File name: | RFP_AllianxMexico_2022.doc |
Full analysis: | https://app.any.run/tasks/05f14cf5-7297-4f7b-8a96-37ad859ab8c2 |
Verdict: | Malicious activity |
Analysis date: | January 24, 2022, 22:40:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Keywords: 16, Comments: 4, Thumbnail: 2362, 0x17: 1048576CDFV2 Microsoft Word |
MD5: | B371E1C2CA2E5718E151760BC4664366 |
SHA1: | 73457D23E5235DF0FCFBF6547AAF26CCCC765011 |
SHA256: | 3542078FD524E3CB141D5BEBF96AEA73467505A07AE72FC58395AFA14F22E8A3 |
SSDEEP: | 24576:/HS4AwARd+X+i4Ht5O9SD++vxRC05yU3LahYcVy7eK+OuQAoKsn7uqb/H:fRyCpG/ |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserTypeLen: | 36 |
---|---|
CompObjUserType: | Documento de Microsoft Word 97-2003 |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 16 |
Paragraphs: | 4 |
CharCountWithSpaces: | 2362 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
392 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\RFP_AllianxMexico_2022.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3832 | "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1420 | C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Application Error Reporting Exit code: 0 Version: 14.0.6015.1000 | ||||
3272 | C:\Windows\system32\dwwin.exe -x -s 1420 | C:\Windows\system32\dwwin.exe | — | DW20.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Watson Client Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (392) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | cy< |
Value: 63793C0088010000010000000000000000000000 | |||
(PID) Process: | (392) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (392) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1041 |
Value: Off | |||
(PID) Process: | (392) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1046 |
Value: Off | |||
(PID) Process: | (392) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1036 |
Value: Off | |||
(PID) Process: | (392) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1031 |
Value: Off | |||
(PID) Process: | (392) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1040 |
Value: Off | |||
(PID) Process: | (392) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1049 |
Value: Off | |||
(PID) Process: | (392) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 3082 |
Value: Off | |||
(PID) Process: | (392) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1042 |
Value: Off |
PID | Process | Filename | Type | |
---|---|---|---|---|
392 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR1B4.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3272 | dwwin.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_WINWORD.EXE_5925cffacf343a3c93e92254daaac1d4b3aeb_0cdf08ba\Report.wer | — | |
MD5:— | SHA256:— | |||
392 | WINWORD.EXE | C:\Users\admin\Desktop\~$P_AllianxMexico_2022.doc | pgc | |
MD5:C89003727589CBCC535F15DE1AE22235 | SHA256:3CB4D74FD52868B8F7AA0BD5508D0988BFC36AC7F7FDD77435D66E8D108F75E8 | |||
392 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\RFP_AllianxMexico_2022.doc.LNK | lnk | |
MD5:F654AF38858198C6BF688DD803F4D468 | SHA256:103FA1A070A80A607C5FD667C21CCDF52B56E2EF7F6FC4997A40A0963DA774C1 | |||
392 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | |
MD5:824DF79CF8278B9AE50C1016923E5D2D | SHA256:4B3CF0C099BC9F4252726CDFADD2E8BD85F90F970E4E5FB68DF9550A95656DBC | |||
392 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:9869625432E97779171B56FB18E46494 | SHA256:981DBAA638129F6C5282A835ABDCC3404A2F62B2197F95F1C0BD9BECDD1EBCCF | |||
392 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{7284319B-1821-42F1-9C1E-DF2052B1CF57}.tmp | binary | |
MD5:B3F2F524109214EB5DC98D9E3EDD0193 | SHA256:7D3FFD7B9039C552E8C96047C183A2FB28A18E948DBE5BD5DB72EEB1A4243847 | |||
392 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1251C8DF-08AC-47B8-AB98-BE4F7C180CE1}.tmp | binary | |
MD5:D5D8E5E0E7E822A8536164B311472724 | SHA256:CF530E0F013F46CF2B24236002FDC69CCBE4C34DA6A478BBAF5B4421CD24583F | |||
392 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\1313828.cvr | sqm | |
MD5:35E87E9165A1C958FB6817B4AA98B550 | SHA256:A3D75FED3083892719C3661FA64836F5F5282DD82F1FC09778EAB4BBF4EEA5EE | |||
392 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B8017934-9CB0-44A3-B49C-7F140DAAD751}.tmp | smt | |
MD5:5D4D94EE7E06BBB0AF9584119797B23A | SHA256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |