Field | Value
---|---
File name | z3r0.rtf
Full analysis | https://app.any.run/tasks/3d049e31-eecf-46f1-836e-5ec0153b7fee
Verdict | Malicious activity
Analysis date | November 08, 2019, 14:24:35
OS | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators | —
MIME | text/plain
File info | ASCII text, with very long lines, with CR, LF line terminators
MD5 | 5858B1C68C8A91C565E875E3492EDD49
SHA1 | 48B8DF7B68BA004E67AD5F4C8A0E9215F632AB04
SHA256 | B5572ED87256F85CC663EDBE6884820AC35AFFECD16891F28EC6A8817D1A2F88
SSDEEP | 48:5fU5NncuBCnb5S2vw3xMa279j+J5ffRKVr9z9UyDW3SkSNmhmXmw9sv5:NaBCnLvwWxBCRKVJzuyDW3SkuOmsv5

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2816 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\z3r0.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.5123.5000
1788 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900
2908 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900
992 | "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -Embedding | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Setup Bootstrapper; Exit code: 1073807364; Version: 14.0.4755.1000
1472 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255)
1364 | C:\Windows\system32\MsiExec.exe -Embedding 9FC01BC9E90E1CD9A7A08127AD00BBCF | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255)
124 | C:\Windows\syswow64\MsiExec.exe -Embedding 2429B2E20F24DB52ED6E71202754B6BA | C:\Windows\syswow64\MsiExec.exe | — | msiexec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255)
2632 | C:\Windows\system32\MsiExec.exe -Embedding C1B2A60EBB73E99CD5DFBC654D71E3D9 E Global\MSI0000 | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255)
2500 | C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 380 | C:\Windows\SysWOW64\WerFault.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Problem Reporting; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2456 | C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 384 | C:\Windows\SysWOW64\WerFault.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Problem Reporting; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2816 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR5011.tmp.cvr | — | — | —
2500 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WER6CB3.tmp.hdmp | — | — | —
2500 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WER6D8F.tmp.mdmp | — | — | —
904 | svchost.exe | C:\Windows\appcompat\programs\RecentFileCache.bcf | txt | 1F4EA661D0A10D6E1ACEFD5A096068AA | 71B9C6D945F9A9F4E0AA7FC26271CBE2B909C22BAFEF1845A480C0AD040E4432
2456 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WERFB58.tmp.mdmp | — | — | —
2500 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WER6CA2.tmp.WERInternalMetadata.xml | xml | FE9482BD5D96FC6A0914FB6A739A5236 | D3F7590BB0E63E55664CCBEEC888DE825DA33BD130740626077E1C29A98584E2
2816 | WINWORD.EXE | C:\Users\admin\Desktop\~$z3r0.rtf | pgc | B681B4FC9F55778FF5CF57A99ADB8993 | EE2583E7F1550089BFE9FA42BAAEEA8385D1E6AD4F2B97E2234944F0C348259D
2500 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_EQNEDT32.EXE_67557343b893ec8761487d58d5a5eebb314b7_cab_09d56dda\WER6CA2.tmp.WERInternalMetadata.xml | xml | FE9482BD5D96FC6A0914FB6A739A5236 | D3F7590BB0E63E55664CCBEEC888DE825DA33BD130740626077E1C29A98584E2
1936 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | automaticdestinations-ms | 7FFED926DF324BEACC2688E67CD177FE | 34CC28B76C6F62634864BED6AD1680E950ACC819F141FC32C32D41612FDF037F
1936 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\44a3621b32122d64.automaticDestinations-ms | automaticdestinations-ms | EF91D819A1FF1D34ABBE52DCBDB53565 | 861AC578BD3A8E65666B425D3C41C4FC87F70FB49298C8CF59BEE787057DA7F8

Domain | IP | Reputation
---|---|---
teredo.ipv6.microsoft.com | — | whitelisted

Process | Message
---|---
msiexec.exe | Failed to release Service
msiexec.exe | Failed to release Service
addinutil.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\copyout.cpp, line 1302
addinutil.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144
addinutil.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\copyout.cpp, line 1302
addinutil.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144
addinutil.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\copyout.cpp, line 1302
addinutil.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144
addinutil.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\copyout.cpp, line 1302
addinutil.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144