Malware analysis message - 2023-04-27T060613.211.eml Malicious activity

Add for printing

File name:	message - 2023-04-27T060613.211.eml
Full analysis:	https://app.any.run/tasks/1e96312d-2fdc-4941-be92-88dadfb3abf6
Verdict:	Malicious activity
Analysis date:	April 27, 2023, 04:13:26
OS:	Windows 11 Professional (build: 22000, 64 bit)
Indicators:
MIME:	message/rfc822
File info:	RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
MD5:	4F2C0B802A8FA2D880B1127D88A9644D
SHA1:	77F94A1513CF487A13B0BB57A80328BD580D1AD8
SHA256:	F608B4215E47CF239A125F9CB7C832011F9B91C05C2178E0C78BB50F4A11F003
SSDEEP:	384:xZ9i8okJ1DdjvHELM7VXNxCdUe23xrNocWNk89vjc6g7/Q5i4BNom:xZ9i8XJRZvHELM7Vdg6bIz9vjDCoi4TF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.1.22000.0
Adobe Acrobat (64-bit) (22.003.20314)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (5.74)
FileZilla Client 3.51.0 (3.51.0)
Google Chrome (69.123.49202)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java 8 Update 351 (64-bit) (8.0.3510.10)
Java Auto Updater (2.8.351.10)
Microsoft Edge (111.0.1661.62)
Microsoft Edge Update (1.3.173.51)
Microsoft Edge WebView2 Runtime (103.0.1264.77)
Microsoft Office Ev ve İş 2021 - tr-tr (16.0.15601.20142)
Microsoft Office Famille et Petite Entreprise 2021 - fr-fr (16.0.15601.20142)
Microsoft Office Hogar y Empresas 2021 - es-es (16.0.15601.20142)
Microsoft Office Home and Business 2021 - de-de (16.0.15601.20142)
Microsoft Office Home and Business 2021 - en-us (16.0.15601.20142)
Microsoft Office Home and Business 2021 - it-it (16.0.15601.20142)
Microsoft Office Home and Business 2021 - ja-jp (16.0.15601.20142)
Microsoft Office Home and Business 2021 - pt-br (16.0.15601.20142)
Microsoft Office Home 및 Business 2021 - ko-kr (16.0.15601.20142)
Microsoft Office для дома и бизнеса 2021 - ru-ru (16.0.15601.20142)
Microsoft OneDrive (22.077.0410.0007)
Microsoft Update Health Tools (4.67.0.0)
Mozilla Firefox (x64 en-US) (111.0.1)
Mozilla Maintenance Service (111.0.1)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15601.20064)
Office 16 Click-to-Run Licensing Component (16.0.15601.20142)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Opera 12.15 (12.15.1748)
VLC media player (3.0.11)
VLC media player 3.0.17 (64-bit) (3.0.17.0)
WinRAR 5.91 (64-bit) (5.91.0)

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executes as Windows Service
  - elevation_service.exe (PID: 8028)
INFO
- Manual execution by a user
  - chrome.exe (PID: 1760)
- Reads product name
  - OUTLOOK.EXE (PID: 2320)
- Checks supported languages
  - elevation_service.exe (PID: 8028)
- The process uses the downloaded file
  - chrome.exe (PID: 7872)
  - chrome.exe (PID: 6972)
  - OUTLOOK.EXE (PID: 2320)
  - chrome.exe (PID: 7572)
  - chrome.exe (PID: 7496)
  - chrome.exe (PID: 6348)
- Reads the computer name
  - elevation_service.exe (PID: 8028)
- Application launched itself
  - chrome.exe (PID: 1760)
- The process checks LSA protection
  - elevation_service.exe (PID: 8028)
- Create files in a temporary directory
  - chrome.exe (PID: 1760)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.eml	\|	E-Mail message (Var. 5) (100)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

