Malware analysis Patenergy ProjectReview RefKXtOqslbdSPusJo June 16 2025 81949 AM.msg Malicious activity

Add for printing

File name:	Patenergy ProjectReview RefKXtOqslbdSPusJo June 16 2025 81949 AM.msg
Full analysis:	https://app.any.run/tasks/53c5de2b-793e-4a67-9bf3-919d522fa631
Verdict:	Malicious activity
Analysis date:	June 16, 2025, 17:49:38
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	attachments attc-unc phishing obfuscated-js arch-scr phishing wikikit
Indicators:
MIME:	application/vnd.ms-outlook
File info:	CDFV2 Microsoft Outlook Message
MD5:	484B650BB1773B64DB3CDE2765B2D7DE
SHA1:	3D2071E38A840D9B2835A6F67522A24008F9D7FF
SHA256:	B4447357CDACB839757C6C201C11767E4BD8DF1E1E678CE2948B6EC52A709605
SSDEEP:	6144:G5nKQ2VGxy0/WVNQYnNUGZsWbNKVzq0bQHXwjjjjjjjjjjjjjjjjjjjjjjjjjjjw:+nKQ4LjNNNUGRZKlqZI0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- PHISHING has been detected (SURICATA)
  - chrome.exe (PID: 7852)
SUSPICIOUS
- Unnecessary Base64 encoding in Email Subject
  - OUTLOOK.EXE (PID: 3780)
INFO
- Email with attachments
  - OUTLOOK.EXE (PID: 3780)
- Reads Microsoft Office registry keys
  - OpenWith.exe (PID: 3964)
  - firefox.exe (PID: 3572)
- Application launched itself
  - firefox.exe (PID: 6256)
  - firefox.exe (PID: 3572)
  - chrome.exe (PID: 2632)
- Reads security settings of Internet Explorer
  - OpenWith.exe (PID: 3964)
- Manual execution by a user
  - chrome.exe (PID: 2632)
- The sample compiled with english language support
  - firefox.exe (PID: 3572)
- Executable content was dropped or overwritten
  - firefox.exe (PID: 3572)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msg	\|	Outlook Message (58.9)
.oft	\|	Outlook Form Template (34.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

193

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

756

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.127 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffc3b6dfff8,0x7ffc3b6e0004,0x7ffc3b6e0010

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1100

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3860,i,14209115578035964141,4113436889026535934,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=3960 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1268

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=2444,i,14209115578035964141,4113436889026535934,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=2452 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

2632

"C:\Program Files\Google\Chrome\Application\chrome.exe" "--disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints"

C:\Program Files\Google\Chrome\Application\chrome.exe

explorer.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2664

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4364 -prefsLen 44926 -prefMapHandle 4368 -prefMapSize 272997 -jsInitHandle 4372 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 4380 -initialChannelId {ca9388c0-1c06-4492-9272-def457d6de45} -parentPid 3572 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3572" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

3108

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -prefsHandle 2200 -prefsLen 36520 -prefMapHandle 2204 -prefMapSize 272997 -ipcHandle 2212 -initialChannelId {538fc0ec-c163-4a10-9c36-9a173b2bc01e} -parentPid 3572 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3572" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1.dll

3460

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3216,i,14209115578035964141,4113436889026535934,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=3256 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

3572

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\GED7R4QB\Docusign - Project Proposal-Patenergy"

C:\Program Files\Mozilla Firefox\firefox.exe

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

3688

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3264,i,14209115578035964141,4113436889026535934,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

133.0.6943.127

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

3780

"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Patenergy ProjectReview RefKXtOqslbdSPusJo June 16 2025 81949 AM.msg"

C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Outlook

Version:

16.0.16026.20146

Modules

Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

31 615

Read events

30 370

Write events

1 090

Delete events

155

Modification events


(PID) Process:	(3780) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	6
Value: 01941A000000001000B24E9A3E06000000000000000600000000000000
(PID) Process:	(3780) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\3780
Operation:	write	Name:	0
Value: 0B0E10F3A1AC8090F9634F9D845A8A6FE17398230046C884E7E0F0DCF7ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511C41DD2120B6F00750074006C006F006F006B002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:	(3780) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	write	Name:	CantBootResolution
Value: BootSuccess
(PID) Process:	(3780) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	write	Name:	ProfileBeingOpened
Value: Outlook
(PID) Process:	(3780) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	write	Name:	SessionId
Value: C3D8E96E-C1AF-4750-8D52-F4E28119C131
(PID) Process:	(3780) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	write	Name:	BootDiagnosticsLogFile
Value: C:\Users\admin\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16026_20146-20240718T1116060318-1644.etl
(PID) Process:	(3780) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:	delete value	Name:	ProfileBeingOpened
Value:
(PID) Process:	(3780) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3780) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:	write	Name:	OutlookBootFlag
Value: 1
(PID) Process:	(3780) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 2

