File name: | Natalie_Colgrave_has_shared_a_file_with_you.eml |
Full analysis: | https://app.any.run/tasks/104cf749-354b-4c3e-84a2-6840ae8e867f |
Verdict: | Malicious activity |
Analysis date: | January 11, 2019, 01:48:21 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | message/rfc822 |
File info: | RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators |
MD5: | 914C8508338772C90039DB82B6C49568 |
SHA1: | D51F4B509C8B61E2E0C17F82640D9D2A1961F15C |
SHA256: | CC6E2FBACEF75860C5605FBCFC31731C882EEC2CA575CED76D811B15E6CC9604 |
SSDEEP: | 192:j95/DeCXa0aH5NelL+m+m4PRWoYzhLmmnAzX0c7KgYFJkMv8Mn0uZC:j9BD4ZIJH+m45kwbXYQE0uA |
.eml | | | E-Mail message (Var. 5) (100) |
---|
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2896 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\Natalie_Colgrave_has_shared_a_file_with_you.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 Modules
| |||||||||||||||
2904 | "C:\Program Files\Internet Explorer\iexplore.exe" https://zzim.egnyte.com/dl/ycbaRVHSeq | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3660 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2904 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2908 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0 Exit code: 0 Version: 26,0,0,131 Modules
| |||||||||||||||
2716 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id 3660 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | iexplore.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Exit code: 0 Version: 15.23.20070.215641 Modules
| |||||||||||||||
2832 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id 3660 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | iexplore.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat Reader DC Exit code: 1 Version: 15.23.20070.215641 Modules
| |||||||||||||||
2332 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /id 3660 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | AcroRd32.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Exit code: 1 Version: 15.23.20070.215641 Modules
| |||||||||||||||
3188 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | AcroRd32.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe RdrCEF Exit code: 3221225547 Version: 15.23.20053.211670 Modules
| |||||||||||||||
3804 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3188.0.1109933787\252987491" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Exit code: 0 Version: 15.23.20053.211670 Modules
| |||||||||||||||
2724 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3188.1.841066505\188086996" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Exit code: 0 Version: 15.23.20053.211670 Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
2896 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR99C5.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2904 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2904 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3660 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\ycbaRVHSeq[1].txt | — | |
MD5:— | SHA256:— | |||
2896 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:3E39F3C9CAEED1349A47FBA764EC7410 | SHA256:051245D95B4041160EE11C46942CC898B2C7870AEEBBF991183E025B19C3D574 | |||
2896 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\logo[1].png | image | |
MD5:A3BC3599B218AA91FEF6158F41F7FCE8 | SHA256:47D0D2DF7B653110448516B5ACB62A673FBE664A7113B0D91C83B999A44FBE4E | |||
2896 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt | text | |
MD5:993382892032D73C5E14CD1D765EEC1B | SHA256:4375CF1023C5E4E415C4BC3F77A023B4275B5CF55BD36A66D1FDC5AABF7251AF | |||
2896 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_544BB3D1BDA21943882716055F6F378B.dat | xml | |
MD5:B21ED3BD946332FF6EBC41A87776C6BB | SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4 | |||
3660 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@egnyte[1].txt | text | |
MD5:D14AC41BA6F95BFBCC60074CAD401FAA | SHA256:A61743800B153A149EA8EBA92C13500525A2BEF96481E568C2CD8CD850D6D318 | |||
2896 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\download-icon-3[1].png | image | |
MD5:1DE523B8D0E26AC001825288EEB63CC7 | SHA256:F398063A8C254B74E8FE914BFC8C9311079FC54EA5EC9BBEAD5833BF491FEB7B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3660 | iexplore.exe | GET | — | 184.168.131.241:80 | http://go2l.ink/ObhjZ/1vik | US | — | — | shared |
3660 | iexplore.exe | GET | — | 184.168.131.241:80 | http://go2l.ink/1vik | US | — | — | shared |
2896 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3660 | iexplore.exe | GET | 302 | 184.168.131.241:80 | http://go2l.ink/1vik | US | — | — | shared |
3660 | iexplore.exe | GET | 200 | 216.222.194.40:80 | http://clinkpk.com/public/assets/files/converged.css | US | text | 99.8 Kb | suspicious |
3660 | iexplore.exe | GET | 200 | 216.222.194.40:80 | http://clinkpk.com/public/ | US | html | 254 b | suspicious |
3660 | iexplore.exe | GET | 200 | 216.222.194.40:80 | http://clinkpk.com/public/assets/files/prefetch_data/share.htm | US | html | 291 Kb | suspicious |
2904 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
3660 | iexplore.exe | GET | 200 | 216.222.194.40:80 | http://clinkpk.com/public/Login.php?sslchannel=true&sessionid=nrBnMPhHaJEn1Nq4h9hWw5mZ91RXyzTW1ujNkAvuk9SmWirdsJ9YOwYXxPU6oO2qildDWI8hR0EOj51LObKCHIAexvlWjnmCIAfFjnWaoBZIG0tvce8UWI9ueurxRNaAoq | US | html | 20.4 Kb | suspicious |
3660 | iexplore.exe | GET | 200 | 216.222.194.40:80 | http://clinkpk.com/public/assets/files/prefetch_data/prefetch.htm | US | html | 3.23 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2904 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3660 | iexplore.exe | 162.216.250.12:443 | zzim.egnyte.com | Bloomip Inc. | NL | unknown |
2896 | OUTLOOK.EXE | 162.216.250.12:443 | zzim.egnyte.com | Bloomip Inc. | NL | unknown |
2896 | OUTLOOK.EXE | 104.17.70.206:443 | pages.egnyte.com | Cloudflare Inc | US | shared |
2896 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
2904 | iexplore.exe | 162.216.250.12:443 | zzim.egnyte.com | Bloomip Inc. | NL | unknown |
3660 | iexplore.exe | 216.58.207.40:443 | ssl.google-analytics.com | Google Inc. | US | whitelisted |
3660 | iexplore.exe | 162.247.242.20:443 | bam.nr-data.net | New Relic | US | whitelisted |
3660 | iexplore.exe | 2.18.232.137:443 | r4.res.office365.com | Akamai International B.V. | — | whitelisted |
3660 | iexplore.exe | 35.186.241.51:443 | api.mixpanel.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
zzim.egnyte.com |
| unknown |
pages.egnyte.com |
| malicious |
www.bing.com |
| whitelisted |
ssl.google-analytics.com |
| whitelisted |
js-agent.newrelic.com |
| whitelisted |
bam.nr-data.net |
| whitelisted |
cdn.mxpnl.com |
| whitelisted |
api.mixpanel.com |
| whitelisted |
go2l.ink |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3344 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY Http Client Body contains passwd= in cleartext |
3344 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY Http Client Body contains passwd= in cleartext |