| Field | Value |
|---|---|
| File name | PO(10288).docx |
| Full analysis | https://app.any.run/tasks/0b8b1798-b593-473b-ab66-5a9c6aee78d0 |
| Verdict | Malicious activity |
| Analysis date | September 18, 2019, 18:17:30 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File info | Microsoft Word 2007+ |
| MD5 | 6CD6E209E21AFC068B736CF5E11B2BDD |
| SHA1 | 1C578F46F755521BC2056C68FE053A6463C79F03 |
| SHA256 | 716E08C35F609630319502A5877B72474B1FBCDD0D8A7D53A2CD89BA0E2E0239 |
| SSDEEP | 6144:RHUTtIuThnAoO/5iuzSYYo11/NkvUe+hjid0ITbtOU5YE7N9T+/fe0/yfCp0LiKt:5EnBPcSYv/NWUbOI8Yoy+0/eCp0LOel |
| Extension | Identified format (score) |
|---|---|
| .docx | Word Microsoft Office Open XML Format document (52.2) |
| .zip | Open Packaging Conventions container (38.8) |
| .zip | ZIP compressed archive (8.8) |
| Field | Value |
|---|---|
| AppVersion | 12 |
| HyperlinksChanged | No |
| SharedDoc | No |
| CharactersWithSpaces | 20 |
| LinksUpToDate | No |
| Company | - |
| ScaleCrop | No |
| Paragraphs | 1 |
| Lines | 1 |
| DocSecurity | None |
| Application | Microsoft Office Word |
| Characters | 18 |
| Words | 3 |
| Pages | 1 |
| TotalEditTime | 3 minutes |
| Template | Normal |
| ModifyDate | 2019:09:18 00:29:00Z |
| CreateDate | 2019:09:18 00:26:00Z |
| RevisionNumber | 2 |
| LastModifiedBy | Windows User |
| Creator | Windows User |
| Field | Value |
|---|---|
| ZipFileName | [Content_Types].xml |
| ZipUncompressedSize | 1460 |
| ZipCompressedSize | 386 |
| ZipCRC | 0x7fcf3406 |
| ZipModifyDate | 1980:01:01 00:00:00 |
| ZipCompression | Deflated |
| ZipBitFlag | 0x0006 |
| ZipRequiredVersion | 20 |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2884 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\PO(10288).docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 |
| 2848 | "C:\Users\admin\AppData\Local\Temp\Order.exe" | C:\Users\admin\AppData\Local\Temp\Order.exe | | WINWORD.EXE | User: admin; Company: AVAST Software; Integrity Level: MEDIUM; Description: Vxel Tcpip Generators Cryptography Amung Messengers |
| 3764 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\meauthor.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 |
| 2736 | "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | — | services.exe | User: NETWORK SERVICE; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft Office Software Protection Platform Service; Version: 14.0.0370.400 (longhorn(wmbla).090811-1833) |
| 2268 | C:\Windows\system32\AUDIODG.EXE 0x6b0 | C:\Windows\system32\AUDIODG.EXE | — | svchost.exe | User: LOCAL SERVICE; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows Audio Device Graph Isolation; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3556 | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | C:\Windows\system32\DllHost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3032 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\floridamiddle.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 |
| 1304 | "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520 | C:\Windows\system32\SearchFilterHost.exe | — | SearchIndexer.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Windows Search Filter Host; Exit code: 0; Version: 7.00.7600.16385 (win7_rtm.090713-1255) |
| 2936 | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | C:\Windows\system32\DllHost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2588 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\waysmaps.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9E29.tmp.cvr | — | — | — |
| 2884 | WINWORD.EXE | C:\Users\admin\Downloads\~WRD0000.tmp | — | — | — |
| 2884 | WINWORD.EXE | C:\Users\admin\Downloads\~WRD0002.tmp | — | — | — |
| 2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{63A3F387-1B1B-4B99-8A2B-4EEB81D12786}.tmp | — | — | — |
| 2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A2AFDE35-296B-4075-95E9-64EF58055CCE}.tmp | — | — | — |
| 2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{8D807339-7781-42B4-8FFD-F6A053D2395B}.tmp | — | — | — |
| 3764 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3F7.tmp.cvr | — | — | — |
| 3764 | WINWORD.EXE | C:\Users\admin\Desktop\~WRD0000.tmp | — | — | — |
| 2884 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | E4FFA545936DD6AC4DF40351196079CB | 7C22577194956F39632C98BEC2FAEACD6A5B1A7F5E603CFFC5815F30F049DB64 |
| 2884 | WINWORD.EXE | C:\Users\admin\Downloads\~WRL0003.tmp | document | 207CDD57F3E2BB60FAF7EF22400B928B | E0346BBF0F347287772BEA881CB833181586AF1EDC5784B13EBCAC92062EDAE5 |