| Field | Value |
|---|---|
| File name | example.rtf |
| Full analysis | https://app.any.run/tasks/c033e8dd-c4ba-47eb-95f9-5fff864bd3aa |
| Verdict | Malicious activity |
| Analysis date | February 19, 2019, 05:51:31 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | text/plain |
| File info | ASCII text, with very long lines, with no line terminators |
| MD5 | 48F31C6F2619441F9150C5182F33FED4 |
| SHA1 | 2D82997F01C11B1BE9AE0151613C7C6DA5F74DF3 |
| SHA256 | 68BB3E0D6AB40A2B59C19B7B1A88BC55C16932484E88D6FD000FA9AF68B5787E |
| SSDEEP | 48:rOjNsP06EOWBgj5eaqJ6TDJT/hfJT/wJT/RVzwBrUQcQK49246JT/vWtp:rl06Lqgj5eaqW/mJwZ3Kw60P |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 2804 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\example.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 0 | 14.0.6024.1000 |
| 3708 | "C:\Windows\System32\calc.exe" | C:\Windows\System32\calc.exe | — | WINWORD.EXE | admin | Microsoft Corporation | MEDIUM | Windows Calculator | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1948 | "C:\Windows\System32\calc.exe" | C:\Windows\System32\calc.exe | — | WINWORD.EXE | admin | Microsoft Corporation | MEDIUM | Windows Calculator | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2580 | "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1348 | C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE | — | WINWORD.EXE | admin | Microsoft Corporation | MEDIUM | Microsoft Application Error Reporting | 0 | 14.0.6015.1000 |
| 3680 | C:\Windows\system32\dwwin.exe -x -s 1348 | C:\Windows\system32\dwwin.exe | — | DW20.EXE | admin | Microsoft Corporation | MEDIUM | Watson Client | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2804 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR98CB.tmp.cvr | — | — | — |
| 2804 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E9B5C50B-96A0-41DB-8BB7-089D393CEB15}.tmp | — | — | — |
| 2804 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{188F40FB-AC26-4613-AC04-CFFF591997D3}.tmp | — | — | — |
| 2804 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFBC896C97DB180C2E.TMP | — | — | — |
| 2804 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$xample.rtf | pgc | 66122630B9F1C83355B71F2B66ABA8AC | 933A9D5AD0748C30D1F0F6123907607E03AA76352360ABAC1C49E9997A167E8A |
| 2804 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Word\~WRL0001.tmp | document | 1DB02927677882422054DEA30CAC63D0 | 70F036AA5467FE29B36E34D76DC2E85DED212CF9D8EA45D68E304ED14B5683A6 |
| 2804 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Word\~WRD0000.tmp | document | CE5011779E62B7754977BAFB8BB874B8 | 4079E1BA08BC84A3EF31F37013CD0D780D4E233360FC83D174E50B50056A9AC1 |
| 2804 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4E01AAB1-1ADC-47F5-92E6-6DDF87BF159B}.tmp | binary | 2694FCC1EE99A834292EC5DB89D58C90 | 8B5B56E20A874E0587785C9BB757FC58184BBA3332B4FA4CB4F8999A8E5C32A5 |
| 2804 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\1696312.cvr | sqm | FD91D23EEE8C351409DD434CE88E5BBB | 3877C404BD467D0192C90C223DD972E6D6358BAC6EF117567AC6247A00864154 |
| 2804 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 7B8D8F0F22BFFE8C9210FB71869EA470 | E46B2111FFFB8ED0961B6BEF60B74A9814DD3570D8D6F7DF2CA84869ABA557ED |