General Info

File name

922075B1D2E58C34B8BB6B47262B77A9

Full analysis
https://app.any.run/tasks/19c84301-b4ec-4a99-9b0a-01a6a32de5e8
Verdict
Malicious activity
Analysis date
5/15/2019, 04:01:57
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

ole-embedded

Indicators:

MIME:
text/rtf
File info:
Rich Text Format data, version 1, ANSI
MD5

922075b1d2e58c34b8bb6b47262b77a9

SHA1

d05e586251b3a965b9c9af76568eff912e16432f

SHA256

76a0c2684a4429710c3bebff6e827881986fb8eeb9d370fafb3aa8bbd6f371df

SSDEEP

6144:oJOElgNkaVtlvP5OWuK0itb/XbI99qjIaj4iNt/10FsfPv2Tz5EveNMf:/ElzaVzMslrI9AUAqFsfPv2Pnuf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Modifies the Internet Explorer registry keys for privacy or tracking
  • dwm.exe (PID: 2016)
Changes internet zones settings
  • dwm.exe (PID: 2016)
Runs injected code in another process
  • ubda.exe (PID: 1400)
Actions looks like stealing of personal data
  • dwm.exe (PID: 2016)
Application was injected by another process
  • dwm.exe (PID: 2016)
Changes the autorun value in the registry
  • dwm.exe (PID: 2016)
Unusual execution from Microsoft Office
  • WINWORD.EXE (PID: 2992)
Application was dropped or rewritten from another process
  • ubda.exe (PID: 1400)
  • F2AC.tmp (PID: 3388)
Executable content was dropped or overwritten
  • WINWORD.EXE (PID: 2992)
Starts CMD.EXE for commands execution
  • WINWORD.EXE (PID: 2992)
Starts Microsoft Office Application
  • cmd.exe (PID: 2720)
Creates files in the user directory
  • F2AC.tmp (PID: 3388)
Starts application with an unusual extension
  • WINWORD.EXE (PID: 2992)
Starts itself from another location
  • F2AC.tmp (PID: 3388)
Executable content was dropped or overwritten
  • F2AC.tmp (PID: 3388)
Searches for installed software
  • dwm.exe (PID: 2016)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 2484)
  • WINWORD.EXE (PID: 2992)
Creates files in the user directory
  • WINWORD.EXE (PID: 2992)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.rtf
|   Rich Text Format (100%)

Screenshots

Processes

Total processes
39
Monitored processes
7
Malicious processes
4
Suspicious processes
0

Behavior graph

+
drop and start start inject winword.exe f2ac.tmp ubda.exe no specs cmd.exe no specs winword.exe no specs dwm.exe winmail.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
2016
CMD
"C:\Windows\system32\Dwm.exe"
Path
C:\Windows\System32\dwm.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Desktop Window Manager
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmredir.dll
c:\windows\system32\dwmcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ole32.dll
c:\windows\system32\d3d10_1.dll
c:\windows\system32\d3d10_1core.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\version.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\program files\common files\system\wab32.dll
c:\windows\system32\cryptdlg.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\msoert2.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\msimg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\propsys.dll
c:\windows\system32\msxml6.dll
c:\program files\windows mail\msoe.dll
c:\windows\system32\atl.dll
c:\windows\system32\msoeacct.dll
c:\windows\system32\inetcomm.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\esent.dll
c:\windows\system32\msidcrl30.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\inetres.dll
c:\windows\system32\acctres.dll
c:\program files\windows mail\msoeres.dll

PID
2992
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\922075B1D2E58C34B8BB6B47262B77A9.rtf"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\mscomctl.ocx
c:\windows\system32\comdlg32.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\users\admin\appdata\local\temp\f2ac.tmp
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
3388
CMD
C:\Users\admin\AppData\Local\Temp\F2AC.tmp
Path
C:\Users\admin\AppData\Local\Temp\F2AC.tmp
Indicators
Parent process
WINWORD.EXE
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\f2ac.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\roaming\gixi\ubda.exe

PID
1400
CMD
"C:\Users\admin\AppData\Roaming\Gixi\ubda.exe"
Path
C:\Users\admin\AppData\Roaming\Gixi\ubda.exe
Indicators
No indicators
Parent process
F2AC.tmp
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\roaming\gixi\ubda.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\dwm.exe

PID
2720
CMD
cmd.exe /c C:\Users\admin\AppData\Local\Temp\~tmp.doc
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
WINWORD.EXE
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sxs.dll
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\devrtl.dll
c:\windows\system32\mpr.dll

PID
2484
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\~tmp.doc"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\gdi32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\psapi.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\windows\system32\version.dll
c:\program files\common files\microsoft shared\office14\1033\alrtintl.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll

PID
3372
CMD
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
Path
C:\Program Files\Windows Mail\WinMail.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Mail
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\windows mail\winmail.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msoert2.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\windows mail\msoe.dll
c:\windows\system32\atl.dll
c:\windows\system32\msoeacct.dll
c:\windows\system32\inetcomm.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\esent.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\msidcrl30.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\inetres.dll
c:\windows\system32\acctres.dll
c:\windows\system32\psapi.dll
c:\program files\windows mail\msoeres.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\mlang.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msident.dll
c:\windows\system32\pstorec.dll

Registry activity

Total events
1042
Read events
986
Write events
56
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2016
dwm.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy
CleanCookies
0
2016
dwm.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1406
0
2016
dwm.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1609
0
2016
dwm.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1406
0
2016
dwm.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1609
0
2016
dwm.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Cyocyvor
C:\Users\admin\AppData\Roaming\Gixi\ubda.exe
2992
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
'?
273F2000B00B0000010000000000000000000000
2992
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
2992
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
2992
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1320091678
2992
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1320091800
2992
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1320091801
2992
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
B00B0000D070FD36C20AD50100000000
2992
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
!
21202000B00B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
2992
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2992
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2992
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
l!
6C212000B00B000006000000010000009E000000020000008E0000000400000063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C006C006F00630061006C005C00740065006D0070005C00390032003200300037003500620031006400320065003500380063003300340062003800620062003600620034003700320036003200620037003700610039002E00720074006600000000000000
2992
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductNonBootFiles
1320091649
2720
cmd.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1320091686
2484
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DisabledItems
156DC8
020000008E0000000400000063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C006C006F00630061006C005C00740065006D0070005C00390032003200300037003500620031006400320065003500380063003300340062003800620062003600620034003700320036003200620037003700610039002E00720074006600000000000000
2484
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
2484
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
2484
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1320091802
2484
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
ProductNonBootFilesIntl_1033
1320091658
2484
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
ProductNonBootFilesIntl_1033
1320091659
3372
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\IAM\Accounts
ConnectionSettingsMigrated
1
3372
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Trident\Main
Move System Caret
no
3372
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail
StoreMigratedV5
1
3372
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail
Settings Upgraded
10
3372
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Mail
Safe Attachments
1
3372
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Mail
Secure Safe Attachments
1
3372
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail
Running
1
3372
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\IAM
Server ID
2
3372
WinMail.exe
write
HKEY_CURRENT_USER\Identities
Identity Ordinal
2
3372
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail
LastBackup
E307050003000F000200030009000002

Files activity

Executable files
2
Suspicious files
9
Text files
0
Unknown types
6

Dropped files

PID
Process
Filename
Type
3388
F2AC.tmp
C:\Users\admin\AppData\Roaming\Gixi\ubda.exe
executable
MD5: 0b4c8ed7984ffafd6eeaf049075a7514
SHA256: 3c941f7c06be631858d28037a66ac784d937ab5863914a0b9ab7d9f1bc098989
2992
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\F2AC.tmp
executable
MD5: e2fa3d5bd4ae97f60e47359549b777fd
SHA256: ff60dd3e8d0098c0b2718eb9477395c2e691176cec922e12fce50ff53f94764f
3372
WinMail.exe
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore
––
MD5:  ––
SHA256:  ––
3372
WinMail.exe
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log
––
MD5:  ––
SHA256:  ––
3372
WinMail.exe
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb00002.log
binary
MD5: 2a1b073cd12ba994d059a4a57307a2cf
SHA256: de6a8d407e236fb60a4ab350cd37e187e5a58464a89c1ca709df21ab847f78f7
3372
WinMail.exe
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.log
––
MD5:  ––
SHA256:  ––
3372
WinMail.exe
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edbtmp.log
––
MD5:  ––
SHA256:  ––
3372
WinMail.exe
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore
edb
MD5: 24dc355474e6ccab4d4d3b9907ca9870
SHA256: e6a2ab7401be0545b917fc4e82004d19be9cbfe92db2e6f7d38c811dfa1f884b
3372
WinMail.exe
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.chk
binary
MD5: 1d92199d1f7fd0b55174bbafc6498a81
SHA256: 6d90047e4a4301551ddc5a19495c57ab3e6c05dc9d897a3bd589968838e85736
3372
WinMail.exe
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\old\
––
MD5:  ––
SHA256:  ––
2992
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVREB87.tmp.cvr
––
MD5:  ––
SHA256:  ––
2016
dwm.exe
C:\Users\admin\AppData\Roaming\Siedto\syyze.acn
binary
MD5: 548ad6962c0b301332ef270f28acf8e4
SHA256: 4e92a0e6c49bb7d1e4be8a44916f217ed147c701e7421a9dfce293fbc6d44546
2484
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVR6DB7.tmp.cvr
––
MD5:  ––
SHA256:  ––
2992
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4670C243-A512-44CB-9F61-9D8E31CDC004}.tmp
binary
MD5: 80c6550f00872e0515c83f5e1a2fb5d6
SHA256: 7f46d1d9032262459233552ceade5b0663fa138df9b8048bdcf711cf54e27d21
2992
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F26BBDD6-644C-4DB8-AF83-F352B857D5C4}.tmp
smt
MD5: 5d4d94ee7e06bbb0af9584119797b23a
SHA256: 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
2992
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\~tmp.doc
document
MD5: 45f021fbf8b533f4180393e10e6dfdf9
SHA256: 4dc5fe8e9637abd4c251c4623afbae5d05d415479606902ad069f922241305d9
3372
WinMail.exe
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat
dbf
MD5: dae253afdd2d33dfd012644519cc90c7
SHA256: 4cb5b1934ded44df26f9c328a4af0f3450061eec95e419127e8d145c50bb9638
3372
WinMail.exe
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat
––
MD5:  ––
SHA256:  ––
2992
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\~$2075B1D2E58C34B8BB6B47262B77A9.rtf
pgc
MD5: 51bbafe4e90b7fee880c3473f97ab3ea
SHA256: 435b6db36995c32df50092c2dca55baa21552b5a56e859f22d450cbee3e3c2ea
2992
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
pgc
MD5: 816bea007272e3d591722a84b2ebd2e8
SHA256: 0bd48b965dd591f21a77d8c83e4c24fe5627c543192a698f7b1e1842a0eedb5a
3372
WinMail.exe
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\new
––
MD5:  ––
SHA256:  ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

No debug info.