Property | Value |
---|---|
File name | Purchase Order.doc |
Full analysis | https://app.any.run/tasks/0cdbfcd2-7ea1-4af9-b1c9-0a0e7e5fa4f5 |
Verdict | Malicious activity |
Analysis date | October 14, 2019, 08:56:11 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
MIME | text/rtf |
File info | Rich Text Format data, unknown version |
MD5 | 1E8F51413C1FDEE66E8D19DC47869BD4 |
SHA1 | 35E7E2619E724788E24CAC2F0B14198619E54275 |
SHA256 | 2E30907EBFAFE954F3184E0310C5C98BCAE55255963189E90A4E85F263A7BF36 |
SSDEEP | 96:uz3Kyv6Z9XBdzMGmG3c+auaJ0rk8O+DuxrIDkTxTAr5Ubd:gKy6ZrdgDG3c+auO0rk8R0bNTAtWd |
Extension | .rtf |
File type | Rich Text Format (100) |

PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2280 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Purchase Order.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
3904 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 3221225547; Version: 00110900 |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2280 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA7E3.tmp.cvr | — | — | — |
2280 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$rchase Order.doc.rtf | pgc | 6D54FCD867DC28F15DF64F0CBEF0A282 | D111532CF1BA59479855FE109BBB2EC6FE5D18B3E72EFE124F31F35FE7D4AC6C |
2280 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | D3E45E9E34C71A48C10FD945E9620BAF | 6CC7603DD408465CD9F4E0ED479443E49C34BDBCC43DE9FD1A9A1A1B8185537F |
3904 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | D7A950FEFD60DBAA01DF2D85FEFB3862 | 75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3904 | EQNEDT32.EXE | 34.207.119.231:80 | hastilyfing.co.kr | Amazon.com, Inc. | US | unknown |

Domain | IP | Reputation |
---|---|---|
hastilyfing.co.kr | — | unknown |
dns.msftncsi.com | — | shared |