File name:

MDE_File_Sample_4055dc944a6430de290196b296dda0da1ca11a93.zip

Full analysis: https://app.any.run/tasks/13a72252-eeb0-4ac9-8e16-515597ed7dc4
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 10, 2025, 21:57:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

464C846584279DAA16CAEA73B4C3D333

SHA1:

49C5B21342445683617564859B2C2A884D2D8CF4

SHA256:

8DB146D4448E5B67610359FC4C12C3FAFA193BF60024E6E50E0BEB284E0CC0EA

SSDEEP:

24576:WgZdYe6oApzHLTMvPLHIHrB0airMrUzoz3mc5ex14wTM2LCXToJUqRtfwqhH2j:WgZdYe65zHLTMvPLHArB0airMwzoz3ma

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
      • Email Access Online.exe (PID: 3724)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
    • The process creates files with name similar to system file names

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
    • Process requests binary or script from the Internet

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
    • Executable content was dropped or overwritten

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
    • Searches for installed software

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
      • Email Access Online.exe (PID: 3724)
    • Checks Windows Trust Settings

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
      • Email Access Online.exe (PID: 3724)
    • Reads Microsoft Outlook installation path

      • Email Access Online.exe (PID: 3724)
    • Creates a software uninstall entry

      • Email Access Online.exe (PID: 3724)
    • Reads Internet Explorer settings

      • Email Access Online.exe (PID: 3724)
  • INFO

    • The process uses the downloaded file

      • WinRAR.exe (PID: 1852)
    • The sample compiled with english language support

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
      • WinRAR.exe (PID: 1852)
    • Manual execution by a user

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
    • Checks supported languages

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
    • Checks proxy server information

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
      • Email Access Online.exe (PID: 3724)
    • Reads the software policy settings

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
      • Email Access Online.exe (PID: 3724)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1852)
    • Reads the machine GUID from the registry

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
      • Email Access Online.exe (PID: 3724)
    • Create files in a temporary directory

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
    • Creates files or folders in the user directory

      • Access Gov Docs Tab_5e961b22d7571.exe (PID: 7108)
      • Email Access Online.exe (PID: 3724)
    • Application launched itself

      • msedge.exe (PID: 8)
      • msedge.exe (PID: 5696)
    • Reads Environment values

      • identity_helper.exe (PID: 1856)
    • Reads the computer name

      • identity_helper.exe (PID: 1856)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
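The SUSPICIOUS signatures above for PID 7108 and PID 3724 (plug-in DLLs such as System.dll and nsDialogs.dll written to an NSIS unpack directory under %TEMP%, an executable written under %LOCALAPPDATA% and then started as a child process) can be turned into one correlation rule. The following is an added example, not code from ANY.RUN or from the report: it runs that rule over a constructed event list modelled on this report's process and dropped-file tables. The event schema (kind, pid, parent_pid, path, image) is this example's own, the explorer.exe PID is assumed, and the drop of Email Access Online.exe itself is assumed from the launch path in the process list rather than taken from the visible dropped-files excerpt.

```python
"""Added example (not from the ANY.RUN report): a correlation rule built from
the report's SUSPICIOUS signatures for PID 7108 and PID 3724.

EVENTS is a constructed event list modelled on the report's process and
dropped-file tables; its field names (kind, pid, parent_pid, path, image)
are this example's own, not an EDR schema.  The drop of
"Email Access Online.exe" is assumed from the launch path in the process
list; the visible dropped-files excerpt does not include it.
"""
import re
from collections import defaultdict

# NSIS installers unpack plug-ins into %TEMP%\ns<tag>.tmp\ (here nsq251C.tmp).
NSIS_PLUGIN_DROP = re.compile(
    r"\\AppData\\Local\\Temp\\ns[a-z0-9]{2,8}\.tmp\\[^\\]+\.dll$", re.I)
# An executable written to a folder directly under %LOCALAPPDATA%.
LOCALAPPDATA_EXE = re.compile(r"\\AppData\\Local\\[^\\]+\\[^\\]+\.exe$", re.I)
# DLL names that collide with well-known Windows binaries ("System.dll" is an
# NSIS plug-in name, but it is also what the report's signature keys on).
SYSTEM_LOOKALIKES = {"system.dll", "kernel32.dll", "ntdll.dll", "user32.dll"}

EVENTS = [  # constructed for this example; 4104 = explorer.exe (assumed PID)
    {"kind": "process", "pid": 7108, "parent_pid": 4104,
     "image": r"C:\Users\admin\Desktop\Access Gov Docs Tab_5e961b22d7571.exe"},
    {"kind": "file", "pid": 7108, "path": r"C:\Users\admin\AppData\Local\Temp\nsq251C.tmp\nsDialogs.dll"},
    {"kind": "file", "pid": 7108, "path": r"C:\Users\admin\AppData\Local\Temp\nsq251C.tmp\System.dll"},
    {"kind": "file", "pid": 7108, "path": r"C:\Users\admin\AppData\Local\Temp\nsq251C.tmp\npHelper.dll"},
    {"kind": "file", "pid": 7108, "path": r"C:\Users\admin\AppData\Local\Email Access Online\Icon.ico"},
    {"kind": "file", "pid": 7108,   # assumed drop, see module docstring
     "path": r"C:\Users\admin\AppData\Local\Email Access Online\Email Access Online.exe"},
    {"kind": "process", "pid": 3724, "parent_pid": 7108,
     "image": r"C:\Users\admin\AppData\Local\Email Access Online\Email Access Online.exe"},
    # benign control: WinRAR extracting the archive member to the Desktop
    {"kind": "process", "pid": 1852, "parent_pid": 4104, "image": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"kind": "file", "pid": 1852, "path": r"C:\Users\admin\Desktop\Access Gov Docs Tab_5e961b22d7571.exe"},
]


def score(events):
    """Map each PID to the set of findings raised against it.

    File events are scored individually; process events are then checked
    against what their parent wrote, which is the link the report's
    signatures leave implicit (7108 dropped the exe that became 3724).
    """
    findings = defaultdict(set)
    written = defaultdict(set)              # pid -> lower-cased paths it created
    for ev in events:
        if ev["kind"] != "file":
            continue
        pid, path = ev["pid"], ev["path"]
        written[pid].add(path.lower())
        if NSIS_PLUGIN_DROP.search(path):
            findings[pid].add("nsis_plugin_drop")
        if path.rsplit("\\", 1)[-1].lower() in SYSTEM_LOOKALIKES:
            findings[pid].add("system_name_lookalike")
        if LOCALAPPDATA_EXE.search(path):
            findings[pid].add("exe_written_to_localappdata")
    for ev in events:
        if ev["kind"] != "process":
            continue
        parent = ev.get("parent_pid")
        if ev["image"].lower() in written.get(parent, ()):
            findings[parent].add("spawned_dropped_exe")
            findings[ev["pid"]].add("launched_from_dropped_path")
    return dict(findings)


def worth_a_look(events, threshold=2):
    """PIDs with at least `threshold` distinct findings, most findings first."""
    scored = score(events)
    return sorted((p for p in scored if len(scored[p]) >= threshold),
                  key=lambda p: -len(scored[p]))


if __name__ == "__main__":
    for pid, hits in sorted(score(EVENTS).items()):
        print(pid, sorted(hits))
    print("review:", worth_a_look(EVENTS))
```

The parent/child link is what makes the rule useful: an NSIS plug-in drop alone is also what every legitimate NSIS installer does, but an installer that writes an executable under %LOCALAPPDATA% and immediately launches it from there is the pattern both processes in this report share.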
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2025:01:10 21:56:56
ZipCRC: 0x851c521d
ZipCompressedSize: 755896
ZipUncompressedSize: 790960
ZipFileName: Access Gov Docs Tab_5e961b22d7571.exe
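The identification block above (MD5/SHA-1/SHA-256 and the EXIF ZIP fields) can be reproduced offline from the archive bytes. The following is an added example, not part of the ANY.RUN report: it hashes an archive, walks the ZIP local file headers to recover the same fields, and decodes the general-purpose bit flag. Note that the report's ZipBitFlag 0x0001 sets bit 0, which the ZIP specification defines as "file is encrypted", i.e. the entry is password-protected while its name stays readable. The archive the example builds is a constructed stand-in with a placeholder payload, written unencrypted, so its hashes do not match the report's values and the flag decoder is exercised directly on 0x0001. SSDEEP is left out because it needs a non-standard library.

```python
"""Added example (not part of the ANY.RUN report): reproduce the file
identification block offline for any ZIP sample.

hash_bytes() gives the MD5/SHA-1/SHA-256 the report lists; parse_local_headers()
walks the local file headers to recover the EXIF ZIP fields; decode_flags()
names the bits of the general-purpose flag.  build_sample_archive() is a
constructed stand-in with a placeholder payload, so its hashes differ from
the report's.
"""
from __future__ import annotations

import hashlib
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")   # 30-byte local file header

# General-purpose bit flag (APPNOTE.TXT 4.4.4); bit 0 is the one the report's
# ZipBitFlag 0x0001 sets.
FLAG_BITS = {
    0: "encrypted",          # entry data is password-protected
    3: "data-descriptor",    # CRC/sizes trail the data, header copies are 0
    6: "strong-encryption",
    11: "utf8-names",
}
METHODS = {0: "Stored", 8: "Deflated", 12: "BZip2", 14: "LZMA", 99: "AES"}


def decode_flags(flags: int) -> list[str]:
    """Names of the set general-purpose flag bits, lowest bit first."""
    return [name for bit, name in sorted(FLAG_BITS.items()) if flags & (1 << bit)]


def hash_bytes(data: bytes) -> dict[str, str]:
    """MD5/SHA1/SHA256 as upper-case hex, the form the report prints."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA256": hashlib.sha256(data).hexdigest().upper(),
    }


def parse_local_headers(data: bytes) -> list[dict]:
    """Walk local file headers from offset 0 up to the central directory.

    A data-descriptor entry (bit 3) carries compressed size 0 in its local
    header, so the walk cannot skip past it: it is recorded and the walk
    stops (the central directory would be needed to continue).
    """
    entries = []
    off = 0
    while data[off:off + 4] == LOCAL_SIG:
        (_sig, version, flags, method, _t, _d, crc,
         csize, usize, name_len, extra_len) = LOCAL_HEADER.unpack_from(data, off)
        name = data[off + 30:off + 30 + name_len].decode("utf-8", "replace")
        entries.append({
            "ZipRequiredVersion": version,
            "ZipBitFlag": flags,
            "ZipBitFlagNames": decode_flags(flags),
            "ZipCompression": METHODS.get(method, f"method {method}"),
            "ZipCRC": f"0x{crc:08x}",
            "ZipCompressedSize": csize,
            "ZipUncompressedSize": usize,
            "ZipFileName": name,
        })
        if flags & (1 << 3):
            break
        off += LOCAL_HEADER.size + name_len + extra_len + csize
    return entries


def build_sample_archive() -> tuple[bytes, bytes]:
    """Constructed stand-in: one deflated entry named like the report's member,
    with a placeholder payload (NOT the real binary)."""
    payload = b"MZ" + b"\x00" * 62 + b"placeholder PE body " * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Access Gov Docs Tab_5e961b22d7571.exe", payload)
    return buf.getvalue(), payload


def triage(archive: bytes) -> dict:
    """Hashes plus per-entry header fields, with a password-protection verdict."""
    entries = parse_local_headers(archive)
    return {
        "hashes": hash_bytes(archive),
        "entries": entries,
        "password_protected": any("encrypted" in e["ZipBitFlagNames"] for e in entries),
    }


if __name__ == "__main__":
    archive, _ = build_sample_archive()
    result = triage(archive)
    for algo, digest in result["hashes"].items():
        print(f"{algo}: {digest}")
    for entry in result["entries"]:
        print(entry)
    print("password protected:", result["password_protected"])
```

Checking bit 0 before anything else saves time in triage: a password-protected archive will not yield its member to automated unpacking, which is why this run needed an interactive WinRAR session and why the disclaimer about user actions applies.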
No data.
All screenshots are available in the full report
Total processes
178
Monitored processes
50
Malicious processes
2
Suspicious processes
0

Behavior graph

Process chain shown in the graph: start, winrar.exe, access gov docs tab_5e961b22d7571.exe, email access online.exe, msedge.exe, followed by several dozen msedge.exe child processes and four identity_helper.exe processes, most of them marked "no specs".

Process information

PID: 1852
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Downloads\MDE_File_Sample_4055dc944a6430de290196b296dda0da1ca11a93.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 7108
CMD: "C:\Users\admin\Desktop\Access Gov Docs Tab_5e961b22d7571.exe"
Path: C:\Users\admin\Desktop\Access Gov Docs Tab_5e961b22d7571.exe
Parent process: explorer.exe
User:
admin
Company:
Better Cloud Solutions LTD
Integrity Level:
MEDIUM
Description:
Desktop web search
Exit code:
0
Version:
3.9.0.1
Modules
Images
c:\users\admin\desktop\access gov docs tab_5e961b22d7571.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 3724
CMD: "C:\Users\admin\AppData\Local\Email Access Online\Email Access Online.exe" /firstrun
Path: C:\Users\admin\AppData\Local\Email Access Online\Email Access Online.exe
Parent process: Access Gov Docs Tab_5e961b22d7571.exe
User:
admin
Company:
Better Cloud Solutions LTD
Integrity Level:
MEDIUM
Description:
Desktop web search
Version:
3.9.0.1
Modules
Images
c:\users\admin\appdata\local\email access online\email access online.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 5696
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://results.hemailaccessonline.com/s?uid=7ce42b2c-83ca-4350-9603-a9aaeee50b9a&uc=20250110&source=-lp0-bb8-sbe&i_id=email_&ap=appfocus1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: Email Access Online.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 3988
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x31c,0x320,0x324,0x314,0x32c,0x7ff821c95fd8,0x7ff821c95fe4,0x7ff821c95ff0
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 6268
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2456 --field-trial-handle=2460,i,12400054285894631682,9148779680471048263,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 6304
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2532 --field-trial-handle=2460,i,12400054285894631682,9148779680471048263,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 6552
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2704 --field-trial-handle=2460,i,12400054285894631682,9148779680471048263,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 6744
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3352 --field-trial-handle=2460,i,12400054285894631682,9148779680471048263,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1544
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3768 --field-trial-handle=2460,i,12400054285894631682,9148779680471048263,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
13 217
Read events
13 143
Write events
59
Delete events
15

Modification events

(PID) Process | Key | Operation | Name | Value
(1852) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\preferences.zip
(1852) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\chromium_ext.zip
(1852) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\omni_23_10_2024_.zip
(1852) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Downloads\MDE_File_Sample_4055dc944a6430de290196b296dda0da1ca11a93.zip
(1852) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | name | 120
(1852) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | size | 80
(1852) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | type | 120
(1852) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | mtime | 100
(1852) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | delete value | 15 | (empty)
(1852) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | delete value | 14 | (empty)

All of these are WinRAR housekeeping under HKCU, not sample persistence: ArcHistory entry 0 is this run's archive, and entries 1 to 3 are archives previously opened on the sandbox image that WinRAR moves down one slot when it prepends a new one. The registry writes of the sample itself (the "Creates a software uninstall entry" signature for PID 3724) are not part of this excerpt.
Executable files
12
Suspicious files
274
Text files
94
Unknown types
0

Dropped files

PID 7108, Access Gov Docs Tab_5e961b22d7571.exe:

C:\Users\admin\AppData\Local\Temp\nsq251C.tmp\nsDialogs.dll (executable)
MD5: 0D45588070CF728359055F776AF16EC4
SHA256: 067C77D51DF034B4A614F83803140FBF4CD2F8684B88EA8C8ACDF163EDAD085A

C:\Users\admin\AppData\Local\Temp\nsq251C.tmp\System.dll (executable)
MD5: A4DD044BCD94E9B3370CCF095B31F896
SHA256: 2E226715419A5882E2E14278940EE8EF0AA648A3EF7AF5B3DC252674111962BC

C:\Users\admin\AppData\Local\Temp\nsq251C.tmp\installer_small_sb.bmp (image)
MD5: 9BC62942811FDC96A20A280F0CA71B6C
SHA256: 5A95502E8E34B041679DBA2288E8F511EE14AAFB23A97F96A3B4CED7C37BF991

C:\Users\admin\AppData\Local\Temp\nsq251C.tmp\npHelper.dll (executable)
MD5: 94E82583F53A9BDF534B8A8D135BA959
SHA256: 9C9D23489AF9449215C17FEE86496C55E309AF32057400C1726E30311677C7B4

C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517 (der)
MD5: EA77FF6B9F8CD8481BA33062D9A6C482
SHA256: C02C06367922C99C043474BEC40C8CF3A12C1C9AD6062079119CA26F8C9730F1

C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F53EB4E574DE32C870452087D92DBEBB_9CC1CE4365C70D31C40A15E98F4E626E (binary)
MD5: A542F8A68F63ABA8CE8CC00ECFE0F741
SHA256: 961945B799621F238961F06B6B721EAF47825914BE2975F4FA7F9AF2B829BF1E

C:\Users\admin\AppData\Local\Email Access Online\Icon.ico (image)
MD5: 78915530B81172A4B82287C655410F0B
SHA256: 76A416F229D455BC045E99C3BE0EBE9734AA9018188EFF2FFCF10ABBBCC921C6

C:\Users\admin\AppData\Local\Temp\nsq251C.tmp\terms.rtf (text)
MD5: B056EF6D4BD8257ED72BB891116F9D25
SHA256: 358D9486CA52E2BB2A2AB4AD856186FCBC8C91289F3BED59BD6EEA395416828D

C:\Users\admin\AppData\Local\Email Access Online\Sprite.png (image)
MD5: 6418FAFD3CF63243B2FFE7EBF67C48B1
SHA256: 787F65DB9A7EC976F2C82576AB76A3877AE54BA5A7564ACE3244A7F4209194DD

C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F53EB4E574DE32C870452087D92DBEBB_9CC1CE4365C70D31C40A15E98F4E626E (binary)
MD5: 396D9F839FADBE439008D9A35BADE680
SHA256: 9BD263F2022B4AAA2B63487FC5EF8F264D7BF63F5A90A68A93B6B63A57D0513B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
131
DNS requests
110
Threats
0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation ("-" = not shown in the report)
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7108 | Access Gov Docs Tab_5e961b22d7571.exe | GET | 503 | 18.218.193.209:80 | http://websearchdl.com/cgi/adk/chrdlid.cgi?dfn=Access%20Gov%20Docs%20Tab_5e961b22d7571.exe&err=4&data=<html><head><title>503%20Service%20Temporarily%20Unavailable</title></head><body><center><h1>503%20Service%20Temporarily%20Unavailable</h1></center></body></html> | unknown | -
7108 | Access Gov Docs Tab_5e961b22d7571.exe | GET | 503 | 18.218.193.209:80 | http://websearchdl.com/cgi/adk/chrdlid.cgi?id=5e961b22d7571 | unknown | -
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
- | - | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6848 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7108 | Access Gov Docs Tab_5e961b22d7571.exe | GET | 200 | 18.66.145.213:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkpLy9ROx7U76vGUhC06D6E%3D | unknown | -
- | - | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
7108 | Access Gov Docs Tab_5e961b22d7571.exe | GET | 200 | 18.245.65.219:80 | http://ocsp.r2m02.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRmbQtwnInkvkvr7BNFR%2BS2lTYPjAQUwDFSzVpQw4J8dHHOy%2Bmc%2BXrrguICEAcgJC2RE6WQrxCNDcG%2BhG0%3D | unknown | whitelisted

Of the rows shown, only the two requests from PID 7108 to websearchdl.com are the sample's own traffic; the remaining rows are CRL and OCSP (certificate status) fetches, which are not payload downloads and appear in most runs. The id parameter, 5e961b22d7571, is the suffix of the executable's file name, and the first request carries err=4 together with the server's own 503 page in data=, i.e. the installer reported the failed request back to the same host. Neither request to websearchdl.com succeeded in this run, so whatever it would have fetched (cf. "Process requests binary or script from the Internet") is not in this report.
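Most of the HTTP rows above are certificate-infrastructure noise (CRL and OCSP fetches). The following is an added example, not from the report or from ANY.RUN: it separates those rows from the sample's own requests and decodes the websearchdl.com beacon query (the id parameter, the err code, the dfn file name, and the 503 HTML the server had returned, which the installer echoed back in data=), then checks the id against the suffix of the dropped file name. The rows are constructed from the table above; the row field names and the host/path patterns are this example's own.

```python
"""Added example (not from the ANY.RUN report): triage the HTTP table.

ROWS is constructed from the report's HTTP request rows (PID, process,
status, URL); the field names and the host/path patterns below are this
example's own.  Rows with no PID in the report are given pid=None.
"""
import re
from urllib.parse import parse_qs, urlsplit

# CRL / OCSP endpoints: contacted by Windows and by certificate checks on
# signed binaries, so they appear in nearly every run and are not C2.
CERT_INFRA_HOST = re.compile(r"^(crl|ocsp)\.", re.I)
CERT_INFRA_PATH = re.compile(r"/crl/.*\.crl$", re.I)
# The report's file name ends in _<13 hex>.exe; the beacon sends the same id.
DOWNLOAD_ID = re.compile(r"_([0-9a-f]{13})\.exe$", re.I)

ROWS = [  # constructed from the report's table
    {"pid": 4712, "proc": "MoUsoCoreWorker.exe", "status": 200,
     "url": "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"},
    {"pid": 4712, "proc": "MoUsoCoreWorker.exe", "status": 200,
     "url": "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"},
    {"pid": 7108, "proc": "Access Gov Docs Tab_5e961b22d7571.exe", "status": 503,
     "url": ("http://websearchdl.com/cgi/adk/chrdlid.cgi?dfn=Access%20Gov%20Docs%20Tab_5e961b22d7571.exe"
             "&err=4&data=<html><head><title>503%20Service%20Temporarily%20Unavailable</title></head>"
             "<body><center><h1>503%20Service%20Temporarily%20Unavailable</h1></center></body></html>")},
    {"pid": 7108, "proc": "Access Gov Docs Tab_5e961b22d7571.exe", "status": 503,
     "url": "http://websearchdl.com/cgi/adk/chrdlid.cgi?id=5e961b22d7571"},
    {"pid": None, "proc": None, "status": 200,
     "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D"},
    {"pid": 6848, "proc": "SIHClient.exe", "status": 200,
     "url": "http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl"},
    {"pid": 7108, "proc": "Access Gov Docs Tab_5e961b22d7571.exe", "status": 200,
     "url": "http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkpLy9ROx7U76vGUhC06D6E%3D"},
    {"pid": 7108, "proc": "Access Gov Docs Tab_5e961b22d7571.exe", "status": 200,
     "url": "http://ocsp.r2m02.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRmbQtwnInkvkvr7BNFR%2BS2lTYPjAQUwDFSzVpQw4J8dHHOy%2Bmc%2BXrrguICEAcgJC2RE6WQrxCNDcG%2BhG0%3D"},
]


def is_cert_infra(url):
    """True for CRL/OCSP fetches, judged by host prefix or a /crl/...crl path."""
    p = urlsplit(url)
    return bool(CERT_INFRA_HOST.search(p.hostname or "") or CERT_INFRA_PATH.search(p.path))


def sample_traffic(rows, pid):
    """Requests made by `pid` that are not certificate-status fetches."""
    return [r for r in rows if r["pid"] == pid and not is_cert_infra(r["url"])]


def parse_beacon(url):
    """Flatten the query string to single values; parse_qs percent-decodes them."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def summarize_beacons(rows, pid, filename):
    """Pull host/id/err/dfn out of the beacons and check id against the file name."""
    out = {"host": None, "id": None, "err": None, "dfn": None, "embedded_status": None}
    for r in sample_traffic(rows, pid):
        q = parse_beacon(r["url"])
        out["host"] = urlsplit(r["url"]).hostname
        for key in ("id", "err", "dfn"):
            out[key] = out[key] or q.get(key)
        if "data" in q:                      # server response echoed back by the client
            m = re.search(r"<title>(\d{3})", q["data"])
            out["embedded_status"] = m.group(1) if m else None
    m = DOWNLOAD_ID.search(filename)
    out["id_matches_filename"] = bool(m and out["id"] and m.group(1).lower() == out["id"].lower())
    return out


if __name__ == "__main__":
    for r in sample_traffic(ROWS, 7108):
        print(r["status"], r["url"][:80])
    print(summarize_beacons(ROWS, 7108, "Access Gov Docs Tab_5e961b22d7571.exe"))
```

The id-to-filename check is the part worth keeping in a playbook: the same installer framework stamps a per-download identifier into the file name and sends it back on first contact, so the file name alone is enough to pivot on the beacon host in proxy logs.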

Connections

PID | Process | IP | Domain | ASN | CN | Reputation ("-" = not shown in the report)
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4712 | MoUsoCoreWorker.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
- | - | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
5064 | SearchApp.exe | 2.23.227.215:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
5848 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 184.30.21.171
whitelisted
google.com
  • 216.58.206.78
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
  • 104.126.37.129
  • 104.126.37.163
  • 104.126.37.123
  • 104.126.37.170
  • 104.126.37.177
  • 104.126.37.131
  • 104.126.37.185
  • 104.126.37.128
  • 104.126.37.130
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.31.71
  • 20.190.159.2
  • 20.190.159.73
  • 20.190.159.68
  • 20.190.159.64
  • 40.126.31.67
  • 20.190.159.75
  • 20.190.159.0
whitelisted
go.microsoft.com
  • 2.23.242.9
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted

Threats

No threats detected
No debug info