| Field | Value |
|---|---|
| File name | 7c50f42fc4df44918d5b200b3ede38be5342286a08c6acc30e01d4b74b2014a5 |
| Full analysis | https://app.any.run/tasks/9522ceb7-3b4b-40db-9ab3-112f4a379549 |
| Verdict | Malicious activity |
| Analysis date | December 14, 2018, 15:13:01 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 936, Author: John, Template: Normal.dotm, Last Saved By: Windows, Revision Number: 131, Name of Creating Application: Microsoft Office Word, Total Editing Time: 13:00, Create Time/Date: Sun Nov 25 17:35:00 2018, Last Saved Time/Date: Mon Nov 26 09:05:00 2018, Number of Pages: 1, Number of Words: 4, Number of Characters: 25, Security: 0 |
| MD5 | 862EC29AC552C70D70A6A85AC29AE38F |
| SHA1 | 05DDF9A9D057915AA2D88A7A1AB036F0395D2EFE |
| SHA256 | 7C50F42FC4DF44918D5B200B3EDE38BE5342286A08C6ACC30E01D4B74B2014A5 |
| SSDEEP | 1536:nafUoVZy0S0ivJKC1j+oJ+mlZoh1PlbO8C7eGzjDSmPzLGtAPoWrpO:nafzVZy0SNMPQ+b1PlPuTvRJVO |
| Extension | File type detection (score) |
|---|---|
| .doc | Microsoft Word document (54.2) |
| .doc | Microsoft Word document (old ver.) (32.2) |
| Property | Value |
|---|---|
| Title | - |
| Subject | - |
| Author | John |
| Keywords | - |
| Comments | - |
| Template | Normal.dotm |
| LastModifiedBy | Windows ?û? |
| RevisionNumber | 131 |
| Software | Microsoft Office Word |
| TotalEditTime | 13.0 minutes |
| CreateDate | 2018:11:25 17:35:00 |
| ModifyDate | 2018:11:26 09:05:00 |
| Pages | 1 |
| Words | 4 |
| Characters | 25 |
| Security | None |
| CodePage | Windows Simplified Chinese (PRC, Singapore) |
| Company | - |
| Lines | 1 |
| Paragraphs | 1 |
| CharCountWithSpaces | 28 |
| AppVersion | 15 |
| ScaleCrop | No |
| LinksUpToDate | No |
| SharedDoc | No |
| HyperlinksChanged | No |
| TitleOfParts | - |
| HeadingPairs | |
| CompObjUserTypeLen | 28 |
| CompObjUserType | Microsoft Word 97-2003 ?ĵ? |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2748 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\7c50f42fc4df44918d5b200b3ede38be5342286a08c6acc30e01d4b74b2014a5.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 2868 | "C:\Windows\System32\cmd.exe" /c schtasks /create /tn AppLaunch /tr C:\Users\admin\AppData\Roaming\Mui\AppLaunch.exe /sc DAILY /f /RI 10 /du 24:00 /st 00:01 | C:\Windows\System32\cmd.exe | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3316 | schtasks /create /tn AppLaunch /tr C:\Users\admin\AppData\Roaming\Mui\AppLaunch.exe /sc DAILY /f /RI 10 /du 24:00 /st 00:01 | C:\Windows\system32\schtasks.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 4024 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3712 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR592D.tmp.cvr | — | — | — |
| 2748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFDF45F785D4078D70.TMP | — | — | — |
| 2748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFEEB607C7219A3BFB.TMP | — | — | — |
| 2748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~WRD0000.tmp | — | — | — |
| 2748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF517E16D40B1FB30A.TMP | — | — | — |
| 2748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$50f42fc4df44918d5b200b3ede38be5342286a08c6acc30e01d4b74b2014a5.doc | pgc | 586E4ECD690A4C17CBB1EECA41699982 | 95D94A41FC9F644EFB671D49AFF3294646C532DEB449409ED58CA5874B808375 |
| 2748 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 42333F6D8C7532AE166F14794AD21FAD | 1D98020409C2D0955CA57D86EDE96005ECDB259DB6E78E502A49AE7F8CED4A8E |
| 2748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~WRL0001.tmp | document | 862EC29AC552C70D70A6A85AC29AE38F | 7C50F42FC4DF44918D5B200B3EDE38BE5342286A08C6ACC30E01D4B74B2014A5 |
| 2748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\7c50f42fc4df44918d5b200b3ede38be5342286a08c6acc30e01d4b74b2014a5.doc | document | E3887311C829A33E7B361A80DD093F1A | 4222C41433E41798389A16ABC56CA60D28E35C16AA1718D0A4063FCE5D31AEA5 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2748 | WINWORD.EXE | 188.93.126.191:443 | www.idealnidom.com | Mainstream doo | RS | unknown |
| Domain | IP | Reputation |
|---|---|---|
| www.idealnidom.com | | suspicious |