Add for printing

Executable files

Suspicious files

216

Text files

135

Unknown types

352

Dropped files

PID	Process	Filename		Type
3780	OUTLOOK.EXE	C:\Users\admin\Documents\Outlook Files\Outlook1.pst		—
		MD5:—	SHA256:—
3780	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres		binary
		MD5:EB43BA1407CBBED86720B90CFBF5F34F	SHA256:2F0E55189B05FB7B61F3B0469C801C1A4DAC03B45C56BE393064B6CA0F132DB1
3780	OUTLOOK.EXE	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187		der
		MD5:9004DCA50CF624767773BA61B0F10086	SHA256:02D76B8111C93D5BEE110B2B37E641599FFD85D92E096F3C19A169EDC106C233
3780	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin		text
		MD5:CC90D669144261B198DEAD45AA266572	SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
3780	OUTLOOK.EXE	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187		binary
		MD5:40C4D3BD3D563BA90E6BB9FB8F92F941	SHA256:1ED774BEB857CBD97A6BDDE8B154E88B948F2DFF465D3E9CACF293766EF87F15
3780	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TableViewPreviewPrefs_2_A6FF69AFB0FB40458564676FEA6570D9.dat		xml
		MD5:0E092DB99AEE99FDFF9B5B222C732CFD	SHA256:D1614AD99ADED9F6F5C1BE7FE7FFA5124BD04A526580DA3818EA8A954E852AA6
3780	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\GED7R4QB\Docusign - Project Proposal-Patenergy		image
		MD5:A5743282B683DC61D168949308FA3D54	SHA256:16E9F52BF7DB426404E7942F5C87530CAB1F1D505A11560642B7572262F5E8BF
3780	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\GED7R4QB\Docusign - Project Proposal-Patenergy:Zone.Identifier		text
		MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B	SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
3780	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\GED7R4QB\Docusign - Project Proposal-Patenergy (002)		image
		MD5:A5743282B683DC61D168949308FA3D54	SHA256:16E9F52BF7DB426404E7942F5C87530CAB1F1D505A11560642B7572262F5E8BF
3780	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres		binary
		MD5:4FF117894AD9E3EDA07439FF4AFE285A	SHA256:D4741F1961CCF75D085A047F6D53CADF0A3183F1E015BA641B3DF5CC241360D7

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

164

DNS requests

230

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2464	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
3780	OUTLOOK.EXE	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3572	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	whitelisted
3572	firefox.exe	POST	200	2.16.168.113:80	http://r11.o.lencr.org/	unknown	—	—	whitelisted
3572	firefox.exe	POST	200	142.250.185.67:80	http://o.pki.goog/s/wr3/3H4	unknown	—	—	whitelisted
3572	firefox.exe	POST	200	2.16.168.113:80	http://r11.o.lencr.org/	unknown	—	—	whitelisted
3572	firefox.exe	POST	200	2.23.77.188:80	http://ocsp.digicert.com/	unknown	—	—	whitelisted
3572	firefox.exe	POST	200	104.18.38.233:80	http://ocsp.sectigo.com/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5944	MoUsoCoreWorker.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3108	RUXIMICS.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3780	OUTLOOK.EXE	52.123.128.14:443	ecs.office.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3780	OUTLOOK.EXE	2.16.168.203:443	omex.cdn.office.net	Akamai International B.V.	RU	whitelisted
3780	OUTLOOK.EXE	52.111.240.11:443	messaging.lifecycle.office.com	MICROSOFT-CORP-MSN-AS-BLOCK	SG	whitelisted
2336	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
2464	svchost.exe	40.126.31.73:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.185.174	whitelisted
ecs.office.com	52.123.128.14 52.123.129.14	whitelisted
omex.cdn.office.net	2.16.168.203 2.16.168.206	whitelisted
messaging.lifecycle.office.com	52.111.240.11	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
login.live.com	40.126.31.73 20.190.159.131 40.126.31.0 40.126.31.128 20.190.159.64 40.126.31.69 20.190.159.23 20.190.159.68 40.126.31.1 40.126.31.130 20.190.159.130 20.190.159.73	whitelisted
ocsp.digicert.com	2.23.77.188 2.17.190.73	whitelisted
settings-win.data.microsoft.com	51.104.136.2 20.73.194.208	whitelisted
crl.microsoft.com	2.16.241.12 2.16.241.19	whitelisted
www.microsoft.com	2.23.246.101	whitelisted

Threats

PID	Process	Class	Message
2200	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] hCaptcha Enterprise Challenge
2200	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] hCaptcha Enterprise Challenge
2200	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] hCaptcha Enterprise Challenge
7852	chrome.exe	Not Suspicious Traffic	INFO [ANY.RUN] hCaptcha Enterprise Challenge
7852	chrome.exe	Not Suspicious Traffic	INFO [ANY.RUN] hCaptcha Enterprise Challenge
7852	chrome.exe	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
7852	chrome.exe	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
7852	chrome.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
7852	chrome.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
7852	chrome.exe	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Fake Microsoft Sign-In Page (Logo Request w/o MSlogin)

Add for printing

No debug info

General Info

Patenergy ProjectReview RefKXtOqslbdSPusJo June 16 2025 81949 AM.msg

484B650BB1773B64DB3CDE2765B2D7DE

3D2071E38A840D9B2835A6F67522A24008F9D7FF

B4447357CDACB839757C6C201C11767E4BD8DF1E1E678CE2948B6EC52A709605

6144:G5nKQ2VGxy0/WVNQYnNUGZsWbNKVzq0bQHXwjjjjjjjjjjjjjjjjjjjjjjjjjjjw:+nKQ4LjNNNUGRZKlqZI0

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

PHISHING has been detected (SURICATA)

SUSPICIOUS

Unnecessary Base64 encoding in Email Subject

INFO

Email with attachments

Reads Microsoft Office registry keys

Application launched itself

Reads security settings of Internet Explorer

Manual execution by a user

The sample compiled with english language support

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings