Field | Value
---|---
File name | Multiple ISOnet User IDs Clean up ref_00D301Oe1._5004S3vDMmref .msg
Full analysis | https://app.any.run/tasks/d865ba25-07b4-48bb-8a5b-7d68e82c600c
Verdict | Malicious activity
Analysis date | October 05, 2022, 07:12:43
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | —
MIME | application/vnd.ms-outlook
File info | CDFV2 Microsoft Outlook Message
MD5 | 8FD44658FF56D8DDE60AB6BE2B1FDCC5
SHA1 | DFD087C564E50875C76CADB1115BD8DB12EB4F92
SHA256 | 6708A97D637C211D54A6069141B278B7580824610A228381C3519FD976C56EBC
SSDEEP | 1536:hhKBYeeeeKB3eeeeK8IeSedB+eeeedBLeeeedBDeeeeKLVTcQJgWaWKT7dZhErjy:rE7STRfE9i1
Extension | Description | TrID score
---|---|---
.msg | Outlook Message | 58.9
.oft | Outlook Form Template | 34.4
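The file type and hashes above are the only static IOCs this report gives. The following triage helper is an added example, not part of the ANY.RUN report: it checks whether a file on disk is an OLE2/CDFV2 container (the format a .msg uses, as the MIME and TrID results show) by parsing the Compound File header, hashes it with MD5/SHA1/SHA256, and compares the digests against the report's values. Only the Python standard library is used; the `build_fake_ole_header` input is a constructed, empty CFB header for offline testing, not the sample itself.

```python
"""Added triage helper (not part of the ANY.RUN report): OLE2 header check plus
hash comparison against the IOCs listed above. Standard library only."""
import hashlib
import struct
import sys

# Hashes copied from the report header above (lower-cased for comparison).
REPORT_IOCS = {
    "md5": "8fd44658ff56d8dde60ab6be2b1fdcc5",
    "sha1": "dfd087c564e50875c76cadb1115bd8db12eb4f92",
    "sha256": "6708a97d637c211d54a6069141b278b7580824610a228381c3519fd976c56ebc",
}

# Compound File Binary Format signature (what `file` reports as "CDFV2").
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def hash_bytes(data: bytes) -> dict:
    """Return lower-case hex MD5/SHA1/SHA256 digests of `data`."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def parse_ole_header(data: bytes):
    """Parse the 512-byte CFB header; return None if `data` is not OLE2.

    Layout (MS-CFB 2.2): signature @0 (8 bytes), CLSID @8 (16), minor version
    @24 (2), major version @26 (2), byte order @28 (2), sector shift @30 (2).
    """
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return None
    minor, major, byte_order, sector_shift = struct.unpack_from("<HHHH", data, 24)
    if byte_order != 0xFFFE:  # only little-endian CFB files exist in practice
        return None
    return {
        "major_version": major,
        "minor_version": minor,
        "sector_size": 1 << sector_shift,  # 512 for v3, 4096 for v4
    }


def triage_bytes(data: bytes, iocs: dict = REPORT_IOCS) -> dict:
    """Classify `data` and report which of the known IOC hashes it matches."""
    hashes = hash_bytes(data)
    header = parse_ole_header(data)
    matched = sorted(
        name for name, value in iocs.items() if hashes.get(name) == value.lower()
    )
    if matched:
        verdict = "known-bad (hash match)"
    elif header:
        verdict = "OLE2 container, unknown hash"
    else:
        verdict = "not an OLE2 file"
    return {
        "is_ole2": header is not None,
        "ole_header": header,
        "hashes": hashes,
        "ioc_matches": matched,
        "verdict": verdict,
    }


def triage_file(path: str) -> dict:
    """Read a file from disk and triage it (hashes the whole file, not a prefix)."""
    with open(path, "rb") as fh:
        return triage_bytes(fh.read())


def build_fake_ole_header() -> bytes:
    """Constructed test input: a minimal, empty CFB v3 header. Not real malware."""
    hdr = bytearray(512)
    hdr[:8] = OLE2_MAGIC
    # minor 0x003E, major 3, byte order 0xFFFE, sector shift 9 (512-byte sectors)
    struct.pack_into("<HHHH", hdr, 24, 0x003E, 0x0003, 0xFFFE, 0x0009)
    return bytes(hdr)


if __name__ == "__main__":
    # Usage: python triage_msg.py <file> [<file> ...]
    for p in sys.argv[1:]:
        print(p, triage_file(p))
```

A hash match is a positive identification of this exact sample; an OLE2 verdict with an unknown hash only says the file is a CFB container (Outlook .msg, legacy Office documents and several other formats share it), so it is a reason to look further, not a verdict on its own.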
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
676 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Multiple ISOnet User IDs Clean up ref_00D301Oe1._5004S3vDMmref .msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | Explorer.EXE
3220 | C:\Windows\system32\SearchIndexer.exe /Embedding | C:\Windows\system32\SearchIndexer.exe | — | services.exe
3740 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1302019708-1500728564-335382590-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1302019708-1500728564-335382590-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1" | C:\Windows\system32\SearchProtocolHost.exe | — | SearchIndexer.exe
2104 | "C:\Windows\system32\SearchFilterHost.exe" 0 520 524 532 65536 528 | C:\Windows\system32\SearchFilterHost.exe | — | SearchIndexer.exe
2832 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\system32\SearchProtocolHost.exe | — | SearchIndexer.exe

PID | User | Integrity level | Company | Description | Version
---|---|---|---|---|---
676 | admin | MEDIUM | Microsoft Corporation | Microsoft Outlook | 14.0.6025.1000
3220 | SYSTEM | SYSTEM | Microsoft Corporation | Microsoft Windows Search Indexer | 7.00.7600.16385 (win7_rtm.090713-1255)
3740 | admin | MEDIUM | Microsoft Corporation | Microsoft Windows Search Protocol Host | 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
2104 | SYSTEM | MEDIUM | Microsoft Corporation | Microsoft Windows Search Filter Host | 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
2832 | SYSTEM | SYSTEM | Microsoft Corporation | Microsoft Windows Search Protocol Host | 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)

Only PID 676 (OUTLOOK.EXE, launched by Explorer.EXE to open the sample) belongs to the sample's execution; no process is recorded as a child of Outlook. PIDs 3220, 3740, 2104 and 2832 are the Windows Search service and its indexing hosts, parented by services.exe and SearchIndexer.exe, reacting to the files Outlook wrote.
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
676 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR974F.tmp.cvr | — | — | —
676 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | — | —
676 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | AFD7D56819BE1A2FD8DD5344B3832613 | EC417556E648DCBB44AFF2E6BCA6681C0CA49AA6656260601ACEDB77DE67928F
676 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | AA826E462FC2C851B07D48B5A5236DAE | 612037FB1B6686D0136E2ACAE2B01F0F9072E5B27BEA8767B12503F6FA94E25D
3220 | SearchIndexer.exe | C:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010011.dir | binary | 0512B0DD84145F0B91F2711A3B4ABB40 | CD63C0C766D91BC404A4CA2B839D0863441C3C4C245B4EB29BC013D63B5141EE
3220 | SearchIndexer.exe | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log | binary | C2D0F3E51867260A082FE4A27F16F870 | D3B401C613D4E4905442FF25C98B32C26867CB81E94B325243538B175FBC3C88
3220 | SearchIndexer.exe | C:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010011.ci | binary | C4544EB582EA3314A9883C1509B77D79 | 9AD34C97BE9A2C37005092B08352E8507C72DFAD3F6E02C241C779C4BC5B4789
676 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TCPrefs_2_631E8C29C28D1C408A24B5BD78B761F0.dat | xml | F194B1FA12F9B6F46A47391FAE8BEEC2 | FCD8D7E030BE6EA7588E5C6CB568E3F1BDFC263942074B693942A27DF9521A74
676 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_332054CC0CB3524C97A3BC4957AA8143.dat | xml | BBCF400BD7AE536EB03054021D6A6398 | 383020065C1F31F4FB09F448599A6D5E532C390AF4E5B8AF0771FE17A23222AD
676 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_A5CE06CBB17D2A4D8D9D92D1C0606C06.dat | xml | B21ED3BD946332FF6EBC41A87776C6BB | B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4
PID | Process | Method | HTTP Code | IP | URL | Country | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
676 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted
PID | Process | IP | Domain | ASN | Country | Reputation
---|---|---|---|---|---|---
676 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
— | — | 192.168.100.2:53 | — | — | — | whitelisted
Domain | IP | Reputation
---|---|---
www.microsoft.com | — | whitelisted
config.messenger.msn.com | — | whitelisted