File name:

attachment.zip

Full analysis: https://app.any.run/tasks/ed4a10b7-6255-46da-b99a-14dacbdf1995
Verdict: Suspicious activity
Analysis date: February 17, 2025, 08:44:25
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-doc
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

E0DD5DB184384CB5A9B1762906DB0C95

SHA1:

55F99C69399134EE39C7CE9E30CD268E7536B82F

SHA256:

889D79E7E004891E2A887C3A11D37DDD7E9028D53BB33622AE12685776181068

SSDEEP:

12:5jDadqyLS9zTbKLoPaTAu8IqMIadg5Htab:9vlTbavTAu8Iz2Y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from MS Office

      • WINWORD.EXE (PID: 6884)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6280)

    • Generic archive extractor

      • WinRAR.exe (PID: 6280)

  • INFO

    • Reads Microsoft Office registry keys

      • DWWIN.EXE (PID: 5988)
      • WinRAR.exe (PID: 6280)

    • Reads the software policy settings

      • DWWIN.EXE (PID: 5988)

    • Creates files in the program directory

      • DWWIN.EXE (PID: 5988)

    • Checks proxy server information

      • DWWIN.EXE (PID: 5988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2025:01:20 21:22:02
ZipCRC: 0x6ba75e5c
ZipCompressedSize: 134
ZipUncompressedSize: 221
ZipFileName: mail.rtf
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
135
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details

Process information

PID
CMD
Path
Indicators
Parent process
5988C:\WINDOWS\system32\dwwin.exe -x -s 3872C:\Windows\System32\DWWIN.EXE
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Error Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dwwin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wer.dll
c:\windows\system32\version.dll
6280"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\attachment.zipC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
6884"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb6280.19090\mail.rtf" /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
4
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
9 566
Read events
9 344
Write events
216
Delete events
6

Modification events

(PID) Process:(6280) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(6280) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(6280) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(6280) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\attachment.zip
(PID) Process:(6280) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6280) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6280) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6280) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(6280) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(6280) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rtf\OpenWithProgids
Operation:writeName:Word.RTF.8
Value:
Executable files
0
Suspicious files
13
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
5988DWWIN.EXEC:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_WINWORD.EXE_32afa92cd6dc5a41387953d68edafb73db78ecf_00000000_707cbbc2-c9a0-4bb1-9ad5-1dc52453628d\Report.wer
MD5:
SHA256:
6884WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmbinary
MD5:53F7AAE068F915A02D2021CACBE8BAB0
SHA256:26C61183FC8F94A3633048384DE13E67946BBA65692EF7E15BB2C7396624C2D1
6884WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187binary
MD5:8B420A982DD958AE60CC6F76F90C7352
SHA256:F201F143E1344B3358FB411BEB2599ACECD63030AB61F7C364BAACBD13ECD528
5988DWWIN.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785binary
MD5:680B0331A3CC8FCCE16367586EC7A721
SHA256:19F1B5D2C7F62663C14D97578411DC610E5F33E6CE4165977314442435F15305
6884WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{B036D650-5636-453F-8FD1-8324EE84474E}.tmpbinary
MD5:F0F6B7F3DA41ABFC89C0F14CCEF8596B
SHA256:F67B5C9B653FC0EBF5A2C2D297F9621A25C49A1E477CCA4F043778920D97FFA6
6884WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbresbinary
MD5:010E07E795821D6574BA351E98EF9457
SHA256:0988067CD81C25AC0903D83F43B6CD58502949BC5E45952C9AA297FC62983E48
6884WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Rar$DIb6280.19090\~$mail.rtfbinary
MD5:FC3035372175115873487EFC3DEB6ADD
SHA256:EB910A90F2A7219C4E81DFF3E6962652A55F2C1A69AFF1B91AD96FDA122F0481
6280WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIb6280.19090\mail.rtftext
MD5:A529CCD0F9ED8C983BB8C96510964CBD
SHA256:CC62F911C39C949D2C6935B6B1E4D2F1CEF4466F87050E94EF92914C4E08F766
6884WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187binary
MD5:8FD39C4AC3967909ACDEE363BDBE2130
SHA256:DC0D556B7C2F7DF79F134CBB34CD5C200A4EF2A19BCE1FBA13BB7FA247A80C01
6884WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bintext
MD5:CC90D669144261B198DEAD45AA266572
SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
38
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3508
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
whitelisted
3508
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
973 b
whitelisted
6884
WINWORD.EXE
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
US
binary
471 b
whitelisted
5988
DWWIN.EXE
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
whitelisted
5988
DWWIN.EXE
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
973 b
whitelisted
3884
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
DE
binary
419 b
whitelisted
1176
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
binary
471 b
whitelisted
6480
backgroundTaskHost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
US
binary
471 b
whitelisted
3884
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
DE
binary
408 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3416
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3508
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1176
svchost.exe
40.126.32.138:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1176
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
1076
svchost.exe
2.19.106.8:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted
3508
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3508
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
login.live.com
  • 40.126.32.138
  • 40.126.32.74
  • 20.190.160.128
  • 20.190.160.131
  • 20.190.160.2
  • 20.190.160.130
  • 20.190.160.22
  • 20.190.160.67
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
go.microsoft.com
  • 2.19.106.8
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.147
  • 23.48.23.167
  • 23.48.23.166
  • 23.48.23.143
  • 23.48.23.194
  • 23.48.23.177
  • 23.48.23.145
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
officeclient.microsoft.com
  • 52.109.32.97
whitelisted
ecs.office.com
  • 52.123.128.14
  • 52.123.129.14
whitelisted
roaming.officeapps.live.com
  • 52.109.32.7
whitelisted
omex.cdn.office.net
  • 23.48.23.43
  • 23.48.23.11
  • 23.48.23.6
  • 23.48.23.52
  • 23.48.23.18
  • 23.48.23.30
  • 23.48.23.45
  • 23.48.23.29
  • 23.48.23.25
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
attachment.zip