File name: Fwd Payment Slip.msg

Full analysis: https://app.any.run/tasks/10b14c4d-7738-4a20-a90e-3e26d495246f
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 09, 2025, 21:30:16
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: attachments, attc-pdf, phishing, massbass, ipfs, loader
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 7C13069608A735A6AA45D43146640416
SHA1: 6204EFE32ACF60514DE6F0BD9194F44440E860E6
SHA256: 8FE3F1F0487FBE05AD051B4A909EE2B7CA156AB2EC9237C49E4A1529DAAB6A3E
SSDEEP: 24576:p7/XXdgMzcC6mbBdafChtmaiHF+UeTzlLO0GXdgMzcC6mbBdafChtmaiHF+UeTzn:p7/XXdgMzcC6mbBdafChtmaiHF+UeTzG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6996)
      • powershell.exe (PID: 7424)
      • powershell.exe (PID: 8516)
      • powershell.exe (PID: 8660)
    • PHISHING has been detected (SURICATA)

      • msedge.exe (PID: 7700)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 7424)
      • powershell.exe (PID: 6996)
      • powershell.exe (PID: 8516)
      • powershell.exe (PID: 8660)
    • Executing a file with an untrusted certificate

      • Any Name.exe (PID: 8344)
      • Any Name.exe (PID: 8360)
      • Any Name.exe (PID: 8804)
      • Any Name.exe (PID: 8892)
      • Any Name.exe (PID: 732)
    • Uses Task Scheduler to run other applications

      • Any Name.exe (PID: 8360)
  • SUSPICIOUS

    • The process bypasses the loading of PowerShell profile settings

      • WinRAR.exe (PID: 7604)
      • WinRAR.exe (PID: 8456)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7424)
      • powershell.exe (PID: 6996)
      • powershell.exe (PID: 8516)
      • powershell.exe (PID: 8660)
    • Possibly malicious use of IEX has been detected

      • WinRAR.exe (PID: 7604)
      • WinRAR.exe (PID: 8456)
    • Starts POWERSHELL.EXE for commands execution

      • WinRAR.exe (PID: 7604)
      • WinRAR.exe (PID: 8456)
    • The process hides an interactive prompt from the user

      • WinRAR.exe (PID: 7604)
      • WinRAR.exe (PID: 8456)
    • Potential Corporate Privacy Violation

      • powershell.exe (PID: 7424)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7424)
      • Any Name.exe (PID: 8360)
    • Starts a Microsoft application from unusual location

      • Any Name.exe (PID: 8360)
      • Any Name.exe (PID: 8344)
      • Any Name.exe (PID: 8804)
      • Any Name.exe (PID: 8892)
      • Any Name.exe (PID: 732)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 8456)
      • WinRAR.exe (PID: 7604)
      • Any Name.exe (PID: 8360)
    • Application launched itself

      • Any Name.exe (PID: 8360)
    • Executes application which crashes

      • Any Name.exe (PID: 8344)
    • Process requests binary or script from the Internet

      • powershell.exe (PID: 7424)
  • INFO

    • Reads Microsoft Office registry keys

      • Acrobat.exe (PID: 5448)
      • msedge.exe (PID: 7456)
    • Application launched itself

      • AcroCEF.exe (PID: 2796)
      • msedge.exe (PID: 7456)
      • Acrobat.exe (PID: 6916)
      • Acrobat.exe (PID: 5540)
      • msedge.exe (PID: 8952)
    • Reads Environment values

      • identity_helper.exe (PID: 7184)
      • identity_helper.exe (PID: 8084)
    • Checks supported languages

      • identity_helper.exe (PID: 7184)
      • Any Name.exe (PID: 8344)
      • Any Name.exe (PID: 8360)
      • Any Name.exe (PID: 8804)
      • Any Name.exe (PID: 8892)
      • identity_helper.exe (PID: 8084)
    • Email with attachments

      • OUTLOOK.EXE (PID: 6332)
    • Reads the computer name

      • identity_helper.exe (PID: 7184)
      • Any Name.exe (PID: 8360)
      • Any Name.exe (PID: 8344)
      • Any Name.exe (PID: 8804)
      • Any Name.exe (PID: 8892)
      • identity_helper.exe (PID: 8084)
    • Checks proxy server information

      • powershell.exe (PID: 7424)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6996)
      • powershell.exe (PID: 8516)
      • powershell.exe (PID: 8660)
    • The executable file from the user directory is run by the Powershell process

      • Any Name.exe (PID: 8344)
      • Any Name.exe (PID: 8360)
      • Any Name.exe (PID: 8804)
      • Any Name.exe (PID: 8892)
    • Reads the machine GUID from the registry

      • Any Name.exe (PID: 8344)
      • Any Name.exe (PID: 8360)
      • Any Name.exe (PID: 8804)
      • Any Name.exe (PID: 8892)
    • Disables trace logs

      • powershell.exe (PID: 7424)
    • Creates files or folders in the user directory

      • Any Name.exe (PID: 8360)
    • Creates files in a temporary directory

      • Any Name.exe (PID: 8360)
    • Process checks computer location settings

      • Any Name.exe (PID: 8360)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 205
Monitored processes: 74
Malicious processes: 11
Suspicious processes: 4

Behavior graph

start outlook.exe ai.exe no specs acrobat.exe acrobat.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrobat.exe no specs acrobat.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs #PHISHING msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe no specs powershell.exe conhost.exe no specs powershell.exe no specs conhost.exe no specs any name.exe any name.exe winrar.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs any name.exe no specs any name.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs acrocef.exe no specs schtasks.exe no specs conhost.exe no specs any name.exe no specs werfault.exe no specs svchost.exe

Process information

Each record below lists PID, CMD, Path, Parent process and the per-process details; the Indicators column was empty for every listed process.
PID: 440
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
PID: 520
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6880 --field-trial-handle=2476,i,15839536002234664407,12072190951842945469,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images): c:\program files (x86)\microsoft\edge\application\msedge.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
PID: 540
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=4956 --field-trial-handle=2476,i,15839536002234664407,12072190951842945469,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images): c:\program files (x86)\microsoft\edge\application\msedge.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
PID: 732
CMD: "C:\Users\admin\AppData\Local\Temp\Any Name.exe"
Path: C:\Users\admin\AppData\Local\Temp\Any Name.exe
Parent process: Any Name.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Imagindevices.cpl
Version: 6.2.19041.1
Modules (images): c:\users\admin\appdata\local\temp\any name.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll
PID: 900
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=6076 --field-trial-handle=2476,i,15839536002234664407,12072190951842945469,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images): c:\program files (x86)\microsoft\edge\application\msedge.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
PID: 1344
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6616 --field-trial-handle=2476,i,15839536002234664407,12072190951842945469,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images): c:\program files (x86)\microsoft\edge\application\msedge.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
PID: 1344
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4752 --field-trial-handle=2272,i,272639462363328446,10967658688244023561,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: PWA Identity Proxy Host
Exit code: 3221226029
Version: 122.0.2365.59
Modules (images): c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe, c:\windows\system32\ntdll.dll
PID: 2148
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5796 --field-trial-handle=2476,i,15839536002234664407,12072190951842945469,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images): c:\program files (x86)\microsoft\edge\application\msedge.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\svchost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\kernel.appcore.dll
PID: 2224
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6596 --field-trial-handle=2476,i,15839536002234664407,12072190951842945469,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images): c:\program files (x86)\microsoft\edge\application\msedge.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
Total events: 56 532
Read events: 55 468
Write events: 968
Delete events: 96

Modification events

(PID) Process: (6332) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation: write
Name: 6
Value: 01941A000000001000B24E9A3E06000000000000000600000000000000

(PID) Process: (6332) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\6332
Operation: write
Name: 0
Value: 0B0E10D50132775C48B24A971C695177DFB5BF230046F3C4EFA39DE7DEED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511BC31D2120B6F00750074006C006F006F006B002E00650078006500C51620C517808004C91808323231322D44656300

(PID) Process: (6332) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation: delete value
Name: BootCommand

(PID) Process: (6332) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation: delete value
Name: BootFailureCount

(PID) Process: (6332) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation: delete key
Name: (default)

(PID) Process: (6332) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation: write
Name: CantBootResolution
Value: BootSuccess

(PID) Process: (6332) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation: write
Name: ProfileBeingOpened
Value: Outlook

(PID) Process: (6332) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation: write
Name: SessionId
Value: C3D8E96E-C1AF-4750-8D52-F4E28119C131

(PID) Process: (6332) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation: write
Name: BootDiagnosticsLogFile
Value: C:\Users\admin\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16026_20146-20240718T1116060318-1644.etl

(PID) Process: (6332) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation: delete value
Name: ProfileBeingOpened
Executable files: 14
Suspicious files: 432
Text files: 96
Unknown types: 0

Dropped files

PID 6332, OUTLOOK.EXE
Filename: C:\Users\admin\Documents\Outlook Files\Outlook1.pst
Type:
MD5:
SHA256:

PID 6332, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\20677884-2B58-4EE9-957E-7D82CA85CE28
Type: xml
MD5: 436781076580B4C04ACB2178D0314065
SHA256: EA0E941296FFC168B8F18E25E05E2D9F1ED88B1AED1D9FE941851C7B43026994

PID 6332, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\52XT7T29\Payment Swift copy.pdf:Zone.Identifier
Type: text
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913

PID 6332, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Type: binary
MD5: 2DF45D3A40927394CA08373CAE1470C1
SHA256: C117C88681A8D9062150918D3D8A9DBC2140781E0A24B1B1D73FB2026020D808

PID 6916, Acrobat.exe
Filename: C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst
Type: binary
MD5: 366B140BAFC863B7E366AA1E51604759
SHA256: CBC8B288DBD2C72432081CF33CEF431572A94C7FB89DBCD59973B99E3871814E

PID 6332, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Type: binary
MD5: 5A348E95C7DEDFBACCD88759867D7400
SHA256: 80D7D91128CAB01B136F5CAA166184E77632A0C602B95C7C8596F0201A20796B

PID 6332, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin
Type: text
MD5: CC90D669144261B198DEAD45AA266572
SHA256: 89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899

PID 6332, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\52XT7T29\Payment Swift copy (002).pdf
Type: pdf
MD5: F8C3A70DC433069C890B27B8361D6C2F
SHA256: 3CB9CDB060B46031D10E9E488108F8D411550B1B5D97544957DFB8B1E4208E33

PID 5448, Acrobat.exe
Filename: C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.5448
Type: binary
MD5: 366B140BAFC863B7E366AA1E51604759
SHA256: CBC8B288DBD2C72432081CF33CEF431572A94C7FB89DBCD59973B99E3871814E

PID 6332, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TableViewPreviewPrefs_2_6E6A5D74E09C254E9B1460B55B4AB1EA.dat
Type: xml
MD5: 0E092DB99AEE99FDFF9B5B222C732CFD
SHA256: D1614AD99ADED9F6F5C1BE7FE7FFA5124BD04A526580DA3818EA8A954E852AA6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 62
DNS requests: 54
Threats: 7

HTTP requests

The Type and Size columns were empty for every request; "-" marks a field the report left blank.

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7340 | SIHClient.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7424 | powershell.exe | GET | 200 | 87.107.190.209:80 | http://havajel.com/wp-includes/SimplePie/src/wg0kN97.exe | unknown | malicious
7340 | SIHClient.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6916 | Acrobat.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | unknown | whitelisted
6520 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted

Connections

"-" marks a field the report left blank.

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 52.109.28.46:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
- | - | 52.123.128.14:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 23.35.238.131:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 52.109.68.129:443 | roaming.officeapps.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
- | - | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
- | - | 23.50.131.86:443 | omex.cdn.office.net | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP | Reputation
officeclient.microsoft.com | 52.109.28.46 | whitelisted
ecs.office.com | 52.123.128.14, 52.123.129.14 | whitelisted
go.microsoft.com | 23.35.238.131 | whitelisted
roaming.officeapps.live.com | 52.109.68.129 | whitelisted
omex.cdn.office.net | 23.50.131.86, 23.50.131.87 | whitelisted
login.live.com | 20.190.159.2, 20.190.159.131, 40.126.31.67, 20.190.159.129, 40.126.31.0, 40.126.31.1, 20.190.159.0, 20.190.159.130 | whitelisted
messaging.lifecycle.office.com | 52.111.243.12 | whitelisted
nleditor.osi.office.net | 52.111.231.26, 52.111.231.24, 52.111.231.25, 52.111.231.23 | whitelisted
odc.officeapps.live.com | 52.109.76.144 | whitelisted
self.events.data.microsoft.com | 20.42.73.28 | whitelisted

Threats

PID | Process | Class | Message
7700 | msedge.exe | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain ( .flk-ipfs .xyz)
7700 | msedge.exe | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected IPFS Phishing (baf .ipfs)
7700 | msedge.exe | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected IPFS Phishing (baf .ipfs)
7700 | msedge.exe | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain ( .flk-ipfs .xyz)
7424 | powershell.exe | A Network Trojan was detected | ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
7424 | powershell.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
7424 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
No debug info