Field | Value
---|---
File name | uploads_0b3d41ff-6d92-4cad-90b6-80ec1eb7d602.eml
Full analysis | https://app.any.run/tasks/6fb253ef-2058-4ac3-98fe-0ec566eb4caa
Verdict | Malicious activity
Analysis date | June 27, 2022, 13:17:59
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MIME | message/rfc822
File info | RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
MD5 | 043ED47473FB03ED8EA9EEE40E76E4A6
SHA1 | 4F2DB1BE05AE674C68099CE9E20A19264E9434CD
SHA256 | 92AD9F7D6783F806FD31337DC8CC382233D395CCA14FD0766E8894DD365B41D4
SSDEEP | 3072:AexwJpHnI+GuIRNWsehP9OIQ6nj41pPxSu5o7lKy:AvVCy3vncpPoGoYy
File type (.eml) | E-Mail message (Var. 5) (100)
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2956 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\uploads_0b3d41ff-6d92-4cad-90b6-80ec1eb7d602.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Outlook; Version: 14.0.6025.1000
3592 | "C:\Program Files\Internet Explorer\iexplore.exe" https://secure-web.cisco.com/1nDPM18lFQo5BdoAMFlOh5-jDUScedDXADdZOUukuzcYaz0Ipep06EB7lj1yCa1wL4enw4L8jvUnuCT99A6yckYx3AR1_FT-Szni2MjqsncIhbu8jECSE4gmFH06qqZUpfqBegqVmPNWEjKd2mED_qtyFtAyiaYuw2D6F3nd9nrTgsUB2Nc6QDOUQC0tqDlCT29h8FZ2xWgL0IOI-mfE-9z9CcNV5nVZ7y6FzsWg7kwLC8GVk7EujPr3ZVAEod5-DMH1VF9UfZJEhSmTX3BUhu5Y7kImu21lKHHONrH-flKVNxNh9h8SmiUUmBYS11tKj/https%3A%2F%2Flocations.theupsstore.com%2Fwi%2Ffitchburg%2F2935-s-fish-hatchery-rd%3Futm_source%3DYext%26utm_medium%3Dorganic%26utm_campaign%3DListings | C:\Program Files\Internet Explorer\iexplore.exe | | OUTLOOK.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
1796 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3592 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
284 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3592 CREDAT:726284 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
(PID) Process | Key | Operation | Name | Value
---|---|---|---|---
(2956) OUTLOOK.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | Off
(2956) OUTLOOK.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1041 | Off
(2956) OUTLOOK.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1046 | Off
(2956) OUTLOOK.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1036 | Off
(2956) OUTLOOK.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1031 | Off
(2956) OUTLOOK.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1040 | Off
(2956) OUTLOOK.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1049 | Off
(2956) OUTLOOK.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 3082 | Off
(2956) OUTLOOK.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1042 | Off
(2956) OUTLOOK.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1055 | Off
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2956 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR9349.tmp.cvr | — | — | —
2956 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | — | —
2956 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 760455A277E3ECE7ACB38BBC2ABE420F | 94632F41AE8D109E666C656AFC59771EF117376ADA288506857B70A1B8173BF4
1796 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6CFED4E1A8866BE87BE17622BFB4D726_FBADB8F7FD7B56EE191ACF24A8989D94 | binary | A6BE7286ABC096F64A4B6E799D065DFC | FF2D80DF2F491F9BB5C2BCCC1114580B0EED1F5375E0BEBC628AF8E0509468C5
2956 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9E91ED2.dat | image | A57B2535259C4FE2C6575AC006C68C7C | C65209F6361DF2980B4A12AA256B4C366D2631AC8564DEBA7461690277B873E9
2956 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\87DC8ED5.dat | image | 5FD0E87674098F299861893BCC09A9E1 | 977F03B7E415B64DC96BC8A800153590C0B51645A65695EE69B6BFBB03FA13C0
1796 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | CCCD7CAFBA8EEF260F7B0A5260344B37 | FFB56D4D94755368C3836695A2088E8A666A99997CA9AE91B23B5FF420292E7E
1796 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\263821BCA2CBC5EA0B25012F05788322_41310C887E59D4EB5B8FD9D3DCA2C98D | binary | 71EE610DDB592939A7BE8178840704D4 | 564671CA0ACBFE6E08B569B43ED113B071AD89A75A5322C246571ADB8112DAA5
2956 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | 27452C66BC5F7E67F22285F70433487B | AC0BC9D9E0034209FF0F18344058D7184F6BBDAB571B8086E6C8A95B246B6CB6
1796 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\263821BCA2CBC5EA0B25012F05788322_41310C887E59D4EB5B8FD9D3DCA2C98D | der | B9D856A49E81B93E5977326E9C9355C0 | AC28DF271E623D8EAE6310F5D45C064300E402C79FD7C64501014208C1836091
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2956 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3592 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
1796 | iexplore.exe | GET | 200 | 8.252.189.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?914e09c5243539fb | US | compressed | 4.70 Kb | whitelisted |
1796 | iexplore.exe | GET | 200 | 104.18.32.68:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT%2FWUBgbSwIQ%3D | US | der | 471 b | whitelisted |
1796 | iexplore.exe | GET | 200 | 142.250.186.35:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted |
1796 | iexplore.exe | GET | 200 | 192.35.177.23:80 | http://commercial.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTQfEOioPd4%2FtCA3%2FhgDklRXB0FwgQU7UQZwNPwBovupHu%2BQucmVMiONnYCEEABbvsKIFz66%2BGPcdc6u3g%3D | US | der | 1.63 Kb | whitelisted |
1796 | iexplore.exe | GET | 200 | 18.66.242.155:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared |
1796 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | US | der | 471 b | whitelisted |
1796 | iexplore.exe | GET | 200 | 192.35.177.23:80 | http://commercial.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTULRG8NAnkG2vMiFulhUophWOf2gQUibibtp7t%2B7DGvQ3sZ048o5KdLfkCEEABfOt6GkOKldoRYnQ%2BdUA%3D | US | der | 1.46 Kb | whitelisted |
1796 | iexplore.exe | GET | 200 | 8.252.189.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?98e54bba644b3f82 | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2956 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
3592 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
1796 | iexplore.exe | 8.252.189.126:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | suspicious |
3592 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1796 | iexplore.exe | 146.112.255.69:443 | secure-web.cisco.com | OpenDNS, LLC | — | suspicious |
1796 | iexplore.exe | 104.18.116.52:443 | locations.theupsstore.com | Cloudflare Inc | US | shared |
1796 | iexplore.exe | 192.35.177.23:80 | commercial.ocsp.identrust.com | IdenTrust | US | unknown |
— | — | 104.18.116.52:443 | locations.theupsstore.com | Cloudflare Inc | US | shared |
1796 | iexplore.exe | 104.18.32.68:80 | ocsp.comodoca.com | Cloudflare Inc | US | suspicious |
1796 | iexplore.exe | 142.250.186.35:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
Domain | IP | Reputation
---|---|---
config.messenger.msn.com | | whitelisted
secure-web.cisco.com | | whitelisted
ctldl.windowsupdate.com | | whitelisted
commercial.ocsp.identrust.com | | whitelisted
api.bing.com | | whitelisted
www.bing.com | | whitelisted
ocsp.digicert.com | | whitelisted
locations.theupsstore.com | | suspicious
ocsp.comodoca.com | | whitelisted
services.listrak.com | | whitelisted