File name: | 3174a385107c6445c53bd8b541b0a43d |
Full analysis: | https://app.any.run/tasks/4a476d83-2c69-4e0d-960e-772c0d501694 |
Verdict: | Malicious activity |
Analysis date: | June 19, 2019, 10:39:04 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 3174A385107C6445C53BD8B541B0A43D |
SHA1: | 5DB57F2F0C30E843A6440FDA476235100166B7C1 |
SHA256: | 976F758665D17153F0E6A22810599939092FC8E4FAB91562C0DEF7860C7222A7 |
SSDEEP: | 1536:miIIUewe3XVo622z1RlRKOjDwJ2GHqYnvNvpNiAWihpWFRIxPILSQWns3R:miIjCmxgLSQWno |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2552 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\3174a385107c6445c53bd8b541b0a43d.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.5123.5000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2552 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR565A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2552 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DCAE2F83.png | — | |
MD5:— | SHA256:— | |||
2552 | WINWORD.EXE | C:\Users\admin\Desktop\~$74a385107c6445c53bd8b541b0a43d.rtf | pgc | |
MD5:CDDC92F836CDB72D3FB86916713236EA | SHA256:EDD7CE9B4CCB0CA013099F4975AA7F75FD86014607F6204FAA131CB0C519163D | |||
2552 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:BD573C9A3CDFFD4F4DDBCC1AA90979C3 | SHA256:3BB3B1FF9633826D9E242B93728B272EEF3ACAD2BB57DAACC6D22ECF906631B3 | |||
2552 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Abctfhghghghghg.sct | html | |
MD5:D30215FCA6DD73F3DE2880E083C4D7EC | SHA256:A8A4F9A22D13AE84D154EE4F1975D41BF91F1176E7897086E20E54C548E1493E | |||
2552 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\3174a385107c6445c53bd8b541b0a43d.LNK | lnk | |
MD5:E32662C9B1CAD5993487E322D49F110E | SHA256:3A593EFB1089AD4C91EE0960B8E2E31659E3BBC670F6BE9D4974E1327EA805E6 | |||
2552 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Abctfhghghghghg.sct:Zone.Identifier | text | |
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B | SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913 | |||
2552 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2552 | WINWORD.EXE | GET | 404 | 199.101.103.22:443 | https://tlkcloudem.com/file/photo.exe | US | html | 331 b | suspicious |
2552 | WINWORD.EXE | GET | 404 | 199.101.103.22:443 | https://tlkcloudem.com/file/photo.exe | US | html | 331 b | suspicious |
2552 | WINWORD.EXE | GET | 404 | 199.101.103.22:443 | https://tlkcloudem.com/file/photo.exe | US | html | 331 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2552 | WINWORD.EXE | 199.101.103.22:443 | tlkcloudem.com | QuickPacket, LLC | US | suspicious |
Domain | IP | Reputation |
---|---|---|
tlkcloudem.com |
| suspicious |