File name: | 608b0c2ec4a1252e65fe885e622c0369.doc |
Full analysis: | https://app.any.run/tasks/ac94b362-ae7a-4167-864b-efa2e8cb28f5 |
Verdict: | Malicious activity |
Analysis date: | July 11, 2019, 12:40:23 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | MIME entity, ISO-8859 text, with CRLF line terminators |
MD5: | 608B0C2EC4A1252E65FE885E622C0369 |
SHA1: | 77AC560B1249AE15B78D3284DB03B32289292568 |
SHA256: | 48196782F18B2E569F8746FCFE37F7BA982FB03A001DDB231A3127FF5E3C55B2 |
SSDEEP: | 768:qI8i0L+PTwXUH/ow4DVyXDyR/flDHiuzMQF9kUjL:f50L+MUHw5DVyXmR/fRCY7kw |
.mht/mhtml | | | MIME HTML archive format (var 2) (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3964 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\608b0c2ec4a1252e65fe885e622c0369.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3052 | C:\Windows\\System32\\rundll32.exe | C:\Windows\System32\rundll32.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 1768843639 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6537.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CB11A0EF-939D-4E4C-B9CE-08CFD6D1D4A0}.tmp | — | |
MD5:— | SHA256:— | |||
3964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A867FA81-BB28-4008-957A-8564275B5466}.tmp | — | |
MD5:— | SHA256:— | |||
3964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{312214DD-6683-4566-97BB-772A497D46A7}.tmp | — | |
MD5:— | SHA256:— | |||
3964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$8b0c2ec4a1252e65fe885e622c0369.doc | pgc | |
MD5:A1FBA09C4930BEDC64CCDB53AE7A6091 | SHA256:F92007FC7AC79CE7C4E10E788EF9B14097A156ADE9700CA2B9209525121C9EA8 | |||
3964 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:2B0C6794069D1E64D2A08CB5EC61E478 | SHA256:8D020FE95A6BDC1F7C945B289071A36410592E8913497C89A76702EF3ADD153E |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3052 | rundll32.exe | 45.58.57.88:9000 | — | HostUS | US | malicious |