File name: | PI.doc |
Full analysis: | https://app.any.run/tasks/23db988d-9115-47d6-b4de-46882a7413f2 |
Verdict: | Malicious activity |
Analysis date: | January 11, 2019, 00:45:35 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, unknown version |
MD5: | 5CFFE1D298F8231962F28480F9030A33 |
SHA1: | 31FBFDF0DD0A0BA9CEDD79FFE01E6F5866D66AD5 |
SHA256: | 0A195AE08CDA6CC1465046B1F1EA7A8997A5806652732988834592CA591136A2 |
SSDEEP: | 24576:7sf3y53R1Ne/PMkByLWv9JMoDWWCj+dUekP8CSgPajeZJoKVaVEHzfdkyytsZJbK:E |
.rtf | Rich Text Format (100) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3092 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\PI.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 | ||||
3876 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 0; Version: 14.0.6024.1000 | ||||
2572 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe |
User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 | ||||
3276 | cmd /c %tmp%\A.X | C:\Windows\system32\cmd.exe | — | EQNEDT32.EXE |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2812 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe |
User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 | ||||
3932 | "C:\Program Files\Microsoft Office\Office14\excelcnv.exe" -Embedding | C:\Program Files\Microsoft Office\Office14\excelcnv.exe | — | svchost.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 0; Version: 14.0.6024.1000 | ||||
PID | Process | Filename | Type |
---|---|---|---|
3092 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF040.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3876 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRF8BC.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3932 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\CVR464.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3092 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF998F62F325EF4223.TMP | — | |
MD5:— | SHA256:— | |||
3092 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{548357C9-649A-426F-882F-63BB7EAFBA17}.tmp | — | |
MD5:— | SHA256:— | |||
3092 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{822D647E-E416-4006-992F-C560E9589ABF}.tmp | — | |
MD5:— | SHA256:— | |||
3092 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:5A2A2BF1B9B0B962C0149F308BD95D21 | SHA256:D89CAB5E2C797E14581071AAB9A6E3B6999EA1DA8A1AF05067B3D36BC4686D61 | |||
3092 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3FF639A6-C22C-4E9B-B5CF-2423865ECD7D}.tmp | document | |
MD5:ACB46D676542BC5981AC38EBA4423347 | SHA256:AE2380955E210E4A64DD59A6A87389BCE22BD78A748284A75EC9DA0A36149AF2 | |||
3092 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$PI.doc.rtf | pgc | |
MD5:91B446CA98FC55828359C44B08E6C262 | SHA256:01FC3D1DAD7741D91A493094D7B454B3C1A40FB0A8D012982A5915A3FC1A0D07 | |||
3092 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C679C771.emf | emf | |
MD5:E36B6261E06D7383B8E5599EF5173F34 | SHA256:08666166B6F367E2832FA367749C0EE722ACA082166650814E93C07CD624C574 |