URL:	https://lgin.msa.trafficmanager.net
Full analysis:	https://app.any.run/tasks/b485db54-21b1-44d1-8a2e-b94038c1fd87
Verdict:	Malicious activity
Analysis date:	December 11, 2019, 19:57:22
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	phishing phish-outlook phish-microsoft
Indicators:
MD5:	2C1050A7B08142A528106F82815FEB89
SHA1:	BED5680980DBFFBF5597FF49A76CEB453358FC59
SHA256:	BD83B1B3C6E369A8E6BD3FEB15F698EF17967FE795872C1AB41C7FA8D1ACE8C5
SSDEEP:	3:N8CKLISx3ys:2Cuis

PID	CMD	Path	Indicators	Parent process
1584	"C:\Program Files\Mozilla Firefox\firefox.exe" "https://lgin.msa.trafficmanager.net"	C:\Program Files\Mozilla Firefox\firefox.exe	—	explorer.exe
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 68.0.1
3100	"C:\Program Files\Mozilla Firefox\firefox.exe" https://lgin.msa.trafficmanager.net	C:\Program Files\Mozilla Firefox\firefox.exe		firefox.exe
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 68.0.1
516	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3100.0.284746288\906218836" -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3100 "\\.\pipe\gecko-crash-server-pipe.3100" 1180 gpu	C:\Program Files\Mozilla Firefox\firefox.exe	—	firefox.exe
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 68.0.1
4080	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3100.3.1182932075\1404399766" -childID 1 -isForBrowser -prefsHandle 1332 -prefMapHandle 1340 -prefsLen 1 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3100 "\\.\pipe\gecko-crash-server-pipe.3100" 1616 tab	C:\Program Files\Mozilla Firefox\firefox.exe		firefox.exe
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 68.0.1
2648	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3100.13.2114074647\491891171" -childID 2 -isForBrowser -prefsHandle 2772 -prefMapHandle 2776 -prefsLen 5996 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3100 "\\.\pipe\gecko-crash-server-pipe.3100" 2788 tab	C:\Program Files\Mozilla Firefox\firefox.exe		firefox.exe
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 68.0.1
3452	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3100.20.1381424292\2097594901" -childID 3 -isForBrowser -prefsHandle 3752 -prefMapHandle 3756 -prefsLen 7129 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3100 "\\.\pipe\gecko-crash-server-pipe.3100" 3768 tab	C:\Program Files\Mozilla Firefox\firefox.exe		firefox.exe
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 68.0.1


(PID) Process:	—	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Launcher
Value: 09AD521703000000
(PID) Process:	(3100) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Browser
Value: F311551703000000
(PID) Process:	(3100) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Telemetry
Value: 1
(PID) Process:	(3100) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(3100) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000

PID	Process	Filename		Type
3100	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin		—
		MD5:—	SHA256:—
3100	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js		—
		MD5:—	SHA256:—
3100	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp		—
		MD5:—	SHA256:—
3100	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm		—
		MD5:—	SHA256:—
3100	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm		—
		MD5:—	SHA256:—
3100	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp		—
		MD5:—	SHA256:—
3100	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js		text
		MD5:24541906B8228313DB6AD3DFC5A4F35B	SHA256:36A8E5E8355B283FBFF0BF12690C0FF5C91083182F652694FB4E70B4F44D0C2C
3100	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
3100	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\allow-flashallow-digest256.pset		cdxl
		MD5:076933FF9904D1110D896E2C525E39E5	SHA256:4CBBD8CA5215B8D161AEC181A74B694F4E24B001D5B081DC0030ED797A8973E0
3100	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4		jsonlz4
		MD5:6D378E0D40B6EACA22C8BCE899A1C5C1	SHA256:ADA2467B2477ACEFF837AC7820C435AD1EBBE844B2DA31C7AB9AE8D010C7A639

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3100	firefox.exe	POST	200	93.184.220.29:80	http://ocsp.digicert.com/	US	der	471 b	whitelisted
3100	firefox.exe	POST	200	93.184.220.29:80	http://ocsp.digicert.com/	US	der	471 b	whitelisted
3100	firefox.exe	POST	200	93.184.220.29:80	http://ocsp.digicert.com/	US	der	471 b	whitelisted
3100	firefox.exe	POST	200	172.217.17.67:80	http://ocsp.pki.goog/gts1o1	US	der	471 b	whitelisted
3100	firefox.exe	GET	200	104.84.152.177:80	http://detectportal.firefox.com/success.txt	NL	text	8 b	whitelisted
3100	firefox.exe	GET	200	104.84.152.177:80	http://detectportal.firefox.com/success.txt	NL	text	8 b	whitelisted
3100	firefox.exe	POST	200	93.184.220.29:80	http://ocsp.digicert.com/	US	der	471 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
3100	firefox.exe	40.90.22.191:443	lgin.msa.trafficmanager.net	Microsoft Corporation	US	malicious
3100	firefox.exe	35.162.117.80:443	tiles.services.mozilla.com	Amazon.com, Inc.	US	unknown
3100	firefox.exe	52.89.218.39:443	search.services.mozilla.com	Amazon.com, Inc.	US	unknown
3100	firefox.exe	52.41.171.126:443	push.services.mozilla.com	Amazon.com, Inc.	US	malicious
3100	firefox.exe	104.84.152.177:80	detectportal.firefox.com	Akamai International B.V.	NL	whitelisted
3100	firefox.exe	172.217.17.42:443	safebrowsing.googleapis.com	Google Inc.	US	whitelisted
3100	firefox.exe	52.84.90.120:443	snippets.cdn.mozilla.net	Amazon.com, Inc.	US	unknown
3100	firefox.exe	93.184.220.29:80	ocsp.digicert.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted
3100	firefox.exe	99.86.115.6:443	content-signature-2.cdn.mozilla.net	AT&T Services, Inc.	US	unknown
3100	firefox.exe	35.167.176.126:443	shavar.services.mozilla.com	Amazon.com, Inc.	US	unknown

Domain	IP	Reputation
detectportal.firefox.com	104.84.152.177	whitelisted
search.services.mozilla.com	52.89.218.39	whitelisted
push.services.mozilla.com	52.41.171.126	whitelisted
snippets.cdn.mozilla.net	52.84.90.120	whitelisted
tiles.services.mozilla.com	35.162.117.80	whitelisted
lgin.msa.trafficmanager.net	40.90.22.191	unknown
safebrowsing.googleapis.com	172.217.17.42	whitelisted
ocsp.pki.goog	172.217.17.67	whitelisted
ocsp.digicert.com	93.184.220.29	whitelisted
support.mozilla.org	34.213.134.214	whitelisted

General Info

https://lgin.msa.trafficmanager.net

2C1050A7B08142A528106F82815FEB89

BED5680980DBFFBF5597FF49A76CEB453358FC59

BD83B1B3C6E369A8E6BD3FEB15F698EF17967FE795872C1AB41C7FA8D1ACE8C5

3:N8CKLISx3ys:2Cuis

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Outlook phishing page detected

SUSPICIOUS

Creates files in the program directory

INFO

Reads CPU info

Application launched itself

Creates files in the user directory

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings