Malware analysis POTENTIAL PHISH [EXT]e_Share_Docs via - 3182025. Ref0e079f3ac83785184d909fb47e075431.zip.zip Malicious activity

Add for printing

File name:	POTENTIAL PHISH [EXT]e_Share_Docs via - 3182025. Ref0e079f3ac83785184d909fb47e075431.zip.zip
Full analysis:	https://app.any.run/tasks/b4f2dd07-e87a-461e-b837-855086d84d15
Verdict:	Malicious activity
Analysis date:	March 24, 2025, 14:12:10
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-email attachments attc-arch spf-fail susp-attachments attc-unc attc-eml
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	17DB62E2859ECD423A8B954B4F3C7BA8
SHA1:	C69EF02E8C40E4C36F2328BF548AE3161FE04135
SHA256:	A4E4B85FC337256D26763A58EB8E45CB841AAB330B4F61322B7543B8D60F19F0
SSDEEP:	768:PNnRo6TiU/YSFJPv1q2eZQKFvjB5g/DIZ2OpbL9njYN74gkTvu:PJ/1w2UdFvl5cIggsN74gX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 672)
  - WinRAR.exe (PID: 5868)
- Application launched itself
  - WinRAR.exe (PID: 5868)
- Reads Microsoft Outlook installation path
  - WinRAR.exe (PID: 672)
- Generic archive extractor
  - WinRAR.exe (PID: 5868)
INFO
- Reads Microsoft Office registry keys
  - WinRAR.exe (PID: 672)
- Reads security settings of Internet Explorer
  - BackgroundTransferHost.exe (PID: 7508)
  - BackgroundTransferHost.exe (PID: 8072)
  - BackgroundTransferHost.exe (PID: 7388)
- Checks proxy server information
  - BackgroundTransferHost.exe (PID: 8072)
- Creates files or folders in the user directory
  - BackgroundTransferHost.exe (PID: 8072)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2025:03:24 13:44:38
ZipCRC:	0xbe9ff2a4
ZipCompressedSize:	31537
ZipUncompressedSize:	31643
ZipFileName:	POTENTIAL PHISH [EXT]e_Share_Docs via - 3182025. Ref0e079f3ac83785184d909fb47e075431.zip

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

151

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

672

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa5868.35585\POTENTIAL PHISH [EXT]e_Share_Docs via - 3182025. Ref0e079f3ac83785184d909fb47e075431.zip"

C:\Program Files\WinRAR\WinRAR.exe

—

WinRAR.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\windows\system32\explorerframe.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\policymanager.dll
c:\windows\system32\msvcp110_win.dll
c:\windows\system32\edputil.dll
c:\windows\system32\windows.staterepositoryps.dll
c:\windows\system32\windows.ui.appdefaults.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\srvcli.dll

5124

"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "FB8904B0-2C09-4D93-985C-CBD97E7DA77C" "9920C9BE-453E-489C-8590-63C492BA850F" "7372"

C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe

—

OUTLOOK.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.

Version:

0.12.2.0

Modules

Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll

5868

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\POTENTIAL PHISH [EXT]e_Share_Docs via - 3182025. Ref0e079f3ac83785184d909fb47e075431.zip.zip"

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

6032

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

7208

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\BackgroundTransferHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Download/Upload Host

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll

7372

"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\Rar$DIa672.35985\POTENTIAL PHISH [EXT]e_Share_Docs via - 3182025. Ref0e079f3ac83785184d909fb47e075431.eml"

C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

WinRAR.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Outlook

Version:

16.0.16026.20146

Modules

Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

7388

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\BackgroundTransferHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Download/Upload Host

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll

7508

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\BackgroundTransferHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Download/Upload Host

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll

7572

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\BackgroundTransferHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Download/Upload Host

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll

8072

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\BackgroundTransferHost.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Download/Upload Host

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll

Add for printing

Total events

14 982

Read events

14 466

Write events

431

Delete events

Modification events


(PID) Process:	(5868) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(5868) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(5868) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(5868) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\POTENTIAL PHISH [EXT]e_Share_Docs via - 3182025. Ref0e079f3ac83785184d909fb47e075431.zip.zip
(PID) Process:	(5868) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5868) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5868) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5868) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(672) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(672) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7372	OUTLOOK.EXE	C:\Users\admin\Documents\Outlook Files\Outlook1.pst		—
		MD5:—	SHA256:—
8072	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\a92966ef-66da-4459-88a3-11be81b4f5ca.down_data		—
		MD5:—	SHA256:—
672	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa672.35985\POTENTIAL PHISH [EXT]e_Share_Docs via - 3182025. Ref0e079f3ac83785184d909fb47e075431.eml:OECustomProperty		binary
		MD5:B10CEBC4345585570E911E3CF06F6EED	SHA256:CA79FA894F82825A7FDEB60A72D74E7F47FE5EE84D60882219FC84EAD445DD69
7372	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A43508A7-1B04-4B63-80F2-D65053D20762		xml
		MD5:01F5F05F9992F78AD34A4A83EA362BD6	SHA256:965B08409DFEB747E3AA6C2FEE1C942DF5E439A3883EC275AA3D2D2D1F981F67
8072	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D		binary
		MD5:4872BABAF39AA62B8D32695EBB7E9173	SHA256:2EE85DF86EE29BBEB3DCA81AA29B6DE204F605A2769B84C728A329178A2D0999
5868	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa5868.35585\POTENTIAL PHISH [EXT]e_Share_Docs via - 3182025. Ref0e079f3ac83785184d909fb47e075431.zip		compressed
		MD5:6D04CC75D9A09604AAF457EC2A05F356	SHA256:E52D4F7BE0E9F651AEA508958C536A76EF285951ADF26120D57839C00E55BD1F
7372	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres		binary
		MD5:9268CDD7AF3FE351F1FD89FC39BD8B35	SHA256:B64E9F1AB581D67BD09F0B5A56EE003353916C7665E293FF94C20DEE992C28AE
672	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa672.35985\POTENTIAL PHISH [EXT]e_Share_Docs via - 3182025. Ref0e079f3ac83785184d909fb47e075431.eml		text
		MD5:7CF21676F9D7DB23FC310E87C9C75F4E	SHA256:27728C9E18730686B029D8F706E0E9792BC0D3EB8CE5ED5BB92A1237B924D3F1
8072	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D		binary
		MD5:72665F146031F8EF4DCAEA9D3E084D2F	SHA256:CD3F064B1935957F54064352FDFB66AD62954BE5A744A1C567EFCF85539E0F88
7372	OUTLOOK.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm		binary
		MD5:6EEC8C18FC25771B15C1E2C7DC2EAF1B	SHA256:EEAF12D3AE8A33715B9EA0416052E26CC10FA55469035A25F37EE70DD197DA74

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	23.48.23.169:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1512	backgroundTaskHost.exe	GET	200	23.54.109.203:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
—	—	GET	200	23.54.109.203:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
8072	BackgroundTransferHost.exe	GET	200	23.54.109.203:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
7372	OUTLOOK.EXE	GET	200	23.54.109.203:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted
7968	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7372	OUTLOOK.EXE	GET	200	23.54.109.203:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D	unknown	—	—	whitelisted
7968	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2104	svchost.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5496	MoUsoCoreWorker.exe	23.48.23.169:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5496	MoUsoCoreWorker.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6876	RUXIMICS.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	40.126.32.74:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	23.54.109.203:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.184.238	whitelisted
crl.microsoft.com	23.48.23.169 23.48.23.141 23.48.23.158 23.48.23.159 23.48.23.143 23.48.23.156 23.48.23.166 23.48.23.162	whitelisted
client.wns.windows.com	40.115.3.253 40.113.110.67	whitelisted
login.live.com	40.126.32.74 20.190.160.3 40.126.32.68 40.126.32.140 40.126.32.138 20.190.160.5 20.190.160.130 20.190.160.66	whitelisted
ocsp.digicert.com	23.54.109.203	whitelisted
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
arc.msn.com	20.223.35.26	whitelisted
officeclient.microsoft.com	52.109.28.46	whitelisted
ecs.office.com	52.123.130.14 52.123.131.14	whitelisted
www.bing.com	92.123.104.22 92.123.104.26 92.123.104.24 92.123.104.27 92.123.104.30 92.123.104.29 92.123.104.21 92.123.104.32 92.123.104.20	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

POTENTIAL PHISH [EXT]e_Share_Docs via - 3182025. Ref0e079f3ac83785184d909fb47e075431.zip.zip

17DB62E2859ECD423A8B954B4F3C7BA8

C69EF02E8C40E4C36F2328BF548AE3161FE04135

A4E4B85FC337256D26763A58EB8E45CB841AAB330B4F61322B7543B8D60F19F0

768:PNnRo6TiU/YSFJPv1q2eZQKFvjB5g/DIZ2OpbL9njYN74gkTvu:PJ/1w2UdFvl5cIggsN74gX

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Reads security settings of Internet Explorer

Application launched itself

Reads Microsoft Outlook installation path

Generic archive extractor

INFO

Reads Microsoft Office registry keys

Reads security settings of Internet Explorer

Checks proxy server information

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings