File name:

PINEDA Juan Camilo has sent you a message via Zoom Message Portal.msg

Full analysis: https://app.any.run/tasks/ef052e61-3104-4e01-8921-290ef48860ac
Verdict: Malicious activity
Analysis date: December 05, 2022, 20:20:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

26860DC6B83F7A7D437A5323F497534C

SHA1:

273D74965797838DCB1BE1058B3C9AC123D53505

SHA256:

131A53B724870F1D46E8C6819B539A4A26BC650A86FB27EF337B11180C4790DD

SSDEEP:

1536:RGiPFkuK7sYc0IPEdHvsKhgmuK+WhWpWUPMafnOBeo08+I1szfq/1:RPiuKJfIPsH/imuK0PMafnWebdI1sO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 1972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
856"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\PINEDA Juan Camilo has sent you a message via Zoom Message Portal.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
14.0.6025.1000
Modules
Images
c:\program files\microsoft office\office14\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1972"C:\Program Files\Internet Explorer\iexplore.exe" https://en-eu.secureconnection.moneytransaction.kb4.io/XUTA1V1ZXeHpNV1pHZGxNdk1ITk1NekpVVXpoWUwxSkNVbUlyUTNCVWFUSlRURloxYzJSUE4ycFNNVUZyVTFWaE16UnhkVXRVZFVkSlREWnRlazFHTUVKd1IyaEpUVEZQUzBoaFNYQjVRM0JzTWpSQlJWQmxWR3hVVFcxemRFVnJTWGR1WmpCaVFsRjJNSEJXYVVaak1GSkNRbms1WWxCaGEwVTVSSEUxZEZwWlprRmhSR041ZG5aMWNFWkdjazAwV210WllrcE5VVGxPVkVGNVpVZ3liazltVjBsSE5uZFZaREJOUFMwdFNHRkRUVGhpWlZSU2JscGpkRU4zUlVjM05FcDFVVDA5LS1mYjkzMzM2MzBjYjYxMjVkNzI1NmQyNTM3YTdlMzY0NmMyMWI1NTA1?cid=142216677C:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2688"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1972 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events
23 729
Read events
23 004
Write events
705
Delete events
20

Modification events

(PID) Process:(856) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(856) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(856) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(856) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(856) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(856) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(856) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(856) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(856) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
(PID) Process:(856) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1055
Value:
Off
Executable files
0
Suspicious files
19
Text files
34
Unknown types
18

Dropped files

PID
Process
Filename
Type
856OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRFA0.tmp.cvr
MD5:
SHA256:
856OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
856OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:
SHA256:
856OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:
SHA256:
856OUTLOOK.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:
SHA256:
856OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inftext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
856OUTLOOK.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771binary
MD5:
SHA256:
856OUTLOOK.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62binary
MD5:
SHA256:
856OUTLOOK.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771der
MD5:
SHA256:
856OUTLOOK.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62der
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
43
DNS requests
24
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
856
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
856
OUTLOOK.EXE
GET
200
192.124.249.24:80
http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D
US
der
1.69 Kb
whitelisted
2688
iexplore.exe
GET
200
13.225.84.104:80
http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEAQV72KtapPgP6bJk%2FZI%2FPk%3D
US
der
471 b
whitelisted
2688
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAlrgulzmZS6%2FVWwIdvHyL8%3D
US
der
278 b
whitelisted
1972
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D
US
der
1.47 Kb
whitelisted
2688
iexplore.exe
GET
200
142.250.186.67:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
2688
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
2688
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
2688
iexplore.exe
GET
200
142.250.186.67:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDreCS75DAIaRKqvCi%2FvL9c
US
der
472 b
whitelisted
2688
iexplore.exe
GET
200
13.225.84.104:80
http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEARvjI07tlNggB%2FjBJupetY%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
856
OUTLOOK.EXE
52.214.123.172:443
en-eu.secureconnection.moneytransaction.kb4.io
AMAZON-02
IE
unknown
856
OUTLOOK.EXE
95.140.236.0:80
ctldl.windowsupdate.com
LLNW
US
whitelisted
856
OUTLOOK.EXE
138.92.8.27:443
blogs.canisius.edu
CANISIUS-COLLEGE
US
unknown
856
OUTLOOK.EXE
192.124.249.24:80
ocsp.godaddy.com
SUCURI-SEC
US
suspicious
856
OUTLOOK.EXE
13.225.84.68:80
o.ss2.us
AMAZON-02
US
unknown
856
OUTLOOK.EXE
13.225.84.145:80
ocsp.rootg2.amazontrust.com
AMAZON-02
US
whitelisted
856
OUTLOOK.EXE
13.225.84.104:80
ocsp.sca1b.amazontrust.com
AMAZON-02
US
whitelisted
2688
iexplore.exe
52.214.123.172:443
en-eu.secureconnection.moneytransaction.kb4.io
AMAZON-02
IE
unknown
2688
iexplore.exe
3.248.132.51:443
en-eu.secureconnection.moneytransaction.kb4.io
AMAZON-02
IE
unknown
1972
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
EDGECAST
GB
whitelisted

DNS requests

Domain
IP
Reputation
en-eu.secureconnection.moneytransaction.kb4.io
  • 52.214.123.172
  • 3.248.132.51
malicious
blogs.canisius.edu
  • 138.92.8.27
unknown
ctldl.windowsupdate.com
  • 95.140.236.0
  • 95.140.236.128
whitelisted
config.messenger.msn.com
  • 64.4.26.155
whitelisted
ocsp.godaddy.com
  • 192.124.249.24
  • 192.124.249.23
  • 192.124.249.22
  • 192.124.249.41
  • 192.124.249.36
whitelisted
o.ss2.us
  • 13.225.84.68
  • 13.225.84.42
  • 13.225.84.97
  • 13.225.84.66
whitelisted
ocsp.rootg2.amazontrust.com
  • 13.225.84.49
  • 13.225.84.175
  • 13.225.84.13
  • 13.225.84.145
whitelisted
ocsp.rootca1.amazontrust.com
  • 13.225.84.145
  • 13.225.84.13
  • 13.225.84.49
  • 13.225.84.175
shared
ocsp.sca1b.amazontrust.com
  • 13.225.84.104
  • 13.225.84.107
  • 13.225.84.142
  • 13.225.84.88
whitelisted
eu-secured.com
  • 3.248.132.51
  • 52.214.123.172
suspicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
PINEDA Juan Camilo has sent you a message via Zoom Message Portal.msg