167

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1760

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

explorer.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

112.0.5615.50

Modules

Images
c:\windows\system32\ntdll.dll
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\program files (x86)\google\chrome\application\112.0.5615.50\chrome_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

2320

"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\message - 2023-04-27T060613.211.eml"

C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Outlook

Exit code:

Version:

16.0.15601.20142

Modules

Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll

3276

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2372 --field-trial-handle=1832,i,3933020361088949081,2753698671261493075,131072 /prefetch:8

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

112.0.5615.50

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\112.0.5615.50\chrome_elf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

3372

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1832,i,3933020361088949081,2753698671261493075,131072 /prefetch:8

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

112.0.5615.50

Modules

Images
c:\windows\system32\ntdll.dll
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\112.0.5615.50\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

3476

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5556 --field-trial-handle=1832,i,3933020361088949081,2753698671261493075,131072 /prefetch:8

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

112.0.5615.50

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\112.0.5615.50\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

4304

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4872 --field-trial-handle=1832,i,3933020361088949081,2753698671261493075,131072 /prefetch:2

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

112.0.5615.50

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\112.0.5615.50\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

4988

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1832,i,3933020361088949081,2753698671261493075,131072 /prefetch:8

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

112.0.5615.50

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\112.0.5615.50\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

5384

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1832,i,3933020361088949081,2753698671261493075,131072 /prefetch:8

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

112.0.5615.50

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\112.0.5615.50\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

5424

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=112.0.5615.50 --initial-client-data=0x110,0x114,0x118,0xec,0x11c,0x7ff8d5e3aa60,0x7ff8d5e3aa70,0x7ff8d5e3aa80

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

112.0.5615.50

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\112.0.5615.50\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

5540

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1828 --field-trial-handle=1832,i,3933020361088949081,2753698671261493075,131072 /prefetch:2

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

112.0.5615.50

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\112.0.5615.50\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

29 838

Read events

28 958

Write events

480

Delete events

400

Modification events


(PID) Process:	(2320) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	6
Value: 01A012000000001000AE4EF13C07000000000000000700000000000000
(PID) Process:	(2320) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(2320) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(2320) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 1
(PID) Process:	(2320) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	de-de
Value: 1
(PID) Process:	(2320) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	es-es
Value: 1
(PID) Process:	(2320) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	fr-fr
Value: 1
(PID) Process:	(2320) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	it-it
Value: 1
(PID) Process:	(2320) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	ja-jp
Value: 1
(PID) Process:	(2320) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	ko-kr
Value: 1

Add for printing

Executable files

Suspicious files

388

Text files

178

Unknown types

Dropped files

PID	Process	Filename		Type
2320	OUTLOOK.EXE	C:\Users\admin\Documents\Outlook Files\Outlook Data File - No Account.pst		—
		MD5:—	SHA256:—
2320	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\FORMS\FRMDATA64.DAT		binary
		MD5:AF1EA7B68D3850DC6370F22F4923DE67	SHA256:6CC4471957DA1E617326E5E61E9701E6CC1A962EF42143C3175AE90CBFDF4F27
2320	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres		binary
		MD5:0513000B574471B8B928607A1BEC0877	SHA256:CE0A566E3F0F9498B3D935D181E6B5F452B8E28D56DABE3C746288280737E6C2
1760	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
2320	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\4D0A6173-CB38-44CE-B1DE-8489CF3FAEF7		xml
		MD5:FD0AB7FE3880B8A23559D8791AE5D17B	SHA256:BE5CF6C01B628D479CE26757D263F11A9071E24BED9B8CB74B98027018C99B43
2320	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\QPBGFHZ1\️MT101_Receipts.html		html
		MD5:13ED4C1EA804508E81E990981C69DC69	SHA256:83C40226E88EDBF9C89DCB2E0650263C91138083CD6D7365552F04CA9C44E417
2320	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\outlook.exe_Rules.xml		xml
		MD5:F9030EE01034C408A7D6371401DD12C1	SHA256:9907CF959CEEE213147A96498B7AE8870767346B33CBA811D2CC6BED259264A1
2320	OUTLOOK.EXE	C:\USERS\ADMIN\APPDATA\LOCAL\MICROSOFT\TOKENBROKER\CACHE\5475CB191E478C39370A215B2DA98A37E9DC813D.TBRES		binary
		MD5:AC15EF1BEEF7D0B910A224BDC3F937A1	SHA256:3264A4E2D3320E8F61C92F3A95340BD9DAB15CC7EF45ADA2A24716E811EB9427
2320	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Temp\D975EFB7.tmp		binary
		MD5:4002FC2D0835DA723339A6A7DA21CF12	SHA256:A9187F7BA7772D8152F444CF35264E5932D2C2A6945E5FD91B9028263070930D
2320	OUTLOOK.EXE	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177		binary
		MD5:CB27FA7E4C14FCEDE100FF2093FD7F8B	SHA256:9175800275097D78785E405BFC3D99064CFDB3BCEFCD9F01C591436C88AD422B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1496	svchost.exe	GET	304	209.197.3.8:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7390236c44285166	US	—	—	whitelisted
3372	chrome.exe	GET	—	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx	US	—	—	whitelisted
1480	svchost.exe	GET	200	13.107.4.52:80	http://www.msftconnecttest.com/connecttest.txt	US	text	22 b	whitelisted
2320	OUTLOOK.EXE	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAxq6XzO1ZmDhpCgCp6lMhQ%3D	US	der	471 b	whitelisted
1496	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	der	471 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6108	svchost.exe	23.35.236.109:443	fs.microsoft.com	AKAMAI-AS	DE	malicious
2320	OUTLOOK.EXE	52.109.32.24:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	suspicious
2320	OUTLOOK.EXE	52.109.16.1:443	ols.officeapps.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	suspicious
1496	svchost.exe	209.197.3.8:80	ctldl.windowsupdate.com	STACKPATH-CDN	US	whitelisted
1496	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
2320	OUTLOOK.EXE	52.109.28.62:443	odc.officeapps.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	suspicious
2320	OUTLOOK.EXE	13.89.178.27:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	suspicious
2320	OUTLOOK.EXE	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
3372	chrome.exe	142.250.185.196:443	www.google.com	GOOGLE	US	whitelisted
1496	svchost.exe	40.126.32.134:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
officeclient.microsoft.com	52.109.32.24	whitelisted
ecs.office.com	52.113.194.132	whitelisted
nexusrules.officeapps.live.com	52.109.13.63	whitelisted
fs.microsoft.com	23.35.236.109	whitelisted
ols.officeapps.live.com	52.109.16.1	whitelisted
login.live.com	40.126.32.134 20.190.160.20 40.126.32.76 20.190.160.17 40.126.32.140 20.190.160.22 20.190.160.14 40.126.32.138	whitelisted
ctldl.windowsupdate.com	209.197.3.8	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
odc.officeapps.live.com	52.109.28.62	whitelisted
self.events.data.microsoft.com	13.89.178.27	whitelisted

Threats

PID	Process	Class	Message
1480	svchost.exe	Misc activity	ET INFO Microsoft Connection Test

Add for printing

No debug info

General Info

message - 2023-04-27T060613.211.eml

4F2C0B802A8FA2D880B1127D88A9644D

77F94A1513CF487A13B0BB57A80328BD580D1AD8

F608B4215E47CF239A125F9CB7C832011F9B91C05C2178E0C78BB50F4A11F003

384:xZ9i8okJ1DdjvHELM7VXNxCdUe23xrNocWNk89vjc6g7/Q5i4BNom:xZ9i8XJRZvHELM7Vdg6bIz9vjDCoi4TF

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Executes as Windows Service

INFO

Manual execution by a user

Reads product name

Checks supported languages

The process uses the downloaded file

Reads the computer name

Application launched itself

The process checks LSA protection

Create files in a temporary directory

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings