File name: | Rule of conduct.docx |
Full analysis: | https://app.any.run/tasks/e1554478-4430-4c8f-a38b-420740552193 |
Verdict: | Malicious activity |
Analysis date: | July 11, 2019, 21:21:35 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 2C5CD00D2B2C1D041AAD285CEAC099D1 |
SHA1: | E22070602362554C2BCEF135219B36AAD78A6A46 |
SHA256: | 78DA2E6AC408D6DC7187061E700A721D0A00830B2623494993B4A9D262488BAD |
SSDEEP: | 384:dwiP3+rqiUUcuC8GqHvjNcqkKkxU4U3tTB9A:6iP39iU2C8wqjkx84 |
.docx | | | Word Microsoft Office Open XML Format document (52.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (38.8) |
.zip | | | ZIP compressed archive (8.8) |
AppVersion: | 16 |
---|---|
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 736 |
LinksUpToDate: | No |
Company: | by adguard |
TitlesOfParts: | - |
HeadingPairs: |
|
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 5 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 627 |
Words: | 110 |
Pages: | 1 |
TotalEditTime: | 8.4 hours |
Template: | Normal |
ModifyDate: | 2019:07:11 18:19:00Z |
CreateDate: | 2019:01:24 16:34:00Z |
LastPrinted: | 2019:01:08 12:58:00Z |
RevisionNumber: | 48 |
LastModifiedBy: | Sue Lyons |
Creator: | HP-PC |
---|
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1445 |
ZipCompressedSize: | 358 |
ZipCRC: | 0x576f9132 |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3212 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rule of conduct.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1652 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2872 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1652 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2628 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0 Exit code: 0 Version: 26,0,0,131 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3212 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD622.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3212 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\msoD845.tmp | — | |
MD5:— | SHA256:— | |||
1652 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
1652 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2872 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8BW8CI0Y\login[1].php | — | |
MD5:— | SHA256:— | |||
3212 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$le of conduct.docx | pgc | |
MD5:274512E2DF468A6A1EE103B3FEC18DD7 | SHA256:9428016556540A0A330747E81E387E1156BBA4D38867CB9A784FC05C292606F6 | |||
3212 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@atamaria[1].txt | text | |
MD5:291634104CABC08B156F29DB7B85E47E | SHA256:680DF16DF0C91B2833CDF071B3030AFFB00A4D3209EFD7B91F571BC865F3256A | |||
2872 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\THOJPES7\login[1].htm | html | |
MD5:7EB81AEDF98B820975E29ACABFD8157B | SHA256:5D577769F938C6D2BCF1BB9EFC02F2E6C97BCB44078424E455FD12E316A184A4 | |||
2872 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@atamaria[1].txt | text | |
MD5:74FFBDD35E3D3306F8B361FED2DB13FE | SHA256:41CB8BF27491E3AF2C1B1891902B1A916CC70512D588FD63598B5A1145309B15 | |||
2872 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8BW8CI0Y\continue[1].png | image | |
MD5:68EE0BF2D67020AFCF0F6C5561FA0361 | SHA256:0A30956D43221ED177BC7C8B0B18A004112DF1E32BB12F4562A5BA6C1418803C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3212 | WINWORD.EXE | GET | 301 | 104.27.136.110:80 | http://atamaria.top/office/office365/ada1d9ff3377cc9007c9d0b1e0e307c3/ | US | — | — | suspicious |
1652 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1652 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2872 | iexplore.exe | 54.148.84.95:443 | www.sitepoint.com | Amazon.com, Inc. | US | unknown |
3212 | WINWORD.EXE | 104.27.136.110:80 | atamaria.top | Cloudflare Inc | US | shared |
3212 | WINWORD.EXE | 104.27.136.110:443 | atamaria.top | Cloudflare Inc | US | shared |
1652 | iexplore.exe | 104.27.136.110:443 | atamaria.top | Cloudflare Inc | US | shared |
2872 | iexplore.exe | 104.27.136.110:443 | atamaria.top | Cloudflare Inc | US | shared |
2872 | iexplore.exe | 104.111.240.106:443 | account.microsoft.com | Akamai International B.V. | NL | whitelisted |
2872 | iexplore.exe | 152.199.19.160:443 | ajax.aspnetcdn.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2872 | iexplore.exe | 23.38.55.187:443 | compass-ssl.microsoft.com | Akamai International B.V. | NL | whitelisted |
2872 | iexplore.exe | 23.210.249.30:443 | cdn.optimizely.com | Akamai International B.V. | NL | whitelisted |
Domain | IP | Reputation |
---|---|---|
atamaria.top |
| suspicious |
www.bing.com |
| whitelisted |
www.sitepoint.com |
| shared |
account.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
mwf-service.akamaized.net |
| whitelisted |
ajax.aspnetcdn.com |
| whitelisted |
cdn.optimizely.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
compass-ssl.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
3212 | WINWORD.EXE | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |