| Field | Value |
|---|---|
| File name | PO(10288).docx |
| Full analysis | https://app.any.run/tasks/8972d134-dadc-47bd-9b63-8c9bef0e1eca |
| Verdict | Malicious activity |
| Analysis date | September 18, 2019, 18:11:45 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File info | Microsoft Word 2007+ |
| MD5 | 6CD6E209E21AFC068B736CF5E11B2BDD |
| SHA1 | 1C578F46F755521BC2056C68FE053A6463C79F03 |
| SHA256 | 716E08C35F609630319502A5877B72474B1FBCDD0D8A7D53A2CD89BA0E2E0239 |
| SSDEEP | 6144:RHUTtIuThnAoO/5iuzSYYo11/NkvUe+hjid0ITbtOU5YE7N9T+/fe0/yfCp0LiKt:5EnBPcSYv/NWUbOI8Yoy+0/eCp0LOel |
File type identification (score from the original report):

| Extension | Description | Score |
|---|---|---|
| .docx | Word Microsoft Office Open XML Format document | 52.2 |
| .zip | Open Packaging Conventions container | 38.8 |
| .zip | ZIP compressed archive | 8.8 |
ZIP header fields of the first archive entry (ExifTool tag names):

| Field | Value |
|---|---|
| ZipRequiredVersion | 20 |
| ZipBitFlag | 0x0006 |
| ZipCompression | Deflated |
| ZipModifyDate | 1980:01:01 00:00:00 |
| ZipCRC | 0x7fcf3406 |
| ZipCompressedSize | 386 |
| ZipUncompressedSize | 1460 |
| ZipFileName | [Content_Types].xml |

The 1980:01:01 00:00:00 modification time is the zero value of the DOS timestamp in the ZIP local header. Packages saved by Office normally carry this zeroed timestamp on every entry, so on its own it says nothing about whether the file was produced by Word or by a builder.
Document properties from docProps/core.xml and docProps/app.xml (ExifTool tag names):

| Field | Value |
|---|---|
| Creator | Windows User |
| LastModifiedBy | Windows User |
| RevisionNumber | 2 |
| CreateDate | 2019:09:18 00:26:00Z |
| ModifyDate | 2019:09:18 00:29:00Z |
| Template | Normal |
| TotalEditTime | 3 minutes |
| Pages | 1 |
| Words | 3 |
| Characters | 18 |
| Application | Microsoft Office Word |
| DocSecurity | None |
| Lines | 1 |
| Paragraphs | 1 |
| ScaleCrop | No |
| Company | - |
| LinksUpToDate | No |
| CharactersWithSpaces | 20 |
| SharedDoc | No |
| HyperlinksChanged | No |
| AppVersion | 12 |

The properties describe a one-page document with three words of text, created and last saved by the generic account name "Windows User" three minutes apart. AppVersion 12 is the Word 2007 generation (Office 12.0), consistent with the "Microsoft Word 2007+" file-info line; it records the application that claims to have saved the file, not the Word 2010 (Office14) build the sandbox opened it with. A body this empty is consistent with a lure whose only purpose is to deliver what happens when it is opened.
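Triage of these docProps fields is cheap to automate before a file is ever opened. The following is an added example, not part of the any.run report: it builds a minimal OOXML package in memory whose core.xml and app.xml carry the values listed above (a constructed sample, not the original file), then runs a triage function over it. The creator-name list, the word-count and edit-time thresholds, and the shape of the findings are assumptions chosen for illustration; the check for `TargetMode="External"` relationships and for `word/vbaProject.bin` generalises beyond this sample, which has neither.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# OOXML namespaces used by docProps/core.xml and docProps/app.xml
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed sample metadata mirroring the report's docProps values.
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"'
    ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    "<dc:creator>Windows User</dc:creator>"
    "<cp:lastModifiedBy>Windows User</cp:lastModifiedBy><cp:revision>2</cp:revision>"
    '<dcterms:created xsi:type="dcterms:W3CDTF">2019-09-18T00:26:00Z</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">2019-09-18T00:29:00Z</dcterms:modified>'
    "</cp:coreProperties>"
).format(**NS)
APP_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Properties xmlns="{ep}"><Template>Normal</Template><TotalTime>3</TotalTime>'
    "<Pages>1</Pages><Words>3</Words><Characters>18</Characters>"
    "<Application>Microsoft Office Word</Application><DocSecurity>0</DocSecurity>"
    "<Lines>1</Lines><Paragraphs>1</Paragraphs><Company></Company>"
    "<AppVersion>12.0000</AppVersion></Properties>"
).format(**NS)

GENERIC_AUTHORS = {"", "windows user", "user", "admin", "administrator"}  # assumed list


def build_sample_docx() -> bytes:
    """Write a minimal package. Every entry gets the zeroed DOS timestamp that
    Office itself writes, matching the ZipModifyDate shown in the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in (
            ("[Content_Types].xml", "<Types/>"),
            ("docProps/core.xml", CORE_XML),
            ("docProps/app.xml", APP_XML),
            ("word/document.xml", "<document/>"),
        ):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            z.writestr(info, data)
    return buf.getvalue()


def triage_docx(blob: bytes) -> dict:
    """Extract docProps fields from a .docx and attach a list of triage findings."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = z.namelist()
        core = ET.fromstring(z.read("docProps/core.xml")) if "docProps/core.xml" in names else None
        app = ET.fromstring(z.read("docProps/app.xml")) if "docProps/app.xml" in names else None
        # Relationships with TargetMode="External" (remote templates, linked OLE
        # objects, external hyperlinks) are worth listing for any package.
        external = [
            (name, rel.get("Target"))
            for name in names if name.endswith(".rels")
            for rel in ET.fromstring(z.read(name)).iter()
            if rel.get("TargetMode") == "External"
        ]

    def text(root, path):
        node = root.find(path, NS) if root is not None else None
        return (node.text or "").strip() if node is not None else ""

    def stamp(value):
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ") if value else None

    props = {
        "creator": text(core, "dc:creator"),
        "last_modified_by": text(core, "cp:lastModifiedBy"),
        "created": stamp(text(core, "dcterms:created")),
        "modified": stamp(text(core, "dcterms:modified")),
        "words": int(text(app, "ep:Words") or 0),
        "edit_minutes": int(text(app, "ep:TotalTime") or 0),
        "app_version": text(app, "ep:AppVersion"),
        "has_macros": "word/vbaProject.bin" in names,
        "external_targets": external,
    }
    findings = []
    if props["creator"].lower() in GENERIC_AUTHORS:
        findings.append("generic or empty creator name: %r" % props["creator"])
    if props["words"] <= 10:  # threshold is an assumption for the example
        findings.append("almost no text content (%d words)" % props["words"])
    if props["created"] and props["modified"] and props["modified"] - props["created"] <= timedelta(minutes=5):
        gap = (props["modified"] - props["created"]).seconds // 60
        findings.append("created and last saved %d minutes apart" % gap)
    if props["has_macros"]:
        findings.append("package contains a VBA project")
    if external:
        findings.append("external relationship targets: %s" % external)
    props["findings"] = findings
    return props


if __name__ == "__main__":
    for finding in triage_docx(build_sample_docx())["findings"]:
        print("-", finding)
```

Run against the constructed sample this reports the generic creator, the three-word body and the three-minute gap between creation and last save; none of these proves malice, which is why the output is a list of findings to weigh rather than a verdict. Point `triage_docx` at the bytes of a real file to apply the same checks.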
Processes observed during the run. Each row merges a process line with its detail line from the original listing; the image path equals the first token of the command line and is not repeated. The Indicators cells for PIDs 3540 and 3024 are empty in the source.

| PID | Parent | Command line | User | Integrity | Company | Description | Version | Exit code | Indicators |
|---|---|---|---|---|---|---|---|---|---|
| 3540 | explorer.exe | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\PO(10288).docx" | admin | MEDIUM | Microsoft Corporation | Microsoft Word | 14.0.6024.1000 | 0 | |
| 3024 | WINWORD.EXE | "C:\Users\admin\AppData\Local\Temp\Order.exe" | admin | MEDIUM | AVAST Software | Vxel Tcpip Generators Cryptography Amung Messengers | | | |
| 2896 | services.exe | "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" | NETWORK SERVICE | SYSTEM | Microsoft Corporation | Microsoft Office Software Protection Platform Service | 14.0.0370.400 (longhorn(wmbla).090811-1833) | | — |
| 2552 | svchost.exe | C:\Windows\system32\AUDIODG.EXE 0x6b0 | LOCAL SERVICE | SYSTEM | Microsoft Corporation | Windows Audio Device Graph Isolation | 6.1.7600.16385 (win7_rtm.090713-1255) | | — |
| 2424 | explorer.exe | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\developloan.rtf" | admin | MEDIUM | Microsoft Corporation | Microsoft Word | 14.0.6024.1000 | 0 | — |
| 2060 | SearchIndexer.exe | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | SYSTEM | SYSTEM | Microsoft Corporation | Microsoft Windows Search Protocol Host | 7.00.7600.16385 (win7_rtm.090713-1255) | 0 | — |
| 3640 | SearchIndexer.exe | "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520 | SYSTEM | MEDIUM | Microsoft Corporation | Microsoft Windows Search Filter Host | 7.00.7600.16385 (win7_rtm.090713-1255) | 0 | — |
| 1508 | explorer.exe | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\developloan.rtf" | admin | MEDIUM | Microsoft Corporation | Microsoft Word | 14.0.6024.1000 | 0 | — |
| 2804 | svchost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | admin | MEDIUM | Microsoft Corporation | COM Surrogate | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 | — |
| 3744 | SearchIndexer.exe | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | SYSTEM | SYSTEM | Microsoft Corporation | Microsoft Windows Search Protocol Host | 7.00.7600.16385 (win7_rtm.090713-1255) | | — |

The entry that carries the verdict is PID 3024: Order.exe, run from the user's %TEMP% directory with a WINWORD.EXE process as parent. The report records only the parent's image name; three Word instances were running, and the one that opened the sample (PID 3540) is the natural candidate, but the listing does not state which. The version resource of Order.exe names "AVAST Software" as the company while its description is a string of unrelated words and no version number is recorded; a security vendor's name on an unsigned-looking binary in %TEMP% is a string anyone can set, and should be treated as borrowed rather than as evidence of provenance. The remaining rows (OSPPSVC, AUDIODG, the Windows Search hosts, COM Surrogate, and the two Word instances that explorer.exe started on developloan.rtf from the desktop) are routine Windows and Office activity and are not children of the sample's Word process.
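The WINWORD.EXE → %TEMP%\Order.exe relationship above is exactly the kind of parent/child pair a process-creation rule should catch on an endpoint, without any knowledge of the payload's hash. The following is an added example, not part of the any.run report: the events are constructed from the process table above (a representative subset, with the version-resource company string as the report shows it), and the rule flags any child of an Office process whose image lives under a user-writable path. A second, weaker check compares a well-known vendor string in the version resource with the directory a binary from that vendor would be expected to run from. The Office-process list, the user-writable prefixes and the vendor-to-directory map (including the Avast install path) are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed lists for the example: Office images whose children deserve scrutiny,
# path prefixes an unprivileged user can write to, and where binaries carrying a
# well-known CompanyName string would normally be installed.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
VENDOR_ROOTS = {
    "avast software": ("c:\\program files\\avast software\\",),
    "microsoft corporation": ("c:\\windows\\", "c:\\program files\\"),
}


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    cmdline: str
    company: str  # CompanyName from the version resource, as the report lists it


# Constructed from the process table above (a subset of the rows).
EVENTS = [
    ProcEvent(3540, "explorer.exe",
              r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\PO(10288).docx"',
              "Microsoft Corporation"),
    ProcEvent(3024, "WINWORD.EXE",
              r"C:\Users\admin\AppData\Local\Temp\Order.exe",
              r'"C:\Users\admin\AppData\Local\Temp\Order.exe"',
              "AVAST Software"),
    ProcEvent(2896, "services.exe",
              r"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE",
              r'"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"',
              "Microsoft Corporation"),
    ProcEvent(2552, "svchost.exe", r"C:\Windows\system32\AUDIODG.EXE",
              r"C:\Windows\system32\AUDIODG.EXE 0x6b0", "Microsoft Corporation"),
    ProcEvent(2804, "svchost.exe", r"C:\Windows\system32\DllHost.exe",
              r"C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",
              "Microsoft Corporation"),
]


def check_event(ev: ProcEvent) -> List[str]:
    """Return the reasons this event should alert; an empty list means it is clean."""
    reasons = []
    image = ev.image.lower()
    # Primary rule: an Office application launching an executable from a
    # location the logged-on user can write to.
    if ev.parent_image.lower() in OFFICE_PARENTS and image.startswith(USER_WRITABLE):
        reasons.append("%s started %s from a user-writable path" % (ev.parent_image, ev.image))
    # Secondary rule: a recognised vendor string on a binary that does not run
    # from that vendor's install location. Version-resource strings are free
    # text, so this is a hint, not proof.
    roots = VENDOR_ROOTS.get(ev.company.lower())
    if roots and not image.startswith(roots):
        reasons.append("version resource claims %r but image is not under %s"
                       % (ev.company, " or ".join(roots)))
    return reasons


def scan(events) -> Dict[int, List[str]]:
    """Map PID -> reasons for every event that trips at least one check."""
    hits = {}
    for ev in events:
        reasons = check_event(ev)
        if reasons:
            hits[ev.pid] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in scan(EVENTS).items():
        print(pid)
        for reason in reasons:
            print("  -", reason)
```

Only PID 3024 trips the rules, on both counts; the Office, service-host and indexer processes pass because their parents are not Office applications and their images sit under the directories their vendor string predicts. In a real deployment the same two checks map directly onto Sysmon event ID 1 or Windows Security event 4688 fields (parent image, image path, and the company string from file version information where the sensor collects it).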
Files written during the run. No MD5 or SHA256 was recorded for any entry, so the hash columns are omitted.

| PID | Process | Filename | Type |
|---|---|---|---|
| 3540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9B4A.tmp.cvr | — |
| 3540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{63A3F387-6F5B-4BE2-8229-79EB81D12786}.tmp | — |
| 3540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A2AFDE35-296B-4075-95E9-64EF58055CCE}.tmp | — |
| 3540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{8D807339-7781-42B4-8FFD-F6A0DBD00E5B}.tmp | — |
| 2424 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4ACA.tmp.cvr | — |
| 1508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4C51.tmp.cvr | — |
| 2424 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0001.tmp | — |
| 2424 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0000.docx | — |
| 2424 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~$RD0000.docx | — |
| 2424 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0003.tmp | — |

Every entry is one of Word's own scratch files: the CVR*.tmp.cvr files it creates in %TEMP% at startup, the ~WRS/~WRF/~WRD temporaries under Content.Word, and the ~$RD0000.docx owner file that accompanies ~WRD0000.docx. The write of Order.exe to %TEMP% is not in this list, so this table does not identify which process dropped the payload.