File name: Explore Key Topics at these 6 Partner Events During DISTRIBUTECH 2025.msg

Full analysis: https://app.any.run/tasks/dcad882d-13c5-406e-a0e0-df2e08606a3a
Verdict: Malicious activity
Analysis date: January 10, 2025, 23:22:14
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
phishing
phish-url
amazon-ses
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 36D600854E185B33F4D18657AC289D89
SHA1: ACEEB4DA815F8B78D6D3EBBECF4F653053FD1B51
SHA256: D9E1304650F512D28339453D8AD577DDEE9A09C980991709A720ADC39A4D5EEC
SSDEEP: 6144:orN50+YC+7T1BPzEv0nkcn73iUE6SILoFy80dsnxUN2Q+yPha5A/RA9Mq/LLYBHI:e50+YC+7T1BPzEv0nkcn73E6Sn480dsX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Suspicious URL found

      • OUTLOOK.EXE (PID: 3732)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • The process uses the downloaded file

      • OUTLOOK.EXE (PID: 3732)
    • Email came from third-party service (Amazon SES)

      • OUTLOOK.EXE (PID: 3732)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 134
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> outlook.exe -> ai.exe (no specs)

Process information

PID: 3732
CMD: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Explore Key Topics at these 6 Partner Events During DISTRIBUTECH 2025.msg"
Path: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Exit code: 0
Version: 16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 6676
CMD: "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "AE9787B3-160E-427F-8C4D-C850AC8B4258" "F96DEC51-2FA6-4C7E-AE44-750B0ABF45B2" "3732"
Path: C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Exit code: 0
Version: 0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\sechost.dll
Total events: 9 435
Read events: 9 053
Write events: 327
Delete events: 55

Modification events

(PID) Process: (3732) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation: write
Name: 6
Value: 01941A000000001000B24E9A3E06000000000000000600000000000000

(PID) Process: (3732) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\3732
Operation: write
Name: 0
Value: 0B0E1063B23B77FD05754985CF26F9BF89B15D230046839EE986E8F6D8ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511941DD2120B6F00750074006C006F006F006B002E00650078006500C51620C517808004C91808323231322D44656300

(PID) Process: (3732) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation: delete value
Name: BootCommand
Value:

(PID) Process: (3732) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation: delete value
Name: BootFailureCount
Value:

(PID) Process: (3732) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation: delete key
Name: (default)
Value:

(PID) Process: (3732) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation: write
Name: CantBootResolution
Value: BootSuccess

(PID) Process: (3732) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation: write
Name: ProfileBeingOpened
Value: Outlook

(PID) Process: (3732) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation: write
Name: SessionId
Value: C3D8E96E-C1AF-4750-8D52-F4E28119C131

(PID) Process: (3732) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation: write
Name: BootDiagnosticsLogFile
Value: C:\Users\admin\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16026_20146-20240718T1116060318-1644.etl

(PID) Process: (3732) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation: delete value
Name: ProfileBeingOpened
Value:
Executable files: 0
Suspicious files: 55
Text files: 31
Unknown types: 7

Dropped files

PID 3732, OUTLOOK.EXE
Filename: C:\Users\admin\Documents\Outlook Files\Outlook1.pst
Type:
MD5:
SHA256:

PID 3732, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TableViewPreviewPrefs_2_2BF299A9B149484CBA1B84D439281CCB.dat
Type: xml
MD5: 0E092DB99AEE99FDFF9B5B222C732CFD
SHA256: D1614AD99ADED9F6F5C1BE7FE7FFA5124BD04A526580DA3818EA8A954E852AA6

PID 3732, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin
Type: text
MD5: CC90D669144261B198DEAD45AA266572
SHA256: 89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899

PID 3732, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_55209007C2DA2D56C1F9D41F7B3BBB66
Type: binary
MD5: A4B8FAC47ACC00D37C9AEE9594BCD8EF
SHA256: F175503871B836667BF2DE8762B322821A3E15F459EC40CA059D24595A6F9A10

PID 3732, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin
Type: text
MD5: 4B55D528B0CE697F129ECBA7C39A4DF8
SHA256: DFC66269D6D0C6FAD954EDC7E3468B9F7B6D1A3A4A57CBBCC0A592E3D15DF0A6

PID 3732, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Type: binary
MD5: 9D4659F61009D6CEDB128E5CA822183A
SHA256: BDDB76B772734E96DB1BEF3CD025954BC635B4D2BB90864AF74922B378CD2E22

PID 3732, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_55209007C2DA2D56C1F9D41F7B3BBB66
Type: binary
MD5: 20115909D1E8D17ED11CFB439180D85F
SHA256: 35BD564EA6612A6C62949EF2AFCD600F156CCEF31893F62AABD213DD14E2FD78

PID 3732, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
Type: binary
MD5: 1D1750F678556C6042F93BB70BE7728B
SHA256: C228281E50E50F36E0DFCC6596963A91D5CE34652656746B2E99F5A8DA13C6BA

PID 3732, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Type: binary
MD5: 1799B1AFA4EBC5907FA2AB2D8126E34E
SHA256: B3DE8118672DCF1914A789883E15AA3D2A29EDD7A2C3413377FEECD80561A99C

PID 3732, OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Type: binary
MD5: 6FB94A2F4E2C5F4161A26DF9AF990757
SHA256: 428203A88C03FCB12BC16FE9B5F52DCE94ED5A8CD6022032D6F52B25D8306B70
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 23
TCP/UDP connections: 82
DNS requests: 32
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
3732 | OUTLOOK.EXE | GET | 200 | 142.250.184.227:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | whitelisted
716 | svchost.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3732 | OUTLOOK.EXE | GET | - | 18.66.145.213:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkzUBtJnwJkc3SmanzgxeYU%3D | unknown | -
716 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
3732 | OUTLOOK.EXE | GET | 200 | 172.217.18.3:80 | http://c.pki.goog/r/r1.crl | unknown | whitelisted
3732 | OUTLOOK.EXE | GET | 200 | 95.101.54.131:80 | http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgSKVbsUjxHHnGvUCyV6STazqw%3D%3D | unknown | whitelisted
3732 | OUTLOOK.EXE | GET | 200 | 2.23.197.184:80 | http://x1.c.lencr.org/ | unknown | whitelisted
3732 | OUTLOOK.EXE | GET | 301 | 50.87.230.228:80 | http://creative-ops.us/creative-ops.us/clarion/2025/DT2-1685/images/li-pink-63px.png | unknown | -
3732 | OUTLOOK.EXE | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
(Type and Size columns were not captured in this export; "-" marks a cell that was empty.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
716 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1228 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3732 | OUTLOOK.EXE | 52.113.194.132:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3732 | OUTLOOK.EXE | 2.19.198.51:443 | omex.cdn.office.net | Akamai International B.V. | DE | whitelisted
3732 | OUTLOOK.EXE | 52.111.243.12:443 | messaging.lifecycle.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
716 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
716 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
("-" marks a cell that was empty in the export.)

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 4.231.128.59, 20.73.194.208 | whitelisted
google.com | 142.250.186.78 | whitelisted
ecs.office.com | 52.113.194.132 | whitelisted
omex.cdn.office.net | 2.19.198.51, 2.19.198.56 | whitelisted
messaging.lifecycle.office.com | 52.111.243.12 | whitelisted
crl.microsoft.com | 2.16.241.19, 2.16.241.12 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
self.events.data.microsoft.com | 40.79.173.41 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
fonts.googleapis.com | 172.217.16.202 | whitelisted

Threats

No threats detected
No debug info