File name: | FW Diana participate in this survey for an Amazon Gift Card.msg |
Full analysis: | https://app.any.run/tasks/6afe8adf-0bd4-455e-91df-bcbb0a1b4e5a |
Verdict: | Malicious activity |
Analysis date: | August 12, 2022, 16:42:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | CD5C1E9E221F9A37733565EC2EB64E49 |
SHA1: | F6D69DDBE78CAC4830C0D44C80287DE24D57A56C |
SHA256: | 3B521E6CC82CD4F8D8AB12B0F8CD3CD9DD5AA6AC152BAFA666DA3EA561E9E337 |
SSDEEP: | 384:XYnpmP7/UwNM14JqkX8dnu2i7mi20teJZ4ZfcJvk0gdWxOJH+4ehZ8ABpBlLB:XY3JFU8Ud7N20t24BcRgdWxoEZ8AHPL |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1476 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\Desktop\FW Diana participate in this survey for an Amazon Gift Card.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.4760.1000 Modules
| |||||||||||||||
1984 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | Explorer.EXE | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 67.0.4 Modules
| |||||||||||||||
2328 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1984.0.1099404033\1082636663" -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 1984 "\\.\pipe\gecko-crash-server-pipe.1984" 1176 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 67.0.4 Modules
| |||||||||||||||
2904 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1984.3.1284808646\1661042620" -childID 1 -isForBrowser -prefsHandle 1668 -prefMapHandle 1664 -prefsLen 1 -prefMapSize 189239 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 1984 "\\.\pipe\gecko-crash-server-pipe.1984" 1336 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 67.0.4 Modules
| |||||||||||||||
2716 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1984.13.591713497\893438393" -childID 2 -isForBrowser -prefsHandle 2728 -prefMapHandle 2824 -prefsLen 5823 -prefMapSize 189239 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 1984 "\\.\pipe\gecko-crash-server-pipe.1984" 2848 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 67.0.4 Modules
| |||||||||||||||
2068 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1984.20.1296313839\102317956" -childID 3 -isForBrowser -prefsHandle 3384 -prefMapHandle 3436 -prefsLen 6545 -prefMapSize 189239 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 1984 "\\.\pipe\gecko-crash-server-pipe.1984" 3460 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 67.0.4 Modules
|
(PID) Process: | (1476) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (1476) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1041 |
Value: Off | |||
(PID) Process: | (1476) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1042 |
Value: Off | |||
(PID) Process: | (1476) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1046 |
Value: Off | |||
(PID) Process: | (1476) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1036 |
Value: Off | |||
(PID) Process: | (1476) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1031 |
Value: Off | |||
(PID) Process: | (1476) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1040 |
Value: Off | |||
(PID) Process: | (1476) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1049 |
Value: Off | |||
(PID) Process: | (1476) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 3082 |
Value: Off | |||
(PID) Process: | (1476) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1055 |
Value: Off |
PID | Process | Filename | Type | |
---|---|---|---|---|
1476 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR98AD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1476 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
1984 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\nltxvmn2.default\startupCache\scriptCache-current.bin | — | |
MD5:— | SHA256:— | |||
1476 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:C56BDDD75480D2F6828F720234B95CE3 | SHA256:FA048DE57FCBAF52F3A60891FE46D7BF7E7E50FFD696C169C99047C1DFB16CD0 | |||
1476 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:38CDB59D835CB79187E3833E7FCB65B5 | SHA256:4AE5842397753D6A5D04C83117D3E375D755BBFA50FD9368D1FEBEF3551D3859 | |||
1984 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\sessionCheckpoints.json.tmp | binary | |
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A | SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA | |||
1476 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_D161B0A728E1AA47B734315768DDF8AB.dat | xml | |
MD5:EC8CA8C4D9E4B21BF1DBC33B4FD27816 | SHA256:B1230E47FEE2A9F664C82C590C242F764D50C542F8F773254B6CEAC9145F50EF | |||
1476 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_2B77906F7C272043BBB5C8B40AE4B57B.dat | xml | |
MD5:D8B37ED0410FB241C283F72B76987F18 | SHA256:31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114 | |||
1476 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_WorkHours_1_D4BD8BBD2C39E344825392F29C7E5E40.dat | xml | |
MD5:0B5B8DC93D5CDF7CA798E0F70F9088E5 | SHA256:BEC0EBA2EF9D67291F450ADA494386148A210A279927D160B50C238ADDC1DF8B | |||
1476 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\FORMS\FRMDATA64.DAT | binary | |
MD5:C4643157E488AC6D771054CAD7D50D84 | SHA256:D4FF48EB72AA94E3BA215C87B198733048E75105D024CCA42960EF96A8E04EA6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1476 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
1984 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
1984 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
1984 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
1984 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt | US | text | 8 b | whitelisted |
1984 | firefox.exe | POST | 200 | 2.16.186.19:80 | http://r3.o.lencr.org/ | unknown | der | 503 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1476 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
— | — | 13.224.189.113:443 | snippets.cdn.mozilla.net | — | US | suspicious |
1984 | firefox.exe | 44.240.237.74:443 | shavar.services.mozilla.com | University of California, San Diego | US | unknown |
1984 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
— | — | 34.107.221.82:80 | detectportal.firefox.com | — | US | whitelisted |
1984 | firefox.exe | 35.165.143.157:443 | push.services.mozilla.com | Amazon.com, Inc. | US | unknown |
1984 | firefox.exe | 44.225.72.11:443 | search.services.mozilla.com | University of California, San Diego | US | unknown |
1984 | firefox.exe | 104.111.241.253:443 | surveys.zoomintel.com | Akamai International B.V. | NL | unknown |
1984 | firefox.exe | 2.16.186.19:80 | r3.o.lencr.org | Akamai International B.V. | — | whitelisted |
1984 | firefox.exe | 2.18.232.194:443 | eu.qualtrics.com | Akamai International B.V. | — | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
detectportal.firefox.com |
| whitelisted |
prod.detectportal.prod.cloudops.mozgcp.net |
| whitelisted |
search.services.mozilla.com |
| whitelisted |
search.r53-2.services.mozilla.com |
| whitelisted |
push.services.mozilla.com |
| whitelisted |
autopush.prod.mozaws.net |
| whitelisted |
tiles.services.mozilla.com |
| whitelisted |
snippets.cdn.mozilla.net |
| whitelisted |
d228z91au11ukj.cloudfront.net |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
1984 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |