File name: | {Possible Spam } DX1 sales invoice numbered SIN023731.msg |
Full analysis: | https://app.any.run/tasks/51241a51-b03d-4e63-a795-b161625868e0 |
Verdict: | Malicious activity |
Analysis date: | September 19, 2019, 10:28:05 |
OS: | Windows 10 Professional (build: 16299, 64 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | C0DED4885F2A18F098B0C2469CEA6BFA |
SHA1: | 83C0B2A4F613360196FF30B8B2D57C70E5B53D92 |
SHA256: | AF4E8C39434C261A1C0BB0DEEEAD1D15AB8C609EBD4101CC5C82E2BE90EB0B0B |
SSDEEP: | 192:PthgzAM3zWoSyY3TAi/IARyuUuRuhu27jNR8R9+7RJ/3RsXhIjQxiA:Fh6AMDbmLY7ZR8R9mAhIjQIA |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
5692 | "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\admin\Desktop\{Possible Spam } DX1 sales invoice numbered SIN023731.msg" | C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 16.0.11328.20158 | ||||
5856 | C:\WINDOWS\system32\OpenWith.exe -Embedding | C:\WINDOWS\system32\OpenWith.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) | ||||
3864 | "C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca | C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 1 Version: 11.00.16299.402 (WinBuild.160101.0800) | ||||
2060 | C:\WINDOWS\system32\browser_broker.exe -Embedding | C:\WINDOWS\system32\browser_broker.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Browser_Broker Exit code: 2147500037 Version: 11.00.16299.15 (WinBuild.160101.0800) | ||||
3308 | C:\Windows\System32\RuntimeBroker.exe -Embedding | C:\Windows\System32\RuntimeBroker.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Runtime Broker Version: 10.0.16299.15 (WinBuild.160101.0800) | ||||
4856 | "C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca | C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Content Process Exit code: 0 Version: 11.00.16299.402 (WinBuild.160101.0800) | ||||
1932 | "C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca | C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Content Process Exit code: 1 Version: 11.00.16299.402 (WinBuild.160101.0800) | ||||
4924 | "C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca | C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Content Process Exit code: 0 Version: 11.00.16299.402 (WinBuild.160101.0800) | ||||
3060 | "C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca | C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Content Process Exit code: 0 Version: 11.00.16299.402 (WinBuild.160101.0800) | ||||
6340 | C:\Windows\System32\RuntimeBroker.exe -Embedding | C:\Windows\System32\RuntimeBroker.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Runtime Broker Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3864 | MicrosoftEdge.exe | C:\Users\admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb | — | |
MD5:— | SHA256:— | |||
3864 | MicrosoftEdge.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm | — | |
MD5:— | SHA256:— | |||
3864 | MicrosoftEdge.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb | — | |
MD5:— | SHA256:— | |||
5692 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\.session64 | binary | |
MD5:009421AB095EA93CB203D86BC0D3C271 | SHA256:5F515070358AB278B2D83EABF5E95654FE250DB25A10D995FFF4AEEB215D3B92 | |||
1932 | MicrosoftEdgeCP.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\XFX9M9IP\EDJH21KJ.htm | html | |
MD5:F4F07309889944887356724D85636A89 | SHA256:54BDEC9710CD07F2FE1ECC84E821A5A15C87DB84FE2D23BECEE164614A5044B8 | |||
1932 | MicrosoftEdgeCP.exe | C:\Users\admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\AD2SZ9CR\materialize.min[1].css | text | |
MD5:B26ACC100B5E8D84F6992D3E6574089F | SHA256:06FAB51359128393A5F3BD6F0E6E625B05EC10E61D74075FD37185FFC15FF8DD | |||
5692 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:D5C55E74BDF199237AE8C3D308DB1B4A | SHA256:257A0AD8A32FFFD7BF6AE66506AEE645D39B5CB857319D1C054A284E50289B04 | |||
5692 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_WorkHours_1_DBE94A85F8649B4FBBEA7ED958BFE171.dat | xml | |
MD5:807EF0FC900FEB3DA82927990083D6E7 | SHA256:4411E7DC978011222764943081500FFF0E43CBF7CCD44264BD1AB6306CA68913 | |||
5692 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\B3B1D48C-0BB4-4B94-B090-8ACB7C7CDFD0 | xml | |
MD5:0D84D45768BC47DB6E02CEA847391252 | SHA256:46CCC4FE927BD7F4FE2333FFE83C96BA17ECB1A8BAC31C118BEDD65977DEDA3C | |||
1932 | MicrosoftEdgeCP.exe | C:\Users\admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LCEF4J41\bootstrap[1].css | text | |
MD5:EA6EC4F237685BD28936CB2EC8B8061B | SHA256:3918856FA4F25004BEABBDB1B37AC553E8DA7A8BD4A2DD3186A66EC2C23C4A58 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 302 | 31.192.213.23:80 | http://es.kuvve.net/class.php | TR | — | — | unknown |
5692 | OUTLOOK.EXE | GET | 200 | 13.107.3.128:443 | https://config.edge.skype.com/config/v1/Office/16.0.11328.20158?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=outlook&Platform=win32&Version=16.0.11328.20158&MsoVersion=16.0.11328.20156&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7b873062D3-EFB2-4A70-AAF7-8E8A4BABAF1B%7d&LabMachine=false | US | text | 56.6 Kb | whitelisted |
2676 | SearchProtocolHost.exe | GET | 200 | 13.107.3.128:443 | https://config.edge.skype.com/config/v1/Office/0.0.0.0?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=unknown_app&Platform=win32&Version=0.0.0.0&MsoVersion=16.0.11328.20156&Audience=Production&Build=ship&Architecture=x64&Language=en-US&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7b4399FFDF-826C-432E-A216-9B40C1CE3029%7d&LabMachine=false | US | text | 5.44 Kb | whitelisted |
2676 | SearchProtocolHost.exe | GET | 204 | 52.109.8.20:443 | https://nexusrules.officeapps.live.com/nexus/rules?Application=searchprotocolhost.exe&Version=7.0.16299.402&ClientId=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&OSEnvironment=10&MsoAppId=-2&AudienceName=Production&AudienceGroup=Production&AppVersion=7.0.16299.402& | US | — | — | whitelisted |
— | — | GET | 200 | 23.20.248.43:443 | https://docparser.com/css/fontawesome5/fontawesome-pro-light.css | US | text | 553 b | unknown |
— | — | GET | 200 | 23.20.248.43:443 | https://docparser.com/ | US | html | 37.4 Kb | unknown |
— | — | GET | 200 | 23.20.248.43:443 | https://docparser.com/css/fontawesome5/fontawesome-pro-regular.css | US | text | 569 b | unknown |
— | — | GET | 200 | 23.20.248.43:443 | https://docparser.com/img/logo.png | US | image | 13.1 Kb | unknown |
— | — | GET | 200 | 23.20.248.43:443 | https://docparser.com/css/fontawesome5/fontawesome-pro-core.css | US | text | 36.8 Kb | unknown |
— | — | GET | 200 | 23.20.248.43:443 | https://docparser.com/css/materialize.min.css | US | text | 115 Kb | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2676 | SearchProtocolHost.exe | 52.109.8.20:443 | nexusrules.officeapps.live.com | Microsoft Corporation | US | whitelisted |
5692 | OUTLOOK.EXE | 52.114.158.53:443 | self.events.data.microsoft.com | Microsoft Corporation | US | whitelisted |
5692 | OUTLOOK.EXE | 13.107.3.128:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted |
5464 | svchost.exe | 40.90.137.124:443 | login.live.com | Microsoft Corporation | US | unknown |
— | — | 31.192.213.23:80 | es.kuvve.net | Netinternet Bilisim Teknolojileri AS | TR | unknown |
2676 | SearchProtocolHost.exe | 13.107.3.128:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted |
— | — | 172.217.18.106:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
5692 | OUTLOOK.EXE | 52.109.8.20:443 | nexusrules.officeapps.live.com | Microsoft Corporation | US | whitelisted |
— | — | 23.20.248.43:443 | docparser.com | Amazon.com, Inc. | US | unknown |
5692 | OUTLOOK.EXE | 52.109.76.6:443 | officeclient.microsoft.com | Microsoft Corporation | IE | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.edge.skype.com |
| whitelisted |
login.live.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
es.kuvve.net |
| unknown |
officeclient.microsoft.com |
| whitelisted |
docparser.com |
| unknown |
fonts.googleapis.com |
| whitelisted |
fast.wistia.com |
| whitelisted |
assets.capterra.com |
| shared |
Process | Message |
---|---|
OUTLOOK.EXE | Reminder Queue Starts ===========================:
|
OUTLOOK.EXE | ReminderQueue: Hrinitialize hr = 0
|
OUTLOOK.EXE | ReminderQueueBase:InitializeTable hr=0
|
OUTLOOK.EXE | ReminderQueue: ProcessNotification: End<-----
|