File name:

message (36).eml

Full analysis: https://app.any.run/tasks/1ed34047-ff20-4195-a55f-307da47a59ef
Verdict: Malicious activity
Analysis date: August 01, 2025, 05:53:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
spf-fail
attachments
attc-doc
qrcode
phishing
phish-url
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with CRLF line terminators
MD5:

E840C09465AF8F7B9768EE60F4FEA0A3

SHA1:

141EE453F76B59E15C948523B933EDCC39226A0B

SHA256:

377E105B03E491EECE1D095327E85CC9A7733C7AF0C59AFD98EE0835160E4ED6

SSDEEP:

1536:I8DNdjCR3+kA9xAfvakPdWMM3TatZp0JAAHSA3EdbCtgiQE9p:IyUwxYvaR/+tZGAh14eij9p

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • QR code contains URL with email

      • OUTLOOK.EXE (PID: 3820)

    • Suspicious URL found

      • OUTLOOK.EXE (PID: 3820)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
142
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe ai.exe no specs winword.exe ai.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2808"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "5088222F-436A-437F-A7F9-BE49EC839ED0" "AD893909-C5D6-4980-9314-4209DCDBA833" "3820"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeOUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
3820"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\message (36).eml"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\program files\microsoft office\root\office16\outlookservicing.dll
4700"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "6B52DA91-5EE0-4165-AB5B-2084527D2B34" "F2362888-A3B0-4612-B654-A8F9A00CB871" "6160"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\sechost.dll
6160"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\OBM7VSKL\Bonus-package-Sonepar.docx" /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
Total events
23 821
Read events
22 349
Write events
1 330
Delete events
142

Modification events

(PID) Process:(3820) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor\{02CAC15F-D4BE-400E-9127-D54982AA4AE9}
Operation:delete keyName:(default)
Value:
(PID) Process:(3820) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor\{11ADBD74-7DF2-4E8E-802B-B3BCBFD04A78}
Operation:delete keyName:(default)
Value:
(PID) Process:(3820) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor\{287BF315-5A11-4B2F-B069-B761ADE25A49}
Operation:delete keyName:(default)
Value:
(PID) Process:(3820) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor\{691E1C12-2693-4D4A-852C-7478657BBE6E}
Operation:delete keyName:(default)
Value:
(PID) Process:(3820) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor\{6B6B571B-F4E3-4FBB-A83F-0790D11D19AB}
Operation:delete keyName:(default)
Value:
(PID) Process:(3820) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor\{AA8FA310-0939-4CE3-B9BB-AE05B2695110}
Operation:delete keyName:(default)
Value:
(PID) Process:(3820) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor
Operation:delete keyName:(default)
Value:
(PID) Process:(3820) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ULSMonitor
Operation:delete keyName:(default)
Value:
(PID) Process:(3820) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe
Operation:delete keyName:(default)
Value:
(PID) Process:(3820) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ULSMonitor
Operation:writeName:ULSTagIds0
Value:
17634580,18658649,18409363,18658650,17126295,9319450,17913998,18948102,18658648,16920930,23978014,18637650,18674530,18409416,18948101,16859363,8988293,17182980,9176926,8448079,17913999,17064074,5850463,17182941,17914002,5850305,5898880,5850582,17914003,17182979,17182943,6166345,17182942,22929429,17110992,6636694,17372899,17182981,5898881,5850583,5898849,7218753,5850062,5850584,17372928,17922253,6636695,17182982,5850061,17146274,17914001,6029780,17110988,17913997,17914000,5850525,8709129,20248016
Executable files
0
Suspicious files
111
Text files
52
Unknown types
13

Dropped files

PID
Process
Filename
Type
3820OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook1.pst
MD5:
SHA256:
3820OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbresbinary
MD5:9067BADEA5AE8AF83897051C41DE96A8
SHA256:1E88B7D1522C82E1CA12E716721B0748AEC660F490F8909F3BBB7F82840F0998
3820OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbresbinary
MD5:4E93EF1EAC65B4B46CE99FEE2F192E23
SHA256:AC07A3C23C79851AAB4FEFF146A0FFCA79864159AFD9AFAFEDCCF6E1F84D3166
3820OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbresbinary
MD5:760C0501574545A6B8EF6C288328DCC9
SHA256:323E376DCA9BF1A585BE61CE72C08EB4A841DC4B727B8C4AA94B347A77BE5220
6160WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\Personalization\Governance\Anonymous\floodgatecampaigns.json.tmptss
MD5:B9A24623D03BDF34B86627B3C46DE384
SHA256:398B38D814B81B44E3F27704FC24606ECE6D1053A22E5BD380F1D5E9D487FBC3
6160WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\146735CD-A1E6-40A4-8FA9-65935CC6C5F7xml
MD5:5B58A813D709A407F42AEE33D0824EEF
SHA256:3373C783E6E8078CEC087F9173E805FDFAFE18DDD2A3C5066C10348B5BCD33FD
3820OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\OBM7VSKL\Bonus-package-Sonepar.docx:Zone.Identifiertext
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
3820OUTLOOK.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9der
MD5:E37AA8D9AD9AA293643F34EF15112374
SHA256:0D46EE724643511D7529734EB85124ABEACB3754E0ADECF403DD0B7BC8B8B705
3820OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bintext
MD5:CC90D669144261B198DEAD45AA266572
SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
3820OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bintext
MD5:4132F0A833C5850460775F86F6D2B846
SHA256:CBE6FDF065220B5F7C624BF2737AF89C7D619EEAD0D9184DA15E8D757A738DBF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
65
DNS requests
26
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3872
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3820
OUTLOOK.EXE
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
1268
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2168
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2168
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6160
WINWORD.EXE
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
unknown
whitelisted
6160
WINWORD.EXE
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
6160
WINWORD.EXE
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
whitelisted
6160
WINWORD.EXE
GET
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5876
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3820
OUTLOOK.EXE
52.123.129.14:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
whitelisted
3820
OUTLOOK.EXE
23.48.23.42:443
omex.cdn.office.net
Akamai International B.V.
DE
whitelisted
3820
OUTLOOK.EXE
52.111.231.8:443
messaging.lifecycle.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
3820
OUTLOOK.EXE
135.225.150.15:443
nleditor.osi.office.net
LUCENT-CIO
US
whitelisted
3872
svchost.exe
20.190.159.71:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.16.142
whitelisted
ecs.office.com
  • 52.123.129.14
  • 52.123.128.14
whitelisted
omex.cdn.office.net
  • 23.48.23.42
  • 23.48.23.11
whitelisted
messaging.lifecycle.office.com
  • 52.111.231.8
whitelisted
nleditor.osi.office.net
  • 135.225.150.15
whitelisted
login.live.com
  • 20.190.159.71
  • 20.190.159.64
  • 40.126.31.71
  • 40.126.31.131
  • 20.190.159.0
  • 40.126.31.128
  • 20.190.159.130
  • 20.190.159.131
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
odc.officeapps.live.com
  • 52.109.76.144
whitelisted
self.events.data.microsoft.com
  • 13.89.178.27
whitelisted
officeclient.microsoft.com
  • 52.109.32.97
whitelisted

Threats

No threats detected
Process
Message
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
message (36).eml