Malware analysis Quarantined Messages (5).zip Malicious activity

Add for printing

File name:	Quarantined Messages (5).zip
Full analysis:	https://app.any.run/tasks/fa762817-4c87-4423-b179-5631c5a27487
Verdict:	Malicious activity
Analysis date:	May 03, 2023, 10:36:50
OS:	Windows 11 Professional (build: 22000, 64 bit)
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v4.5 to extract
MD5:	E373AE46BAAC05887C0B3A8EC6BA7742
SHA1:	07848E2421FE55D0742842321A059949BFA88433
SHA256:	E4DE5CC1FB1050071882673EE10D9897EFD7A353F97F39F44E167D9BB2B9CDD8
SSDEEP:	24576:5LxRMxi/+dTR0zwfNfU3UnpFylYFj2ebb6kTnNCyZL/:NxvrEU34FyCFLxjZL/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.1.22000.0
Adobe Acrobat (64-bit) (22.003.20314)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (5.74)
FileZilla Client 3.51.0 (3.51.0)
Google Chrome (69.123.49202)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java 8 Update 351 (64-bit) (8.0.3510.10)
Java Auto Updater (2.8.351.10)
Microsoft Edge (111.0.1661.62)
Microsoft Edge Update (1.3.173.51)
Microsoft Edge WebView2 Runtime (103.0.1264.77)
Microsoft Office Ev ve İş 2021 - tr-tr (16.0.15601.20142)
Microsoft Office Famille et Petite Entreprise 2021 - fr-fr (16.0.15601.20142)
Microsoft Office Hogar y Empresas 2021 - es-es (16.0.15601.20142)
Microsoft Office Home and Business 2021 - de-de (16.0.15601.20142)
Microsoft Office Home and Business 2021 - en-us (16.0.15601.20142)
Microsoft Office Home and Business 2021 - it-it (16.0.15601.20142)
Microsoft Office Home and Business 2021 - ja-jp (16.0.15601.20142)
Microsoft Office Home and Business 2021 - pt-br (16.0.15601.20142)
Microsoft Office Home 및 Business 2021 - ko-kr (16.0.15601.20142)
Microsoft Office для дома и бизнеса 2021 - ru-ru (16.0.15601.20142)
Microsoft OneDrive (22.077.0410.0007)
Microsoft Update Health Tools (4.67.0.0)
Mozilla Firefox (x64 en-US) (111.0.1)
Mozilla Maintenance Service (111.0.1)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15601.20064)
Office 16 Click-to-Run Licensing Component (16.0.15601.20142)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Opera 12.15 (12.15.1748)
VLC media player (3.0.11)
VLC media player 3.0.17 (64-bit) (3.0.17.0)
WinRAR 5.91 (64-bit) (5.91.0)

Add for printing

MALICIOUS
- Unusual execution from MS Office
  - OUTLOOK.EXE (PID: 4280)
SUSPICIOUS
- Reads the Internet Settings
  - OpenWith.exe (PID: 6476)
- Reads Microsoft Outlook installation path
  - OpenWith.exe (PID: 6476)
- Detected use of alternative data streams (AltDS)
  - OpenWith.exe (PID: 6476)
INFO
- The process checks LSA protection
  - OpenWith.exe (PID: 6476)
  - prevhost.exe (PID: 5892)
- Reads Microsoft Office registry keys
  - OpenWith.exe (PID: 6476)
  - Acrobat.exe (PID: 8056)
- The process uses the downloaded file
  - OUTLOOK.EXE (PID: 4280)
- Reads product name
  - OUTLOOK.EXE (PID: 4280)
- Application launched itself
  - Acrobat.exe (PID: 7816)
  - Acrobat.exe (PID: 6924)
  - AcroCEF.exe (PID: 7692)
- Checks supported languages
  - acrobat_sl.exe (PID: 8108)
- Executable content was dropped or overwritten
  - AdobeARM.exe (PID: 7804)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipFileName:	d4abffef-2ca6-4c62-75ac-08db4baf718d/4889d38b-f60c-70f2-97ce-2005c8126c3d.eml
ZipUncompressedSize:	4294967295
ZipCompressedSize:	4294967295
ZipCRC:	0x28231976
ZipModifyDate:	2023:05:03 10:36:06
ZipCompression:	Deflated
ZipBitFlag:	0x0009
ZipRequiredVersion:	45

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

151

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1384

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/22.3.20314 Chrome/105.0.0.0" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1728 --field-trial-handle=1588,i,7506379358649580831,14196960082568435541,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Exit code:

Version:

22.3.20314.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

2024

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Quarantined Messages (5).zip"

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

2436

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/22.3.20314 Chrome/105.0.0.0" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2768 --field-trial-handle=1588,i,7506379358649580831,14196960082568435541,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Exit code:

Version:

22.3.20314.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

3920

"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" --type=renderer /prefetch:1 /b /id 5892_2077350253 /if pdfshell_prev507d881c-2f04-4497-89bc-3e71297cad99 /CR

C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

—

Acrobat.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe Acrobat

Exit code:

Version:

22.3.20314.0

Modules

Images
c:\windows\system32\ntdll.dll
c:\program files\adobe\acrobat dc\acrobat\acrobat.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

4280

"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\admin\Desktop\d4abffef-2ca6-4c62-75ac-08db4baf718d\4889d38b-f60c-70f2-97ce-2005c8126c3d.eml"

C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

OpenWith.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Outlook

Exit code:

Version:

16.0.15601.20142

Modules

Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcp_win.dll

5892

C:\Windows\system32\prevhost.exe {DC6EFB56-9CFA-464D-8880-44885D7DC193} -Embedding

C:\Windows\System32\prevhost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Preview Handler Surrogate Host

Exit code:

Version:

10.0.22000.653 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\prevhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll

6344

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/22.3.20314 Chrome/105.0.0.0" --lang=en-US --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1732 --field-trial-handle=1588,i,7506379358649580831,14196960082568435541,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Exit code:

Version:

22.3.20314.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

6476

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\OpenWith.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Pick an app

Exit code:

Version:

10.0.22000.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

6924

"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" /b /id 5892_2077350253 /if pdfshell_prev507d881c-2f04-4497-89bc-3e71297cad99 /CR

C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

prevhost.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

MEDIUM

Description:

Adobe Acrobat

Exit code:

Version:

22.3.20314.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrobat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

7188

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/22.3.20314 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1748 --field-trial-handle=1588,i,7506379358649580831,14196960082568435541,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Exit code:

Version:

22.3.20314.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\win32u.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

Add for printing

Total events

33 360

Read events

32 700

Write events

392

Delete events

268

Modification events


(PID) Process:	(2024) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\General
Operation:	write	Name:	VerInfo
Value: 000B0600C647D6C8AFF6D801
(PID) Process:	(2024) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2024) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2024) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2024) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6476) OpenWith.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6476) OpenWith.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6476) OpenWith.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6476) OpenWith.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6476) OpenWith.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:	write	Name:	Zvpebfbsg.Bssvpr.BHGYBBX.RKR.15
Value: 000000000700000006000000640A0300000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFFC0C092D0BDF6D80100000000

Add for printing

Executable files

Suspicious files

414

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4280	OUTLOOK.EXE	C:\Users\admin\Documents\Outlook Files\Outlook Data File - No Account.pst		—
		MD5:—	SHA256:—
4280	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres		binary
		MD5:264D6EBA0B2BA3937B8DC8039ACD1E1C	SHA256:F6BA15E2257765FC29D19418169E5280832D9EF6794C8FADA66BC9FB9A71E5C3
2024	WinRAR.exe	C:\USERS\ADMIN\APPDATA\ROAMING\WINRAR\VERSION.DAT		binary
		MD5:92DB2DA3374350E492E363A8A81643BC	SHA256:854BF0BDF1FD9638CCCA8713A61514B658321556B8957FC5EDC56169DB0622EC
6924	Acrobat.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_6684D38897EAD61FC218D0450A40D38F		der
		MD5:836F79A24BC48A7C8802DFB8990AE45B	SHA256:3F2F6FD380291DA9655DFECAC2EC26DD1CC36934FC815CEE69B1A628C85772B0
4280	OUTLOOK.EXE	C:\USERS\ADMIN\APPDATA\LOCAL\MICROSOFT\TOKENBROKER\CACHE\5475CB191E478C39370A215B2DA98A37E9DC813D.TBRES		binary
		MD5:20448DD04B191216BED9D907676F7FA8	SHA256:7D0C95905500C7740A16B13019C20B9E461042073B733C74E1607D32C752543F
6924	Acrobat.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04		binary
		MD5:682E32434EF9A393ABDB4F927C185422	SHA256:DB256014CC42A5AF814EF942234F2296186B190F86C43B62E259A2152F7AEEDD
3920	Acrobat.exe	C:\Users\admin\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt		text
		MD5:3C4E9F0ABAB0459C6232B01B018F7B2B	SHA256:207A8E9B79F8BBF82A1A44EA2F25CBAFF339AA9D59C1E395548AE716F3DBBC07
6924	Acrobat.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04		der
		MD5:C5E0565AD8934FBEF948B072A7A957CD	SHA256:6B84D22AF6C68116B9EC46B37CF0DAAED057D5FEBB75B5141535463112DBDD3D
4280	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\outlook.exe_Rules.xml		xml
		MD5:F9030EE01034C408A7D6371401DD12C1	SHA256:9907CF959CEEE213147A96498B7AE8870767346B33CBA811D2CC6BED259264A1
4280	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\FSGYU8XC\cid5599F8112859E04EB489C83C81658D91@eurprd04.prod.outlook.com (002).pdf		pdf
		MD5:E0F7F77B0D0CA80869AFCD2AA53A13CD	SHA256:B51A36C037B102968B9AEB0669C04FE72F975DB3160396C7AB27243B764D5111

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6316	svchost.exe	GET	304	23.216.77.69:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8b53cdf880faa446	US	—	—	whitelisted
1480	svchost.exe	GET	200	13.107.4.52:80	http://www.msftconnecttest.com/connecttest.txt	US	text	22 b	whitelisted
7804	AdobeARM.exe	GET	200	2.19.126.76:80	http://acroipm2.adobe.com/assets/Owner/arm/2023/5/OwnerAPI/Rdr.txt	DE	text	4 b	whitelisted
7804	AdobeARM.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D	US	binary	471 b	whitelisted
7804	AdobeARM.exe	GET	200	2.19.126.76:80	http://acroipm2.adobe.com/assets/Owner/arm/ReportOwner.txt	DE	text	4 b	whitelisted
4280	OUTLOOK.EXE	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAxq6XzO1ZmDhpCgCp6lMhQ%3D	US	der	471 b	whitelisted
6924	Acrobat.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D	US	der	471 b	whitelisted
1480	svchost.exe	GET	200	13.107.4.52:80	http://www.msftconnecttest.com/connecttest.txt	US	text	22 b	whitelisted
6316	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	der	471 b	whitelisted
6924	Acrobat.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAHfQJBoQn4xgYEKiBpnK%2Bc%3D	US	der	471 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5708	svchost.exe	23.35.236.109:443	fs.microsoft.com	AKAMAI-AS	DE	malicious
6316	svchost.exe	20.190.159.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	suspicious
4280	OUTLOOK.EXE	20.224.254.73:443	nexusrules.officeapps.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	suspicious
4280	OUTLOOK.EXE	52.113.194.132:443	ecs.office.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	suspicious
4280	OUTLOOK.EXE	52.109.16.60:443	ols.officeapps.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	suspicious
6924	Acrobat.exe	54.194.243.238:443	cc-api-data.adobe.io	AMAZON-02	IE	suspicious
4280	OUTLOOK.EXE	13.89.179.9:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	suspicious
6924	Acrobat.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4536	msedge.exe	204.79.197.239:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4280	OUTLOOK.EXE	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
login.live.com	20.190.159.68 40.126.31.73 20.190.159.4 20.190.159.73 20.190.159.23 20.190.159.2 20.190.159.0 40.126.31.71	whitelisted
ctldl.windowsupdate.com	23.216.77.69 23.216.77.80	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
www.msftconnecttest.com	13.107.4.52	whitelisted
fs.microsoft.com	23.35.236.109	whitelisted
officeclient.microsoft.com	52.109.32.24	whitelisted
ecs.office.com	52.113.194.132	whitelisted
nexusrules.officeapps.live.com	20.224.254.73	whitelisted
ols.officeapps.live.com	52.109.16.60	whitelisted
odc.officeapps.live.com	52.109.88.193	whitelisted

Threats

PID	Process	Class	Message
1480	svchost.exe	Misc activity	ET INFO Microsoft Connection Test
1480	svchost.exe	Misc activity	ET INFO Microsoft Connection Test

Add for printing

No debug info

General Info

Quarantined Messages (5).zip

E373AE46BAAC05887C0B3A8EC6BA7742

07848E2421FE55D0742842321A059949BFA88433

E4DE5CC1FB1050071882673EE10D9897EFD7A353F97F39F44E167D9BB2B9CDD8

24576:5LxRMxi/+dTR0zwfNfU3UnpFylYFj2ebb6kTnNCyZL/:NxvrEU34FyCFLxjZL/

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Unusual execution from MS Office

SUSPICIOUS

Reads the Internet Settings

Reads Microsoft Outlook installation path

Detected use of alternative data streams (AltDS)

INFO

The process checks LSA protection

Reads Microsoft Office registry keys

The process uses the downloaded file

Reads product name

Application launched itself

Checks supported languages

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings