AE05B2695110}
Operation:delete keyName:(default)
Value:
(PID) Process:(3820) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor
Operation:delete keyName:(default)
Value:
(PID) Process:(3820) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ULSMonitor
Operation:delete keyName:(default)
Value:
(PID) Process:(3820) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe
Operation:delete keyName:(default)
Value:
(PID) Process:(3820) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ULSMonitor
Operation:writeName:ULSTagIds0
Value:
17634580,18658649,18409363,18658650,17126295,9319450,17913998,18948102,18658648,16920930,23978014,18637650,18674530,18409416,18948101,16859363,8988293,17182980,9176926,8448079,17913999,17064074,5850463,17182941,17914002,5850305,5898880,5850582,17914003,17182979,17182943,6166345,17182942,22929429,17110992,6636694,17372899,17182981,5898881,5850583,5898849,7218753,5850062,5850584,17372928,17922253,6636695,17182982,5850061,17146274,17914001,6029780,17110988,17913997,17914000,5850525,8709129,20248016
Executable files
0
Suspicious files
111
Text files
52
Unknown types
13

Dropped files

PID
Process
Filename
Type
3820OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook1.pst
MD5:
SHA256:
3820OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbresbinary
MD5:9067BADEA5AE8AF83897051C41DE96A8
SHA256:1E88B7D1522C82E1CA12E716721B0748AEC660F490F8909F3BBB7F82840F0998
3820OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:B0EE9CDD14884483A9DFE2072C9A628F
SHA256:493CB7B58A0711356AE6CDE0CCDEE04D406792AB9891BE76CEA8E0EE171DECB3
3820OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TableViewPreviewPrefs_2_FE66B4E296DE4743B3135FC6CCB49563.datxml
MD5:0E092DB99AEE99FDFF9B5B222C732CFD
SHA256:D1614AD99ADED9F6F5C1BE7FE7FFA5124BD04A526580DA3818EA8A954E852AA6
3820OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbresbinary
MD5:760C0501574545A6B8EF6C288328DCC9
SHA256:323E376DCA9BF1A585BE61CE72C08EB4A841DC4B727B8C4AA94B347A77BE5220
3820OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbresbinary
MD5:4E93EF1EAC65B4B46CE99FEE2F192E23
SHA256:AC07A3C23C79851AAB4FEFF146A0FFCA79864159AFD9AFAFEDCCF6E1F84D3166
3820OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bintext
MD5:4132F0A833C5850460775F86F6D2B846
SHA256:CBE6FDF065220B5F7C624BF2737AF89C7D619EEAD0D9184DA15E8D757A738DBF
3820OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\OBM7VSKL\Bonus-package-Sonepar.docxdocument
MD5:3E52855BD679B0AF61597FEB1031F489
SHA256:2904A37F56093DED5A49CD464D7500B34A98238BC37A20F1192963BBE135321F
3820OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\OBM7VSKL\Bonus-package-Sonepar.docx:Zone.Identifiertext
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
3820OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\OBM7VSKL\Bonus-package-Sonepar (002).docx:Zone.Identifiertext
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
65
DNS requests
26
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3872
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
binary
471 b
whitelisted
3820
OUTLOOK.EXE
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
US
binary
471 b
whitelisted
1268
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
825 b
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
814 b
whitelisted
6160
WINWORD.EXE
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
DE
binary
1.05 Kb
whitelisted
2168
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
DE
binary
420 b
whitelisted
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
DE
767 b
whitelisted
2168
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
DE
binary
408 b
whitelisted
6160
WINWORD.EXE
GET
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
DE
whitelisted
6160
WINWORD.EXE
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
825 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5876
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3820
OUTLOOK.EXE
52.123.129.14:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
whitelisted
3820
OUTLOOK.EXE
23.48.23.42:443
omex.cdn.office.net
Akamai International B.V.
DE
whitelisted
3820
OUTLOOK.EXE
52.111.231.8:443
messaging.lifecycle.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
3820
OUTLOOK.EXE
135.225.150.15:443
nleditor.osi.office.net
LUCENT-CIO
US
whitelisted
3872
svchost.exe
20.190.159.71:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.16.142
whitelisted
ecs.office.com
  • 52.123.129.14
  • 52.123.128.14
whitelisted
omex.cdn.office.net
  • 23.48.23.42
  • 23.48.23.11
whitelisted
messaging.lifecycle.office.com
  • 52.111.231.8
whitelisted
nleditor.osi.office.net
  • 135.225.150.15
whitelisted
login.live.com
  • 20.190.159.71
  • 20.190.159.64
  • 40.126.31.71
  • 40.126.31.131
  • 20.190.159.0
  • 40.126.31.128
  • 20.190.159.130
  • 20.190.159.131
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
odc.officeapps.live.com
  • 52.109.76.144
whitelisted
self.events.data.microsoft.com
  • 13.89.178.27
whitelisted
officeclient.microsoft.com
  • 52.109.32.97
whitelisted

Threats

No threats detected
Process
Message
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
message (36).eml