File name: | 61488eaafad84e8b86c6a2e87b022e133ccc77701f817c589ef4b01a89dd74ee |
Full analysis: | https://app.any.run/tasks/c51cd2dd-cf65-4df7-acae-5e351e41ef4e |
Verdict: | Malicious activity |
Analysis date: | April 23, 2019, 17:11:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | B1A56E7F8B6CFB230C2021157912477D |
SHA1: | 7DCF4DAC2369194A035D35DED30B0545D7864F0C |
SHA256: | 61488EAAFAD84E8B86C6A2E87B022E133CCC77701F817C589EF4B01A89DD74EE |
SSDEEP: | 12288:saHJdIqySD6T0hASW5DSUoloB+4oGjONXO9do:ZLIFSD6T0+H5DSUoloB+4oGjONe9a |
.rtf | Rich Text Format (100) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2168 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\61488eaafad84e8b86c6a2e87b022e133ccc77701f817c589ef4b01a89dd74ee.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
3176 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe |
User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2168 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR2FC7.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2168 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FBB2CE04.wmf | — | |
MD5:— | SHA256:— | |||
2168 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D80CD6B2.wmf | — | |
MD5:— | SHA256:— | |||
3176 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Word\STARTUP\winhelp.wll | executable | |
MD5:922EEDA26ED584601C4A4127ACE38874 | SHA256:4FA4027CF63E45AB00541F099EEE003DFCF93849E045F25AD4726EC6033E7DB8 | |||
2168 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\8.t | executable | |
MD5:922EEDA26ED584601C4A4127ACE38874 | SHA256:4FA4027CF63E45AB00541F099EEE003DFCF93849E045F25AD4726EC6033E7DB8 | |||
2168 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$488eaafad84e8b86c6a2e87b022e133ccc77701f817c589ef4b01a89dd74ee.rtf | pgc | |
MD5:5243470AF11CE6F5F6E1299B0EFF2802 | SHA256:357D27F531D7D247A086B27BD45C2711495009E365564A1119DAE3B40A569898 | |||
2168 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:E0A6D871DF9AF8A843020CC2FC70CA4E | SHA256:33FAFDD37700ECE853AC83901FBEAB68A9A8E725B6B27DF6C65EDBF64767BE47 | |||
2168 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\248E0E35.wmf | wmf | |
MD5:4BB0EECF04B74C919DC05F7315249BF9 | SHA256:9D2DB8DD1A5D210FAD1C6E341ED0AA65F46ECC14685310B0384152EE9818F16C |