File name: Undeliverable Intertek Action Required Employee Pay Raise and Strategic Organizational Restructuring ID-6A9yYJpZjAN7gpig7yAk.msg

Full analysis: https://app.any.run/tasks/7d6ca176-42a4-444e-a552-67c3e406c876
Verdict: Malicious activity
Analysis date: September 03, 2025, 17:01:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: attachments, attc-eml, spf-fail, attc-doc, qrcode, phishing, phish-url
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 01496B93B6B9EB1FFE912163346D0F3C
SHA1: BF45DEFBD84622E1EF0941CD8D921C06AAA5EDD8
SHA256: 3A99A76773B2AF368AD78EBCFD2F58B043CAAA917E2338D6E0816F8F83D7DA59
SSDEEP: 3072:CXzHQgCP0t1pU17izU171NAWQl37Y6+2jT70CjKsHrB:mtez9an+CT704

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Suspicious URL found
      • OUTLOOK.EXE (PID: 2320)
    • QR code contains URL with email
      • OUTLOOK.EXE (PID: 2320)
  • SUSPICIOUS
    • No suspicious indicators.
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 138
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → outlook.exe → ai.exe (no specs)

Process information

PID: 2320
CMD: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f C:\Users\admin\AppData\Local\Temp\7d6ca176-42a4-444e-a552-67c3e406c876.msg
Path: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3100
CMD: "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "F2CD7C9B-04BF-48FF-B058-B29820957602" "6EE844B4-DC19-4C2D-AEF3-1EC3A628D2C0" "2320"
Path: C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe
Parent process: OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 8 746
Read events: 8 386
Write events: 310
Delete events: 50

Modification events

(PID) Process | Operation | Key | Name = Value
(2320) OUTLOOK.EXE | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass = 1
(2320) OUTLOOK.EXE | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName = 1
(2320) OUTLOOK.EXE | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet = 1
(2320) OUTLOOK.EXE | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect = 0
(2320) OUTLOOK.EXE | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 | 00030429 = 09000000
(2320) OUTLOOK.EXE | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData | ProfileBeingOpened = Outlook
(2320) OUTLOOK.EXE | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 | 00030397 = 60000000
(2320) OUTLOOK.EXE | delete value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Licensing | EligibleForExtendedGrace
(2320) OUTLOOK.EXE | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\outlook | BuildNumber = 16.0.16026
(2320) OUTLOOK.EXE | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook | Expires = int64_t|0
Executable files: 0
Suspicious files: 6
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2320 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook1.pst | - | - | -
2320 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres | binary | BE8B294AB0DF57EC99BB6D16EB863585 | 44E0DC5E6009A4CFCEE30F507E841330B2ADC8F446AEC6B9D136564E0C30B578
2320 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | binary | 9DA7EDF4C81DADB4CC5F545D804AAEC1 | 26FB6A3AAF200FD4F6D33D8B9792B0B95A4083C5183F642995A3A96F9A6C3F39
2320 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres | binary | B5CE46B3B0F076682FF6417156074BBA | 8AD94FC1CFEFCF3BF701B19DE976A42BFC43C33EF343F3823F7BFEFCC091594B
2320 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\msoCEC4.tmp | image | ED3C1C40B68BA4F40DB15529D5443DEC | 039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
2320 | OUTLOOK.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | binary | 6AAD4915E8CC358BD58AFEE62E761576 | AFBBDF256F5DA5BD7E1591B494A983A09E85EE84907AA9AEBB721593509C4EC6
2320 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin | text | CC90D669144261B198DEAD45AA266572 | 89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
2320 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TableViewPreviewPrefs_2_24BF3BB1B871BD4AA1D5E7036CF6458C.dat | xml | 0E092DB99AEE99FDFF9B5B222C732CFD | D1614AD99ADED9F6F5C1BE7FE7FFA5124BD04A526580DA3818EA8A954E852AA6
2320 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin | text | 18A154F8488472E3DC163994A90A2FA7 | F2CE5D06261FFE742979E82222819668DED3285C5415D0D217A70654ECABA310
2320 | OUTLOOK.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | binary | D0F76FB94134DA255A771F0B31F5CD54 | 41F85EBAB8C50152F93A1A82348D9D8986CDB29146B9DABE540339FE57BB6125
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 20
DNS requests: 13
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2980 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted
1268 | svchost.exe | GET | 200 | 2.16.164.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
1268 | svchost.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
2320 | OUTLOOK.EXE | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | US | binary | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
188 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2320 | OUTLOOK.EXE | 52.123.129.14:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2320 | OUTLOOK.EXE | 23.50.131.86:443 | omex.cdn.office.net | Akamai International B.V. | DE | whitelisted
2320 | OUTLOOK.EXE | 52.111.236.4:443 | messaging.lifecycle.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2320 | OUTLOOK.EXE | 4.251.34.76:443 | nleditor.osi.office.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2980 | svchost.exe | 20.190.159.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 20.73.194.208 | whitelisted
google.com | 172.217.18.14 | whitelisted
ecs.office.com | 52.123.129.14, 52.123.128.14 | whitelisted
omex.cdn.office.net | 23.50.131.86, 23.50.131.87 | whitelisted
messaging.lifecycle.office.com | 52.111.236.4 | whitelisted
nleditor.osi.office.net | 4.251.34.76 | whitelisted
login.live.com | 20.190.159.2, 20.190.159.23, 40.126.31.131, 20.190.159.129, 20.190.159.73, 40.126.31.1, 20.190.159.64, 20.190.159.130 | whitelisted
ocsp.digicert.com | 184.30.131.245 | whitelisted
crl.microsoft.com | 2.16.164.25, 2.16.164.34, 2.16.164.107, 2.16.164.58, 2.16.164.83, 2.16.164.24, 2.16.164.49, 2.16.164.9, 2.16.164.32 | whitelisted
www.microsoft.com | 69.192.161.161 | whitelisted

Threats

No threats detected
No debug info