Field | Value
---|---
File name | RFQ.doc
Full analysis | https://app.any.run/tasks/742635bf-70cd-4198-931e-cc47faac0c48
Verdict | Malicious activity
Analysis date | July 18, 2019, 00:35:17
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MIME | text/plain
File info | ASCII text, with very long lines, with CR line terminators
MD5 | 556B73EC1649749F9E653D6897BB83CC
SHA1 | EFC45C00871BB59DE77B99DBA6BE3BC928FC8A06
SHA256 | 3CDF22675EA6A500634B3A6181A8A93E5048C881FE8F49B45EA056F0F5CB3E99
SSDEEP | 96:w6BOgvq4BRmPLomAx/WV453+M2XOrxZeSFNqinKU3m:J7qSiUmAx/WVYODXO/QmW

Note: despite the .doc extension the sample is identified as plain ASCII text, not an OLE2 compound document. Word picks the parser from the content, not the extension, so it still opens the file; OLE-only static tooling will not parse it as a compound document and the hashes above are the reliable identifiers for this sample.
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2872 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\RFQ.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000
3304 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900
2564 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900
3428 | "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -Embedding | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe | | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Setup Bootstrapper; Exit code: 0; Version: 14.0.6010.1000
2552 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows® installer; Version: 5.0.7600.16385 (win7_rtm.090713-1255)
3156 | C:\Windows\system32\MsiExec.exe -Embedding CF5C8E86F1B1DB85A889294D8163C418 | C:\Windows\system32\MsiExec.exe | | msiexec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255)
3828 | C:\Windows\system32\MsiExec.exe -Embedding A457A55EDB2751DC910331D9962B5E54 M Global\MSI0000 | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255)
2492 | C:\Windows\system32\WerFault.exe -u -p 3304 -s 336 | C:\Windows\system32\WerFault.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Problem Reporting; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3068 | C:\Windows\system32\WerFault.exe -u -p 2564 -s 332 | C:\Windows\system32\WerFault.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Problem Reporting; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2292 | C:\Windows\system32\MsiExec.exe -Embedding 0E5ED0CD8CD4C047C9B6F3467A20C103 | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255)

Note: the `-Embedding` switch marks an out-of-process COM server being activated; the launch is performed by the DCOM launcher service (hosted in svchost.exe), so the logged parent of EQNEDT32.EXE and Setup.exe is svchost.exe rather than the WINWORD.EXE process that triggered the activation. Detection logic that only looks for Office as the direct parent will miss this chain. The two WerFault.exe instances reference `-p 3304` and `-p 2564`, i.e. both Equation Editor processes crashed.
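The chain in the process table (Word with RFQ.doc open, EQNEDT32.EXE activated via COM under svchost.exe, then each Equation Editor PID reported by WerFault.exe) is the pattern a hunting rule should key on. The Python below is an added example, not part of the ANY.RUN report: it encodes that pattern as a detection over process records transcribed from the table above. The `Proc` fields, the rule names and the severity labels are this example's own assumptions.

```python
"""
Flag COM activation and crashes of Equation Editor in a sandbox process tree.

Added example, not part of the ANY.RUN report. Records below are transcribed
from the report's process table; field names, rule names and severities are
this example's own assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str    # full image path as logged
    cmd: str      # command line as logged
    parent: str   # parent image name as logged
    user: str


# Constructed from the report's process table (PID, image, command line, parent, user).
PROCS = [
    Proc(2872, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
         r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\RFQ.doc"',
         "explorer.exe", "admin"),
    Proc(3304, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
         r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding',
         "svchost.exe", "admin"),
    Proc(2564, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
         r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding',
         "svchost.exe", "admin"),
    Proc(3428, r"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe",
         r'"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -Embedding',
         "svchost.exe", "admin"),
    Proc(2552, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V",
         "services.exe", "SYSTEM"),
    Proc(2492, r"C:\Windows\system32\WerFault.exe", r"C:\Windows\system32\WerFault.exe -u -p 3304 -s 336",
         "svchost.exe", "admin"),
    Proc(3068, r"C:\Windows\system32\WerFault.exe", r"C:\Windows\system32\WerFault.exe -u -p 2564 -s 332",
         "svchost.exe", "admin"),
]

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
WER_PID_RE = re.compile(r"-p\s+(\d+)")   # WerFault.exe -u -p <crashed pid> -s <event>


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_eqnedt_activity(procs):
    """Return (pid, rule, severity) tuples in process-list order.

    eqnedt32_com_activation: EQNEDT32.EXE started with -Embedding, i.e. activated
        out-of-process through COM. The logged parent is the DCOM launcher
        (svchost.exe), not the Office process that asked for it, so the rule
        deliberately does not require parent == WINWORD.EXE.
    eqnedt32_crash: WerFault.exe reporting a crash (-p <pid>) of an EQNEDT32.EXE
        process present in the same tree.
    Severity is "high" when an Office host is in the tree (document-driven case),
    otherwise "medium".
    """
    by_pid = {p.pid: p for p in procs}
    office_present = any(basename(p.image) in OFFICE_HOSTS for p in procs)
    sev = "high" if office_present else "medium"
    findings = []
    for p in procs:
        name = basename(p.image)
        if name == "eqnedt32.exe" and "-embedding" in p.cmd.lower():
            findings.append((p.pid, "eqnedt32_com_activation", sev))
        elif name == "werfault.exe":
            m = WER_PID_RE.search(p.cmd)
            crashed = by_pid.get(int(m.group(1))) if m else None
            if crashed is not None and basename(crashed.image) == "eqnedt32.exe":
                findings.append((crashed.pid, "eqnedt32_crash", sev))
    return findings


def crashed_eqnedt_pids(procs):
    """PIDs of EQNEDT32.EXE instances that were both COM-activated and crashed."""
    found = find_eqnedt_activity(procs)
    activated = {pid for pid, rule, _ in found if rule == "eqnedt32_com_activation"}
    crashed = {pid for pid, rule, _ in found if rule == "eqnedt32_crash"}
    return sorted(activated & crashed)


if __name__ == "__main__":
    for pid, rule, sev in find_eqnedt_activity(PROCS):
        print(f"{sev:<6} pid={pid} {rule}")
    print("activated and crashed:", crashed_eqnedt_pids(PROCS))
```

Run against the transcribed records it reports both Equation Editor PIDs (3304 and 2564) as COM-activated and as crashed. The crash correlation is done through the `-p` argument of WerFault.exe rather than through parent/child links, because WerFault is itself started by svchost.exe and carries no parent relationship to the crashed process.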
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2872 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE997.tmp.cvr | — | — | —
2492 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WERF9D4.tmp.WERInternalMetadata.xml | — | — | —
2492 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WERF9E4.tmp.hdmp | — | — | —
2492 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WERFAA1.tmp.mdmp | — | — | —
2492 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_EQNEDT32.EXE_4190715f755948c31b6cd834465f11f658dcc09d_cab_09acfb4a\WERF9E4.tmp.hdmp | — | — | —
3068 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WER13E5.tmp.hdmp | — | — | —
3068 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WER14A1.tmp.mdmp | — | — | —
3068 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_EQNEDT32.EXE_ad59c36926360e5a33660585748b16d7c2e3ff4_cab_0bed155a\WER13E5.tmp.hdmp | — | — | —
2872 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$RFQ.doc | pgc | 6D829DED53FE7F570C605835C252EB64 | C9CA8A59092A89E925CD7A3B00DAC200B6F7AF71AB99195369618315A897F41A
2492 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_EQNEDT32.EXE_4190715f755948c31b6cd834465f11f658dcc09d_cab_09acfb4a\WERFAA1.tmp.mdmp | dmp | BA1BFB255955815FC840CEAA14B2F0A8 | EA48F705EA8E4F5BD31D70071FB0BB0F6962103AB147F2A8C4A67521F2137D5F
Process | Message
---|---
msiexec.exe | Failed to release Service
addinutil.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
addinutil.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
addinutil.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
addinutil.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
addinutil.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
addinutil.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
addinutil.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
addinutil.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
addinutil.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302

Note: HRESULT -2147024774 is 0x8007007A, i.e. HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER). The source paths point at the Windows side-by-side isolation code, not at anything from the sample, so these addinutil.exe lines are environment noise rather than behaviour of RFQ.doc.