File name: | FW Sandra participate in this survey for an Amazon Gift Card.msg |
Full analysis: | https://app.any.run/tasks/c4a41be7-b5f9-4949-a305-89fd227ba557 |
Verdict: | Malicious activity |
Analysis date: | August 12, 2022, 16:25:40 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 4B4EEF260C1620918DB7A4A95CB7C460 |
SHA1: | 014E6578E911124242124553E3898C6BEA9D6433 |
SHA256: | 61C23D0E32D1C40F3DE9F9672CDB0FEFCC04DAB7E35A397F6960C6DC91ACEEAD |
SSDEEP: | 768:qeYWDtBrpb7tFiWy2qVZk5w6ZW35YTJ+Yl2INNlHSU:YODZiWy2qVZk5wT2d+o2o |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2756 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\Desktop\FW Sandra participate in this survey for an Amazon Gift Card.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.4760.1000 Modules
| |||||||||||||||
2216 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | Explorer.EXE | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 67.0.4 Modules
| |||||||||||||||
2112 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2216.0.924040899\1522925823" -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2216 "\\.\pipe\gecko-crash-server-pipe.2216" 1184 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 67.0.4 Modules
| |||||||||||||||
2308 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2216.3.1164269291\577668024" -childID 1 -isForBrowser -prefsHandle 1892 -prefMapHandle 1888 -prefsLen 1 -prefMapSize 189239 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2216 "\\.\pipe\gecko-crash-server-pipe.2216" 1732 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 67.0.4 Modules
| |||||||||||||||
2700 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2216.13.1320006625\890862511" -childID 2 -isForBrowser -prefsHandle 2764 -prefMapHandle 2772 -prefsLen 5823 -prefMapSize 189239 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2216 "\\.\pipe\gecko-crash-server-pipe.2216" 2784 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 67.0.4 Modules
| |||||||||||||||
840 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2216.20.632299238\2104670201" -childID 3 -isForBrowser -prefsHandle 3364 -prefMapHandle 3368 -prefsLen 6545 -prefMapSize 189239 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2216 "\\.\pipe\gecko-crash-server-pipe.2216" 3424 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 67.0.4 Modules
|
(PID) Process: | (2756) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (2756) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1041 |
Value: Off | |||
(PID) Process: | (2756) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1042 |
Value: Off | |||
(PID) Process: | (2756) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1046 |
Value: Off | |||
(PID) Process: | (2756) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1036 |
Value: Off | |||
(PID) Process: | (2756) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1031 |
Value: Off | |||
(PID) Process: | (2756) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1040 |
Value: Off | |||
(PID) Process: | (2756) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1049 |
Value: Off | |||
(PID) Process: | (2756) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 3082 |
Value: Off | |||
(PID) Process: | (2756) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1055 |
Value: Off |
PID | Process | Filename | Type | |
---|---|---|---|---|
2756 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRA3AE.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2756 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
2216 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\nltxvmn2.default\startupCache\scriptCache-current.bin | — | |
MD5:— | SHA256:— | |||
2756 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:3A0CC4BD82B854ECE1D3E88AC6B41ED2 | SHA256:89C9A03FCF1C27D53CC43A92FA1DFEEE24D25688287D59CE6F1825C73C0D7D32 | |||
2756 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:F52434DF98418373F44AC78FE8A5F6B6 | SHA256:0CF1BFE6FAD111E15B1ABDE0AB6A2A0D311D2AAB953012D1FE8D4C99126C1936 | |||
2216 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\permissions.sqlite-journal | binary | |
MD5:514A30A538E16AAE2D7268B5CC58FFF0 | SHA256:89F200283000135ABCD6BF63CE632EAB9E0DA0850390D697AF3D3D5AC45DF2DD | |||
2756 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_576765698E10194685B55BF29BA5C6FF.dat | xml | |
MD5:EEAA832C12F20DE6AAAA9C7B77626E72 | SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16 | |||
2756 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{ADB16E78-733A-4553-A7DB-34F2FAC190E5}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | |
MD5:4C61C12EDBC453D7AE184976E95258E1 | SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F | |||
2756 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ConversationPrefs_2_8B2D4C018F86244DB6A1916ABC6BE3F6.dat | xml | |
MD5:57F30B1BCA811C2FCB81F4C13F6A927B | SHA256:612BAD93621991CB09C347FF01EC600B46617247D5C041311FF459E247D8C2D3 | |||
2756 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_15220B3A32B2874BBD509A9870C0F482.dat | xml | |
MD5:D58C02D47497EFF7B621405F528C201A | SHA256:F3322AFB6FE61BCB9A12C1C134340C87CF3A97F1BB0F7731067973D8563AC95A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2756 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
2216 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2216 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt | US | text | 8 b | whitelisted |
2216 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2216 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2216 | firefox.exe | POST | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gts1c3 | US | der | 472 b | whitelisted |
2216 | firefox.exe | POST | 200 | 2.16.186.11:80 | http://r3.o.lencr.org/ | unknown | der | 503 b | shared |
2216 | firefox.exe | POST | 200 | 2.16.186.11:80 | http://r3.o.lencr.org/ | unknown | der | 503 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2216 | firefox.exe | 52.35.93.250:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown |
2756 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
2216 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | — | US | whitelisted |
2216 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2216 | firefox.exe | 13.32.121.85:443 | snippets.cdn.mozilla.net | Amazon.com, Inc. | US | suspicious |
2216 | firefox.exe | 52.42.74.230:443 | push.services.mozilla.com | Amazon.com, Inc. | US | unknown |
2216 | firefox.exe | 2.16.186.11:80 | r3.o.lencr.org | Akamai International B.V. | — | whitelisted |
2216 | firefox.exe | 52.43.189.249:443 | shavar.services.mozilla.com | Amazon.com, Inc. | US | unknown |
2216 | firefox.exe | 172.217.18.106:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
2216 | firefox.exe | 207.189.124.9:443 | info.zoomintel.com | ViaWest | US | suspicious |
Domain | IP | Reputation |
---|---|---|
teredo.ipv6.microsoft.com |
| whitelisted |
config.messenger.msn.com |
| whitelisted |
detectportal.firefox.com |
| whitelisted |
prod.detectportal.prod.cloudops.mozgcp.net |
| whitelisted |
search.services.mozilla.com |
| whitelisted |
search.r53-2.services.mozilla.com |
| whitelisted |
push.services.mozilla.com |
| whitelisted |
autopush.prod.mozaws.net |
| whitelisted |
snippets.cdn.mozilla.net |
| whitelisted |
tiles.services.mozilla.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2216 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |