File name:

triage-report_105645-phishing-we-us-04150_AT_wework_com.zip

Full analysis: https://app.any.run/tasks/59d9c287-41d9-4489-a9d4-5b40f2680879
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that lets attackers gain partial or complete control over infected computers. Such malicious programs often have a modular design and offer a wide range of functionality for carrying out illicit activity on compromised systems. Common RAT features include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: April 15, 2025, 17:53:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
attachments
attc-eml
susp-attachments
obfuscated-js
connectwise
rmm-tool
screenconnect
remote
rat
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

294F4E13216319307536EB13EEE27CE2

SHA1:

D2359B8D7FA13C177925BA23AB50D8D899A8CEDB

SHA256:

509F3320DA7C5479A3447F934ADBF0F9FD0E16897A220F70A8238A4046CF4F1F

SSDEEP:

384:d3FcksJuA+0n7GJMJKthAeVN1sM37BuVG6IGLkMrf1bh3uriNzEKBksSTeiWgE2k:dakXAzn7Gm8N+MLcRIMxh+8Ehh1JECV+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • SCREENCONNECT has been detected (SURICATA)

      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.ClientService.exe (PID: 8984)
  • SUSPICIOUS

    • Email with suspicious attachment

      • WinRAR.exe (PID: 6268)
    • Reads Microsoft Outlook installation path

      • WinRAR.exe (PID: 6268)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6268)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 9016)
      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.WindowsClient.exe (PID: 8936)
      • ScreenConnect.WindowsClient.exe (PID: 9076)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 4376)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7892)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7624)
      • ScreenConnect.WindowsClient.exe (PID: 7544)
      • ScreenConnect.WindowsClient.exe (PID: 6584)
      • ScreenConnect.WindowsBackstageShell.exe (PID: 8948)
      • ScreenConnect.WindowsClient.exe (PID: 8472)
      • FileForTransfer.exe (PID: 1128)
      • ScreenConnect.ClientService.exe (PID: 8984)
      • ScreenConnect.WindowsClient.exe (PID: 2644)
      • ScreenConnect.WindowsClient.exe (PID: 8664)
      • ScreenConnect.WindowsClient.exe (PID: 6256)
    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 8232)
      • rundll32.exe (PID: 8708)
      • rundll32.exe (PID: 7104)
      • rundll32.exe (PID: 7828)
      • ScreenConnect.WindowsClient.exe (PID: 6584)
      • FileForTransfer.exe (PID: 1128)
      • rundll32.exe (PID: 5796)
    • Executes as Windows Service

      • VSSVC.exe (PID: 8244)
      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.ClientService.exe (PID: 8984)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 9140)
    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 9140)
    • Creates/Modifies COM task schedule object

      • msiexec.exe (PID: 9140)
    • Screenconnect has been detected

      • msiexec.exe (PID: 9140)
      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.ClientService.exe (PID: 7660)
      • rundll32.exe (PID: 8708)
      • rundll32.exe (PID: 7104)
      • rundll32.exe (PID: 7828)
      • ScreenConnect.ClientService.exe (PID: 8984)
      • ScreenConnect.ClientService.exe (PID: 8984)
    • SCREENCONNECT mutex has been found

      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.ClientService.exe (PID: 8984)
    • Creates or modifies Windows services

      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.ClientService.exe (PID: 8984)
    • Potential Corporate Privacy Violation

      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.ClientService.exe (PID: 8984)
    • Detects ScreenConnect RAT (YARA)

      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.WindowsClient.exe (PID: 8936)
    • There is functionality for taking screenshot (YARA)

      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.WindowsClient.exe (PID: 8936)
    • Reads the date of Windows installation

      • ScreenConnect.WindowsClient.exe (PID: 6584)
      • ScreenConnect.WindowsClient.exe (PID: 8472)
    • Application launched itself

      • ScreenConnect.WindowsClient.exe (PID: 6584)
  • INFO

    • Email with attachments

      • WinRAR.exe (PID: 6268)
    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 6268)
    • Application launched itself

      • msedge.exe (PID: 5064)
    • Checks supported languages

      • identity_helper.exe (PID: 7552)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 9016)
      • msiexec.exe (PID: 9140)
      • msiexec.exe (PID: 9188)
      • msiexec.exe (PID: 5400)
      • msiexec.exe (PID: 7956)
      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.WindowsClient.exe (PID: 8936)
      • ScreenConnect.WindowsClient.exe (PID: 9076)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 4376)
      • msiexec.exe (PID: 7864)
      • msiexec.exe (PID: 3332)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7892)
      • msiexec.exe (PID: 7836)
      • msiexec.exe (PID: 8664)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7624)
      • msiexec.exe (PID: 5668)
      • msiexec.exe (PID: 5404)
      • ScreenConnect.WindowsClient.exe (PID: 7544)
      • ScreenConnect.WindowsBackstageShell.exe (PID: 8948)
      • ScreenConnect.WindowsClient.exe (PID: 6584)
      • ScreenConnect.WindowsClient.exe (PID: 8472)
      • FileForTransfer.exe (PID: 1128)
      • msiexec.exe (PID: 5624)
      • msiexec.exe (PID: 3164)
      • ScreenConnect.ClientService.exe (PID: 8984)
      • ScreenConnect.WindowsClient.exe (PID: 2644)
      • ScreenConnect.WindowsClient.exe (PID: 8664)
      • ScreenConnect.WindowsClient.exe (PID: 6256)
    • Reads the computer name

      • identity_helper.exe (PID: 7552)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 9016)
      • msiexec.exe (PID: 9140)
      • msiexec.exe (PID: 9188)
      • msiexec.exe (PID: 5400)
      • msiexec.exe (PID: 7956)
      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.WindowsClient.exe (PID: 8936)
      • ScreenConnect.WindowsClient.exe (PID: 9076)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 4376)
      • msiexec.exe (PID: 7864)
      • msiexec.exe (PID: 3332)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7892)
      • msiexec.exe (PID: 7836)
      • msiexec.exe (PID: 8664)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7624)
      • msiexec.exe (PID: 5668)
      • msiexec.exe (PID: 5404)
      • ScreenConnect.WindowsClient.exe (PID: 7544)
      • ScreenConnect.WindowsBackstageShell.exe (PID: 8948)
      • ScreenConnect.WindowsClient.exe (PID: 6584)
      • ScreenConnect.WindowsClient.exe (PID: 8472)
      • FileForTransfer.exe (PID: 1128)
      • msiexec.exe (PID: 5624)
      • msiexec.exe (PID: 3164)
      • ScreenConnect.ClientService.exe (PID: 8984)
      • ScreenConnect.WindowsClient.exe (PID: 2644)
      • ScreenConnect.WindowsClient.exe (PID: 8664)
      • ScreenConnect.WindowsClient.exe (PID: 6256)
    • Reads Environment values

      • identity_helper.exe (PID: 7552)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 5344)
      • msedge.exe (PID: 5064)
      • msiexec.exe (PID: 9096)
      • msiexec.exe (PID: 9140)
      • msiexec.exe (PID: 9124)
      • msiexec.exe (PID: 8040)
      • msiexec.exe (PID: 8312)
      • msiexec.exe (PID: 8688)
      • msedge.exe (PID: 7808)
    • Reads the machine GUID from the registry

      • KirkIand&EIIis_E-Sign_Key.exe (PID: 9016)
      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.WindowsClient.exe (PID: 8936)
      • ScreenConnect.WindowsClient.exe (PID: 9076)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 4376)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7892)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7624)
      • ScreenConnect.WindowsClient.exe (PID: 7544)
      • ScreenConnect.WindowsBackstageShell.exe (PID: 8948)
      • ScreenConnect.WindowsClient.exe (PID: 6584)
      • ScreenConnect.WindowsClient.exe (PID: 8472)
      • FileForTransfer.exe (PID: 1128)
      • ScreenConnect.ClientService.exe (PID: 8984)
      • ScreenConnect.WindowsClient.exe (PID: 2644)
      • ScreenConnect.WindowsClient.exe (PID: 8664)
      • ScreenConnect.WindowsClient.exe (PID: 6256)
    • Create files in a temporary directory

