| Field | Value |
|---|---|
| File name | 5aca6a390464c4880d813ebc04e6822fda9c68597600d27e1c5afaa26405bf6f |
| Full analysis | https://app.any.run/tasks/7c29050c-a32e-4eba-9cd4-e90a59712d80 |
| Verdict | Malicious activity |
| Analysis date | July 18, 2019, 07:53:15 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | - |
| Indicators | - |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 949, Author: HP, Template: Normal.dotm, Last Saved By: Windows User, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Mon Sep 11 10:20:00 2017, Last Saved Time/Date: Fri Jan 19 03:12:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0 |
| MD5 | 1AA7277DAD2FC8268C79E8295514AA06 |
| SHA1 | A79488B114F57BD3D8A7FA29E7647E2281CE21F6 |
| SHA256 | 5ACA6A390464C4880D813EBC04E6822FDA9C68597600D27E1C5AFAA26405BF6F |
| SSDEEP | 12288:44K6BgttUJhd/I4MClEFl3+YnmD5KYf/UXRDsin:476BgttUJhd/I4MCCX3+D7ORDsy |
| Extension | File type (match score) |
|---|---|
| .doc | Microsoft Word document (54.2) |
| .doc | Microsoft Word document (old ver.) (32.2) |
| Property | Value |
|---|---|
| CompObjUserType | Microsoft Word 97-2003 Document |
| CompObjUserTypeLen | 32 |
| HeadingPairs | - |
| TitleOfParts | - |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| ScaleCrop | No |
| AppVersion | 15 |
| CharCountWithSpaces | - |
| Paragraphs | - |
| Lines | - |
| Company | - |
| CodePage | Windows Korean (Unified Hangul Code) |
| Security | None |
| Characters | - |
| Words | - |
| Pages | 1 |
| ModifyDate | 2018:01:19 03:12:00 |
| CreateDate | 2017:09:11 09:20:00 |
| TotalEditTime | 2.0 minutes |
| Software | Microsoft Office Word |
| RevisionNumber | 2 |
| LastModifiedBy | Windows User |
| Template | Normal.dotm |
| Comments | - |
| Keywords | - |
| Author | HP |
| Subject | - |
| Title | - |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3772 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\5aca6a390464c4880d813ebc04e6822fda9c68597600d27e1c5afaa26405bf6f.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 | | | |
| 3736 | "C:\Windows\System32\cmd.exe" /c start /b C:\Users\admin\AppData\Local\Temp\.\dwm.exe /pumpingcore | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
| 1440 | C:\Users\admin\AppData\Local\Temp\.\dwm.exe /pumpingcore | C:\Users\admin\AppData\Local\Temp\dwm.exe | — | cmd.exe |
| | User: admin; Integrity Level: MEDIUM | | | |
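The process table records the chain explorer.exe > WINWORD.EXE > cmd.exe > dwm.exe: Word itself starts cmd.exe, which uses `start /b` to launch a file named dwm.exe from the user's Temp directory with a `/pumpingcore` argument. dwm.exe is the name of the Windows Desktop Window Manager, which ships in C:\Windows\System32, so a copy under AppData\Local\Temp is masquerading. The Python below is an added example, not code from the ANY.RUN report; it applies the checks an analyst would run over such a tree: an Office application spawning a command interpreter, a system-binary name executing outside the Windows directory, and execution from a user-writable path. The events are constructed from the table; explorer.exe's PID (1000) is an assumption because the report does not list it.

```python
"""Triage a sandbox process tree for Office-spawned shells and masquerading binaries.

Added example, not code from the ANY.RUN report. Events are constructed from the
process table above; explorer.exe's PID (1000) is an assumption, the report omits it.
"""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as recorded by the sandbox
    cmdline: str


# Constructed from the report's process table (explorer.exe PID assumed).
EVENTS = [
    ProcEvent(1000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3772, 1000, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\5aca6a390464c4880d813ebc04e6822fda9c68597600d27e1c5afaa26405bf6f.doc"'),
    ProcEvent(3736, 3772, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c start /b C:\Users\admin\AppData\Local\Temp\.\dwm.exe /pumpingcore'),
    ProcEvent(1440, 3736, r"C:\Users\admin\AppData\Local\Temp\dwm.exe",
              r"C:\Users\admin\AppData\Local\Temp\.\dwm.exe /pumpingcore"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Image names that legitimately run only from the Windows directory.
SYSTEM_NAMES = {"dwm.exe", "svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\downloads\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image-name chain from the root down to `pid`, following ppid links."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def triage(events):
    """Return (rule, pid, detail) for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        image = e.image.lower()
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        # A document viewer has no business starting a command interpreter.
        if pname in OFFICE_APPS and name in SHELLS:
            findings.append(("office_spawns_shell", e.pid, f"{pname} -> {name}: {e.cmdline}"))
        # A well-known system binary name outside the Windows directory is masquerading.
        if name in SYSTEM_NAMES and not image.startswith(SYSTEM_DIRS):
            findings.append(("masquerading_system_name", e.pid, e.image))
        # Anything executing from a user-writable location deserves a look on its own.
        if any(d in image for d in USER_WRITABLE):
            findings.append(("exec_from_user_writable", e.pid, e.image))
    return findings


if __name__ == "__main__":
    print(" > ".join(ancestry(EVENTS, 1440)))
    for rule, pid, detail in triage(EVENTS):
        print(f"[{rule}] pid {pid}: {detail}")
```

Run against the constructed events, the chain resolves to explorer.exe > winword.exe > cmd.exe > dwm.exe, cmd.exe (3736) trips the Office-spawns-shell rule, and dwm.exe (1440) trips both the masquerading and user-writable-path rules; WINWORD.EXE and explorer.exe produce no findings. The same three rules translate directly into Sysmon event ID 1 or EDR process-creation queries keyed on ParentImage, Image and CommandLine.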
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3772 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF87A.tmp.cvr | — | — | — |
| 3772 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF3D5A3C7A91AF4737.TMP | — | — | — |
| 3772 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF30A11004D0B36E20.TMP | — | — | — |
| 3772 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{32458EEB-F366-4B83-9ACB-4E44C51BF397}.tmp | — | — | — |
| 3772 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{75777BAA-0C05-4B7B-BBD0-8E4FD5F98B3D}.tmp | — | — | — |
| 3772 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{CD48D8D6-5A32-4BAB-9831-4049CE820F53}.tmp | — | — | — |
| 3772 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 5ED49D629F9F1900D1799BB6FD77BE0D | 7BC60DC12AB979A9825AEB969F961D5519C4D44BC8E052A9DBCFD5E24CB71991 |
| 3772 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Job Description.doc | document | 8019E78DD1CF8DDBAB6CFD11DA77F1E8 | 391CB4D7131892004F69D4928A39AD3CCC1ACB27B14DF1128D3D0D8881A82723 |
| 3772 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleUpdate.lnk | lnk | 69651B81110BE5785F03B073EE669CDB | FC43C7087C69E792FF1572C380478766E976E323A276BB3FD37F8CA837DAE999 |
| 3772 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ca6a390464c4880d813ebc04e6822fda9c68597600d27e1c5afaa26405bf6f.doc | pgc | AD99B13ED144561AD6971728777F1F19 | 5CFC9C6D0CB84842628F8F53D908A7ECA730A41816769E197FCA8217070E7A9A |
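Most rows in the file table are Word's own scratch files: the `~$` owner-lock files (`~$Normal.dotm`, and `~$ca6a39...doc` for the sample itself, whose first two characters Word replaces with `~$`), the `~WRS`/`~WRF` and `~DF` temporaries, and `CVRF87A.tmp.cvr`. Two writes matter for triage: `Job Description.doc` in Temp, a second document dropped by a sample that itself contains no text (Words: 0), which is typical of a decoy, and `GoogleUpdate.lnk` in the user's Startup folder, which Windows opens at every logon and so persists whatever the shortcut points to (the report does not show its target). The Python below is an added example, not code from the ANY.RUN report; it separates the scratch writes from the drops worth analysing. The paths are copied from the table, and the scratch-file patterns are assumptions based on Word's usual temp-file naming.

```python
"""Separate Word's scratch files from the writes that matter in a sandbox file table.

Added example, not code from the ANY.RUN report. Paths are copied from the table
above; the scratch-file patterns are assumptions based on Word's usual naming.
"""
import re

# (process, path) pairs constructed from the report's file table.
WRITES = [
    ("WINWORD.EXE", r"C:\Users\admin\AppData\Local\Temp\CVRF87A.tmp.cvr"),
    ("WINWORD.EXE", r"C:\Users\admin\AppData\Local\Temp\~DF3D5A3C7A91AF4737.TMP"),
    ("WINWORD.EXE", r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{32458EEB-F366-4B83-9ACB-4E44C51BF397}.tmp"),
    ("WINWORD.EXE", r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{CD48D8D6-5A32-4BAB-9831-4049CE820F53}.tmp"),
    ("WINWORD.EXE", r"C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm"),
    ("WINWORD.EXE", r"C:\Users\admin\AppData\Local\Temp\Job Description.doc"),
    ("WINWORD.EXE", r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleUpdate.lnk"),
    ("WINWORD.EXE", r"C:\Users\admin\AppData\Local\Temp\~$ca6a390464c4880d813ebc04e6822fda9c68597600d27e1c5afaa26405bf6f.doc"),
]

# Assumed Word scratch patterns: ~$ owner-lock files (document name with its first two
# characters replaced by "~$", as ~$ca6a39... for 5aca6a39...), ~WRS/~WRF/~WRD/~WRL
# temporaries, ~DF<hex>.TMP, and CVR<hex>.tmp.cvr.
SCRATCH = re.compile(r"^(~\$.*|~WR[SFDL].*\.tmp|~DF[0-9A-F]+\.TMP|CVR[0-9A-F]+\.tmp\.cvr)$", re.I)

EXEC_EXT = {"exe", "dll", "scr", "com", "bat", "cmd", "vbs", "js", "ps1", "hta"}
DOC_EXT = {"doc", "docx", "rtf", "xls", "xlsx", "pdf"}


def classify(path: str) -> str:
    """Label one written path by what it means for triage."""
    low = path.lower()
    name = path.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if SCRATCH.match(name):
        return "office_scratch"
    if "\\start menu\\programs\\startup\\" in low:
        return "startup_persistence"    # anything here is opened at the next logon
    if ext in EXEC_EXT and "\\appdata\\" in low:
        return "payload_drop"
    if ext in DOC_EXT and "\\temp\\" in low:
        return "lure_document"          # a second document in Temp is typically a decoy
    return "unclassified"


def triage(writes):
    """Return (process, path, label) for every non-scratch write, in table order."""
    out = []
    for proc, path in writes:
        label = classify(path)
        if label != "office_scratch":
            out.append((proc, path, label))
    return out


if __name__ == "__main__":
    for proc, path, label in triage(WRITES):
        print(f"{label:20} {proc} -> {path}")
```

On the constructed list only `Job Description.doc` (lure_document) and `GoogleUpdate.lnk` (startup_persistence) survive the filter; the same `classify` call labels the `dwm.exe` that the process table shows running from Temp as a payload_drop, even though the report's file table does not list its write. The Startup-folder rule is the one to alert on: a document-editing process writing a shortcut there has no benign explanation.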
| Domain | IP | Reputation |
|---|---|---|
| deltaemis.com | — | unknown |