File name: | Subscription Confirmation.dot |
Full analysis: | https://app.any.run/tasks/84c22fe8-d419-4e49-be91-66a28a26dd3e |
Verdict: | Malicious activity |
Analysis date: | June 18, 2019, 19:25:17 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: User, Template: Subscription Confirmation, Last Saved By: User, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Sun Jun 16 21:15:00 2019, Last Saved Time/Date: Sun Jun 16 21:16:00 2019, Number of Pages: 1, Number of Words: 155, Number of Characters: 887, Security: 0 |
MD5: | 68529A182EBC2A6682C4D4F408178ABF |
SHA1: | B997923BC6338840E887BC3DBD1D3D07F5EFD47F |
SHA256: | 74F0C302F8CD0CA79792CE7A97647841B49269AE52FE4F5EAD5704AA3B138E38 |
SSDEEP: | 384:pQ9tKFXWZcQFO2kTImX9ZlqiwW0+RgkeBPN/9NG95i9QeU90Wgq9933U9r5I9iRW:pQ9tKFyNXiOjeTVI9s066DKxz99 |
Extension | Detected type (score) |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Field | Value |
---|---|
Author: | User |
Template: | Subscription Confirmation |
LastModifiedBy: | User |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | 1.0 minutes |
LastPrinted: | - |
CreateDate: | 2019:06:16 20:15:00 |
ModifyDate: | 2019:06:16 20:16:00 |
Pages: | 1 |
Words: | 155 |
Characters: | 887 |
Security: | None |
Company: | - |
Lines: | 7 |
Paragraphs: | 2 |
CharCountWithSpaces: | 1040 |
AppVersion: | 14 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | |
CodePage: | Windows Latin 1 (Western European) |
Hyperlinks: | |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3316 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\Subscription Confirmation.dot.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | ||||
1252 | "C:\Windows\System32\msdt.exe" -skip TRUE -path C:\Windows\diagnostics\system\networking -ep NetworkDiagnosticsPNI | C:\Windows\System32\msdt.exe | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Diagnostics Troubleshooting Wizard; Exit code: 2; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1940 | C:\Windows\System32\sdiagnhost.exe -Embedding | C:\Windows\System32\sdiagnhost.exe | — | svchost.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Scripted Diagnostics Native Host; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3812 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\bhc-9tsp.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | — | sdiagnhost.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Visual C# Command Line Compiler; Exit code: 0; Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | ||||
2708 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES6952.tmp" "c:\Users\admin\AppData\Local\Temp\CSC6951.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft® Resource File To COFF Object Conversion Utility; Exit code: 0; Version: 8.00.50727.4940 (Win7SP1.050727-5400) | ||||
1784 | "C:\Windows\system32\ipconfig.exe" /all | C:\Windows\system32\ipconfig.exe | — | sdiagnhost.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: IP Configuration Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2848 | "C:\Windows\system32\ROUTE.EXE" print | C:\Windows\system32\ROUTE.EXE | — | sdiagnhost.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: TCP/IP Route Command; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1716 | "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf | C:\Windows\system32\makecab.exe | — | sdiagnhost.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft® Cabinet Maker; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
936 | "C:\Windows\system32\ipconfig.exe" /all | C:\Windows\system32\ipconfig.exe | — | sdiagnhost.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: IP Configuration Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2852 | "C:\Windows\system32\ROUTE.EXE" print | C:\Windows\system32\ROUTE.EXE | — | sdiagnhost.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: TCP/IP Route Command; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
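The process table is the part of this report a responder will actually triage, so the following Python script is added here as a worked example; it is not part of the ANY.RUN report. It transcribes the rows above, rebuilds the parent/child relationships from the parent-image column (the report gives no parent PID), and applies three checks: an Office application spawning a script host or msdt.exe directly, msdt.exe pointed at a troubleshooting pack outside C:\Windows\diagnostics, and sdiagnhost.exe launching a helper the built-in networking pack does not use. Run over the rows from this report none of the checks fire: the report records explorer.exe, not WINWORD.EXE, as the parent of msdt.exe, the pack is the built-in NetworkDiagnosticsPNI troubleshooter, and its children (csc.exe, ipconfig.exe, ROUTE.EXE, makecab.exe) are the helpers that pack normally runs. The Office-application list, the LOLBin list, the expected-helper set and the second, constructed row set are assumptions for illustration, not data from the report.

```python
"""Added example, not part of the ANY.RUN report: rebuild the process tree from
the report's process table and run three detection checks over it."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str     # image name as printed in the report
    cmdline: str
    parent: str    # parent image name (the report gives no parent PID)


# Rows transcribed from the report's process table above.
REPORT_ROWS = [
    Proc(3316, "WINWORD.EXE",
         r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
         r'"C:\Users\admin\Downloads\Subscription Confirmation.dot.doc"', "explorer.exe"),
    Proc(1252, "msdt.exe",
         r'"C:\Windows\System32\msdt.exe" -skip TRUE '
         r'-path C:\Windows\diagnostics\system\networking -ep NetworkDiagnosticsPNI', "explorer.exe"),
    Proc(1940, "sdiagnhost.exe", r"C:\Windows\System32\sdiagnhost.exe -Embedding", "svchost.exe"),
    Proc(3812, "csc.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths '
         r'@"C:\Users\admin\AppData\Local\Temp\bhc-9tsp.cmdline"', "sdiagnhost.exe"),
    Proc(2708, "cvtres.exe",
         r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
         r'"/OUT:C:\Users\admin\AppData\Local\Temp\RES6952.tmp" '
         r'"c:\Users\admin\AppData\Local\Temp\CSC6951.tmp"', "csc.exe"),
    Proc(1784, "ipconfig.exe", r'"C:\Windows\system32\ipconfig.exe" /all', "sdiagnhost.exe"),
    Proc(2848, "ROUTE.EXE", r'"C:\Windows\system32\ROUTE.EXE" print', "sdiagnhost.exe"),
    Proc(1716, "makecab.exe", r'"C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf',
         "sdiagnhost.exe"),
    Proc(936, "ipconfig.exe", r'"C:\Windows\system32\ipconfig.exe" /all', "sdiagnhost.exe"),
    Proc(2852, "ROUTE.EXE", r'"C:\Windows\system32\ROUTE.EXE" print', "sdiagnhost.exe"),
]

# Assumed lists used by the checks (not taken from the report).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"msdt.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Helpers the built-in networking troubleshooting pack launches under sdiagnhost.exe;
# this set is an assumption derived from the rows in this report.
EXPECTED_DIAG_HELPERS = {"csc.exe", "ipconfig.exe", "route.exe", "makecab.exe"}
BUILTIN_PACK_ROOT = "c:\\windows\\diagnostics\\"


def children_of(rows, image):
    """Processes whose recorded parent image is `image` (case-insensitive)."""
    return [p for p in rows if p.parent.lower() == image.lower()]


def msdt_pack_path(cmdline):
    """Value of the -path argument in an msdt.exe command line, or '' if absent."""
    m = re.search(r"-path\s+(\S+)", cmdline, re.IGNORECASE)
    return m.group(1) if m else ""


def analyse(rows):
    """Return (rule, pid, detail) tuples; an empty list means nothing fired."""
    findings = []
    for p in rows:
        img, parent = p.image.lower(), p.parent.lower()
        # 1. An Office application launching a script host or other LOLBin directly.
        if parent in OFFICE_APPS and img in LOLBINS:
            findings.append(("office_spawns_lolbin", p.pid, f"{p.parent} -> {p.image}"))
        # 2. msdt.exe pointed at a troubleshooting pack outside C:\Windows\diagnostics.
        if img == "msdt.exe":
            path = msdt_pack_path(p.cmdline)
            if not path.lower().startswith(BUILTIN_PACK_ROOT):
                findings.append(("msdt_custom_pack", p.pid, path or "<no -path>"))
        # 3. The scripted-diagnostics host launching something the pack does not need.
        if parent == "sdiagnhost.exe" and img not in EXPECTED_DIAG_HELPERS:
            findings.append(("sdiagnhost_unexpected_child", p.pid, p.image))
    return findings


# Constructed rows (not from the report): the same troubleshooter chain, but started
# by Word, pointed at a pack in the user's temp folder, and spawning PowerShell.
CONSTRUCTED_ROWS = [
    REPORT_ROWS[0],
    Proc(4001, "msdt.exe",
         r'"C:\Windows\System32\msdt.exe" -path C:\Users\admin\AppData\Local\Temp\custom.diagcab',
         "WINWORD.EXE"),
    Proc(4002, "sdiagnhost.exe", r"C:\Windows\System32\sdiagnhost.exe -Embedding", "svchost.exe"),
    Proc(4003, "powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop', "sdiagnhost.exe"),
]

if __name__ == "__main__":
    for label, rows in (("report", REPORT_ROWS), ("constructed", CONSTRUCTED_ROWS)):
        print(label, analyse(rows) or "no findings")
```

The checks key on parent image names because that is all this report exposes; on a real endpoint, use the parent PID from Sysmon event 1 or the EDR telemetry instead, since image names alone cannot distinguish two processes with the same name (the table above has two ipconfig.exe and two ROUTE.EXE rows).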
PID | Process | Filename | Type | |
---|---|---|---|---|
3316 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRED6A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3316 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:1C254EDAEA17101D0E85171E27A7F768 | SHA256:4A2E9339750A6E089CDA0B8F020F99FB76F56222B5F3CDB3385429B902BF5045 | |||
3812 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC6951.tmp | — | |
MD5:— | SHA256:— | |||
3812 | csc.exe | C:\Users\admin\AppData\Local\Temp\bhc-9tsp.pdb | — | |
MD5:— | SHA256:— | |||
2708 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES6952.tmp | — | |
MD5:— | SHA256:— | |||
3812 | csc.exe | C:\Users\admin\AppData\Local\Temp\bhc-9tsp.dll | — | |
MD5:— | SHA256:— | |||
3812 | csc.exe | C:\Users\admin\AppData\Local\Temp\bhc-9tsp.out | — | |
MD5:— | SHA256:— | |||
1940 | sdiagnhost.exe | C:\Users\admin\AppData\Local\Temp\D85833DB-F721-4C8D-991F-5CF9A11B5DE8.Diagnose.0.etl | — | |
MD5:— | SHA256:— | |||
3316 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:17222E7BED955763CB75EBDA153E0074 | SHA256:EAEB163582F92B56C14963150DA7DBEA34565552F3D187A793BE19BEB0978882 | |||
3316 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Subscription Confirmation.dot.doc.LNK | lnk | |
MD5:D27E1C3553AF95DC0E440938C3A2DE3E | SHA256:2BD7B4481663034719C0A22CADBE434E28141C47983158021010F015842DBB50 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3272 | chrome.exe | GET | 200 | 87.245.198.16:80 | http://r5---sn-gxuog0-axqe.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=185.117.118.92&mm=28&mn=sn-gxuog0-axqe&ms=nvh&mt=1560885776&mv=u&pl=24&shardbypass=yes | RU | crx | 842 Kb | whitelisted |
3272 | chrome.exe | GET | 302 | 172.217.16.174:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 511 b | whitelisted |
972 | svchost.exe | GET | 200 | 92.122.253.175:80 | http://www.microsoft.com/ | unknown | html | 1020 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3272 | chrome.exe | 172.217.18.163:443 | ssl.gstatic.com | Google Inc. | US | whitelisted |
3272 | chrome.exe | 172.217.22.78:443 | apis.google.com | Google Inc. | US | whitelisted |
3272 | chrome.exe | 216.58.207.78:443 | clients1.google.com | Google Inc. | US | whitelisted |
3272 | chrome.exe | 172.217.18.3:443 | www.gstatic.com | Google Inc. | US | whitelisted |
972 | svchost.exe | 92.122.253.175:80 | www.microsoft.com | GTT Communications Inc. | — | suspicious |
3272 | chrome.exe | 172.217.22.35:443 | www.google.com.ua | Google Inc. | US | whitelisted |
3272 | chrome.exe | 172.217.22.109:443 | accounts.google.com | Google Inc. | US | whitelisted |
3272 | chrome.exe | 172.217.16.138:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
3272 | chrome.exe | 216.58.208.46:443 | ogs.google.com | Google Inc. | US | whitelisted |
3272 | chrome.exe | 172.217.16.132:443 | www.google.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.microsoft.com | | whitelisted |
reviewpaymentsld.reachdeers.com | | unknown |
www.google.com.ua | | whitelisted |
clientservices.googleapis.com | | whitelisted |
accounts.google.com | | shared |
clients1.google.com | | whitelisted |
ssl.gstatic.com | | whitelisted |
www.gstatic.com | | whitelisted |
apis.google.com | | whitelisted |
www.google.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
972 | svchost.exe | A Network Trojan was detected | ET POLICY Microsoft user-agent automated process response to automated request |
Process | Message |
---|---|
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |

The same originated/propagated pair is logged five times during the csc.exe run (PID 3812). -2147024774 is HRESULT 0x8007007A, the Win32 error 122 (ERROR_INSUFFICIENT_BUFFER) wrapped as an HRESULT; it is a debug trace from the Windows side-by-side (SxS) isolation code loaded by csc.exe, and the compile itself exits with code 0 (see the process table).