General Info

File name

0561991.doc

Full analysis
https://app.any.run/tasks/ba0c52ed-eb7f-4cf8-bee9-9c5833c79cba
Verdict
Malicious activity
Analysis date
9/11/2019, 11:31:03
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

ole-embedded

trojan

exploit

CVE-2017-11882

rat

azorult

Indicators:

MIME:
text/rtf
File info:
Rich Text Format data, unknown version
MD5

cf1e71ba7104001fb7f249cedf0a2675

SHA1

a74d0e0da6d17474d1981038bfda2bd897d4b12d

SHA256

2e270e03789b09e134f0ef8b7e42bb874191dd0954efc710eb40c293ed686267

SSDEEP

1536:zssG7RYPiYC8tmNRDNRKNRWNRwNRFH02HsBkBEx2kPhHxFlb7qDH8DUFVl5lmank:zcFYPiYC8SQk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Connects to CnC server
  • sgmj.exe (PID: 1876)
Downloads executable files from the Internet
  • EQNEDT32.EXE (PID: 2152)
AZORULT was detected
  • sgmj.exe (PID: 1876)
Application was dropped or rewritten from another process
  • 908.exe (PID: 2304)
  • sgmj.exe (PID: 1876)
  • sgmj.exe (PID: 3108)
Writes to a start menu file
  • sgmj.exe (PID: 3108)
Equation Editor starts application (CVE-2017-11882)
  • EQNEDT32.EXE (PID: 2152)
Suspicious connection from the Equation Editor
  • EQNEDT32.EXE (PID: 2152)
Creates files in the user directory
  • sgmj.exe (PID: 3108)
  • 908.exe (PID: 2304)
  • EQNEDT32.EXE (PID: 2152)
Executable content was dropped or overwritten
  • 908.exe (PID: 2304)
  • EQNEDT32.EXE (PID: 2152)
Application launched itself
  • sgmj.exe (PID: 3108)
Starts itself from another location
  • 908.exe (PID: 2304)
Executed via COM
  • EQNEDT32.EXE (PID: 2152)
Creates files in the user directory
  • WINWORD.EXE (PID: 2860)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 2860)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.rtf
|   Rich Text Format (100%)
EXIF
RTF
Author:
null
LastModifiedBy:
null
Fonttbl:
{{*02020603050405020304}Times New Roman;}{{*02020603050405020304}Times New Roman;}{{*020f0502020204030204}Calibri;}{{*02020603050405020304}Times New Roman;}{{*02020603050405020304}Times New Roman;}{{*020f0302020204030204}Calibri Light;}{{*02020603050405020304}Times New Roman;}{{*02020603050405020304}Times New Roman;}{{*02020603050405020304}Times New Roman;}{{*020f0502020204030204}Calibri;}{{*02020603050405020304}Times New Roman;}{Times New Roman;}{Times New Roman Cyr;}{Times New Roman Greek;}{Times New Roman Tur;}{Times New Roman (Hebrew);}{Times New Roman (Arabic);}{Times New Roman Baltic;}{Times New Roman (Vietnamese);}{Times New Roman;}{Times New Roman Cyr;}{Times New Roman Greek;}{Times New Roman Tur;}{Times New Roman (Hebrew);}{Times New Roman (Arabic);}{Times New Roman Baltic;}{Times New Roman (Vietnamese);}{Calibri;}{Calibri Cyr;}{Calibri Greek;}{Calibri Tur;}{Calibri (Hebrew);}{Calibri (Arabic);}{Calibri Baltic;}{Calibri (Vietnamese);}{Times New Roman;}{Times New Roman Cyr;}{Times New Roman Greek;}{Times New Roman Tur;}{Times New Roman (Hebrew);}{Times New Roman (Arabic);}{Times New Roman Baltic;}{Times New Roman (Vietnamese);}{Times New Roman;}{Times New Roman Cyr;}{Times New Roman Greek;}{Times New Roman Tur;}{Times New Roman (Hebrew);}{Times New Roman (Arabic);}{Times New Roman Baltic;}{Times New Roman (Vietnamese);}{Calibri Light;}{Calibri Light Cyr;}{Calibri Light Greek;}{Calibri Light Tur;}{Calibri Light (Hebrew);}{Calibri Light (Arabic);}{Calibri Light Baltic;}{Calibri Light (Vietnamese);}{Times New Roman;}{Times New Roman Cyr;}{Times New Roman Greek;}{Times New Roman Tur;}{Times New Roman (Hebrew);}{Times New Roman (Arabic);}{Times New Roman Baltic;}{Times New Roman (Vietnamese);}{Times New Roman;}{Times New Roman Cyr;}{Times New Roman Greek;}{Times New Roman Tur;}{Times New Roman (Hebrew);}{Times New Roman (Arabic);}{Times New Roman Baltic;}{Times New Roman (Vietnamese);}{Times New Roman;}{Times New Roman Cyr;}{Times New Roman Greek;}{Times New Roman Tur;}{Times New Roman (Hebrew);}{Times New Roman (Arabic);}{Times New Roman Baltic;}{Times New Roman (Vietnamese);}{Calibri;}{Calibri Cyr;}{Calibri Greek;}{Calibri Tur;}{Calibri (Hebrew);}{Calibri (Arabic);}{Calibri Baltic;}{Calibri (Vietnamese);}{Times New Roman;}{Times New Roman Cyr;}{Times New Roman Greek;}{Times New Roman Tur;}{Times New Roman (Hebrew);}{Times New Roman (Arabic);}{Times New Roman Baltic;}{Times New Roman (Vietnamese);}
Colortbl:
;;;;;;;;;;;;;;;;;
Defchp:
null
Defpap:
null
Stylesheet:
{Normal;}{*Default Paragraph Font;}{*Normal Table;}
Rsidtbl:
null
MmathPr:
null
Info:
{Windows User}{Windows User}{}{}{}{}{}{}{}{}{}
Xmlnstbl:
{http://schemas.microsoft.com/office/word/2003/wordml}
Wgrffmtfilter:
2450
Pnseclvl:
9{(}{)}
Rtlch:
Themedata:
504b030414000600080000002100e9de0fbfff0000001c020000130000005b436f6e74656e745f54797065735d2e786d6cac91cb4ec3301045f748fc83e52d4a9cb2400825e982c78ec7a27cc0c8992416c9d8b2a755fbf74cd25442a820166c2cd933f79e3be372bd1f07b5c3989ca74aaff2422b24eb1b475da5df374fd9ad5689811a183c61a50f98f4babebc2837878049899a52a57be670674cb23d8e90721f90a4d2fa3802cb35762680fd800ecd7551dc18eb899138e3c943d7e503b6b01d583deee5f99824e290b4ba3f364eac4a430883b3c092d4eca8f946c916422ecab927f52ea42b89a1cd59c254f919b0e85e6535d135a8de20f20b8c12c3b00c895fcf6720192de6bf3b9e89ecdbd6596cbcdd8eb28e7c365ecc4ec1ff1460f53fe813d3cc7f5b7f020000ffff0300504b030414000600080000002100a5d6a7e7c0000000360100000b0000005f72656c732f2e72656c73848fcf6ac3300c87ef85bd83d17d51d2c31825762fa590432fa37d00e1287f68221bdb1bebdb4fc7060abb0884a4eff7a93dfeae8bf9e194e720169aaa06c3e2433fcb68e1763dbf7f82c985a4a725085b787086a37bdbb55fbc50d1a33ccd311ba548b63095120f88d94fbc52ae4264d1c910d24a45db3462247fa791715fd71f989e19e0364cd3f51652d73760ae8fa8c9ffb3c330cc9e4fc17faf2ce545046e37944c69e462a1a82fe353bd90a865aad41ed0b5b8f9d6fd010000ffff0300504b0304140006000800000021006b799616830000008a0000001c0000007468656d652f7468656d652f7468656d654d616e616765722e786d6c0ccc4d0ac3201040e17da17790d93763bb284562b2cbaebbf600439c1a41c7a0d29fdbd7e5e38337cedf14d59b4b0d592c9c070d8a65cd2e88b7f07c2ca71ba8da481cc52c6ce1c715e6e97818c9b48d13df49c873517d23d59085adb5dd20d6b52bd521ef2cdd5eb9246a3d8b4757e8d3f729e245eb2b260a0238fd010000ffff0300504b03041400060008000000210007b740aaca0600008f1a0000160000007468656d652f7468656d652f7468656d65312e786d6cec595b8bdb46147e2ff43f08bd3bbe49be2cf1065bb69336bb49889d943cceda636bb2238dd18c776342a0244f7d2914d2d28706fad687521a68a0a12ffd310b1bdaf447f4cc489667ec71f6420aa1640d8b34face996fce39face48ba7aed51449d239c70c2e2965bbe52721d1c8fd898c4d3967b6fd82f345c870b148f1165316eb90bccdd6bbb9f7e7215ed881047d801fb98efa0961b0a31db2916f9088611bfc26638866b13964448c069322d8e13740c7e235aac944ab5628448ec3a318ac0ededc9848cb033942edddda5f31e85d358703930a2c940bac68685c28e0fcb12c1173ca089738468cb8579c6ec78881f09d7a1880bb8d0724beacf2dee5e2da29dcc888a2db69a5d5ffd657699c1f8b0a2e64ca607f9a49ee77bb576ee5f01a8d8c4f5eabd5aaf96fb5300341ac14a532eba4fbfd3ec74fd0cab81d2438bef6ebd5b2d1b78cd7f758373db973f03af40a97f6f03dfef07104503af4029dedfc07b5ebd1278065e81527c6d035f2fb5bb5eddc02b5048497cb8812ef9b56ab05c6d0e99307ac30a6ffa5ebf5ec99caf50500d7975c929262c16db6a2d420f59d2078004522448ec88c50c4fd008aa3840941c24c4d923d3100a6f8662c661b85429f54b55f82f7f9e3a5211413b1869d6921730e11b43928fc34709998996fb39787535c8e9ebd7274f5f9d3cfdfde4d9b393a7bf66732b5786dd0d144f75bbb73f7df3cf8b2f9dbf7ffbf1edf36fd3a9d7f15cc7bff9e5ab377ffcf92ef7b0e255284ebf7bf9e6d5cbd3efbffeebe7e716efed041de8f0218930776ee163e72e8b608116fef820b998c5304444b768c7538e622467b1f8ef89d040df5a208a2cb80e36e3783f01a9b101afcf1f1a8407613217c4e2f1661819c07dc6688725d628dc947369611ecee3a97df264aee3ee2274649b3b40b191e5de7c061a4b6c2e83101b34ef50140b34c531168ebcc60e31b6acee0121465cf7c928619c4d84f380381d44ac21199203a39a56463748047959d80842be8dd8ecdf773a8cda56ddc5472612ee0d442de487981a61bc8ee6024536974314513de07b48843692834532d2713d2e20d3534c99d31b63ce6d36b71358af96f49b2033f6b4efd345642213410e6d3ef710633ab2cb0e831045331b7640e250c77ec60fa144917387091b7c9f9977883c873ca0786bbaef136ca4fb6c35b8070aab535a1588bc324f2cb9bc8e9951bf83059d20aca4061a80a1eb1189cf14f93579f7ff3b7907113dfde1856545ef47d2ed8e8d7c5c50ccdb09b1de4d37d6247c1b6e5db803968cc987afdb5d348fef60b855369bd747d9fe28dbeeff5eb6b7ddcfef5fac57fa0cd22db7ade9765d6ddea3ad7bf709a174201614ef71b57de7d095c67d189476eab915e7cf72b3100ee59d0c1318b86982948d9330f10511e1204433d8e3975de964ca33d753eecc1887adbf1ab6fa96783a8ff6d9387d642d97e5e3692a1e1c89d578c9cfc7e17143a4e85a7df51896bb576ca7ea71794940da5e8484369949a26a21515f0eca20a98773089a85845ad97b61d1b4b06848f7cb546db0006a795660dbe4c066abe5fa1e9880113c55218ac7324f69aa97d955c97c9f99de164ca302600fb1ac8055a69b92ebd6e5c9d5a5a5768e4c1b24b4723349a8c8a81ec64334c65975cad1f3d0b868ae9bab941af46428d47c505a2b1af5c6bb585c36d760b7ae0d34d69582c6ce71cbad557d2899119ab5dc093cfac3613483dae172bb8be814de9f8d4492def097519659c24517f1300db8129d540d222270e25012b55cb9fc3c0d34561aa2b8952b20081f2cb926c8ca87460e926e26194f267824f4b46b2332d2e929287caa15d6abcafcf26069c9e690ee41383e760ee83cb98ba0c4fc7a5906704c38bc012aa7d11c1378a5990bd9aafed61a5326bbfa3b455543e938a2b310651d4517f314aea43ca7a3cef2186867d99a21a05a48b2467830950d560faad14df3ae9172d8da75cf369291d34473d5330d55915dd3ae62c60ccb36b016cbcb35798dd532c4a0697a874fa57b5d729b4bad5bdb27e45d02029ec7cfd275cfd110346aabc90c6a92f1a60c4bcdce46cddeb15ce019d4ced32434d5af2dddaec52def11d6e960f0529d1fecd6ab168626cb7da58ab4faf6a17f9e60070f413cbaf022784e0557a9848f0f09820dd140ed4952d9805be491c86e0d3872e60969b98f4b7edb0b2a7e502835fc5ec1ab7aa542c36f570b6ddfaf967b7eb9d4ed549e4063116154f6d3ef2e7d780d4517d9d71735bef105265abe69bb32625191a92f2c45455c7d812957b67f81710888cee35aa5dfac363bb542b3daee17bc6ea7516806b54ea15b0beadd7e37f01bcdfe13d7395260af5d0dbc5aaf51a89583a0e0d54a927ea359a87b954adbabb71b3daffd24dbc6c0ca53f9c86201e155bc76ff050000ffff0300504b0304140006000800000021000dd1909fb60000001b010000270000007468656d652f7468656d652f5f72656c732f7468656d654d616e616765722e786d6c2e72656c73848f4d0ac2301484f78277086f6fd3ba109126dd88d0add40384e4350d363f2451eced0dae2c082e8761be9969bb979dc9136332de3168aa1a083ae995719ac16db8ec8e4052164e89d93b64b060828e6f37ed1567914b284d262452282e3198720e274a939cd08a54f980ae38a38f56e422a3a641c8bbd048f7757da0f19b017cc524bd62107bd5001996509affb3fd381a89672f1f165dfe514173d9850528a2c6cce0239baa4c04ca5bbabac4df000000ffff0300504b01022d0014000600080000002100e9de0fbfff0000001c0200001300000000000000000000000000000000005b436f6e74656e745f54797065735d2e786d6c504b01022d0014000600080000002100a5d6a7e7c0000000360100000b00000000000000000000000000300100005f72656c732f2e72656c73504b01022d00140006000800000021006b799616830000008a0000001c00000000000000000000000000190200007468656d652f7468656d652f7468656d654d616e616765722e786d6c504b01022d001400060008000000210007b740aaca0600008f1a00001600000000000000000000000000d60200007468656d652f7468656d652f7468656d65312e786d6c504b01022d00140006000800000021000dd1909fb60000001b0100002700000000000000000000000000d40900007468656d652f7468656d652f5f72656c732f7468656d654d616e616765722e786d6c2e72656c73504b050600000000050005005d010000cf0a00000000
Colorschememapping:
3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d3822207374616e64616c6f6e653d22796573223f3e0d0a3c613a636c724d617020786d6c6e733a613d22687474703a2f2f736368656d61732e6f70656e786d6c666f726d6174732e6f72672f64726177696e676d6c2f323030362f6d61696e22206267313d226c743122207478313d22646b3122206267323d226c743222207478323d22646b322220616363656e74313d22616363656e74312220616363656e74323d22616363656e74322220616363656e74333d22616363656e74332220616363656e74343d22616363656e74342220616363656e74353d22616363656e74352220616363656e74363d22616363656e74362220686c696e6b3d22686c696e6b2220666f6c486c696e6b3d22666f6c486c696e6b222f3e
Latentstyles:
{Normal;heading 1;heading 2;heading 3;heading 4;heading 5;heading 6;heading 7;heading 8;heading 9;index 1;index 2;index 3;index 4;index 5;index 6;index 7;index 8;index 9;toc 1;toc 2;toc 3;toc 4;toc 5;toc 6;toc 7;toc 8;toc 9;Normal Indent;footnote text;annotation text;header;footer;index heading;caption;table of figures;envelope address;envelope return;footnote reference;annotation reference;line number;page number;endnote reference;endnote text;table of authorities;macro;toa heading;List;List Bullet;List Number;List 2;List 3;List 4;List 5;List Bullet 2;List Bullet 3;List Bullet 4;List Bullet 5;List Number 2;List Number 3;List Number 4;List Number 5;Title;Closing;Signature;Default Paragraph Font;Body Text;Body Text Indent;List Continue;List Continue 2;List Continue 3;List Continue 4;List Continue 5;Message Header;Subtitle;Salutation;Date;Body Text First Indent;Body Text First Indent 2;Note Heading;Body Text 2;Body Text 3;Body Text Indent 2;Body Text Indent 3;Block Text;Hyperlink;FollowedHyperlink;Strong;Emphasis;Document Map;Plain Text;E-mail Signature;HTML Top of Form;HTML Bottom of Form;Normal (Web);HTML Acronym;HTML Address;HTML Cite;HTML Code;HTML Definition;HTML Keyboard;HTML Preformatted;HTML Sample;HTML Typewriter;HTML Variable;Normal Table;annotation subject;No List;Outline List 1;Outline List 2;Outline List 3;Table Simple 1;Table Simple 2;Table Simple 3;Table Classic 1;Table Classic 2;Table Classic 3;Table Classic 4;Table Colorful 1;Table Colorful 2;Table Colorful 3;Table Columns 1;Table Columns 2;Table Columns 3;Table Columns 4;Table Columns 5;Table Grid 1;Table Grid 2;Table Grid 3;Table Grid 4;Table Grid 5;Table Grid 6;Table Grid 7;Table Grid 8;Table List 1;Table List 2;Table List 3;Table List 4;Table List 5;Table List 6;Table List 7;Table List 8;Table 3D effects 1;Table 3D effects 2;Table 3D effects 3;Table Contemporary;Table Elegant;Table Professional;Table Subtle 1;Table Subtle 2;Table Web 1;Table Web 2;Table Web 3;Balloon Text;Table Grid;Table Theme;Placeholder Text;No Spacing;Light Shading;Light List;Light Grid;Medium Shading 1;Medium Shading 2;Medium List 1;Medium List 2;Medium Grid 1;Medium Grid 2;Medium Grid 3;Dark List;Colorful Shading;Colorful List;Colorful Grid;Light Shading Accent 1;Light List Accent 1;Light Grid Accent 1;Medium Shading 1 Accent 1;Medium Shading 2 Accent 1;Medium List 1 Accent 1;Revision;List Paragraph;Quote;Intense Quote;Medium List 2 Accent 1;Medium Grid 1 Accent 1;Medium Grid 2 Accent 1;Medium Grid 3 Accent 1;Dark List Accent 1;Colorful Shading Accent 1;Colorful List Accent 1;Colorful Grid Accent 1;Light Shading Accent 2;Light List Accent 2;Light Grid Accent 2;Medium Shading 1 Accent 2;Medium Shading 2 Accent 2;Medium List 1 Accent 2;Medium List 2 Accent 2;Medium Grid 1 Accent 2;Medium Grid 2 Accent 2;Medium Grid 3 Accent 2;Dark List Accent 2;Colorful Shading Accent 2;Colorful List Accent 2;Colorful Grid Accent 2;Light Shading Accent 3;Light List Accent 3;Light Grid Accent 3;Medium Shading 1 Accent 3;Medium Shading 2 Accent 3;Medium List 1 Accent 3;Medium List 2 Accent 3;Medium Grid 1 Accent 3;Medium Grid 2 Accent 3;Medium Grid 3 Accent 3;Dark List Accent 3;Colorful Shading Accent 3;Colorful List Accent 3;Colorful Grid Accent 3;Light Shading Accent 4;Light List Accent 4;Light Grid Accent 4;Medium Shading 1 Accent 4;Medium Shading 2 Accent 4;Medium List 1 Accent 4;Medium List 2 Accent 4;Medium Grid 1 Accent 4;Medium Grid 2 Accent 4;Medium Grid 3 Accent 4;Dark List Accent 4;Colorful Shading Accent 4;Colorful List Accent 4;Colorful Grid Accent 4;Light Shading Accent 5;Light List Accent 5;Light Grid Accent 5;Medium Shading 1 Accent 5;Medium Shading 2 Accent 5;Medium List 1 Accent 5;Medium List 2 Accent 5;Medium Grid 1 Accent 5;Medium Grid 2 Accent 5;Medium Grid 3 Accent 5;Dark List Accent 5;Colorful Shading Accent 5;Colorful List Accent 5;Colorful Grid Accent 5;Light Shading Accent 6;Light List Accent 6;Light Grid Accent 6;Medium Shading 1 Accent 6;Medium Shading 2 Accent 6;Medium List 1 Accent 6;Medium List 2 Accent 6;Medium Grid 1 Accent 6;Medium Grid 2 Accent 6;Medium Grid 3 Accent 6;Dark List Accent 6;Colorful Shading Accent 6;Colorful List Accent 6;Colorful Grid Accent 6;Subtle Emphasis;Intense Emphasis;Subtle Reference;Intense Reference;Book Title;Bibliography;TOC Heading;Plain Table 1;Plain Table 2;Plain Table 3;Plain Table 4;Plain Table 5;Grid Table Light;Grid Table 1 Light;Grid Table 2;Grid Table 3;Grid Table 4;Grid Table 5 Dark;Grid Table 6 Colorful;Grid Table 7 Colorful;Grid Table 1 Light Accent 1;Grid Table 2 Accent 1;Grid Table 3 Accent 1;Grid Table 4 Accent 1;Grid Table 5 Dark Accent 1;Grid Table 6 Colorful Accent 1;Grid Table 7 Colorful Accent 1;Grid Table 1 Light Accent 2;Grid Table 2 Accent 2;Grid Table 3 Accent 2;Grid Table 4 Accent 2;Grid Table 5 Dark Accent 2;Grid Table 6 Colorful Accent 2;Grid Table 7 Colorful Accent 2;Grid Table 1 Light Accent 3;Grid Table 2 Accent 3;Grid Table 3 Accent 3;Grid Table 4 Accent 3;Grid Table 5 Dark Accent 3;Grid Table 6 Colorful Accent 3;Grid Table 7 Colorful Accent 3;Grid Table 1 Light Accent 4;Grid Table 2 Accent 4;Grid Table 3 Accent 4;Grid Table 4 Accent 4;Grid Table 5 Dark Accent 4;Grid Table 6 Colorful Accent 4;Grid Table 7 Colorful Accent 4;Grid Table 1 Light Accent 5;Grid Table 2 Accent 5;Grid Table 3 Accent 5;Grid Table 4 Accent 5;Grid Table 5 Dark Accent 5;Grid Table 6 Colorful Accent 5;Grid Table 7 Colorful Accent 5;Grid Table 1 Light Accent 6;Grid Table 2 Accent 6;Grid Table 3 Accent 6;Grid Table 4 Accent 6;Grid Table 5 Dark Accent 6;Grid Table 6 Colorful Accent 6;Grid Table 7 Colorful Accent 6;List Table 1 Light;List Table 2;List Table 3;List Table 4;List Table 5 Dark;List Table 6 Colorful;List Table 7 Colorful;List Table 1 Light Accent 1;List Table 2 Accent 1;List Table 3 Accent 1;List Table 4 Accent 1;List Table 5 Dark Accent 1;List Table 6 Colorful Accent 1;List Table 7 Colorful Accent 1;List Table 1 Light Accent 2;List Table 2 Accent 2;List Table 3 Accent 2;List Table 4 Accent 2;List Table 5 Dark Accent 2;List Table 6 Colorful Accent 2;List Table 7 Colorful Accent 2;List Table 1 Light Accent 3;List Table 2 Accent 3;List Table 3 Accent 3;List Table 4 Accent 3;List Table 5 Dark Accent 3;List Table 6 Colorful Accent 3;List Table 7 Colorful Accent 3;List Table 1 Light Accent 4;List Table 2 Accent 4;List Table 3 Accent 4;List Table 4 Accent 4;List Table 5 Dark Accent 4;List Table 6 Colorful Accent 4;List Table 7 Colorful Accent 4;List Table 1 Light Accent 5;List Table 2 Accent 5;List Table 3 Accent 5;List Table 4 Accent 5;List Table 5 Dark Accent 5;List Table 6 Colorful Accent 5;List Table 7 Colorful Accent 5;List Table 1 Light Accent 6;List Table 2 Accent 6;List Table 3 Accent 6;List Table 4 Accent 6;List Table 5 Dark Accent 6;List Table 6 Colorful Accent 6;List Table 7 Colorful Accent 6;}
Datastore:
0105000002000000180000004d73786d6c322e534158584d4c5265616465722e362e3000000000000000000000060000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001000000010000000000000000100000feffffff00000000feffffff0000000000000000fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdfffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffffffffffff0c6ad98892f1d411a65f0040963251e5000000000000000000000000606a91bf5166d501feffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000105000000000000

Screenshots

Processes

Total processes
36
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

+
start download and start drop and start winword.exe no specs eqnedt32.exe 908.exe sgmj.exe #AZORULT sgmj.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
2860
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\0561991.doc.rtf"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\sxs.dll
c:\program files\common files\microsoft shared\office14\usp10.dll

PID
2152
CMD
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Design Science, Inc.
Description
Microsoft Equation Editor
Version
00110900
Modules
Image
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msi.dll
c:\program files\common files\microsoft shared\equation\1033\eeintl.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\version.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\apphelp.dll
c:\users\public\908.exe

PID
2304
CMD
C:\Users\Public\908.exe
Path
C:\Users\Public\908.exe
Indicators
Parent process
EQNEDT32.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\public\908.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\roaming\mopl\sgmj.exe

PID
3108
CMD
"C:\Users\admin\AppData\Roaming\mopl\sgmj.exe"
Path
C:\Users\admin\AppData\Roaming\mopl\sgmj.exe
Indicators
Parent process
908.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\roaming\mopl\sgmj.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll

PID
1876
CMD
"C:\Users\admin\AppData\Roaming\mopl\sgmj.exe"
Path
C:\Users\admin\AppData\Roaming\mopl\sgmj.exe
Indicators
Parent process
sgmj.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\roaming\mopl\sgmj.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crtdll.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll

Registry activity

Total events
279
Read events
228
Write events
51
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2860
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
=!
7F3D21002C0B0000010000000000000000000000
2860
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
2860
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
2860
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1328218142
2860
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1328218256
2860
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1328218257
2860
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
2C0B0000F2BA6EA88368D50100000000
2860
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
z>!
7A3E21002C0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
2860
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2860
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2860
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
5?!
353F21002C0B000006000000010000007400000002000000640000000400000063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C006C006F00630061006C005C00740065006D0070005C0030003500360031003900390031002E0064006F0063002E00720074006600000000000000
2860
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{82531B81-E9C2-4D5E-A1E9-D68F9021D29B}
2152
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
EquationEditorFilesIntl_1033
1328218115
2152
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
EnableFileTracing
0
2152
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
EnableConsoleTracing
0
2152
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
FileTracingMask
4294901760
2152
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
ConsoleTracingMask
4294901760
2152
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
MaxFileSize
1048576
2152
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
FileDirectory
%windir%\tracing
2152
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
EnableFileTracing
0
2152
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
EnableConsoleTracing
0
2152
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
FileTracingMask
4294901760
2152
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
ConsoleTracingMask
4294901760
2152
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
MaxFileSize
1048576
2152
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
FileDirectory
%windir%\tracing
2152
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2152
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2152
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2152
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1876
sgmj.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sgmj_RASAPI32
EnableFileTracing
0
1876
sgmj.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sgmj_RASAPI32
EnableConsoleTracing
0
1876
sgmj.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sgmj_RASAPI32
FileTracingMask
4294901760
1876
sgmj.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sgmj_RASAPI32
ConsoleTracingMask
4294901760
1876
sgmj.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sgmj_RASAPI32
MaxFileSize
1048576
1876
sgmj.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sgmj_RASAPI32
FileDirectory
%windir%\tracing
1876
sgmj.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sgmj_RASMANCS
EnableFileTracing
0
1876
sgmj.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sgmj_RASMANCS
EnableConsoleTracing
0
1876
sgmj.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sgmj_RASMANCS
FileTracingMask
4294901760
1876
sgmj.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sgmj_RASMANCS
ConsoleTracingMask
4294901760
1876
sgmj.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sgmj_RASMANCS
MaxFileSize
1048576
1876
sgmj.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sgmj_RASMANCS
FileDirectory
%windir%\tracing
1876
sgmj.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
1876
sgmj.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000093000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
1876
sgmj.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
1876
sgmj.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1

Files activity

Executable files
3
Suspicious files
0
Text files
2
Unknown types
3

Dropped files

PID
Process
Filename
Type
2304
908.exe
C:\Users\admin\AppData\Roaming\mopl\sgmj.exe
executable
MD5: 71f2213cd2a3f5826463a3c9ba941827
SHA256: f761c48861753a2b847b2c7d24a84b5b69a9140e3ffc39dfd50140c4a69586bb
2152
EQNEDT32.EXE
C:\Users\Public\908.exe
executable
MD5: 71f2213cd2a3f5826463a3c9ba941827
SHA256: f761c48861753a2b847b2c7d24a84b5b69a9140e3ffc39dfd50140c4a69586bb
2152
EQNEDT32.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\0561991[1].txt
executable
MD5: 71f2213cd2a3f5826463a3c9ba941827
SHA256: f761c48861753a2b847b2c7d24a84b5b69a9140e3ffc39dfd50140c4a69586bb
3108
sgmj.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mopl.vbs
text
MD5: 9de3ab8271748b49e8b21e2858d1b607
SHA256: b46c8f7231c21016eef73ebacf7fe6da282a6574fb2d1d37f69fe850c560597d
2152
EQNEDT32.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
dat
MD5: d7a950fefd60dbaa01df2d85fefb3862
SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a
2304
908.exe
C:\Users\admin\AppData\Roaming\mopl\sgmj.exe:ZoneIdentifier
––
MD5:  ––
SHA256:  ––
2152
EQNEDT32.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 36c0b43b52e86c7f13a352229f782930
SHA256: 4b8a7509e23ede9ec0349b5a847efd3e364728837b1ccc85fc1aaf9e4f8ef3a6
2860
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\~$61991.doc.rtf
pgc
MD5: 4bdea2515c3810eddcf2688df0c12a59
SHA256: 89d42f3c3c2141328cd5e1af6e962b9b6bdc43d3c684e02aa5ae347b55bc8fa1
2860
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
pgc
MD5: bd0bd85d12df5ce57b5d696ff6315b76
SHA256: bbd5b4e3adcb328520812edc3f17b323835ef76488b58eee5cbc42ec9f2534d8
2860
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVR8D70.tmp.cvr
––
MD5:  ––
SHA256:  ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
3
Threats
10

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2152 EQNEDT32.EXE GET 200 110.45.144.173:80 http://dawoomang.co.kr/asapro/member/s/0561991 KR
executable
malicious
1876 sgmj.exe POST 200 161.117.182.74:80 http://wupx.ml/prexid/index.php SG
text
text
malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
2152 EQNEDT32.EXE 67.199.248.10:80 Bitly Inc US shared
2152 EQNEDT32.EXE 110.45.144.173:80 LG DACOM Corporation KR malicious
1876 sgmj.exe 161.117.182.74:80 SG malicious

DNS requests

Domain IP Reputation
bit.ly 67.199.248.10
67.199.248.11
shared
dawoomang.co.kr 110.45.144.173
malicious
wupx.ml 161.117.182.74
malicious

Threats

PID Process Class Message
2152 EQNEDT32.EXE Misc activity SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
2152 EQNEDT32.EXE Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
2152 EQNEDT32.EXE A Network Trojan was detected ET TROJAN Possible Windows executable sent when remote host claims to send a Text File
–– –– Potentially Bad Traffic ET INFO DNS Query for Suspicious .ml Domain
1876 sgmj.exe A Network Trojan was detected ET TROJAN AZORult Variant.4 Checkin M2
1876 sgmj.exe A Network Trojan was detected AV TROJAN Azorult CnC Beacon
1876 sgmj.exe A Network Trojan was detected AV TROJAN AZORult CnC Beacon
1876 sgmj.exe A Network Trojan was detected MALWARE [PTsecurity] AZORult client request
1876 sgmj.exe A Network Trojan was detected MALWARE [PTsecurity] AZORult.Stealer HTTP Header
1876 sgmj.exe Potentially Bad Traffic ET INFO HTTP POST Request to Suspicious *.ml Domain

Debug output strings

No debug info.