General Info

File name

TNT EXPRESS DELIVERY DOCUMENTS.exe

Full analysis
https://app.any.run/tasks/b214d102-bcef-4ae5-b52c-ce5388d91d44
Verdict
Malicious activity
Analysis date
3/15/2019, 04:09:13
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
formbook
stealer
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

561189349e7ef1918a4c27182a279ca6

SHA1

37165c0b5bd29f23664d55e0e4279f89ccde4275

SHA256

5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e

SSDEEP

6144:dt39+IGUiggkeVXZtFz/icY6FBXmyskHrBggUBmefTm2+zNXsl37t:CgWVXZj/XBGyskdgpfT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Formbook was detected
  • wlanext.exe (PID: 2888)
  • Firefox.exe (PID: 3840)
Changes the autorun value in the registry
  • wlanext.exe (PID: 2888)
Actions looks like stealing of personal data
  • wlanext.exe (PID: 2888)
Connects to CnC server
  • explorer.exe (PID: 116)
FORMBOOK was detected
  • explorer.exe (PID: 116)
Stealing of credential data
  • wlanext.exe (PID: 2888)
Uses IPCONFIG.EXE to discover IP address
  • explorer.exe (PID: 116)
Executable content was dropped or overwritten
  • DllHost.exe (PID: 3936)
  • explorer.exe (PID: 116)
Loads DLL from Mozilla Firefox
  • wlanext.exe (PID: 2888)
Creates files in the program directory
  • DllHost.exe (PID: 3936)
Creates files in the user directory
  • wlanext.exe (PID: 2888)
  • explorer.exe (PID: 116)
Starts CMD.EXE for commands execution
  • wlanext.exe (PID: 2888)
Reads Internet Cache Settings
  • explorer.exe (PID: 116)
Application launched itself
  • TNT EXPRESS DELIVERY DOCUMENTS.exe (PID: 2980)
Creates files in the user directory
  • Firefox.exe (PID: 3840)
  • WINWORD.EXE (PID: 2076)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 2076)
Starts Microsoft Office Application
  • explorer.exe (PID: 116)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe
|   Win32 Executable Microsoft Visual Basic 6 (84.4%)
.dll
|   Win32 Dynamic Link Library (generic) (6.7%)
.exe
|   Win32 Executable (generic) (4.6%)
.exe
|   Generic Win/DOS Executable (2%)
.exe
|   DOS Executable Generic (2%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:03:14 00:07:16+01:00
PEType:
PE32
LinkerVersion:
6
CodeSize:
360448
InitializedDataSize:
32768
UninitializedDataSize:
null
EntryPoint:
0x131c
OSVersion:
4
ImageVersion:
8.2
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
8.2.0.5
ProductVersionNumber:
8.2.0.5
FileFlagsMask:
0x0000
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Unicode
CompanyName:
sIEmENS
ProductName:
klo
FileVersion:
8.02.0005
ProductVersion:
8.02.0005
InternalName:
sre
OriginalFileName:
sre.exe
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
13-Mar-2019 23:07:16
Detected languages
English - United States
CompanyName:
sIEmENS
ProductName:
klo
FileVersion:
8.02.0005
ProductVersion:
8.02.0005
InternalName:
sre
OriginalFilename:
sre.exe
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000C8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
3
Time date stamp:
13-Mar-2019 23:07:16
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Charateristics Entropy
.text 0x00001000 0x0005725C 0x00058000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.54396
.data 0x00059000 0x00005CB8 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rsrc 0x0005F000 0x00001CA2 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.00442
Resources
1

30001

30002

Imports
    MSVBVM60.DLL

Exports

    No exports.

Screenshots

Processes

Total processes
44
Monitored processes
11
Malicious processes
3
Suspicious processes
0

Behavior graph

+
start drop and start tnt express delivery documents.exe no specs tnt express delivery documents.exe no specs #FORMBOOK wlanext.exe cmd.exe no specs winword.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs Copy/Move/Rename/Delete/Link Object cnhejg4il6h.exe no specs cnhejg4il6h.exe no specs ipconfig.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
116
CMD
C:\Windows\Explorer.EXE
Path
C:\Windows\explorer.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sndvolsso.dll
c:\windows\system32\hid.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\timedate.cpl
c:\windows\system32\atl.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shacct.dll
c:\windows\system32\samlib.dll
c:\windows\system32\samcli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\msls31.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\authui.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\gameux.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\wer.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\psapi.dll
c:\windows\system32\networkexplorer.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\stobject.dll
c:\windows\system32\batmeter.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\es.dll
c:\windows\system32\prnfldr.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dxp.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\syncreg.dll
c:\windows\ehome\ehsso.dll
c:\windows\system32\netshell.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\alttab.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\pnidui.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\wwanapi.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\qagent.dll
c:\windows\system32\srchadmin.dll
c:\windows\system32\sxs.dll
c:\windows\system32\bthprops.cpl
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\synccenter.dll
c:\windows\system32\actioncenter.dll
c:\windows\system32\imapi2.dll
c:\windows\system32\hgcpl.dll
c:\windows\system32\provsvc.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\fxsst.dll
c:\windows\system32\fxsapi.dll
c:\windows\system32\fxsresm.dll
c:\windows\system32\wscinterop.dll
c:\windows\system32\wscapi.dll
c:\windows\system32\wscui.cpl
c:\windows\system32\werconcpl.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wercplsupport.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\hcproviders.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\users\admin\appdata\local\temp\tnt express delivery documents.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\wlanext.exe
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\mlang.dll
c:\windows\installer\{90140000-003d-0000-0000-0000000ff1ce}\wordicon.exe
c:\windows\system32\dnsapi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\comsvcs.dll
c:\program files\ciddtqt90\cnhejg4il6h.exe
c:\windows\system32\ipconfig.exe
c:\windows\system32\van.dll
c:\windows\system32\wwanmm.dll
c:\windows\system32\rasmm.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\wlanmm.dll
c:\windows\system32\wlanhlp.dll
c:\windows\system32\onex.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\eappcfg.dll

PID
2980
CMD
"C:\Users\admin\AppData\Local\Temp\TNT EXPRESS DELIVERY DOCUMENTS.exe"
Path
C:\Users\admin\AppData\Local\Temp\TNT EXPRESS DELIVERY DOCUMENTS.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
sIEmENS
Description
Version
8.02.0005
Modules
Image
c:\users\admin\appdata\local\temp\tnt express delivery documents.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\apphelp.dll

PID
3816
CMD
"C:\Users\admin\AppData\Local\Temp\TNT EXPRESS DELIVERY DOCUMENTS.exe"
Path
C:\Users\admin\AppData\Local\Temp\TNT EXPRESS DELIVERY DOCUMENTS.exe
Indicators
No indicators
Parent process
TNT EXPRESS DELIVERY DOCUMENTS.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
sIEmENS
Description
Version
8.02.0005
Modules
Image
c:\systemroot\system32\ntdll.dll
c:\users\admin\appdata\local\temp\tnt express delivery documents.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll

PID
2888
CMD
"C:\Windows\System32\wlanext.exe"
Path
C:\Windows\System32\wlanext.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Wireless LAN 802.11 Extensibility Framework
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wlanext.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\vaultcli.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\program files\mozilla firefox\firefox.exe

PID
3616
CMD
/c del "C:\Users\admin\AppData\Local\Temp\TNT EXPRESS DELIVERY DOCUMENTS.exe"
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
wlanext.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2076
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\functionscalls.rtf"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\prntvpt.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\program files\microsoft office\office14\gkword.dll
c:\windows\system32\oleacc.dll
c:\program files\common files\system\ado\msadox.dll
c:\windows\system32\netutils.dll

PID
3840
CMD
"C:\Program Files\Mozilla Firefox\Firefox.exe"
Path
C:\Program Files\Mozilla Firefox\Firefox.exe
Indicators
Parent process
wlanext.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Mozilla Corporation
Description
Firefox
Version
61.0.2
Modules
Image
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\program files\mozilla firefox\ucrtbase.dll
c:\program files\mozilla firefox\api-ms-win-core-timezone-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l2-1-0.dll
c:\program files\mozilla firefox\api-ms-win-core-localization-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-core-synch-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-core-processthreads-l1-1-1.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-multibyte-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\softokn3.dll
c:\program files\mozilla firefox\freebl3.dll
c:\windows\system32\cryptbase.dll

PID
3936
CMD
C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
Path
C:\Windows\system32\DllHost.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
COM Surrogate
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\actxprxy.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\mssprxy.dll

PID
2504
CMD
"C:\Program Files\Ciddtqt90\cnhejg4il6h.exe"
Path
C:\Program Files\Ciddtqt90\cnhejg4il6h.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
sIEmENS
Description
Version
8.02.0005
Modules
Image
c:\program files\ciddtqt90\cnhejg4il6h.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\apphelp.dll

PID
3220
CMD
"C:\Program Files\Ciddtqt90\cnhejg4il6h.exe"
Path
C:\Program Files\Ciddtqt90\cnhejg4il6h.exe
Indicators
No indicators
Parent process
cnhejg4il6h.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
sIEmENS
Description
Version
8.02.0005
Modules
Image
c:\program files\ciddtqt90\cnhejg4il6h.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll

PID
2368
CMD
"C:\Windows\System32\ipconfig.exe"
Path
C:\Windows\System32\ipconfig.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
IP Configuration Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ipconfig.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

Registry activity

Total events
2396
Read events
2334
Write events
56
Delete events
6

Modification events

PID
Process
Operation
Key
Name
Value
116
explorer.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018082720180903
116
explorer.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018090920180910
116
explorer.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1315897374
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\JVAJBEQ.RKR
000000000600000005000000A6350000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF8091B898DCDAD40100000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000002F0000003D000000FA3A1500090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000E0000005DEC04007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000003702000008023CE23702350100C082BAD075B048D4750200000001000000A048D4750100000068E23702C5B8D075A848D47501000000C81008000000000090E237026BB9D07500000000350100C001000000B0E23702973CB8779C3CB877F58CF77501000000350100C00000000088E23702FFFFFFFFF8E23702EDE0B47745727800FEFFFFFFC0E237020D6BD075A0E737028CE8370200000000F8E23702973CB8779C3CB877BD8CF775000000008CE83702A0E73702D0E237020100000070E73702EDE0B47745727800FEFFFFFF08E337020D6BD0757E0000008CE8370280E73702F36BD075E186D0752794C6128CE8370210000000570104003E0040008CE83702A0E73702000000000000000000000000000008025CE537020000080254E33702350100C000000000D8E637023200000018000000000000000000000088E3370211000000B8450B00B0450B0032000000D8E63702F0E300009B1EC112A0E3370282919576F0E33702A4E3370227959576000000006C155002CCE33702CD9495766C15500278E43702E0105002E194957600000000E010500278E43702D4E33702090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rtf\OpenWithList
a
WINWORD.EXE
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rtf\OpenWithList
MRUList
a
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rtf\OpenWithProgids
Word.RTF.8
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
3
660075006E006300740069006F006E007300630061006C006C0073002E007200740066000000800032000000000000000000000066756E6374696F6E7363616C6C732E7274662E6C6E6B00005A0008000400EFBE00000000000000002A00000000000000000000000000000000000000000000000000660075006E006300740069006F006E007300630061006C006C0073002E007200740066002E006C006E006B00000026000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.rtf
0
660075006E006300740069006F006E007300630061006C006C0073002E007200740066000000800032000000000000000000000066756E6374696F6E7363616C6C732E7274662E6C6E6B00005A0008000400EFBE00000000000000002A00000000000000000000000000000000000000000000000000660075006E006300740069006F006E007300630061006C006C0073002E007200740066002E006C006E006B00000026000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.rtf
MRUListEx
00000000FFFFFFFF
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031520190316
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019031520190316
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031520190316
CachePrefix
:2019031520190316:
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031520190316
CacheLimit
8192
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031520190316
CacheOptions
11
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031520190316
CacheRepair
0
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
MRUListEx
03000000000000000200000001000000FFFFFFFF
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\JVAJBEQ.RKR
000000000600000006000000A6350000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF8091B898DCDAD40100000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000002F0000003E000000FA3A1500090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000E0000005DEC04007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000003702000008023CE23702350100C082BAD075B048D4750200000001000000A048D4750100000068E23702C5B8D075A848D47501000000C81008000000000090E237026BB9D07500000000350100C001000000B0E23702973CB8779C3CB877F58CF77501000000350100C00000000088E23702FFFFFFFFF8E23702EDE0B47745727800FEFFFFFFC0E237020D6BD075A0E737028CE8370200000000F8E23702973CB8779C3CB877BD8CF775000000008CE83702A0E73702D0E237020100000070E73702EDE0B47745727800FEFFFFFF08E337020D6BD0757E0000008CE8370280E73702F36BD075E186D0752794C6128CE8370210000000570104003E0040008CE83702A0E73702000000000000000000000000000008025CE537020000080254E33702350100C000000000D8E637023200000018000000000000000000000088E3370211000000B8450B00B0450B0032000000D8E63702F0E300009B1EC112A0E3370282919576F0E33702A4E3370227959576000000006C155002CCE33702CD9495766C15500278E43702E0105002E194957600000000E010500278E43702D4E33702090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\JVAJBEQ.RKR
000000000600000006000000A3400000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF8091B898DCDAD40100000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000002F0000003E000000F7451500090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000E0000005DEC04007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000003702000008023CE23702350100C082BAD075B048D4750200000001000000A048D4750100000068E23702C5B8D075A848D47501000000C81008000000000090E237026BB9D07500000000350100C001000000B0E23702973CB8779C3CB877F58CF77501000000350100C00000000088E23702FFFFFFFFF8E23702EDE0B47745727800FEFFFFFFC0E237020D6BD075A0E737028CE8370200000000F8E23702973CB8779C3CB877BD8CF775000000008CE83702A0E73702D0E237020100000070E73702EDE0B47745727800FEFFFFFF08E337020D6BD0757E0000008CE8370280E73702F36BD075E186D0752794C6128CE8370210000000570104003E0040008CE83702A0E73702000000000000000000000000000008025CE537020000080254E33702350100C000000000D8E637023200000018000000000000000000000088E3370211000000B8450B00B0450B0032000000D8E63702F0E300009B1EC112A0E3370282919576F0E33702A4E3370227959576000000006C155002CCE33702CD9495766C15500278E43702E0105002E194957600000000E010500278E43702D4E33702090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802
2888
wlanext.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
9RXLAJQ8UXF
C:\Program Files\Ciddtqt90\cnhejg4il6h.exe
2076
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
2076
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\1A0BE9
2076
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery
2076
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency
2076
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
3g"
336722001C080000010000000000000000000000
2076
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
2076
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
2076
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1315897375
2076
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1315897488
2076
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1315897489
2076
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
1C0800001808AF98DCDAD40100000000
2076
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
)i"
296922001C08000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
2076
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2076
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2076
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
!j"
216A22001C08000006000000010000006400000002000000540000000400000063003A005C00750073006500720073005C00610064006D0069006E005C006400650073006B0074006F0070005C00660075006E006300740069006F006E007300630061006C006C0073002E00720074006600000000000000
2076
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{7729D44C-3D78-4D5F-AFF7-E4C0FDCBA55B}
2076
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
2076
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 1
[F00000000][T01D4DADC998A6070][O00000000]*C:\Users\admin\Desktop\
2076
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
2076
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 1
[F00000000][T01D4DADC998CAA60][O00000000]*C:\Users\admin\Desktop\functionscalls.rtf
2076
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\1A0BE9
1A0BE9
040000001C0800002900000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C00660075006E006300740069006F006E007300630061006C006C0073002E0072007400660012000000660075006E006300740069006F006E007300630061006C006C0073002E00720074006600000000000100000000000000003E1E6EBEDED201E90B1A00E90B1A0000000000DB040000000000000000000000000000000000000000000000000000FFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF
2076
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
019C826E445A4649A5B00BF08FCC4EEE
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
2076
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Toolbars\Settings
Microsoft Word
0101000000000000000006000000
2076
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Data
Settings
C00010033001000034010000040000001E0000001E0000001E0000001E0000001E0000001E000000220000001E0000001E0000001E000000060000000600000006000000060000000600000000000000060000000600000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000C00000002000000020000000200000002000000000000000000000000000000480000000600000006000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004000000DC000000E25024A1100A00633090060007000A002D001600000016000000C0030000F501000004060300000000000000000000000000040087010C000600C80009000180FFFF000006000000040000000C0100000502000000000000A004020000001200000000603090000064000000000000FF0000FF000000000000FF01000000010000005C08E0100000000000010000E40400001D000100000000000000020050000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000D000000000000000000000000D4944600D49446010000002F91010000080A000600000003333296040000000A050C0C0302040600000300000101010606060000000000000000000000000000000000000063631900000001000000000000000000000000000000030000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000002100190000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006301190000008C0A00000000E01000004B0000004B0000002000640000006301190000008C0A00000000B01300004B0000004B000000640000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000009002000002000001010101010101000101010101010001010100010001000101010101010101000100020003010301030103000301020003010301030103010000230101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101020101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010301010101010101010101010101FFFFCFFFFFFF00008602FFFF00008602FFFF00000C00FFFF00000100FFFF00000100FFFF0000010061000000610064006D0069006E000000000000000000000087FFFF0300003E00020200000600090034000000000090009000000000000F000000FFFFFF000000000000001400140000000000000002637800C80000000000140000000000900090008000FFFF00000800FFFF00000800FFFF0B00040001002000018014000B0043006F007500720069006500720020004E0065007700018014000B0043006F007500720069006500720020004E0065007700018014000B0043006F007500720069006500720020004E00650077000180140001002000018014000B0043006F007500720069006500720020004E00650077000180140009004D005300200047006F0074006800690063000180150007004D0069006E0067004C0069005500018018000600530069006D00530075006E0001801500050044006F00740075006D00018014000100200001801C0000000000
2076
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options
BackgroundOpen
0
2076
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1315897490
2076
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1315897491
2076
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTF
86
2076
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTA
86

Files activity

Executable files
2
Suspicious files
75
Text files
8
Unknown types
8

Dropped files

PID
Process
Filename
Type
3936
DllHost.exe
C:\Program Files\Ciddtqt90\cnhejg4il6h.exe
executable
MD5: 561189349e7ef1918a4c27182a279ca6
SHA256: 5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e
116
explorer.exe
C:\Users\admin\AppData\Local\Temp\Ciddtqt90\cnhejg4il6h.exe
executable
MD5: 561189349e7ef1918a4c27182a279ca6
SHA256: 5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e
2076
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\functionscalls.rtf.LNK
lnk
MD5: abc5f7e65692c0a7b88571113f4bc4c8
SHA256: e4b55aedfad9e0b37f085466f43be66869477f86ef2fba9c94ab367b52c8d8fe
2504
cnhejg4il6h.exe
C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini
text
MD5: d2a2412bddba16d60ec63bd9550d933f
SHA256: 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
3220
cnhejg4il6h.exe
C:\Users\admin\AppData\Local\Temp\~DF759C26EC6B232DE5.TMP
––
MD5:  ––
SHA256:  ––
3840
Firefox.exe
C:\Users\admin\AppData\Roaming\0456BO7E\045logrf.ini
binary
MD5: 53028481b5b5795f1501241ccc7abff6
SHA256: 75b5f3045e20c80f264568707e2d444dc7498db119d9661ae51a91575960fc5a
3220
cnhejg4il6h.exe
C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini
text
MD5: d2a2412bddba16d60ec63bd9550d933f
SHA256: 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
2888
wlanext.exe
C:\Users\admin\AppData\Roaming\0456BO7E\045logim.jpeg
image
MD5: b27736d692f15b597ce94b75bcf2afd6
SHA256: e628fc3b15b2d86c1582e70342e966bf4ec11fd8ee90300c6d96358755d4f095
2888
wlanext.exe
C:\Users\admin\AppData\Roaming\0456BO7E\045logrv.ini
binary
MD5: ba3b6bc807d4f76794c4b81b09bb9ba5
SHA256: 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
2888
wlanext.exe
C:\Users\admin\AppData\Roaming\0456BO7E\045logri.ini
binary
MD5: d63a82e5d81e02e399090af26db0b9cb
SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
2888
wlanext.exe
C:\Users\admin\AppData\Roaming\0456BO7E\045logrc.ini
binary
MD5: 2855a82ecdd565b4d957ec2ee05aed26
SHA256: 88e38da5b12dd96afd9dc90c79929ec31d8604b1afdebdd5a02b19249c08c939
2076
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2D42D7A1-E944-44BF-9841-C2CC62BE4F19}.tmp
––
MD5:  ––
SHA256:  ––
2076
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FD959111-DD91-4AA4-BD8D-FF239B901DB3}.tmp
––
MD5:  ––
SHA256:  ––
2980
TNT EXPRESS DELIVERY DOCUMENTS.exe
C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini
text
MD5: d2a2412bddba16d60ec63bd9550d933f
SHA256: 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
2076
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
text
MD5: b41640604f57a8f8e0d992e76ebf7437
SHA256: 4a12702b210bfa048acddeea3b149fd884611d23bca7140fc5aaca4516369abb
2076
WINWORD.EXE
C:\Users\admin\Desktop\~$nctionscalls.rtf
pgc
MD5: b55c192a4e1d49c0efec59d78fb6a234
SHA256: c93afdae18fd182814a4148c6690b07b0b21c63f6a0ad2d462b94a4cdac7162c
2076
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
pgc
MD5: 6d7b87262806397679ff737ad37f1aa2
SHA256: d7708ed70992d2af7663732ab1fb55bac28e35565dfda9f2fc981de8dbb7f400
2076
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVR793.tmp.cvr
––
MD5:  ––
SHA256:  ––
116
explorer.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019031520190316\index.dat
dat
MD5: 53ec4dd1d5f8a6cb323e5c70f1ed213e
SHA256: 403374c307f63aec4ecca1fea3b2e86de5e04579af136585db919c6e25411476
116
explorer.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\functionscalls.rtf.lnk
lnk
MD5: 46b04c6ab7ce10540eadec775c22e0a8
SHA256: ce4d281a87df7ba789e952115f7907968eaccc336d6ee62b577e0161b3332c71
116
explorer.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms
automaticdestinations-ms
MD5: 1697500b16b3b3560e7e6617e09012d9
SHA256: cf735876b62f2e2b1f56d007c60356777ca553793aa64ba86486fe0b4e28dd94
116
explorer.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\a7bd71699cd38d1c.automaticDestinations-ms
automaticdestinations-ms
MD5: 20ef998f7e7d326477ed61f46c5cd584
SHA256: 1cf72201f9801924c7b3d162beba238688a37177e0aa11e5e44fac7e1e930f92
3816
TNT EXPRESS DELIVERY DOCUMENTS.exe
C:\Users\admin\AppData\Local\Temp\~DFC3AA9A7F49D273C9.TMP
––
MD5:  ––
SHA256:  ––
2980
TNT EXPRESS DELIVERY DOCUMENTS.exe
C:\Users\admin\AppData\Local\Temp\~DF8B38958D50350EFD.TMP
binary
MD5: 17379ef1b0679abbe2c5122568b33146
SHA256: 859fb14af8b0ade85f4ea01579b4feb1c605398616d218c00c17082839188a1a
3816
TNT EXPRESS DELIVERY DOCUMENTS.exe
C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini
text
MD5: d2a2412bddba16d60ec63bd9550d933f
SHA256: 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
2504
cnhejg4il6h.exe
C:\Users\admin\AppData\Local\Temp\~DFDA1FE98438E5CC97.TMP
binary
MD5: 17379ef1b0679abbe2c5122568b33146
SHA256: 859fb14af8b0ade85f4ea01579b4feb1c605398616d218c00c17082839188a1a

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
26
TCP/UDP connections
26
DNS requests
15
Threats
46

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
116 explorer.exe GET 403 52.18.2.156:80 http://www.masakatsugaru.com/ch/?nDFxwnQ8=3BGAiZVyKl9fLxJyhsiYff7nPCloNTqFOvCxlgZChg49SWRU7JzDOxLXX/U+HhiWaGrgAA==&BZ-=dhDhI4XxZdnx26Y IE
html
malicious
116 explorer.exe GET 404 72.52.238.103:80 http://www.petitkevin.com/ch/?nDFxwnQ8=AlFZyTk3pU7A5ZwtbmhcOPRkLcozONN/lkYmXUgeEpb5/JhgqkT9Hw0m6p38sMFcL9+dzA==&BZ-=dhDhI4XxZdnx26Y&sql=1 US
html
malicious
116 explorer.exe POST –– 72.52.238.103:80 http://www.petitkevin.com/ch/ US
text
––
––
malicious
116 explorer.exe POST –– 72.52.238.103:80 http://www.petitkevin.com/ch/ US
text
––
––
malicious
116 explorer.exe POST –– 72.52.238.103:80 http://www.petitkevin.com/ch/ US
text
––
––
malicious
116 explorer.exe GET 302 23.20.239.12:80 http://www.areauruguay.com/ch/?nDFxwnQ8=DmJOioIitS7uAO0/M47gh5Z7xp1k+h0QvFS8TOeZm0v4YFEgz7D2diDNp9XEDjEKYOeaTg==&BZ-=dhDhI4XxZdnx26Y&sql=1 US
html
malicious
116 explorer.exe POST –– 23.20.239.12:80 http://www.areauruguay.com/ch/ US
text
––
––
malicious
116 explorer.exe POST –– 23.20.239.12:80 http://www.areauruguay.com/ch/ US
text
––
––
malicious
116 explorer.exe POST –– 23.20.239.12:80 http://www.areauruguay.com/ch/ US
text
––
––
malicious
116 explorer.exe GET 404 199.188.203.227:80 http://www.saibez.com/ch/?nDFxwnQ8=ChrdQJ3JjgCxSTMyEG3OxXQQg0zaw2RW1xOAubNXPOhpfFLzh9jLihO0PuLkryl07+EVOw==&BZ-=dhDhI4XxZdnx26Y&sql=1 US
html
malicious
116 explorer.exe POST 404 199.188.203.227:80 http://www.saibez.com/ch/ US
text
html
malicious
116 explorer.exe POST 404 199.188.203.227:80 http://www.saibez.com/ch/ US
text
html
malicious
116 explorer.exe POST –– 199.188.203.227:80 http://www.saibez.com/ch/ US
binary
––
––
malicious
116 explorer.exe GET –– 107.186.23.124:80 http://www.gzxhx168.com/ch/?nDFxwnQ8=6zwHgmy8wWdfY41lmTs6ccVq9nNpqjDmcqB+q0T/59BxEdYsAqc+hSE1PW623fTPITjtjg==&BZ-=dhDhI4XxZdnx26Y US
––
––
malicious
116 explorer.exe POST –– 107.186.23.124:80 http://www.gzxhx168.com/ch/ US
text
––
––
malicious
116 explorer.exe POST –– 107.186.23.124:80 http://www.gzxhx168.com/ch/ US
text
––
––
malicious
116 explorer.exe POST –– 107.186.23.124:80 http://www.gzxhx168.com/ch/ US
binary
––
––
malicious
116 explorer.exe GET –– 198.185.159.144:80 http://www.peoplearentprops.com/ch/?nDFxwnQ8=Bg6dIISLLlUzv0f6aZadhdBlQEnqujIpb9FcNCib6p8PWEukQrgxi90mKrSexnjCZg0PvQ==&BZ-=dhDhI4XxZdnx26Y US
––
––
malicious
116 explorer.exe POST –– 198.185.159.144:80 http://www.peoplearentprops.com/ch/ US
text
––
––
malicious
116 explorer.exe POST –– 198.185.159.144:80 http://www.peoplearentprops.com/ch/ US
text
––
––
malicious
116 explorer.exe POST –– 198.185.159.144:80 http://www.peoplearentprops.com/ch/ US
text
––
––
malicious
116 explorer.exe GET 302 23.20.239.12:80 http://www.automobilagent.com/ch/?nDFxwnQ8=YSM0LrGqhAbnf03HfkKteUxsKsO0PLQnTZE6tVR8CESGCQLj0HwHoCfBcAkLNfFkm0FNqA==&BZ-=dhDhI4XxZdnx26Y US
html
malicious
116 explorer.exe POST –– 23.20.239.12:80 http://www.automobilagent.com/ch/ US
text
––
––
malicious
116 explorer.exe POST –– 23.20.239.12:80 http://www.automobilagent.com/ch/ US
text
––
––
malicious
116 explorer.exe POST –– 23.20.239.12:80 http://www.automobilagent.com/ch/ US
binary
––
––
malicious
116 explorer.exe GET –– 208.91.197.39:80 http://www.atsintech.solutions/ch/?nDFxwnQ8=aFGO3HfTNQs/EkI0vS00ktq/k6bEDerQ1bCXZ7wVEl81gGmfWFevrF/T8LM2yLiAHilEHA==&BZ-=dhDhI4XxZdnx26Y VG
––
––
malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
116 explorer.exe 52.18.2.156:80 Amazon.com, Inc. IE malicious
116 explorer.exe 72.52.238.103:80 Liquid Web, L.L.C US malicious
116 explorer.exe 23.20.239.12:80 Amazon.com, Inc. US shared
116 explorer.exe 199.188.203.227:80 Namecheap, Inc. US malicious
116 explorer.exe 107.186.23.124:80 EGIHosting US malicious
116 explorer.exe 198.185.159.144:80 Squarespace, Inc. US malicious
116 explorer.exe 208.91.197.39:80 Confluence Networks Inc VG malicious

DNS requests

Domain IP Reputation
www.masakatsugaru.com 52.18.2.156
52.31.109.102
malicious
www.1024ccco.info No response unknown
www.petitkevin.com 72.52.238.103
malicious
www.areauruguay.com 23.20.239.12
malicious
www.thicdienthoai.com No response unknown
www.saibez.com 199.188.203.227
malicious
www.pl8v5z.info No response unknown
www.gzxhx168.com 107.186.23.124
malicious
www.afcct-ladiesinredlunch.com No response unknown
www.peoplearentprops.com 198.185.159.144
198.185.159.145
198.49.23.144
198.49.23.145
malicious
www.automobilagent.com 23.20.239.12
malicious
www.chibitzer.com No response unknown
www.biodesixlungreflex.com No response unknown
www.atsintech.solutions 208.91.197.39
malicious

Threats

PID Process Class Message
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (POST)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (POST)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (POST)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (POST)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (POST)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (GET)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (POST)
116 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (GET)

20 ETPRO signatures available at the full report

Debug output strings

No debug info.