File name: | cec9252effd1fd99e7db63c24dd1dcaca40df5027faa46e56081e52dae96406d |
Full analysis: | https://app.any.run/tasks/7ab97aca-ab56-4a12-989a-d84507a659a2 |
Verdict: | Malicious activity |
Analysis date: | May 24, 2019, 13:46:54 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 9892134317E1375C1BEF7200B675854D |
SHA1: | 018939B2982B4BC8A50D91E39A1ED569266A486B |
SHA256: | CEC9252EFFD1FD99E7DB63C24DD1DCACA40DF5027FAA46E56081E52DAE96406D |
SSDEEP: | 1536:+rhwuzHlOQIZEr/YzpooU2mECSaTzaPECSbrcs6b4Tp6p7eacbmF0Fliy9GVdVle:+lwIipooDo3CBs6opMelVrVWKjWDBAvx |
.rtf | | | Rich Text Format (100) |
---|
InternalVersionNumber: | 49247 |
---|---|
CharactersWithSpaces: | 20 |
Characters: | 18 |
Words: | 3 |
Pages: | 1 |
TotalEditTime: | - |
RevisionNumber: | 2 |
ModifyDate: | 2019:04:16 18:26:00 |
CreateDate: | 2019:04:16 18:26:00 |
LastModifiedBy: | Windows Óû§ |
Author: | Windows Óû§ |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3576 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\cec9252effd1fd99e7db63c24dd1dcaca40df5027faa46e56081e52dae96406d.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
4004 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
4032 | C:\Windows\system32\WerFault.exe -u -p 4004 -s 336 | C:\Windows\system32\WerFault.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3576 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3E93.tmp.cvr | — | |
MD5:— | SHA256:— | |||
4032 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WER4F30.tmp.mdmp | — | |
MD5:— | SHA256:— | |||
4032 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WER4E92.tmp.hdmp | dmp | |
MD5:AB8442EBAF3F5561586D7B53AEA1D23D | SHA256:D2BDE0CF5548EB591CC729B77531B282697A1548DC8BF606D04B76CF2B4624A1 | |||
3576 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5EC10629.emf | emf | |
MD5:34F4DB9051753FFB35510126E773A2CF | SHA256:9679BA93420D59FEA3BBDE8A05A24B56916581EB98F49347566BD5CC724A3B9D | |||
3576 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:D42A6E4BB983BD90FC52C342BF8F27D7 | SHA256:464DCA282B2115EE1C4EA61EE07E5E07452FB55AF95763CAD86150BDEDAD6F0A | |||
4032 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_EQNEDT32.EXE_c548e924fb23f2567ceabc811a8b6f4e1fb1ce_cab_0fd34faa\WER4E52.tmp.appcompat.txt | xml | |
MD5:A7C42BA6416A96B9C45530F199833D9E | SHA256:48ECE97C88734E9D7BF84CDBDEE5A8C2EF98AA2A77DEDC6D4B057227E3A13DC6 | |||
4032 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_EQNEDT32.EXE_c548e924fb23f2567ceabc811a8b6f4e1fb1ce_cab_0fd34faa\WER4E91.tmp.WERInternalMetadata.xml | xml | |
MD5:8AC6AB62747E9034FA123E9FD08DE81D | SHA256:0B1252E5B571266281DFB2619DB7048B1A1E14CFBED24A39FE970BBF995F5CF4 | |||
3576 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$c9252effd1fd99e7db63c24dd1dcaca40df5027faa46e56081e52dae96406d.rtf | pgc | |
MD5:A349F5579145320F4651CFFD68A5B766 | SHA256:BFD8BAA2D43DFAAF7F56638B684E6153CD3D3A064D6DEE33B08189781647B5B9 | |||
4032 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WER4E91.tmp.WERInternalMetadata.xml | xml | |
MD5:8AC6AB62747E9034FA123E9FD08DE81D | SHA256:0B1252E5B571266281DFB2619DB7048B1A1E14CFBED24A39FE970BBF995F5CF4 | |||
4032 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_EQNEDT32.EXE_c548e924fb23f2567ceabc811a8b6f4e1fb1ce_cab_0fd34faa\Report.wer | binary | |
MD5:46C3CC789EC5E18671CBEF4F0ADB7413 | SHA256:0EB5A93F072CAE72FC336FC0C0C3C674B2F283CE15D5B1EE25DB1F592175E8ED |