Malware analysis (646) 318-6442 Friday-April-2023 1437 PM..msg Malicious activity

Add for printing

File name:	(646) 318-6442 Friday-April-2023 1437 PM..msg
Full analysis:	https://app.any.run/tasks/88ad8462-8762-4b3a-b09c-6159a8af74ff
Verdict:	Malicious activity
Analysis date:	April 28, 2023, 15:08:17
OS:	Windows 11 Professional (build: 22000, 64 bit)
Indicators:
MIME:	application/vnd.ms-outlook
File info:	CDFV2 Microsoft Outlook Message
MD5:	4C2B95109CE64016E231C64EE9C16445
SHA1:	1514FCD99E59803DEB8740785FF54D1BE25B539D
SHA256:	FE3EAEDA5311140A80FAF2DD75CD53FEF719A9C2B1577A2B1B42A7AE3BF6F160
SSDEEP:	1536:ATCp/NFyncW0WT4fFlnidDfhpFeSzBG8C:ATCp/n6cfF1iiMBG8C

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.1.22000.0
Adobe Acrobat (64-bit) (22.003.20314)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (5.74)
FileZilla Client 3.51.0 (3.51.0)
Google Chrome (69.123.49202)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java 8 Update 351 (64-bit) (8.0.3510.10)
Java Auto Updater (2.8.351.10)
Microsoft Edge (111.0.1661.62)
Microsoft Edge Update (1.3.173.51)
Microsoft Edge WebView2 Runtime (103.0.1264.77)
Microsoft Office Ev ve İş 2021 - tr-tr (16.0.15601.20142)
Microsoft Office Famille et Petite Entreprise 2021 - fr-fr (16.0.15601.20142)
Microsoft Office Hogar y Empresas 2021 - es-es (16.0.15601.20142)
Microsoft Office Home and Business 2021 - de-de (16.0.15601.20142)
Microsoft Office Home and Business 2021 - en-us (16.0.15601.20142)
Microsoft Office Home and Business 2021 - it-it (16.0.15601.20142)
Microsoft Office Home and Business 2021 - ja-jp (16.0.15601.20142)
Microsoft Office Home and Business 2021 - pt-br (16.0.15601.20142)
Microsoft Office Home 및 Business 2021 - ko-kr (16.0.15601.20142)
Microsoft Office для дома и бизнеса 2021 - ru-ru (16.0.15601.20142)
Microsoft OneDrive (22.077.0410.0007)
Microsoft Update Health Tools (4.67.0.0)
Mozilla Firefox (x64 en-US) (111.0.1)
Mozilla Maintenance Service (111.0.1)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15601.20064)
Office 16 Click-to-Run Licensing Component (16.0.15601.20142)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Opera 12.15 (12.15.1748)
VLC media player (3.0.11)
VLC media player 3.0.17 (64-bit) (3.0.17.0)
WinRAR 5.91 (64-bit) (5.91.0)

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Reads the Internet Settings
  - OpenWith.exe (PID: 3312)
- Executes as Windows Service
  - elevation_service.exe (PID: 3888)
INFO
- Reads product name
  - OUTLOOK.EXE (PID: 6796)
- The process checks LSA protection
  - OpenWith.exe (PID: 3312)
  - elevation_service.exe (PID: 3888)
- The process uses the downloaded file
  - OpenWith.exe (PID: 3312)
  - OUTLOOK.EXE (PID: 6796)
- Create files in a temporary directory
  - chrome.exe (PID: 7144)
- Application launched itself
  - chrome.exe (PID: 7144)
- Reads the computer name
  - elevation_service.exe (PID: 3888)
- Checks supported languages
  - elevation_service.exe (PID: 3888)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msg	\|	Outlook Message (58.9)
.oft	\|	Outlook Form Template (34.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

145

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

3312

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\OpenWith.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Pick an app

Exit code:

Version:

10.0.22000.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

3372

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=112.0.5615.50 --initial-client-data=0x110,0x114,0x118,0xec,0x11c,0x7ff8d5e4aa60,0x7ff8d5e4aa70,0x7ff8d5e4aa80

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

112.0.5615.50

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\112.0.5615.50\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

3888

"C:\Program Files (x86)\Google\Chrome\Application\112.0.5615.50\elevation_service.exe"

