Field | Value
---|---|
File name: | 82918f0396e738fb0833d65ef582607ce3c19f973740c8a5d179b2b4e764605b
Full analysis: | https://app.any.run/tasks/4c5a5b67-12ec-4b25-af7a-ab1a41f4234a
Verdict: | Malicious activity
Analysis date: | June 19, 2019, 10:44:42
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators: |
MIME: | application/msword
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: Performance Evaluation Template, Author: Maylene Raful, Template: Normal.dotm, Last Saved By: pc1, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Total Editing Time: 04:00, Last Printed: Tue Feb 21 19:12:00 2017, Create Time/Date: Tue Jun 18 07:40:00 2019, Last Saved Time/Date: Tue Jun 18 08:05:00 2019, Number of Pages: 3, Number of Words: 916, Number of Characters: 5223, Security: 0
MD5: | 8F416A523E272A751061F86E77B8CDAD
SHA1: | 54E8936EE761FDD3E26DBAB6606F6DB1B3492BD4
SHA256: | 82918F0396E738FB0833D65EF582607CE3C19F973740C8A5D179B2B4E764605B
SSDEEP: | 3072:LDqvZRRZLGU1XTqcGfTsxO/sq+c2QkbSJu9RZNebKr3nsthySDNH3q6JWBd1gFf6:avf6Q2IGJDFoB2Hi
Extension | Description (match score)
---|---|
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)
Field | Value
---|---|
CompObjUserType: | Microsoft Word 97-2003 Document
CompObjUserTypeLen: | 32
PublishingStartDate: | -
PublishingExpirationDate: | -
DocumentVersion: | 2017-04-01T00:00:00Z
Xd_ProgID: | -
Xd_Signature: | -
Tag_SharedFileIndex: | -
Tag_SourceUrl: | -
TemplateUrl: | -
ContentTypeId: | 0x0101001320F0329649CF4096F15D3A24058C2A
CodePage: | Windows Latin 1 (Western European)
HeadingPairs: |
TitleOfParts: | Performance Evaluation Template
HyperlinksChanged: | No
SharedDoc: | No
LinksUpToDate: | No
ScaleCrop: | No
AppVersion: | 16
CharCountWithSpaces: | 6127
Paragraphs: | 12
Lines: | 43
Company: | UCLA
ThumbnailClip: | (Binary data 152692 bytes, use -b option to extract)
Security: | None
Characters: | 5223
Words: | 916
Pages: | 3
ModifyDate: | 2019:06:18 07:05:00
CreateDate: | 2019:06:18 06:40:00
LastPrinted: | 2017:02:21 19:12:00
TotalEditTime: | 4.0 minutes
Software: | Microsoft Office Word
RevisionNumber: | 4
LastModifiedBy: | pc1
Template: | Normal.dotm
Comments: | -
Keywords: | -
Author: | Maylene Raful
Subject: | -
Title: | Performance Evaluation Template
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---|
3136 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\82918f0396e738fb0833d65ef582607ce3c19f973740c8a5d179b2b4e764605b.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
| User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
3608 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe
| User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
3008 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\Public\lovelyTrump.tx" | C:\Program Files\Notepad++\notepad++.exe | — | explorer.exe
| User: admin; Company: Don HO [email protected]; Integrity level: MEDIUM; Description: Notepad++ : a free (GNU) source code editor; Exit code: 0; Version: 7.51 | | | |
2768 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 | C:\Program Files\Notepad++\updater\gup.exe | — | notepad++.exe
| User: admin; Company: Don HO [email protected]; Integrity level: MEDIUM; Description: GUP : a free (LGPL) Generic Updater; Exit code: 0; Version: 4.1 | | | |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---|
3136 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF913.tmp.cvr | — | — | —
3136 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFFCA453BD7AD991A2.TMP | — | — | —
3136 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF54177715DCFA8106.TMP | — | — | —
3136 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFB8DE30B9EBE9EF99.TMP | — | — | —
3136 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$918f0396e738fb0833d65ef582607ce3c19f973740c8a5d179b2b4e764605b.doc | pgc | 784E766BFF1B3C395BF6B3316BA2D8D5 | 609A418E43EB3A0D0DC80656F627280EF802118324B23FED6F626DA6C60ABE42
3136 | WINWORD.EXE | C:\Users\Public\lovelyTrump.tx | text | 9AB662BC899E5DC9B4E90B3027E098E0 | 511491B45DBF7AA3AF4A0B9E6BE24C45C0A9147B72A73BA93EE051EFCC39F1AE
3008 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\session.xml | text | F7C83D8C8E08F4A1AC1AA9F85EA4FD69 | 0314561894E6624A35E20BBE42B3715463A409C811E126FA2D3F6B8ABC1A60BF
3136 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Forms\WINWORD.box | binary | 2AC728BF6ED96941F9DEDC5E595CF095 | 91C4697B03E738099368877EAFB5D991E0AC01251C672EB083249ABCF5AA8DA9
3136 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 91C32645C5010C831CE5C6830DF5F196 | 79940DBC918A81CC57D6EE080B5F0CDEF4A01E32CC1920E18BC5812C682CABD4
3136 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 17222E7BED955763CB75EBDA153E0074 | EAEB163582F92B56C14963150DA7DBEA34565552F3D187A793BE19BEB0978882
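The process tree and file events above show a pattern worth encoding as detection logic: WINWORD.EXE (PID 3136) creates `VBE\MSForms.exd` and `Forms\WINWORD.box` (VBA UserForm activity), writes `C:\Users\Public\lovelyTrump.tx`, and that dropped file is then opened by a separate process (notepad++.exe, PID 3008). The following is an added example, not ANY.RUN's code and not part of the sample: a Python triage routine that flags those three behaviours over Sysmon-style process-create and file-create records. The records are constructed from the paths in this report (event shape, ordering, rule names and the Office image list are this example's own assumptions).

```python
"""Behavioural triage over Sysmon-style events shaped like the process tree and
file events in this report. The sample records are constructed from the report's
paths, not a real Sysmon export; rule names and the Office image list are
assumptions of this example."""
from dataclasses import dataclass
from typing import Dict, List
import ntpath

# Office binaries whose file writes we scrutinise (assumption: this short list).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
PUBLIC_DIR = "c:\\users\\public\\"
# The VBA editor regenerates MSForms.exd when a document uses MSForms/UserForm
# controls; WINWORD.EXE creating it is one of the file events in the report.
MSFORMS_EXD_SUFFIX = "\\appdata\\local\\temp\\vbe\\msforms.exd"


@dataclass
class Event:
    kind: str        # "process" (process create) or "file" (file create)
    pid: int
    image: str       # full path of the acting process
    target: str      # command line for "process", created path for "file"


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def _image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def triage(events: List[Event]) -> List[Finding]:
    """Return findings for three patterns visible in the report:
    1. an Office process writes into C:\\Users\\Public;
    2. an Office process creates VBE\\MSForms.exd (VBA forms in use);
    3. a file dropped by an Office process is later opened by another
       process (its path appears on that process's command line)."""
    findings: List[Finding] = []
    dropped: Dict[str, int] = {}   # lower-cased path -> pid of the Office writer
    for ev in events:
        image = _image_name(ev.image)
        if ev.kind == "file":
            path = ev.target.lower()
            if image in OFFICE_IMAGES:
                dropped[path] = ev.pid
                if path.startswith(PUBLIC_DIR):
                    findings.append(Finding("office_write_public", ev.pid, ev.target))
                if path.endswith(MSFORMS_EXD_SUFFIX):
                    findings.append(Finding("office_msforms_exd", ev.pid, ev.target))
        elif ev.kind == "process":
            cmd = ev.target.lower()
            for path, writer_pid in dropped.items():
                if ev.pid != writer_pid and path in cmd:
                    findings.append(Finding(
                        "dropped_file_opened", ev.pid,
                        f"{ev.target} (dropped by pid {writer_pid})"))
    return findings


# Constructed sample events mirroring the tables above (paths and PIDs from the
# report; ordering and event shape assumed).
WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
NPP = r"C:\Program Files\Notepad++\notepad++.exe"
GUP = r"C:\Program Files\Notepad++\updater\gup.exe"
SAMPLE_EVENTS = [
    Event("process", 3136, WINWORD,
          f'"{WINWORD}" /n "C:\\Users\\admin\\AppData\\Local\\Temp\\'
          '82918f0396e738fb0833d65ef582607ce3c19f973740c8a5d179b2b4e764605b.doc"'),
    Event("file", 3136, WINWORD, r"C:\Users\admin\AppData\Local\Temp\CVRF913.tmp.cvr"),
    Event("file", 3136, WINWORD, r"C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd"),
    Event("file", 3136, WINWORD, r"C:\Users\Public\lovelyTrump.tx"),
    Event("process", 3008, NPP, f'"{NPP}" "C:\\Users\\Public\\lovelyTrump.tx"'),
    Event("process", 2768, GUP, f'"{GUP}" -v7.51'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

On the constructed events this yields three findings: the MSForms.exd creation and the write into C:\Users\Public, both attributed to PID 3136, and the later open of `lovelyTrump.tx` by PID 3008. The `.cvr` and other `%TEMP%` scratch files are recorded as drops but raise nothing on their own, which keeps ordinary Word sessions quiet.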
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 2.21.242.187:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | NL | der | 1.37 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2768 | gup.exe | 37.59.28.236:443 | notepad-plus-plus.org | OVH SAS | FR | whitelisted |
— | — | 2.21.242.187:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | NL | whitelisted |
Domain | IP | Reputation
---|---|---|
notepad-plus-plus.org | 37.59.28.236 | whitelisted
isrg.trustid.ocsp.identrust.com | 2.21.242.187 | whitelisted
Process | Message
---|---|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093