File name: | 6897b33954a4b228f8a7132e07fde3b6 |
Full analysis: | https://app.any.run/tasks/d3621c70-ffa1-4473-b348-6cb4970665df |
Verdict: | Malicious activity |
Analysis date: | July 18, 2019, 08:29:03 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, ANSI |
MD5: | 6897B33954A4B228F8A7132E07FDE3B6 |
SHA1: | 157E4E252866702B0A069A6166E55DB80363090C |
SHA256: | 37378258B682C92E11E45C4714A95EF843DFC48E064112E9969586AE88C386BF |
SSDEEP: | 12288:+toHy1qH75x/aSIF+m3x8VW+dkOeqKXKg:+toHTX/aNAm3x6dkB |
.rtf | Rich Text Format (100) |
InternalVersionNumber: | 24689 |
CharactersWithSpaces: | 118 |
Characters: | 102 |
Words: | 17 |
Pages: | 1 |
TotalEditTime: | -7440 seconds |
RevisionNumber: | 22 |
ModifyDate: | 2015:10:16 13:54:00 |
CreateDate: | 2015:10:16 11:37:00 |
LastModifiedBy: | Master |
Author: | Master |
Title: |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2892 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\6897b33954a4b228f8a7132e07fde3b6.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 | ||||
2332 | "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1112 | C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE | — | WINWORD.EXE |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Application Error Reporting; Exit code: 0; Version: 14.0.6015.1000 | ||||
3400 | C:\Windows\system32\dwwin.exe -x -s 1112 | C:\Windows\system32\dwwin.exe | — | DW20.EXE |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Watson Client; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
2892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDCA6.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E0BAC878-379F-4F4F-B602-E3A7EA2543BD}.tmp | — | |
MD5:— | SHA256:— | |||
2892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A9555F70-F2CF-450F-AAA8-E4C84DCB6A3B}.tmp | — | |
MD5:— | SHA256:— | |||
2892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\1126953.cvr | sqm | |
MD5:6DD8A0CEE91E27657418CEB9DB277D05 | SHA256:3BBBD03682B973CD1FE2C2D68D3424430267C7B76A962B603C910315CF24BFFD | |||
2892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$97b33954a4b228f8a7132e07fde3b6.rtf | pgc | |
MD5:CF7BD22C42D0C2B4D9A0E2134A5A330B | SHA256:A5505448BF133EB93E596963E4CB43E3747DAD7211BF7E60CC78AB1F25B380A3 | |||
2892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{10B0D4D7-5EF6-4C2D-823F-65C9446BC96E}.tmp | binary | |
MD5:CB365264337F1570C7EA4EF53446AA54 | SHA256:D3128F5F12164E1EFD093E417DE4E3AECB828CA71012BC04F1605305F3E3BFB1 | |||
2892 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:3E349EF9EE4271C5BBA07B1B50EF96EB | SHA256:CB672C0AC1DE57783CAFB5095D2E96FF2398A042650181891E7D7AA29A4887CB | |||
3400 | dwwin.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_WINWORD.EXE_d7fd426ff9d50215af21c7c13a6f73cbcb4969d_0d595ca4\Report.wer | binary | |
MD5:AF4A8FC6A8AABF8D1B000FC655FA66A4 | SHA256:C2386D78AFB9BD331D707395828BC98DB77BCC300851CF8251FF26E4B54502F9 | |||
2892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4EE8319D.wmf | wmf | |
MD5:4F03B86E4D6631C26FF5FFFC7332BE1D | SHA256:83F4EA26254D69825486BFFD1D400217AAC7245C5C48FE5ACC3CCDEA173C4851 |