Malware analysis 901635425;LPG COLOMBIA;3644258;01;LPG COLOMBIA.eml Malicious activity

Add for printing

File name:	901635425;LPG COLOMBIA;3644258;01;LPG COLOMBIA.eml
Full analysis:	https://app.any.run/tasks/033f64b8-a6e7-417c-8d48-ce1e386ea91f
Verdict:	Malicious activity
Analysis date:	December 12, 2024, 13:32:11
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	qrcode arch-doc mailgun attachments attc-arch
Indicators:
MIME:	message/rfc822
File info:	RFC 822 mail, ASCII text, with CRLF line terminators
MD5:	4E38A6E2E03F9C71DC8EF4E03399DFA9
SHA1:	8E3C33D8ABAC5C0D9E9EA23CB2F7F759AE6DAB1A
SHA256:	A730C83AEE7FE6D1EF10160A38A73109B6B078E059B7F9A54360E62BE547C0BE
SSDEEP:	3072:rK5OlfJvpqUacgeqaOUMSUT8l9pvq49zMltnU3fGmz4cR9xZ7L2:rsK1png1aOZQ9pi4NMLGfGSTRzlL2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Email came from third-party service (Mailgun)
  - OUTLOOK.EXE (PID: 6212)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 5892)
INFO
- Reads Microsoft Office registry keys
  - WinRAR.exe (PID: 5892)
  - Acrobat.exe (PID: 5604)
- The process uses the downloaded file
  - OUTLOOK.EXE (PID: 6212)
- Email with attachments
  - OUTLOOK.EXE (PID: 6212)
- Application launched itself
  - Acrobat.exe (PID: 3692)
  - msedge.exe (PID: 6680)
  - AcroCEF.exe (PID: 6768)
  - msedge.exe (PID: 3032)
- Sends debugging messages
  - Acrobat.exe (PID: 5604)
- Checks supported languages
  - identity_helper.exe (PID: 3680)
- Reads the computer name
  - identity_helper.exe (PID: 3680)
  - identity_helper.exe (PID: 6668)
- Reads Environment values
  - identity_helper.exe (PID: 3680)
  - identity_helper.exe (PID: 6668)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.eml	\|	E-Mail message (Var. 5) (100)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

204

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

440

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5780 --field-trial-handle=2372,i,2736566270826105664,17133782077186479381,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

448

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4988 --field-trial-handle=2244,i,10479108483537084399,11547595376665098517,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

836

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5460 --field-trial-handle=2372,i,2736566270826105664,17133782077186479381,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

848

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2068 --field-trial-handle=1640,i,4833301230762914761,14903602148318412357,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Exit code:

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

936

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3500 --field-trial-handle=2372,i,2736566270826105664,17133782077186479381,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1416

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2808 --field-trial-handle=1640,i,4833301230762914761,14903602148318412357,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Exit code:

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1488

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2244,i,10479108483537084399,11547595376665098517,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1544

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2236 --field-trial-handle=2244,i,10479108483537084399,11547595376665098517,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1596

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3284 --field-trial-handle=2244,i,10479108483537084399,11547595376665098517,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1616

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4056 --field-trial-handle=2244,i,10479108483537084399,11547595376665098517,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

37 848

Read events

36 390

Write events

1 276

Delete events

182

Modification events


(PID) Process:	(6212) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	6
Value: 01941A000000001000B24E9A3E06000000000000000600000000000000
(PID) Process:	(6212) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\6212
Operation:	write	Name:	0
Value: 0B0E1017EFDA6A2E70184B869D9CDCE5120F6A230046F5BB8FA4A493D3ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511C430D2120B6F00750074006C006F006F006B002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:	(6212) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:	delete value	Name:	BootCommand
Value:
(PID) Process:	(6212) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:	delete value	Name:	BootFailureCount
Value:
(PID) Process:	(6212) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6212) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	write	Name:	CantBootResolution
Value: BootSuccess
(PID) Process:	(6212) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	write	Name:	ProfileBeingOpened
Value: Outlook
(PID) Process:	(6212) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	write	Name:	SessionId
Value: C3D8E96E-C1AF-4750-8D52-F4E28119C131
(PID) Process:	(6212) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	write	Name:	BootDiagnosticsLogFile
Value: C:\Users\admin\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16026_20146-20240718T1116060318-1644.etl
(PID) Process:	(6212) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:	delete value	Name:	ProfileBeingOpened
Value:

Add for printing

Executable files

Suspicious files

701

Text files

144

Unknown types

Dropped files

PID	Process	Filename		Type
6212	OUTLOOK.EXE	C:\Users\admin\Documents\Outlook Files\Outlook1.pst		—
		MD5:—	SHA256:—
6212	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\289653A3-291E-478D-9354-A133BDE58BF7		xml
		MD5:1900377FF420E6AF0485E67772FEAB9E	SHA256:7EC2CDCF021EAA792F2529FDA4303A24155C6D1148DC6140EE0AFE0BD5E763B4
6212	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres		binary
		MD5:2CBA2259F49446C0608CA0EDE0F3F829	SHA256:ED8CB47502F8EBA361AEAC77D292710124871B4E969F58FE839AECF31BA7ABDE
6212	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres		binary
		MD5:638B8EA1BF5FA4C5AEA50B54FD2F67D8	SHA256:599EB34E35192A195F8B6758AD2B68AF240BB58FF6EAEADF60CB6155E7C19C8D
6212	OUTLOOK.EXE	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04		binary
		MD5:F1AA6CAA38E0942B5394B7E24210044C	SHA256:2809A0EABEE15DE3378D9762B50CC2B3E1C265301575C965A7DBFEB4F4E23B43
6212	OUTLOOK.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm		binary
		MD5:6B0E1FEA75E6538FFCC69DBF1C616F04	SHA256:7306C5FD58A0DB371CF0D00E4965645226E8E208D53CC4CBEA117532172F1F70
5604	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json		binary
		MD5:837C1211E392A24D64C670DC10E8DA1B	SHA256:8013AC030684B86D754BBFBAB8A9CEC20CAA4DD9C03022715FF353DC10E14031
6212	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\C0FPOSUR\z090163542500824003505d3.zip:Zone.Identifier		text
		MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B	SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
6212	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\C0FPOSUR\z090163542500824003505d3 (002).zip:Zone.Identifier		text
		MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B	SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
6212	OUTLOOK.EXE	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A		der
		MD5:CB8C39FF833F6A7430BAAB216963132E	SHA256:ED2A5DAB5930E34A4872A64F4F8E50C714DAC7DD80736D8FE473F6E0A2744334

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

102

DNS requests

104

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5400	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
3692	Acrobat.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D	unknown	—	—	whitelisted
5780	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9ff6323b-be21-4d0a-848f-4e609840e48d?P1=1734502730&P2=404&P3=2&P4=QgS%2bOeAW%2ffQUDZatOARtIK%2b5TY%2bhcPc9ziUy3%2b6Rv%2fVmUlgDd%2b2sIjKhv%2b%2b0EG9xaTgzHiZZKB3p2Cl6xs7ByQ%3d%3d	unknown	—	—	whitelisted
5780	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9ff6323b-be21-4d0a-848f-4e609840e48d?P1=1734502730&P2=404&P3=2&P4=QgS%2bOeAW%2ffQUDZatOARtIK%2b5TY%2bhcPc9ziUy3%2b6Rv%2fVmUlgDd%2b2sIjKhv%2b%2b0EG9xaTgzHiZZKB3p2Cl6xs7ByQ%3d%3d	unknown	—	—	whitelisted
5780	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9ff6323b-be21-4d0a-848f-4e609840e48d?P1=1734502730&P2=404&P3=2&P4=QgS%2bOeAW%2ffQUDZatOARtIK%2b5TY%2bhcPc9ziUy3%2b6Rv%2fVmUlgDd%2b2sIjKhv%2b%2b0EG9xaTgzHiZZKB3p2Cl6xs7ByQ%3d%3d	unknown	—	—	whitelisted
5780	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9ff6323b-be21-4d0a-848f-4e609840e48d?P1=1734502730&P2=404&P3=2&P4=QgS%2bOeAW%2ffQUDZatOARtIK%2b5TY%2bhcPc9ziUy3%2b6Rv%2fVmUlgDd%2b2sIjKhv%2b%2b0EG9xaTgzHiZZKB3p2Cl6xs7ByQ%3d%3d	unknown	—	—	whitelisted
5780	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9ff6323b-be21-4d0a-848f-4e609840e48d?P1=1734502730&P2=404&P3=2&P4=QgS%2bOeAW%2ffQUDZatOARtIK%2b5TY%2bhcPc9ziUy3%2b6Rv%2fVmUlgDd%2b2sIjKhv%2b%2b0EG9xaTgzHiZZKB3p2Cl6xs7ByQ%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
716	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5064	SearchApp.exe	104.126.37.155:443	www.bing.com	Akamai International B.V.	DE	whitelisted
5064	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1076	svchost.exe	23.35.238.131:443	go.microsoft.com	AKAMAI-AS	DE	whitelisted
6212	OUTLOOK.EXE	52.109.76.240:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208 51.104.136.2	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
google.com	142.250.181.238	whitelisted
www.bing.com	104.126.37.155 104.126.37.152 104.126.37.161 104.126.37.162 104.126.37.153 104.126.37.163 104.126.37.147 104.126.37.160 104.126.37.170 2.23.209.137 2.23.209.140 2.23.209.189 2.23.209.135 2.23.209.193 2.23.209.133 2.23.209.141 2.23.209.143 2.23.209.131	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
go.microsoft.com	23.35.238.131 23.218.210.69	whitelisted
officeclient.microsoft.com	52.109.76.240	whitelisted
ecs.office.com	52.113.194.132	whitelisted
login.live.com	40.126.32.76 40.126.32.72 20.190.160.22 40.126.32.68 20.190.160.14 40.126.32.133 40.126.32.74 20.190.160.17	whitelisted

Threats

PID	Process	Class	Message
5684	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
5684	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
5684	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Azure Blob Storage (.blob .core .windows .net)
5684	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Azure Blob Storage (.blob .core .windows .net)

Add for printing

No debug info

General Info

901635425;LPG COLOMBIA;3644258;01;LPG COLOMBIA.eml

4E38A6E2E03F9C71DC8EF4E03399DFA9

8E3C33D8ABAC5C0D9E9EA23CB2F7F759AE6DAB1A

A730C83AEE7FE6D1EF10160A38A73109B6B078E059B7F9A54360E62BE547C0BE

3072:rK5OlfJvpqUacgeqaOUMSUT8l9pvq49zMltnU3fGmz4cR9xZ7L2:rsK1png1aOZQ9pi4NMLGfGSTRzlL2

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Email came from third-party service (Mailgun)

SUSPICIOUS

Reads security settings of Internet Explorer

INFO

Reads Microsoft Office registry keys

The process uses the downloaded file

Email with attachments

Application launched itself

Sends debugging messages

Checks supported languages

Reads the computer name

Reads Environment values

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings