File name: | You're Invited Francisco Credit Risk Modeling Economic and Regulatory Objectives and the impact of COVID-19 on Credit Risk Estimates.msg |
Full analysis: | https://app.any.run/tasks/cb6819ea-50b7-4fa6-9681-bbb579136a7d |
Verdict: | Malicious activity |
Analysis date: | January 24, 2022, 21:40:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | EDB60D0E4F058AFAE92CFCA62AD5D7DA |
SHA1: | F3A78B035A205CE825933168F26A749BBB93E2AC |
SHA256: | 7A57BE28A921E47E0B66A43F26868523BDA9FDECE51F0910CC91908DD4BE5BFA |
SSDEEP: | 1536:g3f/AjlFaP3nmS/r4LXG+IgNH/P+kkaa1:m/A5QP3nQLXTFP+kkaa1 |
.msg | | | Outlook Message (58.9) |
---|---|---|
.oft | | | Outlook Form Template (34.4) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2208 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\e70d2545-142e-481c-9690-6340dd8c1b47.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 Modules
| |||||||||||||||
2424 | "C:\Program Files\Internet Explorer\iexplore.exe" https://eur05.safelinks.protection.outlook.com/?url=http%3A%2F%2Femail.marcusevansonline.com%2Fc%2F11kaagdNUwlc1yaEN0P9aT2LhGgG&data=04%7C01%7C%7C199d7b29a2fd4bc9e1d708d9df34cae0%7C10338048193a4298abea3596ae88b05e%7C1%7C0%7C637786240105882213%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=Kk9rf1Tqqcwu1HYueMo6sp%2B15%2FvgXuwocHpsDHPBjlI%3D&reserved=0 | C:\Program Files\Internet Explorer\iexplore.exe | OUTLOOK.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
4076 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2424 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3380 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2424 CREDAT:1578250 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3612 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2424 CREDAT:1119508 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3216 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id 3612 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | iexplore.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Exit code: 0 Version: 20.13.20064.405839 Modules
| |||||||||||||||
3048 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id 3612 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | iexplore.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat Reader DC Version: 20.13.20064.405839 Modules
| |||||||||||||||
2152 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /id 3612 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | AcroRd32.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Version: 20.13.20064.405839 Modules
| |||||||||||||||
436 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | AcroRd32.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Version: 20.13.20064.405839 Modules
| |||||||||||||||
3704 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1180,7119087600564542728,14479830397861562796,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=14190477337137196951 --renderer-client-id=2 --mojo-platform-channel-handle=1188 --allow-no-sandbox-job /prefetch:1 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Version: 20.13.20064.405839 Modules
|
(PID) Process: | (2208) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (2208) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1041 |
Value: Off | |||
(PID) Process: | (2208) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1046 |
Value: Off | |||
(PID) Process: | (2208) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1036 |
Value: Off | |||
(PID) Process: | (2208) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1031 |
Value: Off | |||
(PID) Process: | (2208) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1040 |
Value: Off | |||
(PID) Process: | (2208) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1049 |
Value: Off | |||
(PID) Process: | (2208) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 3082 |
Value: Off | |||
(PID) Process: | (2208) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1042 |
Value: Off | |||
(PID) Process: | (2208) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1055 |
Value: Off |
PID | Process | Filename | Type | |
---|---|---|---|---|
2208 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR30F0.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2208 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
2208 | OUTLOOK.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | der | |
MD5:E9953511B806D96C85112D07C44DE02A | SHA256:86008864D275A5005CDEE88B0DF9E38009AB1F28E731673403DDCD89078A381B | |||
2208 | OUTLOOK.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F | der | |
MD5:CC0C289EA7D427477ACE1B0A0DB02D54 | SHA256:A7A7E062E466C1F51B146C74B9C252AF0BCAC6D9DE256E85384A972BA13BE432 | |||
2208 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text | |
MD5:C110C228B7300DC6D97CB056460FC1E4 | SHA256:68B7BE26BA3F3A56A75F1959F4125C47C71A9D1C305B2507E8EBF9CF11158276 | |||
2208 | OUTLOOK.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:26D1FB7C2CF3CCDCF57F7F431351EF6C | SHA256:22E153B3F2A03BE92DC47924F5EFC5BE25576BA1A1192FFFB9E4692913F5615B | |||
2208 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:EBC67BB5BAC2AF61D288AAEFABD1B171 | SHA256:2A2768F0C6E7F49F8A69F14B243606F3AF137AF6BBBF6F95C707DF2378536DC9 | |||
2208 | OUTLOOK.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | binary | |
MD5:363C74672F5EDC40FE6967249184C93F | SHA256:E879FEF4F63CD71E92A630D81F3DE8AC4C443B66DD0622EF245AE225D90F09A0 | |||
2208 | OUTLOOK.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F | binary | |
MD5:0D317C92A70DEB58CD39577CBDB39591 | SHA256:0CAAEF70E22A0D21F6CA08F40EAF2D723929DE208EF36372D386CECFC795B7FF | |||
2208 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\me-virtual[1].png | image | |
MD5:70F6DEF129CB98EE9F201416C266AECE | SHA256:8B7966B43D9399BE0C169BA03680C06F91A69AF9DFE4F864ADA2D6BAE64446B3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2208 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
4076 | iexplore.exe | GET | 302 | 143.204.98.92:80 | http://email.marcusevansonline.com/c/11kaagdNUwlc1yaEN0P9aT2LhGgG | US | — | — | malicious |
2208 | OUTLOOK.EXE | GET | 200 | 108.156.253.92:80 | http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEAmyjgQsDK7o%2FL1xYnRvpAA%3D | US | der | 471 b | whitelisted |
4076 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAGewca9P1l7sgwzOOVR2Hc%3D | US | der | 471 b | whitelisted |
2208 | OUTLOOK.EXE | GET | 200 | 18.66.242.155:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted |
2208 | OUTLOOK.EXE | GET | 200 | 41.63.96.128:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b4d8d6ff90bd2a61 | ZA | compressed | 4.70 Kb | whitelisted |
4076 | iexplore.exe | GET | — | 216.58.212.163:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | — | — | whitelisted |
4076 | iexplore.exe | GET | 200 | 104.18.30.182:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted |
2208 | OUTLOOK.EXE | GET | 200 | 18.66.242.62:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared |
4076 | iexplore.exe | GET | 200 | 41.63.96.128:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?dfce85383b38708a | ZA | compressed | 59.9 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2208 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
2208 | OUTLOOK.EXE | 143.204.98.92:80 | email.marcusevansonline.com | — | US | suspicious |
2208 | OUTLOOK.EXE | 41.63.96.128:80 | ctldl.windowsupdate.com | Limelight Networks, Inc. | ZA | suspicious |
— | — | 143.204.101.123:80 | o.ss2.us | — | US | malicious |
2208 | OUTLOOK.EXE | 143.204.98.116:443 | t.msgf.net | — | US | shared |
2208 | OUTLOOK.EXE | 18.66.242.155:80 | ocsp.rootg2.amazontrust.com | Massachusetts Institute of Technology | US | whitelisted |
2208 | OUTLOOK.EXE | 13.225.84.92:80 | s.ss2.us | — | US | malicious |
4076 | iexplore.exe | 143.204.98.92:80 | email.marcusevansonline.com | — | US | suspicious |
— | — | 104.47.17.92:443 | eur05.safelinks.protection.outlook.com | Microsoft Corporation | US | suspicious |
2208 | OUTLOOK.EXE | 108.156.253.92:80 | ocsp.sca1b.amazontrust.com | — | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
email.marcusevansonline.com |
| malicious |
t.msgf.net |
| shared |
ctldl.windowsupdate.com |
| whitelisted |
o.ss2.us |
| whitelisted |
s.ss2.us |
| whitelisted |
ocsp.rootg2.amazontrust.com |
| whitelisted |
ocsp.rootca1.amazontrust.com |
| shared |
ocsp.sca1b.amazontrust.com |
| whitelisted |
eur05.safelinks.protection.outlook.com |
| whitelisted |