| Field | Value |
|---|---|
| File name | 01f9be9446b9d608251924f54f08e82aecdceffd6ba2ed4d13897e311bc6f711 |
| Full analysis | https://app.any.run/tasks/63ebd387-22ec-4abb-9a2e-2f488948ef2e |
| Verdict | Malicious activity |
| Analysis date | April 25, 2019, 16:55:47 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | text/rtf |
| File info | Rich Text Format data, unknown version |
| MD5 | B7CF7256280C9A105433219CCCA987DC |
| SHA1 | 0FBD7128778C5F8DD92289AA0F2B7B54D282F465 |
| SHA256 | 01F9BE9446B9D608251924F54F08E82AECDCEFFD6BA2ED4D13897E311BC6F711 |
| SSDEEP | 1536:czGpn6DtJnf6CzChEGGA5aztO9yEISKRPKFcZkYh1Y28wOmDXc0iyXsLVQNggN4s:mTEGAIOMIBaVIjQl |

| Extension | Detected format |
|---|---|
| .rtf | Rich Text Format (100) |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2356 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\01f9be9446b9d608251924f54f08e82aecdceffd6ba2ed4d13897e311bc6f711.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 |
| 908 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 |
| 3392 | "C:\Users\admin\AppData\Roaming\dmw cleaner.exe" | C:\Users\admin\AppData\Roaming\dmw cleaner.exe | — | EQNEDT32.EXE | User: admin; Company: ubozahulacovudefijovoxam; Integrity Level: MEDIUM; Description: oruzakahiw; Exit code: 0; Version: 8.13.17.22 |
| 3576 | "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Roaming\dmw cleaner.exe:Zone.Identifier" | C:\Windows\System32\cmd.exe | — | dmw cleaner.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 1708 | "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Roaming\dmw cleaner.exe:Zone.Identifier" | C:\Windows\System32\cmd.exe | — | dmw cleaner.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2200 | "C:\Windows\System32\cmd.exe" /c copy "C:\Users\admin\AppData\Roaming\dmw cleaner.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodgbc.exe" | C:\Windows\System32\cmd.exe | — | dmw cleaner.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2368 | "C:\Windows\System32\cmd.exe" /c, "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodgbc.exe" | C:\Windows\System32\cmd.exe | — | dmw cleaner.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: —; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 1660 | "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodgbc.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodgbc.exe | — | cmd.exe | User: admin; Company: ubozahulacovudefijovoxam; Integrity Level: MEDIUM; Description: oruzakahiw; Exit code: —; Version: 8.13.17.22 |
| 3852 | "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodgbc.exe:Zone.Identifier" | C:\Windows\System32\cmd.exe | — | audiodgbc.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2976 | "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodgbc.exe:Zone.Identifier" | C:\Windows\System32\cmd.exe | — | audiodgbc.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2356 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR2F4A.tmp.cvr | — | — | — |
| 2356 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D60A1EDC-D4DA-4885-803B-880A6C8F1499}.tmp | — | — | — |
| 2356 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EBC08C6D-40B8-48B3-859A-FCF92B532BE8}.tmp | — | — | — |
| 2356 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D4E142EE-5130-45A3-BB52-64C1BF32075F}.tmp | — | — | — |
| 2356 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | E0A6D871DF9AF8A843020CC2FC70CA4E | 33FAFDD37700ECE853AC83901FBEAB68A9A8E725B6B27DF6C65EDBF64767BE47 |
| 2356 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{14B77740-8F2A-45FE-AE56-978D1C27F7AC}.tmp | binary | 6F2EA21E6180009325990D1BE071B06E | 76205F8E5BDB25C98AFDEC2420A30D78CF7AB9D0CC72CF34C9B01B233796D30A |
| 1660 | audiodgbc.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodgbc.lnk | lnk | 35B36A7D28D5FA0CF45B2D90D94FE8A2 | DBF63ED82C0722D07D7295F415811D061C83F7FD65DE2AA1B9E1B955486499DB |
| 908 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\5cc165418998fma2[1].exe | executable | 5BB164F6437DEBDF1C9E905770A6AA4E | 3AF74379234601C1D9CDA4E8B20B901B604D6892ECD1E42802303756FBA6980C |
| 2356 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$f9be9446b9d608251924f54f08e82aecdceffd6ba2ed4d13897e311bc6f711.rtf | pgc | 54444D248EE2753E32BE8765FA6B266F | B78F08813546853269DB70616BBBD871175AC19DC3C1397D6CDDCB9100DCD687 |
| 2200 | cmd.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodgbc.exe | executable | 5BB164F6437DEBDF1C9E905770A6AA4E | 3AF74379234601C1D9CDA4E8B20B901B604D6892ECD1E42802303756FBA6980C |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 908 | EQNEDT32.EXE | 212.227.172.251:443 | hellofbi.com | 1&1 Internet SE | DE | unknown |
| Domain | IP | Reputation |
|---|---|---|
| hellofbi.com | | unknown |
| PID | Process | Class | Message |
|---|---|---|---|
| 908 | EQNEDT32.EXE | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
| Process | Message |
|---|---|
| dmw cleaner.exe | *** HR originated: -2147024774<br>*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391 |
| dmw cleaner.exe | *** HR propagated: -2147024774<br>*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278 |
| dmw cleaner.exe | *** HR originated: -2147024774<br>*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391 |
| dmw cleaner.exe | *** HR propagated: -2147024774<br>*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278 |
| dmw cleaner.exe | *** HR originated: -2147024774<br>*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391 |
| dmw cleaner.exe | *** HR propagated: -2147024774<br>*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278 |
| dmw cleaner.exe | *** HR originated: -2147024774<br>*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391 |
| dmw cleaner.exe | *** HR propagated: -2147024774<br>*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278 |
| dmw cleaner.exe | *** Status originated: -1072365543<br>*** Source File: d:\iso_whid\x86fre\base\isolation\id_parser.cpp, line 590 |
| dmw cleaner.exe | *** Status propagated: -1072365543<br>*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 147 |