File name: 123165 0000 453 Referencia POSIBLE SANCIÓN E INHABILIDAD DEL CARGO 123165 0000 453.msg (the Spanish lure subject reads "Reference: POSSIBLE SANCTION AND DISQUALIFICATION FROM OFFICE"; the dropped executable's name, 01NotificacionElectronica.exe, means "electronic notification")

Full analysis: https://app.any.run/tasks/013aebf9-6405-44a7-b1f8-c7d2a15c642f
Verdict: Malicious activity
Threats:

AsyncRAT is a remote access trojan (RAT) that monitors and remotely controls infected systems. It was published on GitHub as open-source remote administration software, but attackers use it for its extensive malicious functionality.

Analysis date: September 05, 2024, 17:29:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: fileshare, asyncrat, rat, remote, stealer
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 99F3F20CA85B230C2B692AE480B2AA6A
SHA1: B638211E6B3300316C9F1D861BAADCE803737E7B
SHA256: DD3455432845ADCC459F74B64771A78231AAD174229C3157563EC7B40A2D6FD7
SSDEEP: 3072:bILL9Afil9OIHQ2HhYWL+UNtMc3l3/9auGuN5uOuau4+ugunuNYuyu7u+uHu3u7u:eAfilNHQUhYINv8

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • ASYNCRAT has been detected (YARA)

      • MSBuild.exe (PID: 6284)
    • ASYNCRAT has been detected (SURICATA)

      • MSBuild.exe (PID: 6284)
    • Actions look like stealing of personal data

      • MSBuild.exe (PID: 6284)
    • ASYNCRAT has been detected (MUTEX)

      • MSBuild.exe (PID: 6284)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • msedge.exe (PID: 6992)
      • msedge.exe (PID: 6908)
      • WinRAR.exe (PID: 7864)
      • 01NotificacionElectronica.exe (PID: 7488)
    • Executable content was dropped or overwritten

      • 01NotificacionElectronica.exe (PID: 7488)
    • Connects to unusual port

      • MSBuild.exe (PID: 6284)
    • Contacting a server suspected of hosting a CnC

      • MSBuild.exe (PID: 6284)
    • Starts CMD.EXE for commands execution

      • 01NotificacionElectronica.exe (PID: 7488)
      • 01NotificacionElectronica.exe (PID: 8104)
  • INFO

    • Application launched itself

      • msedge.exe (PID: 6908)
    • The process uses the downloaded file

      • OUTLOOK.EXE (PID: 376)
      • msedge.exe (PID: 8064)
      • WinRAR.exe (PID: 7864)
    • Manual execution by a user

      • msedge.exe (PID: 6908)
      • WinRAR.exe (PID: 7864)
      • 01NotificacionElectronica.exe (PID: 7488)
      • 01NotificacionElectronica.exe (PID: 8104)
    • Attempting to use file storage service

      • msedge.exe (PID: 6992)
    • Reads the computer name

      • identity_helper.exe (PID: 1812)
      • 01NotificacionElectronica.exe (PID: 7488)
      • MSBuild.exe (PID: 6284)
      • 01NotificacionElectronica.exe (PID: 8104)
    • Checks supported languages

      • identity_helper.exe (PID: 1812)
      • 01NotificacionElectronica.exe (PID: 7488)
      • MSBuild.exe (PID: 6284)
      • 01NotificacionElectronica.exe (PID: 8104)
    • Reads Environment values

      • identity_helper.exe (PID: 1812)
    • Reads the software policy settings

      • slui.exe (PID: 1656)
      • slui.exe (PID: 7284)
      • MSBuild.exe (PID: 6284)
    • Sends debugging messages

      • msedge.exe (PID: 6232)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7864)
    • Creates files or folders in the user directory

      • 01NotificacionElectronica.exe (PID: 7488)
    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 6284)
    • Checks proxy server information

      • slui.exe (PID: 7284)
    • Create files in a temporary directory

      • 01NotificacionElectronica.exe (PID: 7488)
      • 01NotificacionElectronica.exe (PID: 8104)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

AsyncRAT configuration (extracted from MSBuild.exe, PID 6284)

C2: ansss2608.duckdns.org
Port: 9003
Version: CRACKED BY https://t.me/xworm_v2
Options:
  AutoRun: false
  Mutex: AsyncMutex_6SIkaPnk
  InstallFolder: %AppData%
Certificates:
  Cert1 (server certificate, base64 DER, truncated in the report): MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwNDI1MDA0MTA5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKT9nYYTjYTZhY+g1tekZ8/F29gsEIDgf/8odvCbCmYKGGZZi2yND9NjtBXEMANM9PAXCyMapGva...
  Server_Signature (base64, truncated in the report): ZRDfDGRYzuX7x2cZSRXceFLaXHYPpqmf0eLNNdG75Tp76nii3CXINC/OxlOFKxDL5y+OyFQXgAxbJZwtRIFTQl/HMq4JtR9KH71EHn8lRFuSjEU9tEIDmpzqKAw5DqPFI0qn2QpyZaYNOM5Fksyb5hS0/l5BNzDUJY7ZnIgrQKmUenSbj6IPIImZvbI1PQSMTqCWfQQ7qQiez48UtAd1DLWE/HoM20liK3dlIJnyfUKqtpd3xQ0bjL77Um3etHlFL7wBnXf9xkXegDZ+chFJrKgwQRiOr/7GQtCR6iNwx/EA...
Keys:
  AES: 1d76f709e4e62a26d6721db00d8e870a1e359ba54fc2f03855277a3eb4d80ba4
  Salt: bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941

Reading the configuration: the C2 is a DuckDNS dynamic-DNS name on the non-standard port 9003, which is what the "Connects to unusual port" signature and the DYNAMIC_DNS network alerts below are reacting to; the version string shows a cracked builder redistributed through a Telegram channel; the 32-byte Salt is the constant hard-coded in the public AsyncRAT source for its PBKDF2 key derivation, so the AES value is the derived 256-bit key the client uses for its traffic rather than the operator's original key string; the Mutex name is what the "ASYNCRAT has been detected (MUTEX)" signature matched.
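The Cert1 value in the configuration is the X.509 certificate the AsyncRAT server presents on its TLS listener, and it is the artifact the "AsyncRAT SSL certificate" network signature keys on. The following is an added example, not code from the report or from AsyncRAT: a minimal DER walker that decodes the certificate prefix exactly as printed (the report truncates it with "...", so the RSA modulus, extensions and signature are missing) and pulls out the fields that make the certificate recognisable. It reads only tag/length headers that lie inside the blob, so it stops cleanly at the truncation instead of failing; the only data it needs is the base64 prefix above, copied into the script.

```python
import base64

# Base64 DER prefix of "Cert1" exactly as printed in the report's AsyncRAT
# configuration; the report truncates the value with "...", so the RSA modulus,
# extensions and signature are absent. Everything this script reads is present.
CERT1_PREFIX_B64 = (
    "MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9B"
    "c3luY1JBVCBTZXJ2ZXIwIBcNMjIwNDI1MDA0MTA5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMM"
    "D0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKT9nYYTjYTZhY+g"
    "1tekZ8/F29gsEIDgf/8odvCbCmYKGGZZi2yND9NjtBXEMANM9PAXCyMapGva"
)

OID_COMMON_NAME = "2.5.4.3"


def tlv(buf, pos):
    """Decode one DER tag/length header at pos; return (tag, value_offset, value_length).
    Only the header must lie inside buf: the value may run past the end, which is
    exactly what happens with a truncated certificate."""
    if pos + 2 > len(buf):
        raise ValueError(f"DER header truncated at offset {pos}")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, first
    n = first & 0x7F
    if pos + 2 + n > len(buf):
        raise ValueError(f"DER length bytes truncated at offset {pos}")
    return tag, pos + 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def decode_oid(raw):
    """Dotted-decimal form of a DER-encoded OBJECT IDENTIFIER value."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def common_name(buf, pos):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value }; return the CN string."""
    _, start, length = tlv(buf, pos)
    p = start
    while p < start + length:
        _, set_v, set_l = tlv(buf, p)
        _, atv_v, _ = tlv(buf, set_v)
        _, oid_v, oid_l = tlv(buf, atv_v)
        _, val_v, val_l = tlv(buf, oid_v + oid_l)
        if decode_oid(buf[oid_v:oid_v + oid_l]) == OID_COMMON_NAME:
            return buf[val_v:val_v + val_l].decode("utf-8")
        p = set_v + set_l
    return None


def summarize_cert_prefix(b64):
    """Walk Certificate -> tbsCertificate and collect the fingerprintable fields."""
    buf = base64.b64decode(b64)
    _, cert_v, cert_l = tlv(buf, 0)          # Certificate SEQUENCE
    _, p, _ = tlv(buf, cert_v)               # tbsCertificate; p walks its children
    tag, v, l = tlv(buf, p)
    if tag == 0xA0:                          # [0] EXPLICIT version (optional)
        p = v + l
    _, v, l = tlv(buf, p)                    # serialNumber INTEGER
    serial = buf[v:v + l].hex()
    p = v + l
    _, v, l = tlv(buf, p)                    # signature AlgorithmIdentifier
    _, oid_v, oid_l = tlv(buf, v)
    sig_alg = decode_oid(buf[oid_v:oid_v + oid_l])
    p = v + l
    issuer = common_name(buf, p)             # issuer Name
    _, v, l = tlv(buf, p)
    p = v + l
    _, v, l = tlv(buf, p)                    # validity SEQUENCE { notBefore, notAfter }
    _, nb_v, nb_l = tlv(buf, v)
    _, na_v, na_l = tlv(buf, nb_v + nb_l)
    not_before = buf[nb_v:nb_v + nb_l].decode("ascii")
    not_after = buf[na_v:na_v + na_l].decode("ascii")
    p = v + l
    subject = common_name(buf, p)            # subject Name
    _, v, l = tlv(buf, p)
    p = v + l
    _, spki_v, _ = tlv(buf, p)               # SubjectPublicKeyInfo
    _, alg_v, alg_l = tlv(buf, spki_v)       # algorithm (rsaEncryption)
    _, bits_v, _ = tlv(buf, alg_v + alg_l)   # subjectPublicKey BIT STRING
    _, rsa_v, _ = tlv(buf, bits_v + 1)       # RSAPublicKey SEQUENCE, after the unused-bits byte
    _, mod_v, mod_l = tlv(buf, rsa_v)        # modulus INTEGER (its value is cut off)
    key_bits = (mod_l - 1) * 8 if buf[mod_v] == 0 else mod_l * 8
    return {
        "complete": cert_v + cert_l <= len(buf),
        "serial": serial,
        "signature_algorithm": sig_alg,
        "issuer_cn": issuer,
        "subject_cn": subject,
        "not_before": not_before,
        "not_after": not_after,
        "self_signed": issuer == subject,
        "rsa_key_bits": key_bits,
    }


if __name__ == "__main__":
    for key, value in summarize_cert_prefix(CERT1_PREFIX_B64).items():
        print(f"{key:>20}: {value}")
```

What comes out is the stock AsyncRAT server certificate profile: issuer and subject are both CN=AsyncRAT Server, the certificate is self-signed with sha512WithRSAEncryption (OID 1.2.840.113549.1.1.13) over a 4096-bit RSA key, and the validity runs from the operator's build date to 9999-12-31. Those are exactly the attributes a TLS-certificate rule can match on without needing the full certificate or a JA3 hash, and they are why `complete` is False yet every field of interest is still recoverable.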

TRiD

.msg | Outlook Message (58.9%)
.oft | Outlook Form Template (34.4%)
All screenshots are available in the full report
Total processes: 218
Monitored processes: 76
Malicious processes: 3
Suspicious processes: 0

Behavior graph

(The process graph is rendered as an image in the full report; only its node labels survive here.) Nodes in the order drawn: outlook.exe, ai.exe, sppextcomobj.exe, slui.exe, rundll32.exe, msedge.exe with its many utility and renderer children, identity_helper.exe, a second slui.exe, winrar.exe, 01notificacionelectronica.exe, cmd.exe, conhost.exe, msbuild.exe (tagged #ASYNCRAT), svchost.exe, and a second 01notificacionelectronica.exe, cmd.exe, conhost.exe and msbuild.exe. Nodes labelled "no specs" carried no behavioural indicators.

Process information

PID: 376
CMD: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\123165 0000 453 Referencia POSIBLE SANCIÓN E INHABILIDAD DEL CARGO 123165 0000 453.msg"
Path: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1232
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6708 --field-trial-handle=2352,i,11083991916955006278,7467943502431452234,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1568
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=8032 --field-trial-handle=2352,i,11083991916955006278,7467943502431452234,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1656
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1744
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=5244 --field-trial-handle=2352,i,11083991916955006278,7467943502431452234,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1812
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5692 --field-trial-handle=2352,i,11083991916955006278,7467943502431452234,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
PID: 1840
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6248 --field-trial-handle=2352,i,11083991916955006278,7467943502431452234,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2256
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2268
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3500 --field-trial-handle=2352,i,11083991916955006278,7467943502431452234,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2368
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=1144 --field-trial-handle=2352,i,11083991916955006278,7467943502431452234,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 25 762
Read events: 24 424
Write events: 1 171
Delete events: 167

Modification events

PID 376 OUTLOOK.EXE, key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation: write, name: 6
Value: 01941A000000001000B24E9A3E06000000000000000600000000000000

PID 376 OUTLOOK.EXE, key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\376
Operation: write, name: 0
Value: 0B0E10085C3C5DEE64184598BE05EBD1D012C6230046BEE195AB92F7BFED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511F802D2120B6F00750074006C006F006F006B002E00650078006500C51620C517808004C91808323231322D44656300

PID 376 OUTLOOK.EXE, key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation: delete value, name: BootCommand

PID 376 OUTLOOK.EXE, key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation: delete value, name: BootFailureCount

PID 376 OUTLOOK.EXE, key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation: delete key, name: (default)

PID 376 OUTLOOK.EXE, key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation: write, name: CantBootResolution
Value: BootSuccess

PID 376 OUTLOOK.EXE, key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation: write, name: ProfileBeingOpened
Value: Outlook

PID 376 OUTLOOK.EXE, key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation: write, name: SessionId
Value: C3D8E96E-C1AF-4750-8D52-F4E28119C131

PID 376 OUTLOOK.EXE, key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation: write, name: BootDiagnosticsLogFile
Value: C:\Users\admin\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16026_20146-20240718T1116060318-1644.etl

PID 376 OUTLOOK.EXE, key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation: delete value, name: ProfileBeingOpened

All of the registry activity shown in this excerpt is Outlook's own boot diagnostics and telemetry bookkeeping; none of it belongs to the dropped executable or to the MSBuild.exe process hosting the RAT.
Executable files: 21
Suspicious files: 688
Text files: 208
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type, followed by the MD5 and SHA256 the report recorded ("-" where it recorded none)

376 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook1.pst | -
MD5: -
SHA256: -
6908 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF13619b.TMP | -
MD5: -
SHA256: -
6908 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old | -
MD5: -
SHA256: -
376 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres | binary
MD5: 3DBDEC66058D8123929C55909548B143
SHA256: 3615C0A963E79E8DA2FF9EA18692D3A91D3503F9716FEEF126A30E6F347BD4FE
6908 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF1361ab.TMP | -
MD5: -
SHA256: -
6908 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old | -
MD5: -
SHA256: -
376 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | binary
MD5: 48C9FC22E93E192281A67195B6B6563C
SHA256: 8B46D80511C3773F4042370D09453728708C5AD56AF2F37F85D61B5D5F832F7F
376 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres | binary
MD5: D550A95D33C67EA90865E62DFF614059
SHA256: E94C5D014E2FB43B8B15AA969958D33BE4C9B9824392932CE32A204F03704DEE
376 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\PLPSL1ST\POSIBLE SANCIÓN E INHABILIDAD DEL CARGO.svg:Zone.Identifier | text
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
6908 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG.old~RF13618c.TMP | text
MD5: 14B091DD8CB3D636D70A696F49E960EA
SHA256: E541B23B9E614A91E599ECFB0150D7BEA56DF139C4AA64736637FD3CA3135D4E

The Zone.Identifier stream written under Content.Outlook shows that the message's attachment was an SVG file ("POSIBLE SANCIÓN E INHABILIDAD DEL CARGO.svg") saved to Outlook's attachment cache; the Edge processes that follow (PID 6908, "uses the downloaded file", and PID 6992 reaching gofile.io) are consistent with the browser opening that SVG and the user fetching the archive from the file-sharing site.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 50
TCP/UDP connections: 148
DNS requests: 159
Threats: 14

HTTP requests

Columns: PID | Process | Method | HTTP code | IP | URL | CN | Reputation (the extracted rows carry one value between URL and Reputation, shown here under CN; Type and Size were not captured)

2108 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5796 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
376 | OUTLOOK.EXE | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted
7140 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7140 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
2224 | svchost.exe | HEAD | 200 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/947fa2d4-1c00-401f-8f00-bf9b775f5d37?P1=1725971716&P2=404&P3=2&P4=kzbNEyYaRcX0uWaYvrMIt2GdKeiZYSUXG2pQdJnd1kiWXuOGYDsGaB5V4NirIyNLgTdyIR8L5WF58yqZDmee8A%3d%3d | unknown | whitelisted
2224 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/947fa2d4-1c00-401f-8f00-bf9b775f5d37?P1=1725971716&P2=404&P3=2&P4=kzbNEyYaRcX0uWaYvrMIt2GdKeiZYSUXG2pQdJnd1kiWXuOGYDsGaB5V4NirIyNLgTdyIR8L5WF58yqZDmee8A%3d%3d | unknown | whitelisted
2224 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/947fa2d4-1c00-401f-8f00-bf9b775f5d37?P1=1725971716&P2=404&P3=2&P4=kzbNEyYaRcX0uWaYvrMIt2GdKeiZYSUXG2pQdJnd1kiWXuOGYDsGaB5V4NirIyNLgTdyIR8L5WF58yqZDmee8A%3d%3d | unknown | whitelisted
7740 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
2224 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/947fa2d4-1c00-401f-8f00-bf9b775f5d37?P1=1725971716&P2=404&P3=2&P4=kzbNEyYaRcX0uWaYvrMIt2GdKeiZYSUXG2pQdJnd1kiWXuOGYDsGaB5V4NirIyNLgTdyIR8L5WF58yqZDmee8A%3d%3d | unknown | whitelisted

Every request in this excerpt is Windows or Office background traffic (OCSP and CRL fetches, Edge update delivery). The RAT's own session is TLS to ansss2608.duckdns.org on port 9003 and therefore appears in the threat alerts rather than here.

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation ("-" where the report shows nothing)

6424 | RUXIMICS.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5796 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
376 | OUTLOOK.EXE | 52.113.194.132:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5796 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5796 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
376 | OUTLOOK.EXE | 23.48.23.18:443 | omex.cdn.office.net | Akamai International B.V. | DE | whitelisted
376 | OUTLOOK.EXE | 52.111.236.7:443 | messaging.lifecycle.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
376 | OUTLOOK.EXE | 13.69.239.72:443 | self.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Columns: Domain: resolved IPs (Reputation)

google.com: 216.58.206.46 (whitelisted)
ecs.office.com: 52.113.194.132 (whitelisted)
settings-win.data.microsoft.com: 51.124.78.146, 40.119.249.228, 51.104.136.2, 20.73.194.208 (whitelisted)
www.microsoft.com: 184.30.21.171 (whitelisted)
omex.cdn.office.net: 23.48.23.18, 23.48.23.30 (whitelisted)
messaging.lifecycle.office.com: 52.111.236.7 (whitelisted)
self.events.data.microsoft.com: 13.69.239.72 (whitelisted)
ocsp.digicert.com: 192.229.221.95 (whitelisted)
odc.officeapps.live.com: 52.109.28.48 (whitelisted)
client.wns.windows.com: 40.113.110.67, 40.115.3.253 (whitelisted)

Threats

Columns: PID | Process | Class | Message

6992 | msedge.exe | Potentially Bad Traffic | ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
6992 | msedge.exe | Potentially Bad Traffic | ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
6992 | msedge.exe | Misc activity | ET INFO File Sharing Related Domain in TLS SNI (gofile .io)
6992 | msedge.exe | Misc activity | ET INFO File Sharing Related Domain in TLS SNI (gofile .io)
6992 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Downloading from a file sharing service is observed
2256 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2256 | svchost.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
2256 | svchost.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
2256 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
6284 | MSBuild.exe | Domain Observed Used for C2 Detected | REMOTE [ANY.RUN] AsyncRAT SSL certificate

1 ETPRO signature is available in the full report. The DNS alerts are attributed to svchost.exe (PID 2256, the Dnscache service host) because the resolver sends the query on behalf of the requesting process; the requester for ansss2608.duckdns.org is the MSBuild.exe process holding the RAT.
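The signatures and network alerts in this report (MSBuild.exe connecting to an unusual port, the DuckDNS lookup, the gofile.io download, a dropped executable starting cmd.exe) translate directly into host hunting logic. The following is an added example, not part of the ANY.RUN report or of any ANY.RUN tooling: those rules applied to constructed Sysmon-style events that mirror this run. The PIDs, image names, the DuckDNS host and port 9003 follow the report; the MSBuild.exe path, the extraction directory, the parent of the dropped executable and the PID of cmd.exe are assumptions, and the three .NET utility hosts listed beside MSBuild.exe are a generalisation not shown on this page.

```python
import re

# Constructed Sysmon-style events (not taken from the report's EVTX or PCAP).
# id 1 = process creation, 3 = network connection, 22 = DNS query.
# PIDs, image names, the DuckDNS host and port 9003 follow the report; the
# MSBuild.exe path, the WinRAR extraction directory, the parent of the dropped
# executable and the cmd.exe PID are assumed.
DROPPED_EXE = r"C:\Users\admin\AppData\Local\Temp\Rar$EXa7864.1\01NotificacionElectronica.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    {"id": 1, "pid": 7864, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 7488, "image": DROPPED_EXE, "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 8120, "image": r"C:\Windows\System32\cmd.exe", "parent_image": DROPPED_EXE},
    {"id": 1, "pid": 6284, "image": MSBUILD, "parent_image": DROPPED_EXE},
    {"id": 22, "pid": 6992, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "query": "gofile.io"},
    # Suricata attributes the lookup to the Dnscache svchost.exe, as in the report;
    # Sysmon would attribute it to the requesting process instead. The rule does not care.
    {"id": 22, "pid": 2256, "image": r"C:\Windows\System32\svchost.exe",
     "query": "ansss2608.duckdns.org"},
    {"id": 3, "pid": 6284, "image": MSBUILD, "dest_host": "ansss2608.duckdns.org", "dest_port": 9003},
    {"id": 3, "pid": 376, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest_host": "ecs.office.com", "dest_port": 443},
]

USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
# MSBuild.exe is the host the report observed; the other three are .NET utilities
# commonly abused the same way (an assumption, not something this report shows).
DOTNET_HOSTS = {"msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe"}
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
WEB_PORTS = {80, 443}
DYNDNS_SUFFIXES = (".duckdns.org",)        # the provider seen in the report
FILE_SHARE_DOMAINS = ("gofile.io",)         # the download source seen in the report
LAUNCHERS = {"outlook.exe", "winrar.exe", "msedge.exe", "explorer.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Apply the rules to a list of events; return (rule, pid, detail) tuples."""
    hits = []
    for e in events:
        image = basename(e["image"])
        if e["id"] == 1:
            parent = basename(e["parent_image"])
            if USER_WRITABLE.match(e["image"]) and parent in LAUNCHERS:
                hits.append(("exe_launched_from_user_writable_path", e["pid"], e["image"]))
            if image == "cmd.exe" and USER_WRITABLE.match(e["parent_image"]):
                hits.append(("cmd_spawned_by_dropped_exe", e["pid"], e["parent_image"]))
            if image in DOTNET_HOSTS and parent not in BUILD_PARENTS:
                hits.append(("dotnet_host_outside_build", e["pid"], e["parent_image"]))
        elif e["id"] == 3:
            if image in DOTNET_HOSTS and e["dest_port"] not in WEB_PORTS:
                hits.append(("dotnet_host_unusual_port", e["pid"],
                             f"{e['dest_host']}:{e['dest_port']}"))
        elif e["id"] == 22:
            q = e["query"].lower().rstrip(".")
            if q.endswith(DYNDNS_SUFFIXES):
                hits.append(("dynamic_dns_query", e["pid"], q))
            if any(q == d or q.endswith("." + d) for d in FILE_SHARE_DOMAINS):
                hits.append(("file_share_lookup", e["pid"], q))
    return hits


def verdict(hits):
    """Escalate on the stacked pattern, not on any single weak signal: a .NET build
    host talking to a non-web port is the RAT itself; a dynamic-DNS lookup or an
    unexpected parent alongside it confirms the chain."""
    rules = {h[0] for h in hits}
    if "dotnet_host_unusual_port" in rules and rules & {"dynamic_dns_query", "dotnet_host_outside_build"}:
        return "malicious"
    if rules & {"cmd_spawned_by_dropped_exe", "file_share_lookup", "dynamic_dns_query"}:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for rule, pid, detail in found:
        print(f"{rule:<38} pid={pid:<5} {detail}")
    print("verdict:", verdict(found))
```

The rules are deliberately split into one strong signal (a .NET build host, which has no business opening sockets on its own, connecting to a non-web port) and several weak ones (a user launching an executable from a user-writable path, a file-sharing lookup, a dynamic-DNS lookup) that only raise the verdict when they stack with it; Outlook's own connection to ecs.office.com on 443 produces nothing, which is the false-positive check.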
Debug output

Columns: Process | Message

msedge.exe | [0905/173046.118:WARNING:device_ticket.cc(151)] Timed out waiting for device ticket. Canceling async operation.
msedge.exe | [0905/173047.337:ERROR:process_memory_win.cc(74)] ReadMemory at 0x7ff6278d0000 of 64 bytes failed: Only part of a ReadProcessMemory or WriteProcessMemory request was completed. (0x12B)
msedge.exe | [0905/173047.337:WARNING:pe_image_reader.cc(340)] could not read dos header from C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
msedge.exe | [0905/173047.337:ERROR:process_memory_win.cc(74)] ReadMemory at 0x7ffff85f0000 of 64 bytes failed: Only part of a ReadProcessMemory or WriteProcessMemory request was completed. (0x12B)
msedge.exe | [0905/173047.337:WARNING:pe_image_reader.cc(340)] could not read dos header from C:\WINDOWS\SYSTEM32\ntdll.dll
msedge.exe | [0905/173047.337:ERROR:process_memory_win.cc(74)] ReadMemory at 0x7ffff6f10000 of 64 bytes failed: Only part of a ReadProcessMemory or WriteProcessMemory request was completed. (0x12B)
msedge.exe | [0905/173047.337:WARNING:pe_image_reader.cc(340)] could not read dos header from C:\WINDOWS\System32\KERNEL32.DLL
msedge.exe | [0905/173047.337:ERROR:process_memory_win.cc(74)] ReadMemory at 0x7ffff5da0000 of 64 bytes failed: Only part of a ReadProcessMemory or WriteProcessMemory request was completed. (0x12B)
msedge.exe | [0905/173047.337:WARNING:pe_image_reader.cc(340)] could not read dos header from C:\WINDOWS\System32\KERNELBASE.dll
msedge.exe | [0905/173047.337:ERROR:process_memory_win.cc(74)] ReadMemory at 0x7fffcf550000 of 64 bytes failed: Only part of a ReadProcessMemory or WriteProcessMemory request was completed. (0x12B)

These are Edge's own crash-reporter messages (its crashpad handler reading module headers out of a sibling process); they are browser noise in the sandbox, not activity of the malware.