File name:

triage-report_105645-phishing-we-us-04150_AT_wework_com.zip

Full analysis: https://app.any.run/tasks/59d9c287-41d9-4489-a9d4-5b40f2680879
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: April 15, 2025, 17:53:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
attachments
attc-eml
susp-attachments
obfuscated-js
connectwise
rmm-tool
screenconnect
remote
rat
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

294F4E13216319307536EB13EEE27CE2

SHA1:

D2359B8D7FA13C177925BA23AB50D8D899A8CEDB

SHA256:

509F3320DA7C5479A3447F934ADBF0F9FD0E16897A220F70A8238A4046CF4F1F

SSDEEP:

384:d3FcksJuA+0n7GJMJKthAeVN1sM37BuVG6IGLkMrf1bh3uriNzEKBksSTeiWgE2k:dakXAzn7Gm8N+MLcRIMxh+8Ehh1JECV+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • SCREENCONNECT has been detected (SURICATA)

      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.ClientService.exe (PID: 8984)
  • SUSPICIOUS

    • Email with suspicious attachment

      • WinRAR.exe (PID: 6268)
    • Reads Microsoft Outlook installation path

      • WinRAR.exe (PID: 6268)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6268)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 9016)
      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.WindowsClient.exe (PID: 8936)
      • ScreenConnect.WindowsClient.exe (PID: 9076)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 4376)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7892)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7624)
      • ScreenConnect.WindowsBackstageShell.exe (PID: 8948)
      • ScreenConnect.WindowsClient.exe (PID: 7544)
      • ScreenConnect.WindowsClient.exe (PID: 6584)
      • ScreenConnect.WindowsClient.exe (PID: 8472)
      • FileForTransfer.exe (PID: 1128)
      • ScreenConnect.WindowsClient.exe (PID: 2644)
      • ScreenConnect.ClientService.exe (PID: 8984)
      • ScreenConnect.WindowsClient.exe (PID: 8664)
      • ScreenConnect.WindowsClient.exe (PID: 6256)
    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 8232)
      • rundll32.exe (PID: 8708)
      • rundll32.exe (PID: 7104)
      • rundll32.exe (PID: 7828)
      • ScreenConnect.WindowsClient.exe (PID: 6584)
      • FileForTransfer.exe (PID: 1128)
      • rundll32.exe (PID: 5796)
    • Executes as Windows Service

      • VSSVC.exe (PID: 8244)
      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.ClientService.exe (PID: 8984)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 9140)
    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 9140)
    • Creates/Modifies COM task schedule object

      • msiexec.exe (PID: 9140)
    • Screenconnect has been detected

      • msiexec.exe (PID: 9140)
      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.ClientService.exe (PID: 7660)
      • rundll32.exe (PID: 8708)
      • rundll32.exe (PID: 7104)
      • rundll32.exe (PID: 7828)
      • ScreenConnect.ClientService.exe (PID: 8984)
      • ScreenConnect.ClientService.exe (PID: 8984)
    • SCREENCONNECT mutex has been found

      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.ClientService.exe (PID: 8984)
    • Creates or modifies Windows services

      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.ClientService.exe (PID: 8984)
    • There is functionality for taking screenshot (YARA)

      • ScreenConnect.WindowsClient.exe (PID: 8936)
      • ScreenConnect.ClientService.exe (PID: 7660)
    • Detects ScreenConnect RAT (YARA)

      • ScreenConnect.WindowsClient.exe (PID: 8936)
      • ScreenConnect.ClientService.exe (PID: 7660)
    • Potential Corporate Privacy Violation

      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.ClientService.exe (PID: 8984)
    • Reads the date of Windows installation

      • ScreenConnect.WindowsClient.exe (PID: 6584)
      • ScreenConnect.WindowsClient.exe (PID: 8472)
    • Application launched itself

      • ScreenConnect.WindowsClient.exe (PID: 6584)
  • INFO

    • Email with attachments

      • WinRAR.exe (PID: 6268)
    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 6268)
    • Reads the computer name

      • KirkIand&EIIis_E-Sign_Key.exe (PID: 9016)
      • identity_helper.exe (PID: 7552)
      • msiexec.exe (PID: 9140)
      • msiexec.exe (PID: 5400)
      • msiexec.exe (PID: 7956)
      • msiexec.exe (PID: 9188)
      • ScreenConnect.WindowsClient.exe (PID: 8936)
      • ScreenConnect.WindowsClient.exe (PID: 9076)
      • ScreenConnect.ClientService.exe (PID: 7660)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 4376)
      • msiexec.exe (PID: 7864)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7892)
      • msiexec.exe (PID: 3332)
      • msiexec.exe (PID: 7836)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7624)
      • msiexec.exe (PID: 8664)
      • msiexec.exe (PID: 5668)
      • msiexec.exe (PID: 5404)
      • ScreenConnect.WindowsClient.exe (PID: 7544)
      • ScreenConnect.WindowsBackstageShell.exe (PID: 8948)
      • ScreenConnect.WindowsClient.exe (PID: 6584)
      • ScreenConnect.WindowsClient.exe (PID: 8472)
      • FileForTransfer.exe (PID: 1128)
      • msiexec.exe (PID: 5624)
      • msiexec.exe (PID: 3164)
      • ScreenConnect.ClientService.exe (PID: 8984)
      • ScreenConnect.WindowsClient.exe (PID: 2644)
      • ScreenConnect.WindowsClient.exe (PID: 6256)
      • ScreenConnect.WindowsClient.exe (PID: 8664)
    • Checks supported languages

      • identity_helper.exe (PID: 7552)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 9016)
      • msiexec.exe (PID: 9140)
      • msiexec.exe (PID: 9188)
      • msiexec.exe (PID: 5400)
      • msiexec.exe (PID: 7956)
      • ScreenConnect.WindowsClient.exe (PID: 9076)
      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.WindowsClient.exe (PID: 8936)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 4376)
      • msiexec.exe (PID: 7864)
      • msiexec.exe (PID: 3332)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7892)
      • msiexec.exe (PID: 7836)
      • msiexec.exe (PID: 8664)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7624)
      • msiexec.exe (PID: 5668)
      • msiexec.exe (PID: 5404)
      • ScreenConnect.WindowsClient.exe (PID: 7544)
      • ScreenConnect.WindowsBackstageShell.exe (PID: 8948)
      • ScreenConnect.WindowsClient.exe (PID: 6584)
      • FileForTransfer.exe (PID: 1128)
      • msiexec.exe (PID: 5624)
      • msiexec.exe (PID: 3164)
      • ScreenConnect.ClientService.exe (PID: 8984)
      • ScreenConnect.WindowsClient.exe (PID: 8664)
      • ScreenConnect.WindowsClient.exe (PID: 2644)
      • ScreenConnect.WindowsClient.exe (PID: 6256)
      • ScreenConnect.WindowsClient.exe (PID: 8472)
    • Application launched itself

      • msedge.exe (PID: 5064)
    • Create files in a temporary directory

      • KirkIand&EIIis_E-Sign_Key.exe (PID: 9016)
      • rundll32.exe (PID: 8232)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 4376)
      • rundll32.exe (PID: 8708)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7892)
      • rundll32.exe (PID: 7104)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7624)
      • rundll32.exe (PID: 7828)
    • Reads Environment values

      • identity_helper.exe (PID: 7552)
    • Reads the machine GUID from the registry

      • KirkIand&EIIis_E-Sign_Key.exe (PID: 9016)
      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.WindowsClient.exe (PID: 8936)
      • ScreenConnect.WindowsClient.exe (PID: 9076)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 4376)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7892)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7624)
      • ScreenConnect.WindowsBackstageShell.exe (PID: 8948)
      • ScreenConnect.WindowsClient.exe (PID: 7544)
      • ScreenConnect.WindowsClient.exe (PID: 6584)
      • FileForTransfer.exe (PID: 1128)
      • ScreenConnect.WindowsClient.exe (PID: 8472)
      • ScreenConnect.ClientService.exe (PID: 8984)
      • ScreenConnect.WindowsClient.exe (PID: 2644)
      • ScreenConnect.WindowsClient.exe (PID: 8664)
      • ScreenConnect.WindowsClient.exe (PID: 6256)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 5064)
      • msedge.exe (PID: 5344)
      • msiexec.exe (PID: 9096)
      • msiexec.exe (PID: 9140)
      • msiexec.exe (PID: 9124)
      • msiexec.exe (PID: 8040)
      • msiexec.exe (PID: 8312)
      • msiexec.exe (PID: 8688)
      • msedge.exe (PID: 7808)
    • Process checks computer location settings

      • KirkIand&EIIis_E-Sign_Key.exe (PID: 9016)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 4376)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7892)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7624)
    • Manages system restore points

      • SrTasks.exe (PID: 8424)
      • SrTasks.exe (PID: 456)
    • CONNECTWISE has been detected

      • msiexec.exe (PID: 9096)
      • msiexec.exe (PID: 9140)
      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.WindowsClient.exe (PID: 8936)
      • ScreenConnect.WindowsClient.exe (PID: 9076)
      • msiexec.exe (PID: 9124)
      • msiexec.exe (PID: 8040)
      • msiexec.exe (PID: 8312)
      • ScreenConnect.WindowsClient.exe (PID: 7544)
      • ScreenConnect.WindowsBackstageShell.exe (PID: 8948)
      • ScreenConnect.WindowsClient.exe (PID: 6584)
      • ScreenConnect.WindowsClient.exe (PID: 8472)
      • msiexec.exe (PID: 8688)
      • ScreenConnect.WindowsClient.exe (PID: 2644)
      • ScreenConnect.WindowsClient.exe (PID: 8664)
      • ScreenConnect.ClientService.exe (PID: 8984)
      • ScreenConnect.WindowsClient.exe (PID: 6256)
    • SCREENCONNECT has been detected

      • msiexec.exe (PID: 9140)
      • ScreenConnect.ClientService.exe (PID: 7660)
      • rundll32.exe (PID: 8708)
      • rundll32.exe (PID: 7104)
      • rundll32.exe (PID: 7828)
      • ScreenConnect.ClientService.exe (PID: 8984)
    • Reads the software policy settings

      • slui.exe (PID: 7260)
      • slui.exe (PID: 3300)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 9140)
    • Reads CPU info

      • ScreenConnect.WindowsClient.exe (PID: 9076)
      • ScreenConnect.WindowsClient.exe (PID: 8664)
    • Checks proxy server information

      • slui.exe (PID: 3300)
    • Manual execution by a user

      • KirkIand&EIIis_E-Sign_Key.exe (PID: 8444)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 4376)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 3300)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7892)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 7624)
      • KirkIand&EIIis_E-Sign_Key.exe (PID: 1764)
    • The sample compiled with english language support

      • msedge.exe (PID: 7808)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:04:15 17:53:00
ZipCRC: 0xdbcfba63
ZipCompressedSize: 13485
ZipUncompressedSize: 32432
ZipFileName: triage-report_105645-phishing-we-us-04150_AT_wework_com/original.eml
No data.
All screenshots are available in the full report
Total processes
274
Monitored processes
126
Malicious processes
4
Suspicious processes
1

Behavior graph

start winrar.exe no specs sppextcomobj.exe no specs slui.exe outlook.exe ai.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs kirkiand&eiiis_e-sign_key.exe no specs kirkiand&eiiis_e-sign_key.exe msiexec.exe msiexec.exe msiexec.exe no specs rundll32.exe vssvc.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs msiexec.exe no specs #SCREENCONNECT screenconnect.clientservice.exe #SCREENCONNECT screenconnect.windowsclient.exe no specs slui.exe screenconnect.windowsclient.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe no specs kirkiand&eiiis_e-sign_key.exe no specs kirkiand&eiiis_e-sign_key.exe msedge.exe no specs msiexec.exe msiexec.exe no specs rundll32.exe msiexec.exe no specs kirkiand&eiiis_e-sign_key.exe no specs kirkiand&eiiis_e-sign_key.exe msiexec.exe msiexec.exe no specs rundll32.exe msiexec.exe no specs kirkiand&eiiis_e-sign_key.exe no specs kirkiand&eiiis_e-sign_key.exe msiexec.exe msiexec.exe 
no specs rundll32.exe msiexec.exe no specs msedge.exe no specs msedge.exe no specs screenconnect.windowsclient.exe no specs screenconnect.windowsbackstageshell.exe no specs screenconnect.windowsclient.exe msedge.exe no specs screenconnect.windowsclient.exe no specs filefortransfer.exe msiexec.exe msiexec.exe no specs rundll32.exe msedge.exe no specs msedge.exe no specs srtasks.exe no specs conhost.exe no specs msedge.exe no specs msiexec.exe no specs #SCREENCONNECT screenconnect.clientservice.exe screenconnect.windowsclient.exe no specs screenconnect.windowsclient.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs screenconnect.windowsclient.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
456
CMD:
C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:12
Path:
C:\Windows\System32\SrTasks.exe
Parent process:
msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
1012
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=1516 --field-trial-handle=2344,i,17357009729192601572,13559256776933010933,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1096
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6096 --field-trial-handle=2344,i,17357009729192601572,13559256776933010933,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1128
CMD:
"C:\WINDOWS\SystemTemp\ScreenConnect\25.2.3.9216\Temp\FileForTransfer.exe"
Path:
C:\Windows\SystemTemp\ScreenConnect\25.2.3.9216\Temp\FileForTransfer.exe
Parent process:
ScreenConnect.WindowsClient.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
0
Modules
Images
c:\windows\systemtemp\screenconnect\25.2.3.9216\temp\filefortransfer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID:
1764
CMD:
"C:\Users\admin\Downloads\KirkIand&EIIis_E-Sign_Key.exe"
Path:
C:\Users\admin\Downloads\KirkIand&EIIis_E-Sign_Key.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\downloads\kirkiand&eiiis_e-sign_key.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
2096
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4116 --field-trial-handle=2344,i,17357009729192601572,13559256776933010933,262144 --variations-seed-version /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2192
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=8084 --field-trial-handle=2344,i,17357009729192601572,13559256776933010933,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2268
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7936 --field-trial-handle=2344,i,17357009729192601572,13559256776933010933,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2316
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7524 --field-trial-handle=2344,i,17357009729192601572,13559256776933010933,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2644
CMD:
"C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.WindowsClient.exe" "RunRole" "b1b8c6f4-6c37-41ec-a199-60f9fbad2014" "User"
Path:
C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.WindowsClient.exe
Parent process:
ScreenConnect.ClientService.exe
User:
admin
Company:
ScreenConnect Software
Integrity Level:
MEDIUM
Description:
Version:
23.2.9.8466
Modules
Images
c:\program files (x86)\screenconnect client (73a0227d089fe193)\screenconnect.windowsclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
44 322
Read events
42 316
Write events
1 779
Delete events
227

Modification events

(PID) Process: (6268) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (6268) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (6268) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (6268) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\triage-report_105645-phishing-we-us-04150_AT_wework_com.zip

(PID) Process: (6268) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (6268) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (6268) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (6268) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (6268) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\OpenWithProgids
Operation: write
Name: Outlook.File.eml.15
Value:

(PID) Process: (6268) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write
Name: {5FA29220-36A1-40F9-89C6-F4B384B7642E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF
Value: 0100000000000000CF7A634A2FAEDB01
Executable files
123
Suspicious files
847
Text files
157
Unknown types
1

Dropped files

PID: 7672
Process: OUTLOOK.EXE
Filename: C:\Users\admin\Documents\Outlook Files\Outlook1.pst
Type:
MD5:
SHA256:

PID: 6268
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa6268.41648\original.eml
Type: binary
MD5: C4A5D7C36E85A7CE343D52B19DC0D9D6
SHA256: 33D711CC9373F7FC88CA26CE9D5B1F728D54E2C76B23942C87286E612BAF0440

PID: 7672
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TableViewPreviewPrefs_2_A08CD66681A8E740BD8F5BA9243C65F7.dat
Type: xml
MD5: 0E092DB99AEE99FDFF9B5B222C732CFD
SHA256: D1614AD99ADED9F6F5C1BE7FE7FFA5124BD04A526580DA3818EA8A954E852AA6

PID: 5064
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1109b1.TMP
Type:
MD5:
SHA256:

PID: 5064
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
Type:
MD5:
SHA256:

PID: 5064
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1109b1.TMP
Type:
MD5:
SHA256:

PID: 5064
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
Type:
MD5:
SHA256:

PID: 5064
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1109b1.TMP
Type:
MD5:
SHA256:

PID: 5064
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
Type:
MD5:
SHA256:

PID: 7672
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin
Type: text
MD5: 532FDA739483633B0AB067AFF78D0FB7
SHA256: 42EF7FF6947281598E7564B533D53EFF651A8E82EDB4746CC70B25301DE0B8A8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
41
TCP/UDP connections
227
DNS requests
242
Threats
13

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7868 | svchost.exe | GET | 206 | 208.89.74.19:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cbc98ff-b69b-4fda-ad94-17ec2f9cf48b?P1=1744953268&P2=404&P3=2&P4=l8ZU4mjSgzcXDkkOrAGC7P3pnHPwwOe865E8M5kj0JsOWKsLfV6pw%2fXt%2bzmXFyHgBkHEbakg17MorYmqzVbTnw%3d%3d | US | binary | 28.7 Kb | whitelisted
| | GET | 200 | 23.48.23.188:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
7868 | svchost.exe | GET | 206 | 208.89.74.19:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cbc98ff-b69b-4fda-ad94-17ec2f9cf48b?P1=1744953268&P2=404&P3=2&P4=l8ZU4mjSgzcXDkkOrAGC7P3pnHPwwOe865E8M5kj0JsOWKsLfV6pw%2fXt%2bzmXFyHgBkHEbakg17MorYmqzVbTnw%3d%3d | US | compressed | 16.7 Kb | whitelisted
7868 | svchost.exe | HEAD | 200 | 208.89.74.19:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d0729495-2185-4a92-a46f-fde358fd775c?P1=1744953268&P2=404&P3=2&P4=NtTeKkMZ%2f%2fLvgXGrh3nRxcyLUeAuS0tx4c%2fUFbneLBPHjqHQiC5KvmM56gRRA80gxPWcdfyRd4AbZjBiUNfZ3Q%3d%3d | US | compressed | 16.7 Kb | whitelisted
7868 | svchost.exe | GET | 200 | 208.89.74.19:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d0729495-2185-4a92-a46f-fde358fd775c?P1=1744953268&P2=404&P3=2&P4=NtTeKkMZ%2f%2fLvgXGrh3nRxcyLUeAuS0tx4c%2fUFbneLBPHjqHQiC5KvmM56gRRA80gxPWcdfyRd4AbZjBiUNfZ3Q%3d%3d | US | binary | 82.2 Kb | whitelisted
7868 | svchost.exe | HEAD | 200 | 208.89.74.19:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1744953265&P2=404&P3=2&P4=IRwJYIxAES4O52Bo%2bmr8wb3Wm65gKuKwz585cWlyyxjqCCxXE0ahzuaV%2fD2kkvO6hPJszEtxK2pKNz150XJQxg%3d%3d | US | binary | 17.4 Kb | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | DE | binary | 471 b | whitelisted
7868 | svchost.exe | GET | 206 | 208.89.74.19:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fb6dd03b-99d7-4cc8-a878-91c8e655c2d3?P1=1744953267&P2=404&P3=2&P4=WAxMxKf2IduhSTlW1ZjvH1nv3Na9xi9%2bkq%2fLvcIcrzmnAltgNtr2LhZ%2ftBV9wOnk5zPGEuEr5QegUxilZ2rv1A%3d%3d | US | binary | 1.09 Kb | whitelisted
8444 | SIHClient.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | NL | binary | 419 b | whitelisted
7672 | OUTLOOK.EXE | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | DE | binary | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 23.48.23.188:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2112 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 40.126.32.74:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
7672 | OUTLOOK.EXE | 52.109.76.240:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.48.23.188
  • 23.48.23.185
  • 23.48.23.190
  • 23.48.23.177
  • 23.48.23.181
  • 23.48.23.183
  • 23.48.23.184
  • 23.48.23.179
  • 23.48.23.192
whitelisted
google.com
  • 142.250.74.206
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.32.74
  • 40.126.32.138
  • 20.190.160.20
  • 20.190.160.2
  • 40.126.32.136
  • 20.190.160.67
  • 20.190.160.22
  • 20.190.160.65
  • 20.190.159.71
  • 40.126.31.128
  • 20.190.159.131
  • 40.126.31.69
  • 20.190.159.0
  • 20.190.159.128
  • 40.126.31.1
  • 40.126.31.2
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
officeclient.microsoft.com
  • 52.109.76.240
whitelisted
ecs.office.com
  • 52.123.129.14
  • 52.123.128.14
whitelisted
roaming.officeapps.live.com
  • 52.109.68.129
whitelisted
omex.cdn.office.net
  • 23.50.131.87
  • 23.50.131.86
whitelisted

Threats

PID | Process | Class | Message
5344 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Azure Blob Storage (.blob .core .windows .net)
5344 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Azure Blob Storage (.blob .core .windows .net)
5344 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Azure Blob Storage (.blob .core .windows .net)
5344 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Azure Blob Storage (.blob .core .windows .net)
5344 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Azure Blob Storage (.blob .core .windows .net)
5344 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Azure Blob Storage (.blob .core .windows .net)
2196 | svchost.exe | Misc activity | ET REMOTE_ACCESS Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain
7660 | ScreenConnect.ClientService.exe | Potential Corporate Privacy Violation | REMOTE [ANY.RUN] ScreenConnect Server Response
8984 | ScreenConnect.ClientService.exe | Potential Corporate Privacy Violation | REMOTE [ANY.RUN] ScreenConnect Server Response
5344 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Azure Blob Storage (.blob .core .windows .net)
No debug info