File name:

Fwd Payment Slip.msg

Full analysis: https://app.any.run/tasks/10b14c4d-7738-4a20-a90e-3e26d495246f
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: February 09, 2025, 21:30:16
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
attachments
attc-pdf
phishing
massbass
ipfs
loader
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

7C13069608A735A6AA45D43146640416

SHA1:

6204EFE32ACF60514DE6F0BD9194F44440E860E6

SHA256:

8FE3F1F0487FBE05AD051B4A909EE2B7CA156AB2EC9237C49E4A1529DAAB6A3E

SSDEEP:

24576:p7/XXdgMzcC6mbBdafChtmaiHF+UeTzlLO0GXdgMzcC6mbBdafChtmaiHF+UeTzn:p7/XXdgMzcC6mbBdafChtmaiHF+UeTzG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • PHISHING has been detected (SURICATA)

      • msedge.exe (PID: 7700)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7424)
      • powershell.exe (PID: 6996)
      • powershell.exe (PID: 8516)
      • powershell.exe (PID: 8660)

    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 7424)
      • powershell.exe (PID: 6996)
      • powershell.exe (PID: 8516)
      • powershell.exe (PID: 8660)

    • Executing a file with an untrusted certificate

      • Any Name.exe (PID: 8344)
      • Any Name.exe (PID: 8360)
      • Any Name.exe (PID: 8804)
      • Any Name.exe (PID: 8892)
      • Any Name.exe (PID: 732)

    • Uses Task Scheduler to run other applications

      • Any Name.exe (PID: 8360)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 7604)
      • WinRAR.exe (PID: 8456)
      • Any Name.exe (PID: 8360)

    • Possibly malicious use of IEX has been detected

      • WinRAR.exe (PID: 7604)
      • WinRAR.exe (PID: 8456)

    • The process hide an interactive prompt from the user

      • WinRAR.exe (PID: 7604)
      • WinRAR.exe (PID: 8456)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7424)
      • powershell.exe (PID: 6996)
      • powershell.exe (PID: 8516)
      • powershell.exe (PID: 8660)

    • Starts POWERSHELL.EXE for commands execution

      • WinRAR.exe (PID: 7604)
      • WinRAR.exe (PID: 8456)

    • The process bypasses the loading of PowerShell profile settings

      • WinRAR.exe (PID: 7604)
      • WinRAR.exe (PID: 8456)

    • Potential Corporate Privacy Violation

      • powershell.exe (PID: 7424)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7424)
      • Any Name.exe (PID: 8360)

    • Process requests binary or script from the Internet

      • powershell.exe (PID: 7424)

    • Starts a Microsoft application from unusual location

      • Any Name.exe (PID: 8344)
      • Any Name.exe (PID: 8360)
      • Any Name.exe (PID: 8804)
      • Any Name.exe (PID: 8892)
      • Any Name.exe (PID: 732)

    • Executes application which crashes

      • Any Name.exe (PID: 8344)

    • Application launched itself

      • Any Name.exe (PID: 8360)

  • INFO

    • Reads Microsoft Office registry keys

      • Acrobat.exe (PID: 5448)
      • msedge.exe (PID: 7456)

    • Email with attachments

      • OUTLOOK.EXE (PID: 6332)

    • Reads the computer name

      • identity_helper.exe (PID: 7184)
      • Any Name.exe (PID: 8360)
      • Any Name.exe (PID: 8344)
      • Any Name.exe (PID: 8804)
      • Any Name.exe (PID: 8892)
      • identity_helper.exe (PID: 8084)

    • Reads Environment values

      • identity_helper.exe (PID: 7184)
      • identity_helper.exe (PID: 8084)

    • Application launched itself

      • Acrobat.exe (PID: 6916)
      • msedge.exe (PID: 7456)
      • Acrobat.exe (PID: 5540)
      • AcroCEF.exe (PID: 2796)
      • msedge.exe (PID: 8952)

    • Checks supported languages

      • identity_helper.exe (PID: 7184)
      • Any Name.exe (PID: 8344)
      • Any Name.exe (PID: 8804)
      • Any Name.exe (PID: 8360)
      • Any Name.exe (PID: 8892)
      • identity_helper.exe (PID: 8084)

    • Disables trace logs

      • powershell.exe (PID: 7424)

    • Checks proxy server information

      • powershell.exe (PID: 7424)

    • The executable file from the user directory is run by the Powershell process

      • Any Name.exe (PID: 8344)
      • Any Name.exe (PID: 8360)
      • Any Name.exe (PID: 8804)
      • Any Name.exe (PID: 8892)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6996)
      • powershell.exe (PID: 8516)
      • powershell.exe (PID: 8660)

    • Reads the machine GUID from the registry

      • Any Name.exe (PID: 8804)
      • Any Name.exe (PID: 8344)
      • Any Name.exe (PID: 8360)
      • Any Name.exe (PID: 8892)

    • Creates files or folders in the user directory

      • Any Name.exe (PID: 8360)

    • Create files in a temporary directory

      • Any Name.exe (PID: 8360)

    • Process checks computer location settings

      • Any Name.exe (PID: 8360)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
205
Monitored processes
74
Malicious processes
11
Suspicious processes
4

Behavior graph

Click at the process to see the details
start outlook.exe ai.exe no specs acrobat.exe acrobat.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrobat.exe no specs acrobat.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs #PHISHING msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe no specs powershell.exe conhost.exe no specs powershell.exe no specs conhost.exe no specs any name.exe any name.exe winrar.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs any name.exe no specs any name.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs acrocef.exe no specs schtasks.exe no specs conhost.exe no specs any name.exe no specs werfault.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
440\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
520"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6880 --field-trial-handle=2476,i,15839536002234664407,12072190951842945469,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
540"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=4956 --field-trial-handle=2476,i,15839536002234664407,12072190951842945469,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
732"C:\Users\admin\AppData\Local\Temp\Any Name.exe"C:\Users\admin\AppData\Local\Temp\Any Name.exeAny Name.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Imagindevices.cpl
Version:
6.2.19041.1
Modules
Images
c:\users\admin\appdata\local\temp\any name.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
900"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=6076 --field-trial-handle=2476,i,15839536002234664407,12072190951842945469,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1344"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6616 --field-trial-handle=2476,i,15839536002234664407,12072190951842945469,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1344"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4752 --field-trial-handle=2272,i,272639462363328446,10967658688244023561,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
2148"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5796 --field-trial-handle=2476,i,15839536002234664407,12072190951842945469,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2224"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6596 --field-trial-handle=2476,i,15839536002234664407,12072190951842945469,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
56 532
Read events
55 468
Write events
968
Delete events
96

Modification events

(PID) Process:(6332) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:6
Value:
01941A000000001000B24E9A3E06000000000000000600000000000000
(PID) Process:(6332) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\6332
Operation:writeName:0
Value:
0B0E10D50132775C48B24A971C695177DFB5BF230046F3C4EFA39DE7DEED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511BC31D2120B6F00750074006C006F006F006B002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(6332) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:delete valueName:BootCommand
Value:
(PID) Process:(6332) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:delete valueName:BootFailureCount
Value:
(PID) Process:(6332) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:delete keyName:(default)
Value:
(PID) Process:(6332) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:writeName:CantBootResolution
Value:
BootSuccess
(PID) Process:(6332) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:writeName:ProfileBeingOpened
Value:
Outlook
(PID) Process:(6332) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:writeName:SessionId
Value:
C3D8E96E-C1AF-4750-8D52-F4E28119C131
(PID) Process:(6332) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:writeName:BootDiagnosticsLogFile
Value:
C:\Users\admin\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16026_20146-20240718T1116060318-1644.etl
(PID) Process:(6332) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:delete valueName:ProfileBeingOpened
Value:
Executable files
14
Suspicious files
432
Text files
96
Unknown types
0

Dropped files

PID
Process
Filename
Type
6332OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook1.pst
MD5:
SHA256:
6332OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bintext
MD5:0F6F2CE4425E6E694536D30CFFC5245B
SHA256:8EB35A7CAAC81EC50FCC2F79060658CEBC90D49F3DC327A7F937F03F95CD45CE
6332OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\20677884-2B58-4EE9-957E-7D82CA85CE28xml
MD5:436781076580B4C04ACB2178D0314065
SHA256:EA0E941296FFC168B8F18E25E05E2D9F1ED88B1AED1D9FE941851C7B43026994
6332OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbresbinary
MD5:E6E449FB46A23813B53186A1153147A0
SHA256:D323BC813CF2534E2408F3D6A4D21899FE874295501B3F9744F81EF11133E1A3
6332OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmbinary
MD5:C6536F2CE46D85EF5BCB597D446BAC15
SHA256:133239E1A44E2BB98EC4FAD1DAD6BF34C6EEF112E9DBA9B6022692BC09E670C1
2796AcroCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.oldtext
MD5:2EF1F7C0782D1A46974286420D24F629
SHA256:D3A9BB7E09E1F4B0C41FF7808E930DDACF5DB3BACD98ECCF5BC7DB4863D1FCF5
5448Acrobat.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.5448binary
MD5:366B140BAFC863B7E366AA1E51604759
SHA256:CBC8B288DBD2C72432081CF33CEF431572A94C7FB89DBCD59973B99E3871814E
5448Acrobat.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTINGbinary
MD5:DC84B0D741E5BEAE8070013ADDCC8C28
SHA256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
5448Acrobat.exeC:\Users\admin\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txttext
MD5:03C2CB134E41AD91D7DCDE92274818FB
SHA256:5A57DFC2D08567F447766AE688A24EBAEBE07828674F91C703755B64F160996A
2796AcroCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF13a098.TMPtext
MD5:D012E5B4EB91B61F6E8AE2F8EC3C623E
SHA256:1BDA750084F20306722008016420E1912BA608CA8EFB9C661F7E7EFCF5E89673
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
62
DNS requests
54
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
1176
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6520
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7424
powershell.exe
GET
200
87.107.190.209:80
http://havajel.com/wp-includes/SimplePie/src/wg0kN97.exe
unknown
malicious
7340
SIHClient.exe
GET
200
2.19.217.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6916
Acrobat.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
unknown
whitelisted
7340
SIHClient.exe
GET
200
2.19.217.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
52.109.28.46:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
52.123.128.14:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
23.35.238.131:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted
52.109.68.129:443
roaming.officeapps.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
23.50.131.86:443
omex.cdn.office.net
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
officeclient.microsoft.com
  • 52.109.28.46
whitelisted
ecs.office.com
  • 52.123.128.14
  • 52.123.129.14
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
roaming.officeapps.live.com
  • 52.109.68.129
whitelisted
omex.cdn.office.net
  • 23.50.131.86
  • 23.50.131.87
whitelisted
login.live.com
  • 20.190.159.2
  • 20.190.159.131
  • 40.126.31.67
  • 20.190.159.129
  • 40.126.31.0
  • 40.126.31.1
  • 20.190.159.0
  • 20.190.159.130
whitelisted
messaging.lifecycle.office.com
  • 52.111.243.12
whitelisted
nleditor.osi.office.net
  • 52.111.231.26
  • 52.111.231.24
  • 52.111.231.25
  • 52.111.231.23
whitelisted
odc.officeapps.live.com
  • 52.109.76.144
whitelisted
self.events.data.microsoft.com
  • 20.42.73.28
whitelisted

Threats

PID
Process
Class
Message
7700
msedge.exe
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain ( .flk-ipfs .xyz)
7700
msedge.exe
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected IPFS Phishing (baf .ipfs)
7700
msedge.exe
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected IPFS Phishing (baf .ipfs)
7700
msedge.exe
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain ( .flk-ipfs .xyz)
7424
powershell.exe
A Network Trojan was detected
ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
7424
powershell.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
7424
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Fwd Payment Slip.msg