File name:

DownloadedMessage (5).zip

Full analysis: https://app.any.run/tasks/7532f352-fdde-458d-82ed-42da5bd12f35
Verdict: Malicious activity
Analysis date: July 09, 2025, 00:49:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
phishing
knowbe4
attachments
attc-doc
phish-microsoft
brand-microsoft
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

E1054BD365A65F1C25800E57DEB166CF

SHA1:

6A8FB6C5E5EB2F56A63D3C67AE6ADF4D8C7BD4C5

SHA256:

DE922383DF6AF663F13370D665C43F81ED936380A59752A2988C472A2208EA22

SSDEEP:

6144:22n5vA8vZ4cTVV8+TrSX1vyd6/XNvKndZdlfqoawO7Ev+:2M5I8R4eVV8+TSifdlfqoRJ2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Phishing has been detected

      • OUTLOOK.EXE (PID: 4968)
      • WinRAR.exe (PID: 320)
      • WINWORD.EXE (PID: 4040)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 320)

    • Reads Microsoft Outlook installation path

      • WinRAR.exe (PID: 320)

  • INFO

    • Microsoft logo has been found

      • WinRAR.exe (PID: 320)
      • OUTLOOK.EXE (PID: 4968)
      • WINWORD.EXE (PID: 4040)

    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 320)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2025:07:09 00:49:18
ZipCRC: 0x1a41cba1
ZipCompressedSize: 226133
ZipUncompressedSize: 302587
ZipFileName: Message.eml
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
144
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs outlook.exe ai.exe no specs winword.exe no specs winword.exe ai.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
320"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\DownloadedMessage (5).zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1720"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /EmbeddingC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEOUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Word
Exit code:
3221225506
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
2140"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "0D5A3C7E-CA67-46AC-AECC-0955961531D3" "977F9725-35CF-4242-B678-5132878F40A3" "4040"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Exit code:
0
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
4040"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\CMR59FUX\statement.doc" /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
4576C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4836"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "78AFAE75-5B5A-4DCB-8373-72E830915F85" "53C116FC-1178-4BD1-9622-BE8680AB3BAC" "4968"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeOUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
4968"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\Rar$DIb320.116\Message.eml"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\program files\microsoft office\root\office16\vcruntime140_1.dll
c:\windows\system32\sechost.dll
Total events
23 198
Read events
22 552
Write events
573
Delete events
73

Modification events

(PID) Process:(320) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(320) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(320) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(320) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(320) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(320) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\DownloadedMessage (5).zip
(PID) Process:(320) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(320) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(320) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(320) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
0
Suspicious files
24
Text files
12
Unknown types
10

Dropped files

PID
Process
Filename
Type
4968OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook1.pst
MD5:
SHA256:
4968OUTLOOK.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187binary
MD5:75BC60BF03C70ABD118D39DC87BD449E
SHA256:5995745F4CDE3A38086E5740EB221289293EF363717EC1E5DDC94CA89596AC9F
4968OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\CMR59FUX\statement (002).docdocument
MD5:0BF1033AC6BF5ADFF19901B7DE2FE82C
SHA256:5D0BDBDFF72E35184A39C64E5DEB65B6BADC9117F42C433462735F46755E27CA
4968OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TableViewPreviewPrefs_2_F23729254477344B9524790513455D9A.datxml
MD5:0E092DB99AEE99FDFF9B5B222C732CFD
SHA256:D1614AD99ADED9F6F5C1BE7FE7FFA5124BD04A526580DA3818EA8A954E852AA6
4968OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbresbinary
MD5:5347B76BDBC777FE429D82D5DD90FC16
SHA256:F65B48630F71C747AFEFB3B0CF8A15D7BC9C76B2292DF5596DDB7F6736B75535
4968OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bintext
MD5:CC90D669144261B198DEAD45AA266572
SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
4040WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStoreV3\Word\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAA.Sbinary
MD5:A57482480EFD89E36E31A852859888BF
SHA256:5F881AB56339D255469D17AC73DC737ED39C2BC58FAB1414F93CCE4D86FB8DD1
4040WINWORD.EXEC:\Users\admin\AppData\Local\Temp\msoAC43.tmpimage
MD5:ED3C1C40B68BA4F40DB15529D5443DEC
SHA256:039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
4968OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:E80E989EA1ED7FF0CCC8C8C9A3B4BFEA
SHA256:15CFA56496BCE42DD56D25DE051C4CA649BD0CF256A46266F5500530EA1CB24A
4040WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:E6EC37196694D9FBED389D9CD583876A
SHA256:EE6999922CAE589F40C3F010519291037E3FB7C87D1E42BFCDA9CB7C9DE4ECE1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
36
DNS requests
26
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4968
OUTLOOK.EXE
GET
200
23.63.118.230:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
4460
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4040
WINWORD.EXE
GET
200
18.245.65.219:80
http://ocsp.r2m03.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQqHI%2BsdmapawQncL1rpCEZZ8gTSAQUVdkYX9IczAHhWLS%2Bq9lVQgHXLgICEAuKj%2B6HNQeMKuYn%2B%2BCeHX4%3D
unknown
whitelisted
4040
WINWORD.EXE
GET
200
18.245.38.41:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkzUBtJnwJkc3SmanzgxeYU%3D
unknown
whitelisted
1268
svchost.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2524
svchost.exe
GET
200
23.63.118.230:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4460
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4040
WINWORD.EXE
GET
200
23.63.118.230:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5232
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
2.20.245.139:80
crl.microsoft.com
Akamai International B.V.
SE
whitelisted
4968
OUTLOOK.EXE
52.123.128.14:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1268
svchost.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4968
OUTLOOK.EXE
23.48.23.18:443
omex.cdn.office.net
Akamai International B.V.
DE
whitelisted
4968
OUTLOOK.EXE
52.111.231.13:443
messaging.lifecycle.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 2.20.245.139
  • 2.20.245.137
whitelisted
ecs.office.com
  • 52.123.128.14
  • 52.123.129.14
whitelisted
www.microsoft.com
  • 2.23.181.156
  • 95.101.149.131
whitelisted
omex.cdn.office.net
  • 23.48.23.18
  • 23.48.23.30
whitelisted
messaging.lifecycle.office.com
  • 52.111.231.13
whitelisted
self.events.data.microsoft.com
  • 51.104.15.252
  • 20.44.10.122
whitelisted
ocsp.digicert.com
  • 23.63.118.230
whitelisted
officeclient.microsoft.com
  • 52.109.76.240
whitelisted

Threats

PID
Process
Class
Message
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
Misc activity
ET INFO Observed UA-CPU Header
Process
Message
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
DownloadedMessage (5).zip