Field | Value |
---|---|
File name | FW In_Voice RDSP-953810 from Christine S. Wilson.msg |
Full analysis | https://app.any.run/tasks/4256dee2-a6df-466a-b799-a26e103f8579 |
Verdict | Malicious activity |
Analysis date | August 12, 2022, 14:02:22 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Indicators | |
MIME | application/vnd.ms-outlook |
File info | CDFV2 Microsoft Outlook Message |
MD5 | EF3052FAB2AE98CDE1C0123C5F1CA7B0 |
SHA1 | B38CDD1AC1AA0BF63648F7583FFA310B93A9A5D1 |
SHA256 | C4B6B303CA4EB913AE1B2CA7966CDED13A5AD0A0F177EF9144D430925803EC12 |
SSDEEP | 6144:QFXXcEisufS0zRjQWeerw/6X5pdmRBR7csV2iUgUadiCj6G8dKsbhBGZXS:uQX+zeM6X5pxE0RamdKihIBS |

Extension | Identified type (score) |
---|---|
.msg | Outlook Message (58.9) |
.oft | Outlook Form Template (34.4) |

PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
---|---|---|---|---|---|---|---|---|---|---|
2732 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\Desktop\FW In_Voice RDSP-953810 from Christine S. Wilson.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | | Explorer.EXE | admin | Microsoft Corporation | MEDIUM | Microsoft Outlook | | 14.0.4760.1000 |
2624 | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | C:\Windows\system32\DllHost.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | COM Surrogate | | 6.1.7600.16385 (win7_rtm.090713-1255) |
3016 | "C:\Program Files\Opera x64\Opera.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\XOU2R0KB\Untitled attachment 00887.png" | C:\Program Files\Opera x64\Opera.exe | | OUTLOOK.EXE | admin | Opera Software | MEDIUM | Opera Internet Browser | 0 | 1748 |
2900 | "C:\Program Files\Opera x64\pluginwrapper\opera_plugin_wrapper.exe" -newprocess "3016 2 0 1 2" -logfolder "C:\Users\admin\AppData\Local\Opera\Opera x64\logs" | C:\Program Files\Opera x64\pluginwrapper\opera_plugin_wrapper.exe | — | Opera.exe | admin | Opera Software | MEDIUM | Opera Internet Browser plugin wrapper | 0 | 1748 |
384 | "C:\Program Files\Opera x64\pluginwrapper\opera_plugin_wrapper_32.exe" -newprocess "3016 5 0 1 3" -logfolder "C:\Users\admin\AppData\Local\Opera\Opera x64\logs" | C:\Program Files\Opera x64\pluginwrapper\opera_plugin_wrapper_32.exe | — | Opera.exe | admin | Opera Software | MEDIUM | Opera Internet Browser plugin wrapper | 0 | 1748 |
3040 | "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\XOU2R0KB\MUDX-91370.pdf" | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | | OUTLOOK.EXE | admin | Adobe Systems Incorporated | MEDIUM | Adobe Acrobat Reader DC | | 15.7.20033.133275 |
2356 | "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --channel=3040.0.1171351085 --type=renderer "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\XOU2R0KB\MUDX-91370.pdf" | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | AcroRd32.exe | admin | Adobe Systems Incorporated | LOW | Adobe Acrobat Reader DC | | 15.7.20033.133275 |
1740 | "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | | AcroRd32.exe | admin | Adobe Systems Incorporated | MEDIUM | Adobe RdrCEF | | 15.7.20033.133275 |
1660 | "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-delegated-renderer --disable-desktop-notifications --disable-file-system --disable-shared-workers --disable-speech-input --disable-threaded-compositing --disable-webaudio --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.7.20033 Chrome/35.0.1916.138" --disable-accelerated-compositing --disable-accelerated-video-decode --enable-software-compositing --disable-gpu-compositing --channel="1740.0.816148788\1355740763" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe | admin | Adobe Systems Incorporated | MEDIUM | Adobe RdrCEF | | 15.7.20033.133275 |
472 | "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-delegated-renderer --disable-desktop-notifications --disable-file-system --disable-shared-workers --disable-speech-input --disable-threaded-compositing --disable-webaudio --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.7.20033 Chrome/35.0.1916.138" --disable-accelerated-compositing --disable-accelerated-video-decode --enable-software-compositing --disable-gpu-compositing --channel="1740.1.1584375898\1655501671" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe | admin | Adobe Systems Incorporated | MEDIUM | Adobe RdrCEF | | 15.7.20033.133275 |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2732 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRA60F.tmp.cvr | — | — | — |
2732 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | — | — |
2624 | DllHost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat | — | — | — |
2732 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 556416F7C0BA4E2CDC8970710C2A70CF | 5562CDB84A1D0345AEF011ABB7676B1A8BAA678E02CA07E6130D0855F5C0A80F |
2732 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | E827D141C1F5702DBEB8AB4BE8264294 | C4B0654F72A22DC52C31796E7DD1850B667ED6A485709060A5B571E1C3C80632 |
2624 | DllHost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk | binary | 3DA00FFBA5690F6AF13370F00CAE5A17 | FD0449A09A4627216BFABE3DB5243B0DB1818F01ACD3E617AD075668D5D3D011 |
2624 | DllHost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\V01.log | binary | 5E3C6B74D1FD73C5D74C3871945A55DB | B6CB57DE1A5EBF078CFCD4EBC2630DB260D2F2A377D0AEA280B603DC0E8A8CF9 |
2732 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{618A5148-5995-4875-809A-2812E16BB9AF}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | 4C61C12EDBC453D7AE184976E95258E1 | 296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F |
2732 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_327410CC4A27D64FBD5D8A9661761A3B.dat | xml | EEAA832C12F20DE6AAAA9C7B77626E72 | C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16 |
2732 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_96463C522335D54BB296B2DC9C08181D.dat | xml | D8B37ED0410FB241C283F72B76987F18 | 31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2732 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3016 | Opera.exe | GET | 200 | 172.217.16.131:80 | http://crl.pki.goog/gsr1/gsr1.crl | US | der | 1.70 Kb | whitelisted |
3040 | AcroRd32.exe | GET | 304 | 23.48.23.54:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/278.zip | US | — | — | whitelisted |
3040 | AcroRd32.exe | GET | 304 | 23.48.23.54:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277.zip | US | — | — | whitelisted |
3016 | Opera.exe | GET | 200 | 142.250.185.163:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEBp9LmS70lPuCr4VsgvV1T0%3D | US | der | 471 b | whitelisted |
3040 | AcroRd32.exe | GET | 304 | 23.48.23.54:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280.zip | US | — | — | whitelisted |
— | — | HEAD | 200 | 23.48.23.41:80 | http://ardownload.adobe.com/pub/adobe/reader/win/AcrobatDC/1502320070/AcroRdrDCUpd1502320070_MUI.msp | US | — | — | whitelisted |
3040 | AcroRd32.exe | GET | 304 | 23.48.23.54:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281.zip | US | — | — | whitelisted |
3016 | Opera.exe | GET | 200 | 172.217.16.131:80 | http://crl.pki.goog/gtsr1/gtsr1.crl | US | der | 760 b | whitelisted |
3016 | Opera.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 592 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3016 | Opera.exe | 185.26.182.93:443 | certs.opera.com | Opera Software AS | — | whitelisted |
2732 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
— | — | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
3016 | Opera.exe | 142.250.186.100:443 | www.google.com | Google Inc. | US | whitelisted |
3016 | Opera.exe | 172.217.16.131:80 | crl.pki.goog | Google Inc. | US | whitelisted |
1740 | RdrCEF.exe | 34.199.101.34:443 | cloud.acrobat.com | Amazon.com, Inc. | US | suspicious |
3016 | Opera.exe | 142.250.185.163:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
3040 | AcroRd32.exe | 23.48.23.54:80 | acroipm2.adobe.com | TRUE INTERNET Co.,Ltd. | US | suspicious |
3016 | Opera.exe | 93.184.220.29:80 | crl3.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
— | — | 23.48.23.41:80 | ardownload.adobe.com | TRUE INTERNET Co.,Ltd. | US | malicious |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com | | whitelisted |
www.google.com | | whitelisted |
certs.opera.com | | whitelisted |
crl.pki.goog | | whitelisted |
ocsp.pki.goog | | whitelisted |
crl3.digicert.com | | whitelisted |
cloud.acrobat.com | | whitelisted |
acroipm2.adobe.com | | whitelisted |
armmf.adobe.com | | whitelisted |
ardownload.adobe.com | | whitelisted |

PID | Process | Class | Message |
---|---|---|---|
1952 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
1952 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
Process | Message |
---|---|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll |
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled |
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093 |