File name: | invite.ics |
Full analysis: | https://app.any.run/tasks/f3c18ba0-8f38-4876-a083-b21971ed36fb |
Verdict: | Malicious activity |
Analysis date: | October 04, 2022, 21:21:25 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/calendar |
File info: | vCalendar calendar file |
MD5: | 2267A2D81F027CCE26405CE781070D19 |
SHA1: | 80C2AA727E9C0E878D63510D978EE2E798D49FA3 |
SHA256: | 22C85532B8798E080534070E8D128BCCAEC45D00E46EAD490FE968811017EA21 |
SSDEEP: | 48:EgfozMQQX2YPppf0EDXkF1InxwHNR+Iq9p5OUOMycqGJs:EgfoxQtHfxLqwwtR+p9VtqGJs |
.ics/vcs | | | iCalendar - vCalendar (100) |
---|
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1160 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /ical "C:\Users\admin\AppData\Local\Temp\invite.ics" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 Modules
| |||||||||||||||
3984 | "C:\Program Files\Internet Explorer\iexplore.exe" https://teams.microsoft.com/l/meetup-join/19%3ameeting_ZmMyYzNkYTMtODJjNC00OGIzLTg3YmQtOTYyMjNhZmZiZTM5%40thread.v2/0?context=%7b%22Tid%22%3a%227f786e85-2b61-4bbe-a796-71e91e5e7e38%22%2c%22Oid%22%3a%22e332548b-bf8e-4b01-8ad0-68494620df96%22%7d | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
944 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3984 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
588 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\TeamsSetup_s_8DAA64EE8EAC579-3-0_c_w_.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\TeamsSetup_s_8DAA64EE8EAC579-3-0_c_w_.exe | iexplore.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Installer for Squirrel-based applications Exit code: 0 Version: 1.4.4.0 Modules
| |||||||||||||||
592 | "C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=TeamsSetup_s_8DAA64EE8EAC579-3-0_c_w_.exe --bootstrapperMode | C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe | TeamsSetup_s_8DAA64EE8EAC579-3-0_c_w_.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Teams Exit code: 0 Version: 3.0.4.0 Modules
| |||||||||||||||
2276 | "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch; | C:\Windows\SYSTEM32\WISPTIS.EXE | — | Update.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Pen and Touch Input Component Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3088 | "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch; | C:\Windows\SYSTEM32\WISPTIS.EXE | Update.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Pen and Touch Input Component Exit code: 24 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3160 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | Explorer.EXE | ||||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 86.0.4240.198 Modules
| |||||||||||||||
3276 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=86.0.4240.198 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x66ced988,0x66ced998,0x66ced9a4 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 86.0.4240.198 Modules
| |||||||||||||||
2464 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1036,14678372788603869326,3946627528915566078,131072 --enable-features=PasswordImport --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1048 /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 86.0.4240.198 Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
1160 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR98C6.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1160 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
1160 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\be71009ff8bb02a2.customDestinations-ms | binary | |
MD5:7E0F6D9C4BE2FD31696140FD1A314637 | SHA256:DA3B385915E8D30CB180B4F7DE4D7B3AE38C5261B738CA1FCCFF0A9947E614CB | |||
1160 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DFE7EDE971D29B4B63.TMP | gmc | |
MD5:3DBF6EF3C5023EB50C5952A2D5041D65 | SHA256:CB6BD0BBF4386FADDCFEE1F53D0F8EAE1E21282DDA90B2C5AC59E6F1666E696A | |||
1160 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9SYD2G1TFBD5WEIIH0TI.temp | binary | |
MD5:7E0F6D9C4BE2FD31696140FD1A314637 | SHA256:DA3B385915E8D30CB180B4F7DE4D7B3AE38C5261B738CA1FCCFF0A9947E614CB | |||
1160 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DF3D4723E75DC97A2A.TMP | oft | |
MD5:D5AD9A80E5AD18DE1546BABB08DC60B3 | SHA256:0FAD7D5806B77375B0F875D2EAE83FFC0136B52FB750672B22B38FB3E37F77F3 | |||
1160 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:AA3A0175B4854A2FD3D6F4610D78E4D5 | SHA256:9E325C03E0720CDBA73A19179AD00F559CBDC9EAE707A670D78626862EB74D14 | |||
1160 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DF00C35B0CE8FFDD8F.TMP | binary | |
MD5:CFF23A288AC92FA3FDC7323A4271184C | SHA256:840FDE6D59B666B6A6C913B6F475E87BE1668DE70ADD0C93BEE9A662040D2510 | |||
1160 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook.lnk | lnk | |
MD5:301F671CC17AF078AC9A373BB2430E6D | SHA256:8D2A3C21C2A78050CDF58078ED973025CA0E86B8895D0FCB0889B0D0AD7ACE0C | |||
1160 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:3EB0A7F1D1294DEE10A4DD6740662E9F | SHA256:772E7D7F2B3469610B61F0205DD9FC7C0816B5B8A52A1238C3F45AE166D788E6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1160 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
944 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | US | der | 471 b | whitelisted |
3984 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted |
3764 | chrome.exe | GET | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | crx | 242 Kb | whitelisted |
944 | iexplore.exe | GET | 200 | 23.216.77.69:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1c3e076ed021c716 | US | compressed | 4.70 Kb | whitelisted |
944 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
3984 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D | US | der | 471 b | whitelisted |
944 | iexplore.exe | GET | 200 | 23.216.77.69:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7caa18904c3c839a | US | compressed | 4.70 Kb | whitelisted |
944 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D | US | der | 471 b | whitelisted |
880 | svchost.exe | HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3 | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3984 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
1160 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
944 | iexplore.exe | 52.113.194.132:443 | teams.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | suspicious |
944 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
3984 | iexplore.exe | 23.216.77.69:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | suspicious |
3984 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
944 | iexplore.exe | 23.216.77.69:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | suspicious |
592 | Update.exe | 52.113.194.132:443 | teams.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | suspicious |
3984 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | EDGECAST | US | whitelisted |
3984 | iexplore.exe | 96.16.143.41:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
teams.microsoft.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
statics.teams.cdn.office.net |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
browser.pipe.aria.microsoft.com |
| whitelisted |
Process | Message |
---|---|
Update.exe | Update.exe Information: 0 : |
Update.exe | Starting TelemetryManager constructor
|
Update.exe | Update.exe Information: 0 : |
Update.exe | TelemetryManagerImpl creation started
|
Update.exe | Update.exe Information: 0 : |
Update.exe | Performance counters are disabled. Skipping creation of counters category.
|
Update.exe | Update.exe Information: 0 : |
Update.exe | RecordBatcherTask with ID 4 started.
|
Update.exe | Update.exe Information: 0 : |
Update.exe | DataPackageSender with UserAgent name: AST-exe-C#, version: 3.0.4.0, [Ast_Default_Source]
|