File name:

79195cc577298634d2d1b48aa2187f592b5968b36aa6e0a73c5620565d2f3af0.eml.danger

Full analysis: https://app.any.run/tasks/dfa022ab-2639-469a-8cbe-4e90741a6e5f
Verdict: Malicious activity
Analysis date: August 12, 2022, 14:04:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: message/rfc822
File info: SMTP mail, ASCII text, with very long lines, with CRLF line terminators
MD5:

194BEF7976776CD7C7DD2215AD5BD5F3

SHA1:

E727AEE9AE069F36AAB8713F6AC254BDAF1761A4

SHA256:

79195CC577298634D2D1B48AA2187F592B5968B36AA6E0A73C5620565D2F3AF0

SSDEEP:

6144:M/RAkyw3ME8j5SQlyjjhZH9hRrjzoPmw1:yS7WME8FfujhZVrbw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Checks supported languages

      • OUTLOOK.EXE (PID: 3324)
      • AdobeARM.exe (PID: 2864)
      • Reader_sl.exe (PID: 2268)

    • Reads the computer name

      • OUTLOOK.EXE (PID: 3324)
      • AdobeARM.exe (PID: 2864)

    • Executed via COM

      • prevhost.exe (PID: 4028)

    • Searches for installed software

      • OUTLOOK.EXE (PID: 3324)

    • Application launched itself

      • WINWORD.EXE (PID: 3580)

    • Creates files in the program directory

      • AdobeARM.exe (PID: 2864)

    • Executable content was dropped or overwritten

      • AdobeARM.exe (PID: 2864)

  • INFO

    • Reads the computer name

      • prevhost.exe (PID: 4028)
      • AcroRd32.exe (PID: 1328)
      • AcroRd32.exe (PID: 2292)
      • AcroRd32.exe (PID: 3524)
      • AcroRd32.exe (PID: 3724)
      • RdrCEF.exe (PID: 1500)
      • WINWORD.EXE (PID: 3580)
      • WINWORD.EXE (PID: 1236)

    • Application launched itself

      • AcroRd32.exe (PID: 1328)
      • AcroRd32.exe (PID: 3524)
      • RdrCEF.exe (PID: 1500)

    • Checks supported languages

      • prevhost.exe (PID: 4028)
      • AcroRd32.exe (PID: 1328)
      • AcroRd32.exe (PID: 2292)
      • AcroRd32.exe (PID: 3524)
      • AcroRd32.exe (PID: 3724)
      • RdrCEF.exe (PID: 1500)
      • RdrCEF.exe (PID: 3116)
      • RdrCEF.exe (PID: 1532)
      • RdrCEF.exe (PID: 2056)
      • RdrCEF.exe (PID: 3440)
      • WINWORD.EXE (PID: 3580)
      • WINWORD.EXE (PID: 1236)
      • RdrCEF.exe (PID: 3468)
      • RdrCEF.exe (PID: 2444)
      • RdrCEF.exe (PID: 1808)

    • Searches for installed software

      • AcroRd32.exe (PID: 1328)
      • AcroRd32.exe (PID: 2292)
      • AcroRd32.exe (PID: 3524)
      • AcroRd32.exe (PID: 3724)

    • Reads CPU info

      • AcroRd32.exe (PID: 2292)
      • AcroRd32.exe (PID: 3724)

    • Manual execution by user

      • AcroRd32.exe (PID: 3524)

    • Reads Microsoft Office registry keys

      • AcroRd32.exe (PID: 3724)
      • AcroRd32.exe (PID: 3524)
      • WINWORD.EXE (PID: 3580)
      • WINWORD.EXE (PID: 1236)
      • OUTLOOK.EXE (PID: 3324)

    • Checks Windows Trust Settings

      • AcroRd32.exe (PID: 3524)
      • AdobeARM.exe (PID: 2864)

    • Reads settings of System Certificates

      • AcroRd32.exe (PID: 3524)
      • RdrCEF.exe (PID: 1500)
      • AdobeARM.exe (PID: 2864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 1) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
60
Monitored processes
18
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe prevhost.exe no specs acrord32.exe no specs acrord32.exe no specs acrord32.exe acrord32.exe no specs rdrcef.exe rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs winword.exe winword.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs adobearm.exe reader_sl.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1236"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
1328"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /b /id 4028_1293088567 /if pdfshell_prevf258fb8c-763a-47f7-82ff-b1e298f251c4C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeprevhost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Exit code:
0
Version:
20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
1500"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
AcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
0
Version:
20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
1532"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1072,17037485413862934246,1696119802163570653,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1568017958623079636 --renderer-client-id=2 --mojo-platform-channel-handle=1192 --allow-no-sandbox-job /prefetch:1C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
0
Version:
20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
1808"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1072,17037485413862934246,1696119802163570653,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=17128295087659803923 --renderer-client-id=8 --mojo-platform-channel-handle=1688 --allow-no-sandbox-job /prefetch:1C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
0
Version:
20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
2056"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1072,17037485413862934246,1696119802163570653,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=3752961725070742662 --mojo-platform-channel-handle=1404 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
1
Version:
20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
2268"C:\Program Files\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe" C:\Program Files\Adobe\Acrobat Reader DC\Reader\Reader_sl.exeAdobeARM.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat SpeedLauncher
Exit code:
0
Version:
20.12.20041.394260
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\reader_sl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\advapi32.dll
2292"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /b /id 4028_1293088567 /if pdfshell_prevf258fb8c-763a-47f7-82ff-b1e298f251c4C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Exit code:
0
Version:
20.13.20064.405839
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2444"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1072,17037485413862934246,1696119802163570653,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=17689118088495597371 --renderer-client-id=7 --mojo-platform-channel-handle=1604 --allow-no-sandbox-job /prefetch:1C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
0
Version:
20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
2864"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:20.0 /MODE:3C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
AcroRd32.exe
User:
admin
Company:
Adobe Inc.
Integrity Level:
MEDIUM
Description:
Adobe Reader and Acrobat Manager
Exit code:
0
Version:
1.824.39.9311
Modules
Images
c:\program files\common files\adobe\arm\1.0\adobearm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
Total events
28 422
Read events
26 953
Write events
1 272
Delete events
197

Modification events

(PID) Process:(3324) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3324) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(3324) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(3324) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(3324) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(3324) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(3324) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(3324) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(3324) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
(PID) Process:(3324) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1055
Value:
Off
Executable files
1
Suspicious files
159
Text files
22
Unknown types
11

Dropped files

PID
Process
Filename
Type
3324OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR4464.tmp.cvr
MD5:
SHA256:
3324OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
3324OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\tmp45CC.tmpbinary
MD5:
SHA256:
3324OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:
SHA256:
3324OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:
SHA256:
3324OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_FFE50834E36CF744AD7BA40AA8E60BDC.datxml
MD5:EEAA832C12F20DE6AAAA9C7B77626E72
SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16
3324OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inftext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
3324OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_7E1EF52FD77EED4BB166DC09A6616A4C.datxml
MD5:D8B37ED0410FB241C283F72B76987F18
SHA256:31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114
3324OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_BFB0732B55E1C34BB96EF1D85F78B815.datxml
MD5:B21ED3BD946332FF6EBC41A87776C6BB
SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4
3324OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{772D4F64-F45E-4D8F-BADC-37E9FC9A5FF5}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.pngimage
MD5:4C61C12EDBC453D7AE184976E95258E1
SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
23
DNS requests
12
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3580
WINWORD.EXE
HEAD
301
52.222.236.89:80
http://aws3.link/XLxFAp
US
malicious
3524
AcroRd32.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D
US
der
471 b
whitelisted
3580
WINWORD.EXE
OPTIONS
403
52.222.236.89:80
http://aws3.link/
US
html
1.03 Kb
malicious
3524
AcroRd32.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d950300507103ff0
US
compressed
4.70 Kb
whitelisted
3524
AcroRd32.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?27f0a60c6ef682c0
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3524
AcroRd32.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1500
RdrCEF.exe
23.35.236.137:443
geo2.adobe.com
Zayo Bandwidth Inc
US
suspicious
1500
RdrCEF.exe
52.5.13.197:443
p13n.adobe.io
Amazon.com, Inc.
US
suspicious
3324
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
892
svchost.exe
2.18.233.74:443
armmf.adobe.com
Akamai International B.V.
whitelisted
3580
WINWORD.EXE
52.222.236.89:80
aws3.link
Amazon.com, Inc.
US
suspicious
3580
WINWORD.EXE
52.222.236.89:443
aws3.link
Amazon.com, Inc.
US
suspicious
892
svchost.exe
23.48.23.39:443
ardownload3.adobe.com
TRUE INTERNET Co.,Ltd.
US
suspicious
2864
AdobeARM.exe
23.48.23.39:443
ardownload3.adobe.com
TRUE INTERNET Co.,Ltd.
US
suspicious
1500
RdrCEF.exe
2.18.233.74:443
armmf.adobe.com
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared
aws3.link
  • 52.222.236.89
  • 52.222.236.124
  • 52.222.236.23
  • 52.222.236.78
malicious
geo2.adobe.com
  • 23.35.236.137
whitelisted
p13n.adobe.io
  • 52.5.13.197
  • 54.227.187.23
  • 52.202.204.11
  • 23.22.254.206
whitelisted
armmf.adobe.com
  • 2.18.233.74
whitelisted
acroipm2.adobe.com
  • 23.48.23.54
  • 23.48.23.34
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ardownload3.adobe.com
  • 23.48.23.39
  • 23.48.23.25
whitelisted

Threats

PID
Process
Class
Message
3580
WINWORD.EXE
Potentially Bad Traffic
ET INFO TLS Handshake Failure
3580
WINWORD.EXE
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
3580
WINWORD.EXE
Potentially Bad Traffic
ET INFO TLS Handshake Failure
3580
WINWORD.EXE
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
892
svchost.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
79195cc577298634d2d1b48aa2187f592b5968b36aa6e0a73c5620565d2f3af0.eml.danger