File name: Исх. №723 ОКР.docx

Full analysis: https://app.any.run/tasks/dc4f9a62-c7f8-4d96-ac6e-6f8e5409fb8d
Verdict: Malicious activity
Analysis date: January 22, 2025, 09:08:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: generated-doc, smb, scan, smbscan
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: 922E1742EC5BC2D89611B123B483D04E
SHA1: 448B005A29771251180D76524BB98683D329DA74
SHA256: 5847097ECC3C14479894F1F0F2510262F2908C310A54B97E62298452454F5B9B
SSDEEP: 12288:nN85Y+a8Tib1nSE/FdQ0uo8ZsXCrGCRP9lvX:nN85Y+a8TiRSE/FdQ0uo8WXCtPb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • SMBSCAN has been detected (SURICATA)
      • System (PID: 4)
  • SUSPICIOUS
    • Potential Corporate Privacy Violation
      • System (PID: 4)
  • INFO
    • The process uses the downloaded file
      • WINWORD.EXE (PID: 4944)
    • An automatically generated document
      • WINWORD.EXE (PID: 4944)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:01:21 12:17:38
ZipCRC: 0x167f8533
ZipCompressedSize: 350
ZipUncompressedSize: 1361
ZipFileName: [Content_Types].xml

XML

Template: Normal.dotm
TotalEditTime: 1 minute
Pages: 1
Words: -
Characters: 1
Application: Microsoft Office Word
DocSecurity: None
Lines: 1
Paragraphs: 1
ScaleCrop: No
Company: -
LinksUpToDate: No
CharactersWithSpaces: 1
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16
Keywords: -
LastModifiedBy: Aleksei Prokofev
RevisionNumber: 2
CreateDate: 2024:06:21 13:45:00Z
ModifyDate: 2024:06:21 13:45:00Z

XMP

Title: -
Subject: -
Creator: Aleksei Prokofev
Description: -
No data.
All screenshots are available in the full report
Total processes: 131
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph (interactive in the full report)

start -> winword.exe; system (#SMBSCAN); ai.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process

4 | System | [System Process] | - | -
  User: SYSTEM
  Integrity Level: SYSTEM

4944 | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Исх. №723 ОКР.docx" /o "" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | - | explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Version: 16.0.16026.20146
  Modules (images):
    c:\program files\microsoft office\root\office16\winword.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll

6992 | "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "1DA96A2D-D929-425F-855C-8AF6C937A4A3" "175C1A43-B714-4E08-B9EC-8A7F656E894D" "4944" | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe | - | WINWORD.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
  Version: 0.12.2.0
  Modules (images):
    c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
    c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\ole32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\ucrtbase.dll
Total events: 13 433
Read events: 13 093
Write events: 320
Delete events: 20

Modification events

(PID) Process: (4944) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation: write
Name: 0
Value: 017012000000001000B24E9A3E02000000000000000600000000000000

(PID) Process: (4944) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\4944
Operation: write
Name: 0
Value: 0B0E10C90CD985DFA4AA48BC32487DCCA68B10230046A2C29BEFD395DBED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511D026D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300

(PID) Process: (4944) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: en-US
Value: 2

(PID) Process: (4944) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: de-de
Value: 2

(PID) Process: (4944) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: fr-fr
Value: 2

(PID) Process: (4944) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: es-es
Value: 2

(PID) Process: (4944) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: it-it
Value: 2

(PID) Process: (4944) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ja-jp
Value: 2

(PID) Process: (4944) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ko-kr
Value: 2

(PID) Process: (4944) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: pt-br
Value: 2
Executable files: 33
Suspicious files: 122
Text files: 15
Unknown types: 0

Dropped files

PID | Process | Filename | Type

4944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin | text
  MD5: 354549F44E0F8E2927D76215C65CC747
  SHA256: CF96E63CF0CA84235897FA7C6453D4F43CF42DE7E18FE0BEC87998FF27844AAC

4944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3115ACC7-9E39-4B14-8786-D10C4FAD9193 | xml
  MD5: 3DC6C12083323973CE2223DA52CC2CAD
  SHA256: 96111357C69A2DD95DD1263F5CCC113734E5BC471F11FF9FD85F6453D7D0B476

4944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin | text
  MD5: CC90D669144261B198DEAD45AA266572
  SHA256: 89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899

4944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres | binary
  MD5: C158C9711E9A4533581BA7E894758C00
  SHA256: 17738B6B6DA0FFB376193A4A284111087091C785C0EB58A183155DEDB3740801

4944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\Personalization\Governance\Anonymous\floodgatecampaigns.json.tmp | binary
  MD5: 796C8DC92820E113B1D620FAF219E174
  SHA256: 3A26C15E56EFEB350A459047E86D95B87366445E3B01844920388AFD906B595A

4944 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | binary
  MD5: E50D57A17E0C86451B1258FE3E2768A7
  SHA256: C8FC4374407065D16013DAC84BE73035403B0B1C38DA38E8FB85160DFF8DF936

4944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres | binary
  MD5: 4E1440CF8FA844A8B83DFB5F35E64EFD
  SHA256: 335989189BF58E443FDD85CC611D96150480533472C45A0A9DEEC650F2724467

4944 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | binary
  MD5: 7E47215446DF5B5F5CB4208D3293F6B4
  SHA256: D72D94C42DB412EB1A0A57AD56F5AA6636DE6F2CCBC8287B823253375AC72C90

4944 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y92109R5EVH2RVAPKIRM.temp | binary
  MD5: E4A1661C2C886EBB688DEC494532431C
  SHA256: B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5

4944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\Personalization\Governance\Anonymous\floodgatecampaigns.json | binary
  MD5: 796C8DC92820E113B1D620FAF219E174
  SHA256: 3A26C15E56EFEB350A459047E86D95B87366445E3B01844920388AFD906B595A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 151
DNS requests: 21
Threats: 355

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1176 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | - | unknown | - | whitelisted
4944 | WINWORD.EXE | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | - | unknown | - | whitelisted
6312 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | - | unknown | - | whitelisted
6312 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | - | unknown | - | whitelisted
4944 | WINWORD.EXE | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | - | unknown | - | whitelisted
4944 | WINWORD.EXE | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | - | unknown | - | whitelisted
6448 | backgroundTaskHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | - | unknown | - | whitelisted
4944 | WINWORD.EXE | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | - | unknown | - | whitelisted
4944 | WINWORD.EXE | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | - | unknown | - | whitelisted
4944 | WINWORD.EXE | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | - | unknown | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4944 | WINWORD.EXE | 52.109.28.46:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
4944 | WINWORD.EXE | 52.113.194.132:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4944 | WINWORD.EXE | 2.19.11.103:443 | omex.cdn.office.net | Elisa Oyj | NL | whitelisted
4 | System | 31.214.157.162:445 | - | servinga GmbH | NL | malicious
5064 | SearchApp.exe | 104.126.37.123:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
1176 | svchost.exe | 20.190.159.0:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1176 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain | IP | Reputation
officeclient.microsoft.com | 52.109.28.46 | whitelisted
ecs.office.com | 52.113.194.132 | whitelisted
omex.cdn.office.net | 2.19.11.103, 2.19.11.102 | whitelisted
www.bing.com | 104.126.37.123, 104.126.37.139, 104.126.37.179, 104.126.37.186, 104.126.37.129, 104.126.37.137, 104.126.37.178, 104.126.37.177, 104.126.37.147 | whitelisted
login.live.com | 20.190.159.0, 20.190.159.68, 20.190.159.64, 40.126.31.71, 20.190.159.4, 20.190.159.75, 40.126.31.67, 20.190.159.23 | whitelisted
ocsp.digicert.com | 184.30.131.245 | whitelisted
go.microsoft.com | 2.23.242.9 | whitelisted
fs.microsoft.com | 23.213.164.137 | whitelisted
messaging.engagement.office.com | 52.109.16.3 | whitelisted
self.events.data.microsoft.com | 20.189.173.27 | whitelisted

Threats

PID | Process | Class | Message
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Successful connection to external SMB server
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Successful connection to external SMB server
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] NTLM Over SMB (NTLMSSP_NEGOTIATE)
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] NTLM Over SMB (NTLMSSP_NEGOTIATE)
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Possible NTLM Hash leak over SMB (NTLMSSP_AUTH)
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Successful connection to external SMB server
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Successful connection to external SMB server
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Successful connection to external SMB server
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Successful connection to external SMB server
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Successful connection to external SMB server

Process | Message
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.