| Field | Value |
|---|---|
| File name | fde9cadc0bdf699c212ded2a35c09d72.rtf |
| Full analysis | https://app.any.run/tasks/ef3193dc-e6a9-459b-b08a-f61efe281d2f |
| Verdict | Malicious activity |
| Analysis date | February 19, 2019, 02:07:56 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | text/rtf |
| File info | Rich Text Format data, version 1, unknown character set |
| MD5 | FDE9CADC0BDF699C212DED2A35C09D72 |
| SHA1 | 29DFE8E6662CBD39189C4A4E7C59068A305818AA |
| SHA256 | ECED7B1879EA5FB263B4FC534669E13C098ED981EA6607BEFA01143C21B0AF0A |
| SSDEEP | 48:ifpegXG6zYnEfz58xkkH+ccv16Uo0DZ4oezRLZTdSLYxvx:ifp06UEN/kXcd6UZNetLZTdSLYxZ |
| Extension | Detected file type |
|---|---|
| .rtf | Rich Text Format (100) |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 2956 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\fde9cadc0bdf699c212ded2a35c09d72.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 0 | 14.0.6024.1000 |
| 800 | "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1068 | C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE | — | WINWORD.EXE | admin | Microsoft Corporation | MEDIUM | Microsoft Application Error Reporting | 0 | 14.0.6015.1000 |
| 3188 | C:\Windows\system32\dwwin.exe -x -s 1068 | C:\Windows\system32\dwwin.exe | — | DW20.EXE | admin | Microsoft Corporation | MEDIUM | Watson Client | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6C38.tmp.cvr | — | — | — |
| 2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8044F728-7271-4F6C-9029-E8E80D900DE5}.tmp | — | — | — |
| 2956 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | FFDDA778140572C37C6C1B9E1A88C58B | 478279FBD54E6D1EE6C21D74755708B0B3AD34CCC4069C872C81C9A3A4BF25D2 |
| 2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{68B7E200-A713-42EE-A863-63D78B130091}.tmp | binary | 052CA7390A7100C126B6C62C114E7E4F | 3F6A1110AA92B31B86D707BF421A16F5136BEB3B2C2845F05D3A55199BFC693E |
| 3188 | dwwin.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_WINWORD.EXE_d7fd426ff9d50215af21c7c13a6f73cbcb4969d_0c50cd53\Report.wer | binary | 31D872BED0833BFF6902F3829CCD54F2 | 1A521DC2377F28DF2FCFB1CD623577A87CC644023FD75D81B76F5A1C1A392AA4 |
| 2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$e9cadc0bdf699c212ded2a35c09d72.rtf | pgc | C3B3943A18107299F310501524B00187 | 8903F38B263ECF358BEAC2A75FFD988748302065EFF26706F8FF67B6E7F49F10 |
| 2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\2389343.cvr | sqm | E051AE4F86D162DCE16370746CAEB54C | 205AC2DF70A137504E06AE1B19CCF09D8178C64109417E12F68F0B084F26616F |