File name:

0e35e3f9ad29a52b090905de08064f1f.eml

Full analysis: https://app.any.run/tasks/839ad15b-6242-4260-9116-5d5e295ca22d
Verdict: Malicious activity
Threats:

Tycoon 2FA is a phishing-as-a-service (PhaaS) platform designed to bypass multi-factor authentication (MFA) protections, particularly targeting Microsoft 365 and Gmail accounts. Its advanced evasion techniques and modular architecture make it a significant threat to organizations relying on MFA for security.

Malware Trends Tracker     >>>
Analysis date: February 24, 2026, 16:16:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
doc-url
attachments
attc-doc
phishing
github
obfuscated-js
tycoon
storm1747
possible-phishing
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (641)
MD5:

5D3535B47A10DA79F01DE43258590369

SHA1:

3A7A3E928E55500ADA613631F70D259238F46CA3

SHA256:

BBEFE942F33831E1EC3BF6AF5EF87089C1E4160F3687C5D6A9846E652FCEBF93

SSDEEP:

6144:btfBmti7ePah9uqJbee4Fwoz6vWDhV9d8bu27hCWH0f38ave:btfBoar7beUozeWDb9d8ThCnf38Ke

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Fake Microsoft Authentication Page has been detected

      • msedge.exe (PID: 2640)

    • PHISHING has been detected (SURICATA)

      • msedge.exe (PID: 3400)

  • SUSPICIOUS

    • Page with zero-length space title

      • msedge.exe (PID: 2640)

    • Time-based JS anti-debugging method is present

      • msedge.exe (PID: 2640)

  • INFO

    • Drops script file

      • msedge.exe (PID: 2640)

    • Manual execution by a user

      • msedge.exe (PID: 2640)
      • EXCEL.EXE (PID: 4332)

    • Suspicious URL found

      • OUTLOOK.EXE (PID: 3112)

    • Checks supported languages

      • identity_helper.exe (PID: 4800)

    • Reads Environment values

      • identity_helper.exe (PID: 4800)

    • Application launched itself

      • msedge.exe (PID: 2640)

    • Reads the computer name

      • identity_helper.exe (PID: 4800)

    • Checks proxy server information

      • slui.exe (PID: 2340)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
181
Monitored processes
30
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe ai.exe no specs msedge.exe msedge.exe no specs #PHISHING msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs excel.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1632"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=6216,i,9349358857593235766,15099637226891822380,262144 --variations-seed-version --mojo-platform-channel-handle=6844 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1856"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3648,i,9349358857593235766,15099637226891822380,262144 --variations-seed-version --mojo-platform-channel-handle=3936 /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2340C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2640"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://impfisioterapia.com/MNM/11.phpC:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2868"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6088,i,9349358857593235766,15099637226891822380,262144 --variations-seed-version --mojo-platform-channel-handle=6100 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3112"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml C:\Users\admin\AppData\Local\Temp\0e35e3f9ad29a52b090905de08064f1f.emlC:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3400"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2268,i,9349358857593235766,15099637226891822380,262144 --variations-seed-version --mojo-platform-channel-handle=2492 /prefetch:3C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4312"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4224,i,9349358857593235766,15099637226891822380,262144 --variations-seed-version --mojo-platform-channel-handle=4276 /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4332"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\AppData\Local\Temp\Mather Corporation.xlsx"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\excel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
4372"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=3896,i,9349358857593235766,15099637226891822380,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
18 501
Read events
17 825
Write events
583
Delete events
93

Modification events

(PID) Process:(3112) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:6
Value:
01941A000000001000B24E9A3E06000000000000000600000000000000
(PID) Process:(3112) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\3112
Operation:writeName:0
Value:
0B0E1066100F957B19154288B80B77A52A8A64230046A8E5AE8D8EB5A9EE016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511A818D2120B6F00750074006C006F006F006B002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(3112) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common
Operation:writeName:SessionId
Value:
DB5E71B402DF1A489D0EDF30037DC20B
(PID) Process:(3112) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\GracefulExit\OUTLOOK\1644
Operation:delete valueName:0
Value:
ซ渐�꿃僁赇臢섙䘱醛ꂾ樁င$驄摽鶲…ީ湕湫睯쥮Ȇ∢්ł¢ᣂ숁씀褎예ﴏ�뾙뚠ǭ჉砃㐶ᇅ೬ዒ漋甀琀氀漀漀欀⸀攀砀攀씀‖ៅ肀줄࠘㈲㈱䐭捥
(PID) Process:(3112) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\GracefulExit\OUTLOOK\1644
Operation:delete keyName:(default)
Value:
(PID) Process:(3112) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\3112
Operation:writeName:0
Value:
0B0E1066100F957B19154288B80B77A52A8A64230046A8E5AE8D8EB5A9EE016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C50E8908C91003783634C511A818D2120B6F00750074006C006F006F006B002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(3112) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:delete valueName:BootCommand
Value:
(PID) Process:(3112) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:delete valueName:BootFailureCount
Value:
(PID) Process:(3112) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:delete keyName:(default)
Value:
(PID) Process:(3112) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:writeName:CantBootResolution
Value:
BootSuccess
Executable files
1
Suspicious files
46
Text files
106
Unknown types
62

Dropped files

PID
Process
Filename
Type
3112OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook1.pst
MD5:
SHA256:
3112OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3C04E07E-385C-4081-9722-7E098761A643xml
MD5:5E6FACEF2F35EF10414ACE29A9768191
SHA256:7229E0F1C0E5210EB2A45F30BE15866247B580A21DAAAF92926A86683F673123
3112OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\olk5215.tmpcompressed
MD5:91DCC20C972DE8238FB5BCEA00598579
SHA256:087D16F41716A11BEE1065B5FB51ACA902BE9A96E9B8A8B4E8A34EFB65AF87A1
3112OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbresbinary
MD5:7F13F242F68185A015BDF5B883A67B85
SHA256:698730D2E21673358C896C7727A1338F62737C3E87FBC51CE865F59E49014647
3112OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbresbinary
MD5:5BC70280F9FA038A2C9062B25F3B2E57
SHA256:A057176886DDC2F0D0A0FB86EB5CF44B5F0F61E99DE2021FED31B42083E5F6CA
3112OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\82A48A73.datimage
MD5:2C43F410C93B4ABB78F705AC176EE2D0
SHA256:D40EB28225125C2707AAFC04BD266BEE59C304DDEC6BAAE4C8F951F0EF031E1C
2640msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1e78b8.TMP
MD5:
SHA256:
2640msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF1e78b8.TMP
MD5:
SHA256:
3112OUTLOOK.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_EAF5D55D93603A879FA973006301F24Fbinary
MD5:8EAD632901C6A8BD41D1C63D386DD478
SHA256:C24A481F50C5DC889535A503499257A9D416CB509C78347B7977F5173A3EAD39
3112OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmbinary
MD5:7D189902A09DD2FC2EE6E2E6C0E4F378
SHA256:EA7E8A0AE2A19E2EF6A04E1B07FB678655B5FC88B69ADECFCE461DE4A15CF332
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
165
TCP/UDP connections
121
DNS requests
129
Threats
28

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3112
OUTLOOK.EXE
GET
200
52.110.17.21:443
https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3
US
xml
187 Kb
whitelisted
3112
OUTLOOK.EXE
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAsMayxGaRewR3PGR9SvwMg%3D
US
binary
471 b
whitelisted
3112
OUTLOOK.EXE
GET
200
204.79.197.203:80
http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBR0TBEVYklX7A9yLoLD9hqmCWDxFgQU3pGGSLehMVkx8UtfB6nciHnaqHYCEzMAAAAPMyBlN%2B5Crk8AAAAAAA8%3D
US
binary
2.23 Kb
whitelisted
3112
OUTLOOK.EXE
GET
200
2.16.168.119:443
https://omex.cdn.office.net/addinclassifier/officesharedentities
NL
text
314 Kb
whitelisted
3112
OUTLOOK.EXE
GET
200
52.111.232.11:443
https://messaging.lifecycle.office.com/getcustommessage16?app=6&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7B950F1066-197B-4215-88B8-0B77A52A8A64%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%22%7D
US
text
542 b
unknown
3112
OUTLOOK.EXE
POST
200
52.110.17.26:443
https://roaming.svc.cloud.microsoft/rs/RoamingSoapService.svc
US
text
654 b
unknown
3112
OUTLOOK.EXE
POST
200
48.209.192.127:443
https://editor.svc.cloud.microsoft/NlEditor/CloudSuggest/V1
US
text
155 b
unknown
356
svchost.exe
POST
200
40.126.32.136:443
https://login.live.com/RST2.srf
US
xml
11.1 Kb
whitelisted
356
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D
US
binary
471 b
whitelisted
356
svchost.exe
POST
200
40.126.32.136:443
https://login.live.com/RST2.srf
US
xml
11.1 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
7236
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
6768
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
8964
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5568
SearchApp.exe
92.123.104.24:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
204.79.197.203:80
oneocsp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
3412
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3112
OUTLOOK.EXE
52.110.17.21:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 216.58.206.78
whitelisted
self.events.data.microsoft.com
  • 20.42.65.84
  • 104.208.16.92
  • 13.89.178.26
whitelisted
www.bing.com
  • 92.123.104.24
  • 92.123.104.21
  • 92.123.104.16
  • 92.123.104.20
  • 92.123.104.18
  • 92.123.104.14
  • 92.123.104.26
  • 92.123.104.19
  • 92.123.104.17
  • 2.16.241.211
  • 2.16.241.201
  • 2.16.241.225
  • 2.16.241.206
  • 2.16.241.207
  • 2.16.241.205
  • 2.16.241.218
  • 2.16.241.219
  • 2.16.241.222
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
officeclient.microsoft.com
  • 52.110.17.21
  • 52.110.17.17
  • 52.110.17.60
  • 52.110.17.28
  • 52.110.17.26
  • 52.110.17.32
  • 52.110.17.38
  • 52.110.17.63
whitelisted
ecs.office.com
  • 52.123.243.72
  • 52.123.243.84
  • 52.123.243.76
  • 52.123.243.70
  • 52.123.243.197
  • 52.123.243.198
  • 52.123.243.95
whitelisted
roaming.svc.cloud.microsoft
  • 52.110.17.26
  • 52.110.17.38
  • 52.110.17.17
  • 52.110.17.60
  • 52.110.17.21
  • 52.110.17.28
  • 52.110.17.63
  • 52.110.17.32
whitelisted

Threats

PID
Process
Class
Message
8964
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
3400
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
3400
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
3400
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
3400
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
3400
msedge.exe
Misc activity
HUNTING [ANY.RUN] Green Spinner browser checking page often used in phishing campaigns
3400
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Bucket Object Storage service (.linodeobjects .com)
3400
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Bucket Object Storage service (.linodeobjects .com)
3400
msedge.exe
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspicious sending of an email address as an unencrypted POST request
3400
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
0e35e3f9ad29a52b090905de08064f1f.eml