Malware analysis 202506122353_Incoming_ Caller Left (2) 01_58secs Call_MSG Powered by Voipline Ref_abcca68a0a2c82e6c962c7cbce4a784fa4bf8ebf_mike.zip Malicious activity

Add for printing

File name:	202506122353_Incoming_ Caller Left (2) 01_58secs Call_MSG Powered by Voipline Ref_abcca68a0a2c82e6c962c7cbce4a784fa4bf8ebf_mike.zip
Full analysis:	https://app.any.run/tasks/913f5b95-015a-49c5-9d9f-02acea844cd4
Verdict:	Malicious activity
Analysis date:	June 13, 2025, 03:57:33
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	attachments attc-html susp-attachments amazon-ses
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	D41BAFCD8C20347B8A802EF27EA3E247
SHA1:	1E0CF4722EABCC3C3F7D6DFE162FA894DC4A21B7
SHA256:	842557FE1227D0F491BF2ADE4EFCC3F4BDC7C8CE0550A35292131ECB825F490A
SSDEEP:	192:tX2jM+st0ZSRErRsq4T21OdNF8glZykSkNKUfpx9HvH9M:R2g+sQvmG1OdkgvykrBLPW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Email came from third-party service (Amazon SES)
  - WinRAR.exe (PID: 6852)
SUSPICIOUS
- Email with suspicious attachment
  - WinRAR.exe (PID: 6852)
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 6852)
- Reads Microsoft Outlook installation path
  - WinRAR.exe (PID: 6852)
INFO
- Reads Microsoft Office registry keys
  - WinRAR.exe (PID: 6852)
- Email with attachments
  - WinRAR.exe (PID: 6852)
- Manual execution by a user
  - notepad++.exe (PID: 4648)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	0x0800
ZipCompression:	Deflated
ZipModifyDate:	2025:06:13 03:53:14
ZipCRC:	0x10b80e43
ZipCompressedSize:	6686
ZipUncompressedSize:	22880
ZipFileName:	20250602103342-Incoming_ Caller Left (2) 01_58secs Call_MSG Powered by Voipline Ref_abcca68a0a2c82e6c962c7cbce4a784fa4bf8ebf-mike.eml

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

141

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

4648

"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\MikeVM-Audio-Msg.htm"

C:\Program Files\Notepad++\notepad++.exe

explorer.exe

User:

admin

Company:

Don HO don.h@free.fr

Integrity Level:

MEDIUM

Description:

Notepad++ : a free (GNU) source code editor

Version:

7.91

Modules

Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\msvcp_win.dll

4844

"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\Rar$DIa6852.37815\20250602103342-Incoming_ Caller Left (2) 01_58secs Call_MSG Powered by Voipline Ref_abcca68a0a2c82e6c962c7cbce4a784fa4bf8ebf-mike.eml"

C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

WinRAR.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Outlook

Exit code:

Version:

16.0.16026.20146

Modules

Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

6424

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

6852

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\913f5b95-015a-49c5-9d9f-02acea844cd4.zip

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

6948

"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "81C592A3-3B48-4DCE-BC1B-5ADACC399105" "2D5D49C7-3B60-4335-B250-F7F69CF995DE" "4844"

C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe

—

OUTLOOK.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.

Exit code:

Version:

0.12.2.0

Modules

Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\sechost.dll

Add for printing

Total events

15 323

Read events

15 011

Write events

256

Delete events

Modification events


(PID) Process:	(6852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\913f5b95-015a-49c5-9d9f-02acea844cd4.zip
(PID) Process:	(6852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6852) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\oregres.dll,-157
Value: E-mail Message
(PID) Process:	(6852) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\OpenWithProgids
Operation:	write	Name:	Outlook.File.eml.15
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4844	OUTLOOK.EXE	C:\Users\admin\Documents\Outlook Files\Outlook1.pst		—
		MD5:—	SHA256:—
4844	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres		binary
		MD5:E3300740F5D9144CC49AA76EB33B5492	SHA256:1D30EDB224B8B48BBB52438E913D0C72BE3DCB73C1FF381B24FC32B751470541
4844	OUTLOOK.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm		binary
		MD5:FFAA88F7BD44A5E5405E4E6E995D0942	SHA256:1541FC7DBCAD5C45055D9259511468912A3D2C5C682F7A949BB307CE9FAAEFF9
4844	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres		binary
		MD5:EE9E668E8F689BA9B4886D8BEC00B749	SHA256:B663DD162EA11BB99C580789A142D06028E0BDD7B6B5BE5673B1E1C7ECE5FFD3
4844	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TableViewPreviewPrefs_2_7941D2CFCD633D408A63B75950F3C4A4.dat		xml
		MD5:0E092DB99AEE99FDFF9B5B222C732CFD	SHA256:D1614AD99ADED9F6F5C1BE7FE7FFA5124BD04A526580DA3818EA8A954E852AA6
6852	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\__rzi_6852.38215		compressed
		MD5:47B8FF4E216B9EC94559A5AEF700F3A7	SHA256:7FEA5A2BB9F30AE88578FEDE155D4AC58503E50A3CA845EB63C62EAE2D4BA3CB
6852	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\913f5b95-015a-49c5-9d9f-02acea844cd4.zip		compressed
		MD5:47B8FF4E216B9EC94559A5AEF700F3A7	SHA256:7FEA5A2BB9F30AE88578FEDE155D4AC58503E50A3CA845EB63C62EAE2D4BA3CB
6852	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa6852.37815\20250602103342-Incoming_ Caller Left (2) 01_58secs Call_MSG Powered by Voipline Ref_abcca68a0a2c82e6c962c7cbce4a784fa4bf8ebf-mike.eml		binary
		MD5:003E975E8432E5E8F3D8A792A92896A3	SHA256:DF0386800394A128C8D070A3DB76E2189773236A03925499CFB6EF93BB15EAB2
6852	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa6852.37815\20250602103342-Incoming_ Caller Left (2) 01_58secs Call_MSG Powered by Voipline Ref_abcca68a0a2c82e6c962c7cbce4a784fa4bf8ebf-mike.eml:OECustomProperty		binary
		MD5:875B11405E1905E9461C15391869604D	SHA256:82B0B486F35AFEBAB3C0DFC8C90AFE6FCD8331C53DC40D74DDE0D2E029C230BC
4844	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal		binary
		MD5:71ADAB88885C466AC739888D1C6B2A9C	SHA256:DE194F08738B550A9A43B53E158E00EA569CC8339FB58A73F821771886EE9966

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6404	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6024	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4844	OUTLOOK.EXE	52.123.129.14:443	ecs.office.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4844	OUTLOOK.EXE	52.123.128.14:443	ecs.office.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4844	OUTLOOK.EXE	2.16.168.119:443	omex.cdn.office.net	Akamai International B.V.	RU	whitelisted
4844	OUTLOOK.EXE	2.16.168.101:443	omex.cdn.office.net	Akamai International B.V.	RU	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.185.110	whitelisted
settings-win.data.microsoft.com	4.231.128.59	whitelisted
ecs.office.com	52.123.129.14 52.123.128.14	whitelisted
omex.cdn.office.net	2.16.168.119 2.16.168.101	whitelisted
self.events.data.microsoft.com	52.168.117.168	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

Threats

No threats detected

Add for printing

Process	Message
notepad++.exe	VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe	VerifyLibrary: certificate revocation checking is disabled
notepad++.exe	ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe	VerifyLibrary: certificate revocation checking is disabled
notepad++.exe	VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe	VerifyLibrary: error while getting certificate informations

General Info

202506122353_Incoming_ Caller Left (2) 01_58secs Call_MSG Powered by Voipline Ref_abcca68a0a2c82e6c962c7cbce4a784fa4bf8ebf_mike.zip

D41BAFCD8C20347B8A802EF27EA3E247

1E0CF4722EABCC3C3F7D6DFE162FA894DC4A21B7

842557FE1227D0F491BF2ADE4EFCC3F4BDC7C8CE0550A35292131ECB825F490A

192:tX2jM+st0ZSRErRsq4T21OdNF8glZykSkNKUfpx9HvH9M:R2g+sQvmG1OdkgvykrBLPW

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Email came from third-party service (Amazon SES)

SUSPICIOUS

Email with suspicious attachment

Reads security settings of Internet Explorer

Reads Microsoft Outlook installation path

INFO

Reads Microsoft Office registry keys

Email with attachments

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings