File name: | 8054b3a5a0e0a19660e006eb80ada8cb2d60360cf84dc4213ba7a9f3bbb4457e |
Full analysis: | https://app.any.run/tasks/a3294099-eb9e-4621-a110-c02ea8a654b8 |
Verdict: | Malicious activity |
Analysis date: | December 14, 2018, 18:25:48 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF line terminators |
MD5: | 1CD66FBC91462CD0E8BD16BDC0B625DA |
SHA1: | EC947CB8726D15694D5691636DA3BDD347729256 |
SHA256: | 8054B3A5A0E0A19660E006EB80ADA8CB2D60360CF84DC4213BA7A9F3BBB4457E |
SSDEEP: | 192:+YZEAkEDG3c+auO0rA8R4Njasykz8inchhYVKGcU:LEqGs+VPDsykz8ichhdGcU |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2708 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\8054b3a5a0e0a19660e006eb80ada8cb2d60360cf84dc4213ba7a9f3bbb4457e | C:\Windows\system32\rundll32.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3172 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\8054b3a5a0e0a19660e006eb80ada8cb2d60360cf84dc4213ba7a9f3bbb4457e" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | rundll32.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1676 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2972 | "C:\Windows\system32\taskmgr.exe" | C:\Windows\system32\taskmgr.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4064 | "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" | C:\Windows\system32\mmc.exe | — | taskmgr.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Management Console Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2416 | "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" | C:\Windows\system32\mmc.exe | taskmgr.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Management Console Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3172 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRB663.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1676 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | |
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862 | SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A | |||
1676 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt | text | |
MD5:12C2DD1E76B837633C09F014E2118A24 | SHA256:B9DC094FF9CA5A496378789F67F22EE6348B20251A3F20A1674617BDB274CAB9 | |||
3172 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$54b3a5a0e0a19660e006eb80ada8cb2d60360cf84dc4213ba7a9f3bbb4457e | pgc | |
MD5:3285F4CA7170BE7FB3F82DDC8E6968DC | SHA256:3AC1E0229418349E730E5B277F7A9665D6CB7A3D9C2134BD8187A659BDBF3B6E | |||
3172 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:1A2C6AC82975EFCE4ED6F6A172A02DF4 | SHA256:E4931188BCE994C45AF9AFE8A6D379AF288668F458A954E7C838D98360F0220D | |||
2416 | mmc.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\views[1] | html | |
MD5:A726593A8261930E4786375106FC6BFE | SHA256:E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172 | |||
2416 | mmc.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\views[1] | html | |
MD5:A726593A8261930E4786375106FC6BFE | SHA256:E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1676 | EQNEDT32.EXE | GET | — | 208.97.149.120:80 | http://www.scarpeshop.eu/v/E0.png | US | — | — | malicious |
1676 | EQNEDT32.EXE | GET | 301 | 67.199.248.10:80 | http://bit.ly/2Gn4PCa | US | html | 120 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1676 | EQNEDT32.EXE | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
1676 | EQNEDT32.EXE | 208.97.149.120:80 | www.scarpeshop.eu | New Dream Network, LLC | US | suspicious |
Domain | IP | Reputation |
---|---|---|
bit.ly |
| shared |
www.scarpeshop.eu |
| malicious |