C:\Program Files (x86)\Google\Chrome\Application\112.0.5615.50\elevation_service.exe

—

services.exe

User:

SYSTEM

Company:

Google LLC

Integrity Level:

SYSTEM

Description:

Google Chrome

Exit code:

Version:

112.0.5615.50

Modules

Images
c:\program files (x86)\google\chrome\application\112.0.5615.50\elevation_service.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

5200

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1504 --field-trial-handle=1844,i,9712279962574404196,8036770135510537694,131072 /prefetch:2

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

112.0.5615.50

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\112.0.5615.50\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

6796

"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\(646) 318-6442 Friday-April-2023 1437 PM..msg"

C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Outlook

Exit code:

Version:

16.0.15601.20142

Modules

Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

7144

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\AVGCM8PZ\12129092527.htm

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

OpenWith.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

112.0.5615.50

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\program files (x86)\google\chrome\application\112.0.5615.50\chrome_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

7184

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1836 --field-trial-handle=1844,i,9712279962574404196,8036770135510537694,131072 /prefetch:2

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

112.0.5615.50

Modules

Images
c:\windows\system32\ntdll.dll
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\kernel32.dll
c:\program files (x86)\google\chrome\application\112.0.5615.50\chrome_elf.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

7204

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1844,i,9712279962574404196,8036770135510537694,131072 /prefetch:8

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

112.0.5615.50

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\112.0.5615.50\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

7280

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1844,i,9712279962574404196,8036770135510537694,131072 /prefetch:8

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

112.0.5615.50

Modules

Images
c:\windows\system32\ntdll.dll
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\112.0.5615.50\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

7580

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1844,i,9712279962574404196,8036770135510537694,131072 /prefetch:1

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

112.0.5615.50

Modules

Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\112.0.5615.50\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

17 768

Read events

17 114

Write events

310

Delete events

344

Modification events


(PID) Process:	(6796) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common
Operation:	write	Name:	SessionId
Value: 70A1684DDDEB6841925B66857825C887
(PID) Process:	(6796) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\Common\GracefulExit\OUTLOOK\1240
Operation:	delete value	Name:	0
Value: 0B0E10EDDA01A76CDCB347A1CAC8431B26DB1646CFB89785DDD7BDEC016A0410240044F17964AE9D01008500A907556E6B6E6F776EC906022222CA0D4201A200C2190000C50E8908C60FCDC0FD94DDD7BDEC01C91003783634C511D809D2120B6F00750074006C006F006F006B002E0065007800650000
(PID) Process:	(6796) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\Common\GracefulExit\OUTLOOK\1240
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6796) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\Common\CrashPersistence\OUTLOOK\6796
Operation:	write	Name:	0
Value: 0B0E105D68496DDC54804EB372571CF5458D39230046EBE3EFD1B4BCDEEC016A0410240044F17964AE9D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C5118C35D2120B6F00750074006C006F006F006B002E0065007800650000
(PID) Process:	(6796) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6796) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6796) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6796) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6796) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	6
Value: 01A012000000001000AE4EF13C07000000000000000700000000000000
(PID) Process:	(6796) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	delete key	Name:	(default)
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6796	OUTLOOK.EXE	C:\Users\admin\Documents\Outlook Files\Outlook Data File - No Account.pst		—
		MD5:—	SHA256:—
7144	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
6796	OUTLOOK.EXE	C:\USERS\ADMIN\APPDATA\LOCAL\MICROSOFT\TOKENBROKER\CACHE\5475CB191E478C39370A215B2DA98A37E9DC813D.TBRES		binary
		MD5:3FAD30617C6A177A15507B76D43444E1	SHA256:756A8EF75F8A16CCA0FB10E9B250A33BB2DDE30B0C49CC75BCC96ABDC1C1AD4D
6796	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\FORMS\FRMDATA64.DAT		binary
		MD5:AF1EA7B68D3850DC6370F22F4923DE67	SHA256:6CC4471957DA1E617326E5E61E9701E6CC1A962EF42143C3175AE90CBFDF4F27
6796	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Temp\87D8496E.tmp		binary
		MD5:53C79B831E96F574E1B8064CF4DFECED	SHA256:0A759E753C3EDF4B72A27170358F127427EDCE34828A33850B5FC86988BA4F06
6796	OUTLOOK.EXE	C:\ProgramData\Microsoft\Office\Licenses\5\Perpetual\21661362613116367064193984360		binary
		MD5:53C79B831E96F574E1B8064CF4DFECED	SHA256:0A759E753C3EDF4B72A27170358F127427EDCE34828A33850B5FC86988BA4F06
6796	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres		binary
		MD5:08D10A52880DE331526EE194CCA48F18	SHA256:4CA3986FE1BDE76E6DB63DD4735F53BA63C9B1E536F740423CF8A3676CF80458
6796	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\73E9A311-A36E-4522-A9DA-44FFA0A743FC		xml
		MD5:9D9746984AB6F66139B4BA0E72DABA0D	SHA256:32EA4842CDC082E9C0537AC662A92904E6B719E6111F5B0B855C79936C9519AD
6796	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres		binary
		MD5:C542A7B2DA6F9E8E3AE8795076F70403	SHA256:56D222AA0522948E294FA1A80D8A377AF9F5BCC7C2E210DB00B3F2B521130936
6796	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\outlook.exe_Rules.xml		xml
		MD5:F9030EE01034C408A7D6371401DD12C1	SHA256:9907CF959CEEE213147A96498B7AE8870767346B33CBA811D2CC6BED259264A1

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6024	svchost.exe	GET	304	8.238.34.254:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0e302285a99826c9	US	—	—	whitelisted
7204	chrome.exe	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx	US	crx	242 Kb	whitelisted
1480	svchost.exe	GET	200	13.107.4.52:80	http://www.msftconnecttest.com/connecttest.txt	US	text	22 b	whitelisted
6024	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	der	471 b	whitelisted
6796	OUTLOOK.EXE	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D	US	der	471 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6796	OUTLOOK.EXE	52.109.32.24:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	suspicious
6796	OUTLOOK.EXE	52.109.8.44:443	nexusrules.officeapps.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	suspicious
6532	svchost.exe	23.35.236.109:443	fs.microsoft.com	AKAMAI-AS	DE	malicious
1480	svchost.exe	13.107.4.52:80	www.msftconnecttest.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6796	OUTLOOK.EXE	52.109.16.60:443	ols.officeapps.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	suspicious
6024	svchost.exe	20.190.160.20:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6024	svchost.exe	8.238.34.254:80	ctldl.windowsupdate.com	LEVEL3	US	suspicious
6796	OUTLOOK.EXE	52.109.28.62:443	odc.officeapps.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	suspicious
6024	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
7204	chrome.exe	142.250.184.205:443	accounts.google.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
officeclient.microsoft.com	52.109.32.24	whitelisted
ecs.office.com	52.113.195.132	whitelisted
nexusrules.officeapps.live.com	52.109.8.44	whitelisted
fs.microsoft.com	23.35.236.109	whitelisted
ols.officeapps.live.com	52.109.16.60	whitelisted
login.live.com	20.190.160.20 20.190.160.22 40.126.32.138 40.126.32.133 40.126.32.76 40.126.32.140 40.126.32.136 40.126.32.72	whitelisted
ctldl.windowsupdate.com	8.238.34.254 67.27.235.126 8.248.145.254 67.27.159.254 8.241.11.126	whitelisted
odc.officeapps.live.com	52.109.28.62	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
clientservices.googleapis.com	216.58.212.163	whitelisted

Threats

PID	Process	Class	Message
1480	svchost.exe	Misc activity	ET INFO Microsoft Connection Test

Add for printing

No debug info

General Info

(646) 318-6442 Friday-April-2023 1437 PM..msg

4C2B95109CE64016E231C64EE9C16445

1514FCD99E59803DEB8740785FF54D1BE25B539D

FE3EAEDA5311140A80FAF2DD75CD53FEF719A9C2B1577A2B1B42A7AE3BF6F160

1536:ATCp/NFyncW0WT4fFlnidDfhpFeSzBG8C:ATCp/n6cfF1iiMBG8C

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Reads the Internet Settings

Executes as Windows Service

INFO

Reads product name

The process checks LSA protection

The process uses the downloaded file

Create files in a temporary directory

Application launched itself

Reads the computer name

Checks supported languages

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings