File name:

MDE_File_Sample_4055dc944a6430de290196b296dda0da1ca11a93.zip

Full analysis: https://app.any.run/tasks/13a72252-eeb0-4ac9-8e16-515597ed7dc4
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 10, 2025, 21:57:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

464C846584279DAA16CAEA73B4C3D333

SHA1:

49C5B21342445683617564859B2C2A884D2D8CF4

SHA256:

8DB146D4448E5B67610359FC4C12C3FAFA193BF60024E6E50E0BEB284E0CC0EA

SSDEEP:

24576:WgZdYe6oApzHLTMvPLHIHrB0airMrUzoz3mc5ex14wTM2LCXToJUqRtfwqhH2j:WgZdYe65zHLTMvPLHArB0airMwzoz3ma

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
      • Email Access Online.exe (PID: 3724)
    • The process creates files with name similar to system file names

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
    • Executable content was dropped or overwritten

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
    • Searches for installed software

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
      • Email Access Online.exe (PID: 3724)
    • Process requests binary or script from the Internet

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
    • Creates a software uninstall entry

      • Email Access Online.exe (PID: 3724)
    • Checks Windows Trust Settings

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
      • Email Access Online.exe (PID: 3724)
    • Reads Microsoft Outlook installation path

      • Email Access Online.exe (PID: 3724)
    • Reads Internet Explorer settings

      • Email Access Online.exe (PID: 3724)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1852)
    • The sample compiled with english language support

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
      • WinRAR.exe (PID: 1852)
    • Manual execution by a user

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 1852)
    • Checks supported languages

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
    • Checks proxy server information

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
      • Email Access Online.exe (PID: 3724)
    • Create files in a temporary directory

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
    • Creates files or folders in the user directory

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
      • Email Access Online.exe (PID: 3724)
    • Reads the software policy settings

      • Email Access Online.exe (PID: 3724)
      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
    • Reads the machine GUID from the registry

      • Email Access Online.exe (PID: 3724)
      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
    • Reads Environment values

      • identity_helper.exe (PID: 1856)
    • Application launched itself

      • msedge.exe (PID: 8)
      • msedge.exe (PID: 5696)
    • Reads the computer name

      • identity_helper.exe (PID: 1856)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Access Gov Docs Tab_5e961b22d7571.exe
ZipUncompressedSize: 790960
ZipCompressedSize: 755896
ZipCRC: 0x851c521d
ZipModifyDate: 2025:01:10 21:56:56
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes
178
Monitored processes
50
Malicious processes
2
Suspicious processes
0

Behavior graph

(Interactive process graph; available in the full report.)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1852
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Downloads\MDE_File_Sample_4055dc944a6430de290196b296dda0da1ca11a93.zip
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
7108
CMD:
"C:\Users\admin\Desktop\Access Gov Docs Tab_5e961b22d7571.exe"
Path:
C:\Users\admin\Desktop\Access Gov Docs Tab_5e961b22d7571.exe
Parent process:
explorer.exe
User:
admin
Company:
Better Cloud Solutions LTD
Integrity Level:
MEDIUM
Description:
Desktop web search
Exit code:
0
Version:
3.9.0.1
Modules
Images
c:\users\admin\desktop\access gov docs tab_5e961b22d7571.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
3724
CMD:
"C:\Users\admin\AppData\Local\Email Access Online\Email Access Online.exe" /firstrun
Path:
C:\Users\admin\AppData\Local\Email Access Online\Email Access Online.exe
Parent process:
Access Gov Docs Tab_5e961b22d7571.exe
User:
admin
Company:
Better Cloud Solutions LTD
Integrity Level:
MEDIUM
Description:
Desktop web search
Version:
3.9.0.1
Modules
Images
c:\users\admin\appdata\local\email access online\email access online.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
5696
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://results.hemailaccessonline.com/s?uid=7ce42b2c-83ca-4350-9603-a9aaeee50b9a&uc=20250110&source=-lp0-bb8-sbe&i_id=email_&ap=appfocus1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
Email Access Online.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
3988
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x31c,0x320,0x324,0x314,0x32c,0x7ff821c95fd8,0x7ff821c95fe4,0x7ff821c95ff0
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
6268
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2456 --field-trial-handle=2460,i,12400054285894631682,9148779680471048263,262144 --variations-seed-version /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
6304
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2532 --field-trial-handle=2460,i,12400054285894631682,9148779680471048263,262144 --variations-seed-version /prefetch:3
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
6552
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2704 --field-trial-handle=2460,i,12400054285894631682,9148779680471048263,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
6744
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3352 --field-trial-handle=2460,i,12400054285894631682,9148779680471048263,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1544
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3768 --field-trial-handle=2460,i,12400054285894631682,9148779680471048263,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
13 217
Read events
13 143
Write events
59
Delete events
15

Modification events

(PID) Process: (1852) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (1852) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (1852) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (1852) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Downloads\MDE_File_Sample_4055dc944a6430de290196b296dda0da1ca11a93.zip

(PID) Process: (1852) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1852) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (1852) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (1852) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (1852) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value
Name: 15
Value:

(PID) Process: (1852) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value
Name: 14
Value:

Executable files
12
Suspicious files
274
Text files
94
Unknown types
0

Dropped files

PID | Process | Filename | Type
1852 | WinRAR.exe | C:\Users\admin\Desktop\Access Gov Docs Tab_5e961b22d7571.exe | executable
MD5: C9C4011E629278B01F38FCDA712E824E
SHA256: 0C859D4BAF7EE76F7923F3C66A39FB0226833CB5B38557CE3AB83BFA98D64BB9
7108 | Access Gov Docs Tab_5e961b22d7571.exe | C:\Users\admin\AppData\Local\Temp\nsq251C.tmp\terms.rtf | text
MD5: B056EF6D4BD8257ED72BB891116F9D25
SHA256: 358D9486CA52E2BB2A2AB4AD856186FCBC8C91289F3BED59BD6EEA395416828D
7108 | Access Gov Docs Tab_5e961b22d7571.exe | C:\Users\admin\AppData\Local\Temp\nsq251C.tmp\nsDialogs.dll | executable
MD5: 0D45588070CF728359055F776AF16EC4
SHA256: 067C77D51DF034B4A614F83803140FBF4CD2F8684B88EA8C8ACDF163EDAD085A
7108 | Access Gov Docs Tab_5e961b22d7571.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656 | binary
MD5: 68A372C3CB02EE13D5859586384F2B4D
SHA256: 0AE1E361CD2CC977822B81910533B5271FA504D6CBCABCF2E48E4E893AF18F24
7108 | Access Gov Docs Tab_5e961b22d7571.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F53EB4E574DE32C870452087D92DBEBB_9CC1CE4365C70D31C40A15E98F4E626E | binary
MD5: A542F8A68F63ABA8CE8CC00ECFE0F741
SHA256: 961945B799621F238961F06B6B721EAF47825914BE2975F4FA7F9AF2B829BF1E
7108 | Access Gov Docs Tab_5e961b22d7571.exe | C:\Users\admin\AppData\Local\Temp\nsq251C.tmp\System.dll | executable
MD5: A4DD044BCD94E9B3370CCF095B31F896
SHA256: 2E226715419A5882E2E14278940EE8EF0AA648A3EF7AF5B3DC252674111962BC
7108 | Access Gov Docs Tab_5e961b22d7571.exe | C:\Users\admin\AppData\Local\Email Access Online\Icon.ico | image
MD5: 78915530B81172A4B82287C655410F0B
SHA256: 76A416F229D455BC045E99C3BE0EBE9734AA9018188EFF2FFCF10ABBBCC921C6
7108 | Access Gov Docs Tab_5e961b22d7571.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F53EB4E574DE32C870452087D92DBEBB_9CC1CE4365C70D31C40A15E98F4E626E | binary
MD5: 396D9F839FADBE439008D9A35BADE680
SHA256: 9BD263F2022B4AAA2B63487FC5EF8F264D7BF63F5A90A68A93B6B63A57D0513B
7108 | Access Gov Docs Tab_5e961b22d7571.exe | C:\Users\admin\AppData\Local\Temp\nsq251C.tmp\installer_small_sb.bmp | image
MD5: 9BC62942811FDC96A20A280F0CA71B6C
SHA256: 5A95502E8E34B041679DBA2288E8F511EE14AAFB23A97F96A3B4CED7C37BF991
7108 | Access Gov Docs Tab_5e961b22d7571.exe | C:\Users\admin\AppData\Local\Email Access Online\Uninstall.exe | executable
MD5: AD3EA1A55BAFA37B5BF9CD9CB1D49B93
SHA256: 48A8C28C8C54D02B65751899EE716C2EE40809126D1AC6E4D0ADDB2DCF10B9C7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
131
DNS requests
110
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
7108 | Access Gov Docs Tab_5e961b22d7571.exe | GET | 503 | 18.218.193.209:80 | http://sb-mybettercloud.com/cgi/adk/chrdlid.cgi?id=5e961b22d7571 | unknown | -
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
- | - | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7108 | Access Gov Docs Tab_5e961b22d7571.exe | GET | 200 | 18.66.145.213:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkzUBtJnwJkc3SmanzgxeYU%3D | unknown | -
6848 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7108 | Access Gov Docs Tab_5e961b22d7571.exe | GET | 200 | 18.245.65.219:80 | http://ocsp.r2m02.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRmbQtwnInkvkvr7BNFR%2BS2lTYPjAQUwDFSzVpQw4J8dHHOy%2Bmc%2BXrrguICEAcgJC2RE6WQrxCNDcG%2BhG0%3D | unknown | whitelisted
7108 | Access Gov Docs Tab_5e961b22d7571.exe | GET | 503 | 18.218.193.209:80 | http://websearchdl.com/cgi/adk/chrdlid.cgi?id=5e961b22d7571 | unknown | -
(- = not given in the report; the Type and Size columns are empty for every row and are omitted)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4712 | MoUsoCoreWorker.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
- | - | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
5064 | SearchApp.exe | 2.23.227.215:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
5848 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
(- = not given in the report)

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 2.16.241.19, 2.16.241.12 | whitelisted
www.microsoft.com | 2.23.246.101, 184.30.21.171 | whitelisted
google.com | 216.58.206.78 | whitelisted
www.bing.com | 2.23.227.215, 2.23.227.208, 104.126.37.129, 104.126.37.163, 104.126.37.123, 104.126.37.170, 104.126.37.177, 104.126.37.131, 104.126.37.185, 104.126.37.128, 104.126.37.130 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 40.126.31.71, 20.190.159.2, 20.190.159.73, 20.190.159.68, 20.190.159.64, 40.126.31.67, 20.190.159.75, 20.190.159.0 | whitelisted
go.microsoft.com | 2.23.242.9 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
arc.msn.com | 20.223.35.26 | whitelisted
fd.api.iris.microsoft.com | 20.223.35.26 | whitelisted

Threats

No threats detected
No debug info