      • KirkIand&EIIis_E-Sign_Key.exe (PID: 9016)
      • rundll32.exe (PID: 8232)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 4376)
      • rundll32.exe (PID: 8708)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7892)
      • rundll32.exe (PID: 7104)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7624)
      • rundll32.exe (PID: 7828)
    • Process checks computer location settings

      • KirkIand&EIIis_E-Sign_Key.exe (PID: 9016)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 4376)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7892)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7624)
    • CONNECTWISE has been detected

      • msiexec.exe (PID: 9096)
      • msiexec.exe (PID: 9140)
      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.WindowsClient.exe (PID: 8936)
      • ScreenConnect.WindowsClient.exe (PID: 9076)
      • msiexec.exe (PID: 9124)
      • msiexec.exe (PID: 8040)
      • msiexec.exe (PID: 8312)
      • ScreenConnect.WindowsClient.exe (PID: 7544)
      • ScreenConnect.WindowsBackstageShell.exe (PID: 8948)
      • ScreenConnect.WindowsClient.exe (PID: 6584)
      • ScreenConnect.WindowsClient.exe (PID: 8472)
      • msiexec.exe (PID: 8688)
      • ScreenConnect.ClientService.exe (PID: 8984)
      • ScreenConnect.WindowsClient.exe (PID: 2644)
      • ScreenConnect.WindowsClient.exe (PID: 8664)
      • ScreenConnect.WindowsClient.exe (PID: 6256)
    • Manages system restore points

      • SrTasks.exe (PID: 8424)
      • SrTasks.exe (PID: 456)
    • SCREENCONNECT has been detected

      • msiexec.exe (PID: 9140)
      • ScreenConnect.ClientService.exe (PID: 7660)
      • rundll32.exe (PID: 8708)
      • rundll32.exe (PID: 7104)
      • rundll32.exe (PID: 7828)
      • ScreenConnect.ClientService.exe (PID: 8984)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 9140)
    • Reads the software policy settings

      • slui.exe (PID: 7260)
      • slui.exe (PID: 3300)
    • Reads CPU info

      • ScreenConnect.WindowsClient.exe (PID: 9076)
      • ScreenConnect.WindowsClient.exe (PID: 8664)
    • Checks proxy server information

      • slui.exe (PID: 3300)
    • Manual execution by a user

      • KirkIand&EIIis_E-Sign_Key.exe (PID: 8444)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 4376)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 3300)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7892)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 1764)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7624)
    • The sample is compiled with English language support

      • msedge.exe (PID: 7808)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:04:15 17:53:00
ZipCRC: 0xdbcfba63
ZipCompressedSize: 13485
ZipUncompressedSize: 32432
ZipFileName: triage-report_105645-phishing-we-us-04150_AT_wework_com/original.eml
No data.
All screenshots are available in the full report
Total processes
274
Monitored processes
126
Malicious processes
4
Suspicious processes
1

Behavior graph

Interactive process graph (rendered only in the full report); the screenconnect.clientservice.exe nodes are tagged #SCREENCONNECT.

Process information

PID
CMD
Path
Indicators
Parent process
PID:
456
CMD:
C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:12
Path:
C:\Windows\System32\SrTasks.exe
Parent process:
msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
1012
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=1516 --field-trial-handle=2344,i,17357009729192601572,13559256776933010933,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1096
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6096 --field-trial-handle=2344,i,17357009729192601572,13559256776933010933,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1128
CMD:
"C:\WINDOWS\SystemTemp\ScreenConnect\25.2.3.9216\Temp\FileForTransfer.exe"
Path:
C:\Windows\SystemTemp\ScreenConnect\25.2.3.9216\Temp\FileForTransfer.exe
Parent process:
ScreenConnect.WindowsClient.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
0
Modules
Images
c:\windows\systemtemp\screenconnect\25.2.3.9216\temp\filefortransfer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID:
1764
CMD:
"C:\Users\admin\Downloads\KirkIand&EIIis_E-Sign_Key.exe"
Path:
C:\Users\admin\Downloads\KirkIand&EIIis_E-Sign_Key.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\downloads\kirkiand&eiiis_e-sign_key.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
2096
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4116 --field-trial-handle=2344,i,17357009729192601572,13559256776933010933,262144 --variations-seed-version /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2192
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=8084 --field-trial-handle=2344,i,17357009729192601572,13559256776933010933,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2268
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7936 --field-trial-handle=2344,i,17357009729192601572,13559256776933010933,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2316
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7524 --field-trial-handle=2344,i,17357009729192601572,13559256776933010933,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2644
CMD:
"C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.WindowsClient.exe" "RunRole" "b1b8c6f4-6c37-41ec-a199-60f9fbad2014" "User"
Path:
C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.WindowsClient.exe
Parent process:
ScreenConnect.ClientService.exe
User:
admin
Company:
ScreenConnect Software
Integrity Level:
MEDIUM
Description:
Version:
23.2.9.8466
Modules
Images
c:\program files (x86)\screenconnect client (73a0227d089fe193)\screenconnect.windowsclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
44 322
Read events
42 316
Write events
1 779
Delete events
227

Modification events

(PID) Process: (6268) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value:
C:\Users\admin\Desktop\preferences.zip

(PID) Process: (6268) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (6268) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (6268) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\AppData\Local\Temp\triage-report_105645-phishing-we-us-04150_AT_wework_com.zip

(PID) Process: (6268) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120

(PID) Process: (6268) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80

(PID) Process: (6268) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120

(PID) Process: (6268) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value:
100

(PID) Process: (6268) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\OpenWithProgids
Operation: write
Name: Outlook.File.eml.15
Value:

(PID) Process: (6268) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write
Name: {5FA29220-36A1-40F9-89C6-F4B384B7642E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF
Value:
0100000000000000CF7A634A2FAEDB01
Executable files
123
Suspicious files
847
Text files
157
Unknown types
1

Dropped files

PID: 7672 | Process: OUTLOOK.EXE | Type:
Filename: C:\Users\admin\Documents\Outlook Files\Outlook1.pst
MD5:
SHA256:

PID: 7672 | Process: OUTLOOK.EXE | Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
MD5: 738DEBF266D5F546D0D129A8062AE1BB
SHA256: 86C6BAAD3B84407DE2D8C7C3B5B9240D446536054E59172A8E3A7C800D02940A

PID: 6268 | Process: WinRAR.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa6268.41648\original.eml
MD5: DE9EDF56ED5617B53DBC066848A6868F
SHA256: DFA6B7FF377C621537695FD3802314A955820F663CA3B0D8DB87EB7221A8A9AA

PID: 5064 | Process: msedge.exe | Type:
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1109b1.TMP
MD5:
SHA256:

PID: 5064 | Process: msedge.exe | Type:
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:

PID: 5064 | Process: msedge.exe | Type:
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1109b1.TMP
MD5:
SHA256:

PID: 5064 | Process: msedge.exe | Type:
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:

PID: 5064 | Process: msedge.exe | Type:
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1109b1.TMP
MD5:
SHA256:

PID: 5064 | Process: msedge.exe | Type:
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:

PID: 7672 | Process: OUTLOOK.EXE | Type: xml
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\70FAFA5F-4779-4468-A7D1-0A0409A656B2
MD5: 3B5BE0681FA0DCC5DB640EDC90610EAF
SHA256: F16A9F7B1A9D00D57EF58FD950856442BBA265BDB12C4880C62F159094778C48
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
41
TCP/UDP connections
227
DNS requests
242
Threats
13

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
8444 | SIHClient.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
(as above) | (as above) | GET | 200 | 23.48.23.188:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7868 | svchost.exe | HEAD | 200 | 208.89.74.19:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fb6dd03b-99d7-4cc8-a878-91c8e655c2d3?P1=1744953267&P2=404&P3=2&P4=WAxMxKf2IduhSTlW1ZjvH1nv3Na9xi9%2bkq%2fLvcIcrzmnAltgNtr2LhZ%2ftBV9wOnk5zPGEuEr5QegUxilZ2rv1A%3d%3d | unknown | whitelisted
7672 | OUTLOOK.EXE | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | whitelisted
7868 | svchost.exe | GET | 206 | 208.89.74.19:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fb6dd03b-99d7-4cc8-a878-91c8e655c2d3?P1=1744953267&P2=404&P3=2&P4=WAxMxKf2IduhSTlW1ZjvH1nv3Na9xi9%2bkq%2fLvcIcrzmnAltgNtr2LhZ%2ftBV9wOnk5zPGEuEr5QegUxilZ2rv1A%3d%3d | unknown | whitelisted
8444 | SIHClient.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7868 | svchost.exe | GET | 206 | 208.89.74.19:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fb6dd03b-99d7-4cc8-a878-91c8e655c2d3?P1=1744953267&P2=404&P3=2&P4=WAxMxKf2IduhSTlW1ZjvH1nv3Na9xi9%2bkq%2fLvcIcrzmnAltgNtr2LhZ%2ftBV9wOnk5zPGEuEr5QegUxilZ2rv1A%3d%3d | unknown | whitelisted
7868 | svchost.exe | HEAD | 200 | 208.89.74.19:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cbc98ff-b69b-4fda-ad94-17ec2f9cf48b?P1=1744953268&P2=404&P3=2&P4=l8ZU4mjSgzcXDkkOrAGC7P3pnHPwwOe865E8M5kj0JsOWKsLfV6pw%2fXt%2bzmXFyHgBkHEbakg17MorYmqzVbTnw%3d%3d | unknown | whitelisted
7868 | svchost.exe | GET | 206 | 208.89.74.19:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fb6dd03b-99d7-4cc8-a878-91c8e655c2d3?P1=1744953267&P2=404&P3=2&P4=WAxMxKf2IduhSTlW1ZjvH1nv3Na9xi9%2bkq%2fLvcIcrzmnAltgNtr2LhZ%2ftBV9wOnk5zPGEuEr5QegUxilZ2rv1A%3d%3d | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
(as above) | (as above) | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
(as above) | (as above) | 23.48.23.188:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2112 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 40.126.32.74:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
7672 | OUTLOOK.EXE | 52.109.76.240:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.48.23.188
  • 23.48.23.185
  • 23.48.23.190
  • 23.48.23.177
  • 23.48.23.181
  • 23.48.23.183
  • 23.48.23.184
  • 23.48.23.179
  • 23.48.23.192
whitelisted
google.com
  • 142.250.74.206
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.32.74
  • 40.126.32.138
  • 20.190.160.20
  • 20.190.160.2
  • 40.126.32.136
  • 20.190.160.67
  • 20.190.160.22
  • 20.190.160.65
  • 20.190.159.71
  • 40.126.31.128
  • 20.190.159.131
  • 40.126.31.69
  • 20.190.159.0
  • 20.190.159.128
  • 40.126.31.1
  • 40.126.31.2
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
officeclient.microsoft.com
  • 52.109.76.240
whitelisted
ecs.office.com
  • 52.123.129.14
  • 52.123.128.14
whitelisted
roaming.officeapps.live.com
  • 52.109.68.129
whitelisted
omex.cdn.office.net
  • 23.50.131.87
  • 23.50.131.86
whitelisted

Threats

PID
Process
Class
Message
Not Suspicious Traffic
INFO [ANY.RUN] Azure Blob Storage (.blob .core .windows .net)
Not Suspicious Traffic
INFO [ANY.RUN] Azure Blob Storage (.blob .core .windows .net)
Not Suspicious Traffic
INFO [ANY.RUN] Azure Blob Storage (.blob .core .windows .net)
Not Suspicious Traffic
INFO [ANY.RUN] Azure Blob Storage (.blob .core .windows .net)
Not Suspicious Traffic
INFO [ANY.RUN] Azure Blob Storage (.blob .core .windows .net)
Not Suspicious Traffic
INFO [ANY.RUN] Azure Blob Storage (.blob .core .windows .net)
Misc activity
ET REMOTE_ACCESS Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain
Potential Corporate Privacy Violation
REMOTE [ANY.RUN] ScreenConnect Server Response
Potential Corporate Privacy Violation
REMOTE [ANY.RUN] ScreenConnect Server Response
Not Suspicious Traffic
INFO [ANY.RUN] Azure Blob Storage (.blob .core .windows .net)
No debug info