File name: | raw.eml |
Full analysis: | https://app.any.run/tasks/550d05ba-4722-4dc8-b7bc-ba59c453d0ee |
Verdict: | Malicious activity |
Analysis date: | October 05, 2022, 05:28:32 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF, LF line terminators |
MD5: | B5698B3AD272AC233DD40076B85F7BA4 |
SHA1: | 95E345ECA43926EB26B7DE04B5188B2660010DC8 |
SHA256: | 58892500A1D6E7058F4565698C764655C5CBCA4E142AE2BF5AB7D8C83E89B1F9 |
SSDEEP: | 384:T71oqjZvztRFGRMMynZnp/6YzaFEcR0CP+bQtDURKjaGqaPX6l6a0Iel3BUofgrx:T71oynZn1zkR0AHARw0z+hl3G0/TWqA5 |
.eml | | | E-Mail message (Var. 3) (100) |
---|
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3536 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\raw.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 Modules
| |||||||||||||||
2588 | "C:\Program Files\Internet Explorer\iexplore.exe" http://secure-web.cisco.com/1fBP5C6g9ZIcAwXLRzgzOjJuESRjFjDvcNxwJf61VJdPe57cttKKaCV5VIlT_m8tT6Tz46NfQU9qoEunl3KGeKBrfeIx9_qASETUncy7jR3mrsW6-BDL9GM2YKbeHhH-Ov4ViuEwQjZE9LD8c-y4ww8t76cuya7MiTLHX-I-aMKs5yn8P19lgKinmh-dQRMIwid-82DiMwwTtyLDMS5y4558ZMZdS8Ubapyela9j2bKnjazPcgyGeUmX7VZxHnuQv5g-0FH3G6jjyxoQpKvpoVmNAppJVDKuKvmr7tJXgGZF1Ux2wZyMFNZrSNEa383e53hGLdaSHU5o3W5ITfS4zNGpsjusZOVN47_9o_DTkTGQmhLzyTcXC_aew4euMbUlL9l0gWR555gq1BkxnOc80AeA8u3ky-ge-peTPj65K1s9p2r_HYoi_RJJZh47SbWcaAza-km0U44CQrdZgIzcgmqeXVqbzdgFCSK-jzpgF-qDFIHiOZQQSOYzVUjS3jqDH/http%3A%2F%2Fhoffentt.com%2F | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
1872 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2588 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3536 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRBEDD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3536 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
3536 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:8B54A0BC8C97C5CECB7EE742DFFEE058 | SHA256:BE6A153A56CE19EDA8E02543AA61949F8B485BB89F1C53C300738AE11AB1BFBE | |||
3536 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CE690500.dat | image | |
MD5:2925EB6713D84C3F6957EBE65DC5896F | SHA256:66B2B9A79AD723226AC33455FB97272D3F8C320502D9DBF08235EBCB8B984D86 | |||
3536 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:B407FACAC091738B83DD6130C2A979C6 | SHA256:507D229DC8BCFBE1D6A6198102B14645E14E65F91BB3192E590708587570BA69 | |||
2588 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | binary | |
MD5:FFED0E1D5B8B4533A5969F1FA6DF4738 | SHA256:A5E033CBB120A6A9073D6B7106D936E7BABDB96851EA1B0819410DED5E70B412 | |||
2588 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:8522E8A9D2E24FDC0D09CE506F027C91 | SHA256:CBBD313B38338CB323FCEDFD4D6D12AF8D7CE727B4D94249CE2DA0354D562CE5 | |||
3536 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 | |||
3536 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TCPrefs_2_FD45A01A0F6CBE4495EDEBFCCFE2023B.dat | xml | |
MD5:F194B1FA12F9B6F46A47391FAE8BEEC2 | SHA256:FCD8D7E030BE6EA7588E5C6CB568E3F1BDFC263942074B693942A27DF9521A74 | |||
3536 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_4CA33CE50F7D5241AD597E02E7170597.dat | xml | |
MD5:B21ED3BD946332FF6EBC41A87776C6BB | SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1872 | iexplore.exe | GET | 302 | 146.112.255.69:80 | http://secure-web.cisco.com/1fBP5C6g9ZIcAwXLRzgzOjJuESRjFjDvcNxwJf61VJdPe57cttKKaCV5VIlT_m8tT6Tz46NfQU9qoEunl3KGeKBrfeIx9_qASETUncy7jR3mrsW6-BDL9GM2YKbeHhH-Ov4ViuEwQjZE9LD8c-y4ww8t76cuya7MiTLHX-I-aMKs5yn8P19lgKinmh-dQRMIwid-82DiMwwTtyLDMS5y4558ZMZdS8Ubapyela9j2bKnjazPcgyGeUmX7VZxHnuQv5g-0FH3G6jjyxoQpKvpoVmNAppJVDKuKvmr7tJXgGZF1Ux2wZyMFNZrSNEa383e53hGLdaSHU5o3W5ITfS4zNGpsjusZOVN47_9o_DTkTGQmhLzyTcXC_aew4euMbUlL9l0gWR555gq1BkxnOc80AeA8u3ky-ge-peTPj65K1s9p2r_HYoi_RJJZh47SbWcaAza-km0U44CQrdZgIzcgmqeXVqbzdgFCSK-jzpgF-qDFIHiOZQQSOYzVUjS3jqDH/http%3A%2F%2Fhoffentt.com%2F | unknown | — | — | whitelisted |
3536 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
1872 | iexplore.exe | GET | 200 | 172.64.155.188:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 2.18 Kb | whitelisted |
1872 | iexplore.exe | GET | 200 | 104.18.32.68:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 1.42 Kb | whitelisted |
1872 | iexplore.exe | GET | 200 | 34.96.116.138:80 | http://hoffentt.com/ | US | html | 22.5 Kb | suspicious |
1872 | iexplore.exe | GET | 200 | 142.250.185.179:80 | http://www.imcreator.com/js/xprs_helper.js?v=1.5.8d | US | text | 10.5 Kb | whitelisted |
2588 | iexplore.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7fa825505fc751a4 | US | compressed | 4.70 Kb | whitelisted |
2588 | iexplore.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4e6177a654e2d7cf | US | compressed | 4.70 Kb | whitelisted |
1872 | iexplore.exe | GET | 200 | 172.217.18.3:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted |
1872 | iexplore.exe | GET | 200 | 142.250.185.179:80 | http://www.imcreator.com/all_js.js?v=1.5.8d | US | text | 14.1 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 146.112.255.69:80 | secure-web.cisco.com | OPENDNS | US | suspicious |
2588 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
2588 | iexplore.exe | 13.107.21.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2588 | iexplore.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted |
1872 | iexplore.exe | 34.96.116.138:80 | hoffentt.com | GOOGLE | US | malicious |
— | — | 192.168.100.2:53 | — | — | — | whitelisted |
3536 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
— | — | 142.250.185.179:80 | www.imcreator.com | GOOGLE | US | malicious |
— | — | 172.217.18.20:443 | imos006-dot-im--os.appspot.com | GOOGLE | US | whitelisted |
1872 | iexplore.exe | 146.112.255.69:80 | secure-web.cisco.com | OPENDNS | US | suspicious |
Domain | IP | Reputation |
---|---|---|
www.microsoft.com |
| whitelisted |
config.messenger.msn.com |
| whitelisted |
secure-web.cisco.com |
| whitelisted |
hoffentt.com |
| suspicious |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
www.youtube.com |
| whitelisted |
imos006-dot-im--os.appspot.com |
| suspicious |