Field | Value |
---|---|
File name | d569e280ab3ad0e8307986371ccb1d56d82549249ef8399dd2691fb75bbe76ea.doc |
Full analysis | https://app.any.run/tasks/8b8f9993-95d7-457b-a57c-22e2487118bc |
Verdict | Malicious activity |
Analysis date | March 21, 2019, 02:43:21 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/msword |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Last Saved By: user, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Wed Mar 20 00:13:00 2019, Last Saved Time/Date: Wed Mar 20 00:14:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 2, Security: 0 |
MD5 | C496C3125A1B37C4C9D0B6A2B08DC628 |
SHA1 | ED42C422B4B6D414B7917B7A3178F5DBA165EA57 |
SHA256 | D569E280AB3AD0E8307986371CCB1D56D82549249EF8399DD2691FB75BBE76EA |
SSDEEP | 1536:0khD0tEVnJi1XEP0Gft8xr0GwekXCyJe5ecE9T:OQMdz98SyP |
Extension | File type (match score) |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Metadata field | Value |
---|---|
Title | - |
Subject | - |
Author | - |
Keywords | - |
Comments | - |
Template | Normal.dotm |
LastModifiedBy | user |
RevisionNumber | 2 |
Software | Microsoft Office Word |
TotalEditTime | 1.0 minutes |
CreateDate | 2019:03:20 00:13:00 |
ModifyDate | 2019:03:20 00:14:00 |
Pages | 1 |
Words | - |
Characters | 2 |
Security | None |
CodePage | Windows Latin 1 (Western European) |
Company | - |
Bytes | 11000 |
Lines | 1 |
Paragraphs | 1 |
CharCountWithSpaces | 2 |
AppVersion | 16 |
ScaleCrop | No |
LinksUpToDate | No |
SharedDoc | No |
HyperlinksChanged | No |
TitleOfParts | - |
HeadingPairs | |
CompObjUserTypeLen | 32 |
CompObjUserType | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process | Process details |
---|---|---|---|---|---|
928 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\d569e280ab3ad0e8307986371ccb1d56d82549249ef8399dd2691fb75bbe76ea.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 |
180 | "C:\Users\admin\AppData\Local\Temp\tquuoei.exe" | C:\Users\admin\AppData\Local\Temp\tquuoei.exe | — | WINWORD.EXE | User: admin; Integrity Level: MEDIUM; Description: fiNarEa S.A. SWITZErland; Exit code: 0; Version: 1.06.0002 |
3968 | "C:\Users\admin\AppData\Local\Temp\tquuoei.exe" | C:\Users\admin\AppData\Local\Temp\tquuoei.exe | — | tquuoei.exe | User: admin; Integrity Level: MEDIUM; Description: fiNarEa S.A. SWITZErland; Exit code: 0; Version: 1.06.0002 |
1472 | "C:\Users\admin\AppData\Local\Temp\opf.exe" | C:\Users\admin\AppData\Local\Temp\opf.exe | — | tquuoei.exe | User: admin; Integrity Level: MEDIUM; Description: fiNarEa S.A. SWITZErland; Exit code: 0; Version: 1.06.0002 |
2936 | "C:\Users\admin\AppData\Local\Temp\opf.exe" | C:\Users\admin\AppData\Local\Temp\opf.exe | — | opf.exe | User: admin; Integrity Level: MEDIUM; Description: fiNarEa S.A. SWITZErland; Version: 1.06.0002 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR89D8.tmp.cvr | — | — | — |
928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF7F3A8AD10DA460D1.TMP | — | — | — |
928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{79D0D1AD-D394-4288-8013-58CF77D6D807}.tmp | — | — | — |
928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{AEDC2C8A-68E0-4450-B6E2-CE5B4F4FDE11}.tmp | — | — | — |
3968 | tquuoei.exe | C:\Users\admin\AppData\Local\Temp\opf.exe | executable | 860B2A17B397F798720FFD627B2F7FBE | D52C55C67E0ADAA589D3C099E0D2437C3D61939280AD472E498CFB8C1A96B416 |
928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\irsnotices[1].exe | executable | B41358ED77F49E718EBF5DDC51B0AA2F | BEF054C8FBFC0350CC91C2ADA7C5C82946A6FEEA8653A27F8EDEF4A73DF0F314 |
1472 | opf.exe | C:\Users\admin\AppData\Local\Temp\~DF4F8275BB2F8B6340.TMP | binary | 86DFDE1B74675C77205C2B4EA6891FAA | 90F889E8724D385B2672854204C5308FE1402DF36B4D15C1E774D333BCE1C7AF |
928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\tquuoei.exe | executable | B41358ED77F49E718EBF5DDC51B0AA2F | BEF054C8FBFC0350CC91C2ADA7C5C82946A6FEEA8653A27F8EDEF4A73DF0F314 |
180 | tquuoei.exe | C:\Users\admin\AppData\Local\Temp\~DF5991348177A3BE28.TMP | binary | 86DFDE1B74675C77205C2B4EA6891FAA | 90F889E8724D385B2672854204C5308FE1402DF36B4D15C1E774D333BCE1C7AF |
928 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 078AF9604B957CE548ED85D7A40F732C | F55335BC6AC76DAAA66A0048400E11F2944A73A6555B7860BBB422EE71940469 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2936 | opf.exe | 185.101.94.172:2019 | www.relatingclause.com | Mike Kaldig | DE | malicious |
928 | WINWORD.EXE | 199.192.23.117:443 | jetlagcanstand.info | — | US | unknown |
Domain | IP | Reputation |
---|---|---|
jetlagcanstand.info | | unknown |
www.relatingclause.com | | malicious |
dns.msftncsi.com | | shared |