General Info

File name

po.xlsx

Full analysis
https://app.any.run/tasks/34cf7b04-3c77-49e2-acee-a30d5ab1e60d
Verdict
Malicious activity
Analysis date
11/8/2018, 16:12:28
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

encrypted

opendir

exploit

CVE-2017-11882

loader

autoit

trojan

formbook

stealer

Indicators:

MIME:
application/encrypted
File info:
CDFV2 Encrypted
MD5

8162899574dd9bf113e7d5850b36903d

SHA1

79528e042c26edca9e535869318cc95588fdafde

SHA256

05806749c9c50f3a7559357c5dcbb3917783be47706c6bec8b74c9c50a84a7ce

SSDEEP

3072:7Wno3fi5NdQVRmuK+Cmk0wsoyqBemBazm7TqRF87mNnB0GDxXAUHw:s7QuuK+CR07oymBaEORF+cHXRw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Downloads executable files from the Internet
  • EQNEDT32.EXE (PID: 2936)
Changes the autorun value in the registry
  • rundll32.exe (PID: 2424)
Application was dropped or rewritten from another process
  • RegSvcs.exe (PID: 1904)
  • rns.exe (PID: 1908)
  • rns.exe (PID: 3436)
  • vbc.exe (PID: 2340)
Downloads executable files from IP
  • EQNEDT32.EXE (PID: 2936)
Connects to CnC server
  • explorer.exe (PID: 1604)
Actions look like stealing of personal data
  • rundll32.exe (PID: 2424)
FORMBOOK was detected
  • explorer.exe (PID: 1604)
Formbook was detected
  • Firefox.exe (PID: 4064)
  • rundll32.exe (PID: 2424)
Equation Editor starts application (CVE-2017-11882)
  • EQNEDT32.EXE (PID: 2936)
Suspicious connection from the Equation Editor
  • EQNEDT32.EXE (PID: 2936)
Stealing of credential data
  • rundll32.exe (PID: 2424)
Application launched itself
  • rns.exe (PID: 1908)
Starts CMD.EXE for commands execution
  • rundll32.exe (PID: 2424)
Uses RUNDLL32.EXE to load library
  • explorer.exe (PID: 1604)
Loads DLL from Mozilla Firefox
  • rundll32.exe (PID: 2424)
Executable content was dropped or overwritten
  • rns.exe (PID: 3436)
  • vbc.exe (PID: 2340)
  • EQNEDT32.EXE (PID: 2936)
Creates files in the user directory
  • rundll32.exe (PID: 2424)
Drop AutoIt3 executable file
  • vbc.exe (PID: 2340)
Dropped object may contain Bitcoin addresses
  • rns.exe (PID: 1908)
  • vbc.exe (PID: 2340)
Creates files in the user directory
  • Firefox.exe (PID: 4064)
Reads Microsoft Office registry keys
  • EXCEL.EXE (PID: 3556)
Starts Microsoft Office Application
  • explorer.exe (PID: 1604)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

Screenshots

Processes

Total processes
40
Monitored processes
10
Malicious processes
4
Suspicious processes
2

Behavior graph

start download and start drop and start drop and start excel.exe no specs eqnedt32.exe vbc.exe rns.exe no specs rns.exe regsvcs.exe no specs #FORMBOOK rundll32.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information


PID
1604
CMD
C:\Windows\Explorer.EXE
Path
C:\Windows\explorer.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sndvolsso.dll
c:\windows\system32\hid.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\timedate.cpl
c:\windows\system32\atl.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\userenv.dll
c:\windows\system32\samlib.dll
c:\windows\system32\samcli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\msls31.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\authui.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\winsta.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\psapi.dll
c:\windows\system32\gameux.dll
c:\windows\system32\wer.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\stobject.dll
c:\windows\system32\batmeter.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\es.dll
c:\windows\system32\prnfldr.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dxp.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\syncreg.dll
c:\windows\ehome\ehsso.dll
c:\windows\system32\netshell.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\alttab.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\pnidui.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\wwanapi.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\qagent.dll
c:\windows\system32\srchadmin.dll
c:\windows\system32\sxs.dll
c:\windows\system32\bthprops.cpl
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\synccenter.dll
c:\windows\system32\actioncenter.dll
c:\windows\system32\imapi2.dll
c:\windows\system32\hgcpl.dll
c:\windows\system32\provsvc.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\fxsst.dll
c:\windows\system32\fxsapi.dll
c:\windows\system32\fxsresm.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wscinterop.dll
c:\windows\system32\wscapi.dll
c:\windows\system32\wscui.cpl
c:\windows\system32\werconcpl.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wercplsupport.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\hcproviders.dll
c:\windows\system32\drprov.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\searchfolder.dll
c:\windows\system32\structuredquery.dll
c:\windows\system32\naturallanguage6.dll
c:\windows\system32\nlsdata0009.dll
c:\windows\system32\nlslexicons0009.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\networkexplorer.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\aclui.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\comsvcs.dll
c:\windows\system32\mlang.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\dsound.dll
c:\windows\system32\spinf.dll
c:\windows\system32\twext.dll
c:\program files\winrar\rarext.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\syncui.dll
c:\windows\system32\synceng.dll
c:\program files\notepad++\nppshell_06.dll
c:\windows\system32\acppage.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\program files\microsoft office\office14\excel.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll

PID
3556
CMD
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\version.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\winsta.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mpr.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\sxs.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\winmm.dll
c:\windows\system32\shdocvw.dll

PID
2936
CMD
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Design Science, Inc.
Description
Microsoft Equation Editor
Version
00110900
Modules
Image
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msi.dll
c:\program files\common files\microsoft shared\equation\1033\eeintl.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\users\public\vbc.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\mpr.dll

PID
2340
CMD
"C:\Users\Public\vbc.exe"
Path
C:\Users\Public\vbc.exe
Indicators
Parent process
EQNEDT32.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\public\vbc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\90407336\rns.exe

PID
1908
CMD
"C:\Users\admin\AppData\Local\Temp\90407336\rns.exe" qgx=vbw
Path
C:\Users\admin\AppData\Local\Temp\90407336\rns.exe
Indicators
No indicators
Parent process
vbc.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\90407336\rns.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
3436
CMD
C:\Users\admin\AppData\Local\Temp\90407336\rns.exe C:\Users\admin\AppData\Local\Temp\90407336\UGFIR
Path
C:\Users\admin\AppData\Local\Temp\90407336\rns.exe
Indicators
Parent process
rns.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\90407336\rns.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\users\admin\appdata\local\temp\regsvcs.exe

PID
1904
CMD
"C:\Users\admin\AppData\Local\Temp\RegSvcs.exe"
Path
C:\Users\admin\AppData\Local\Temp\RegSvcs.exe
Indicators
No indicators
Parent process
rns.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Services Installation Utility
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\users\admin\appdata\local\temp\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

PID
2424
CMD
"C:\Windows\System32\rundll32.exe"
Path
C:\Windows\System32\rundll32.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\vaultcli.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\program files\mozilla firefox\firefox.exe

PID
3112
CMD
/c del "C:\Users\admin\AppData\Local\Temp\RegSvcs.exe"
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
rundll32.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
4064
CMD
"C:\Program Files\Mozilla Firefox\Firefox.exe"
Path
C:\Program Files\Mozilla Firefox\Firefox.exe
Indicators
Parent process
rundll32.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Mozilla Corporation
Description
Firefox
Version
61.0.2
Modules
Image
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\program files\mozilla firefox\ucrtbase.dll
c:\program files\mozilla firefox\api-ms-win-core-timezone-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l2-1-0.dll
c:\program files\mozilla firefox\api-ms-win-core-localization-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-core-synch-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-core-processthreads-l1-1-1.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-multibyte-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\program files\mozilla firefox\softokn3.dll
c:\program files\mozilla firefox\freebl3.dll
c:\windows\system32\cryptbase.dll

Registry activity

Total events
1004
Read events
946
Write events
53
Delete events
5

Modification events

PID
Process
Operation
Key
Name
Value
1604
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
CheckSetting
1604
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsx\OpenWithList
a
EXCEL.EXE
1604
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsx\OpenWithList
MRUList
a
1604
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\RKPRY.RKR
000000000100000001000000C0070000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF0020467F5148D40100000000
1604
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
1604
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
1604
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\RKPRY.RKR
000000000100000001000000E0C60200000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF0020467F5148D40100000000
1604
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
3556
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
3556
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
3556
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\5D9557
3556
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery
3556
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
!#a
21236100E40D0000010000000000000000000000
3556
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
3556
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
3556
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTT
E40D0000D49263817577D40100000000
3556
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3556
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3556
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\5D9557
5D9557
04000000E40D00002900000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0070006F002E0078006C0073007800000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C000100000000000000E025DD817577D40157955D0057955D0000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3556
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\5D9557
5D9557
04000000E40D00002900000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0070006F002E0078006C0073007800000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C000100000000000000E025DD817577D40157955D0057955D0000000000AC020000001800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3556
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{A192D29A-6C37-4013-8A54-C4B95489973A}
3556
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
EXCELFiles
1298661393
3556
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1298661504
3556
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\5DDC62
5DDC62
3556
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Max Display
25
3556
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Max Display
25
3556
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
538F6C892AD540068154C6670774E980
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
3556
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
LastPurgeTime
25694833
2936
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
EquationEditorFilesIntl_1033
1298661379
2936
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
EnableFileTracing
0
2936
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
EnableConsoleTracing
0
2936
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
FileTracingMask
4294901760
2936
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
ConsoleTracingMask
4294901760
2936
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
MaxFileSize
1048576
2936
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
FileDirectory
%windir%\tracing
2936
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
EnableFileTracing
0
2936
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
EnableConsoleTracing
0
2936
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
FileTracingMask
4294901760
2936
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
ConsoleTracingMask
4294901760
2936
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
MaxFileSize
1048576
2936
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
FileDirectory
%windir%\tracing
2936
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2936
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
2936
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2936
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2340
vbc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2340
vbc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2424
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
BBMDP6DHFL1
C:\Program Files\Vqrqlrddx\configsvl4an.exe

Files activity

Executable files
5
Suspicious files
74
Text files
48
Unknown types
0

Dropped files

PID
Process
Filename
Type
3436
rns.exe
C:\Users\admin\AppData\Local\Temp\RegSvcs.exe
executable
MD5: be5073ae05e68612ba0fc1a3d339e64c
SHA256: 1735ba356794975169a93ee2babd33862229a1842c6e2c6a0b67366f5856894e
2936
EQNEDT32.EXE
C:\Users\Public\vbc.exe
executable
MD5: 2251d5713e8114609fb6aa3e9bd36673
SHA256: 1be3a2eaa351611c6510f6cb036d07acdc7b46e4a83b49062951bf14b80c8334
2936
EQNEDT32.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\frank[1].exe
executable
MD5: 2251d5713e8114609fb6aa3e9bd36673
SHA256: 1be3a2eaa351611c6510f6cb036d07acdc7b46e4a83b49062951bf14b80c8334
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\rns.exe
executable
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\ufw.mp4
text
MD5: 50580e5ccfdb3145eb226af74abe192e
SHA256: 928db1a5cc99a5eaeb36a0267acfe6d483077208beb909d4d7294193ddb993fb
2424
rundll32.exe
C:\Users\admin\AppData\Roaming\J-PQPS2W\J-Plogrc.ini
binary
MD5: 2855a82ecdd565b4d957ec2ee05aed26
SHA256: 88e38da5b12dd96afd9dc90c79929ec31d8604b1afdebdd5a02b19249c08c939
4064
Firefox.exe
C:\Users\admin\AppData\Roaming\J-PQPS2W\J-Plogrf.ini
binary
MD5: 53028481b5b5795f1501241ccc7abff6
SHA256: 75b5f3045e20c80f264568707e2d444dc7498db119d9661ae51a91575960fc5a
1908
rns.exe
C:\Users\admin\AppData\Local\Temp\90407336\UGFIR
text
MD5: ee5fc51b8e4a417064ae3523b75b9f9a
SHA256: 0a0b6cac53655ec01f9c8ed37bdadda7290540f77ee6174dace321b9d723be80
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\uxa.mp4
text
MD5: a13ad3345cb17735445c2f7c9dd1b355
SHA256: 52258eba5b561d7a65d23116f501f11851bcfaef15f51b6e6d2ec0dc3b81b293
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\slc.xl
text
MD5: 28881d47a86f70198d2b612808dd4325
SHA256: c8372ab9da9220822c3ac71610b0c8e64b4234ab71f71f9d17eb2b26ef3a88b8
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\vnx.txt
text
MD5: f1a57e0c11b0f912c4b7dda64a26e3a0
SHA256: fc594d588d315e939712aa10877ce835902368beca444e0b0668805d756ab447
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\tff.txt
text
MD5: 1e925f33b223b23ca93ad92afd3887b2
SHA256: ec2ae4c62fdca58df6ec01fd379caeccfef33b9d8184e2ef4d533cbe9fab2c36
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\pvl.dat
text
MD5: 96ae13bea2760a1ab19dc4be06ce4d4a
SHA256: ae925a612a94ccb0b77599cf237135666ce84160fff2944bfb93b411c1f92b11
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\euf.ppt
text
MD5: 4b674a0c7433468b8aa081f4adecf7a3
SHA256: 9f2aa715b00761111d6e8c919cf2d198c9d07ae5d133ffc49a9873a6752c2c65
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\cwk.xl
text
MD5: 900796cbebc322e2fc2c552609fbb908
SHA256: ea6daad8c7bbf1d0ef6353fd8c74a77db6c4537dec6c60b1fe1c990dd7a7dff6
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\fxq.docx
text
MD5: 43d947b3e6763f10faff0298cfb9368a
SHA256: 48e418f949aac1b837f4785ee28b3dbff3caf734bd17ace99f35c82c61fe8a08
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\rjh.jpg
text
MD5: e1ee0cd1e6cd51552994b59b14097546
SHA256: f9c299aceb2022858eeec5aca6f9700418ee68156baf796884a99dcd78ef146d
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\adv.jpg
text
MD5: 4a2ffbad9f4458359340d27e4ecb219f
SHA256: d5fee810a07e071f4c64c32e70b62015ec98b53228e4ca80a40cd9fa23773ecf
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\igm.jpg
text
MD5: 66da9a9bbe9e7b3171c9692b039ae388
SHA256: d0ab5aa9dbda0df467fd8c2c9f4fd1fa314adb51bd3d963fb7e64483ef30dc10
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\sdj.docx
text
MD5: d88dd21b5384269cc3c0e67917b6d1b0
SHA256: bd464499ee0a6da8128300de74f2abef132a6a679a8c03a4dc4274bfefa79e0f
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\tal.mp3
text
MD5: e784cd632c54d824280d78ba3ab983d3
SHA256: 3ce1f1446bb08013c3ad12b78fa965c1e82de49ddbd91be326d4b9df6d0f9931
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\qse.mp3
text
MD5: 39e13b4d2c406c034def2445ee2689ed
SHA256: a738feac14836da96b1b48c2882e70fec48199cf604d31af4efc362ca12c70ee
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\btu.mp3
text
MD5: 7c57b10afbbdf1d283c35faf79494b7b
SHA256: 02af6a730a78ed3db3185f16ddd8ae5be7d488f8a922e8127ef0f777d3293dd6
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\rlk.docx
text
MD5: 1067180307976f3eee72cc2e0fce8378
SHA256: 9fd077e17653d896e4d857cf4b3c0ee00e02aa4dff0901d5e5c0a6e769b32754
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\khl.jpg
text
MD5: 47a1f74bd8889e55e086d350e235d482
SHA256: 20d50b3bb80c1fb270fa9b37497f49290f900f96401a080e9c6c18f87a15dc7d
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\ckr.icm
text
MD5: 81fbf186fd0eb8341c1b07a97da23c07
SHA256: 4a4dda880014952cfa919f28cae7562f86a34c8e94ecc75d509bc5025080fbe6
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\phg.icm
text
MD5: 4589ef76f4fbbdc67d9e16dc70c64187
SHA256: 29a039da0aaf5fc41065ab6ff1bddd96bf1f7c3c3f59f8b11986d9f6009aea32
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\nob.icm
text
MD5: a87ea5b9695f85c556795cceb62f0644
SHA256: ef260c2bc2aa8d553c897b1f0fe53bd765e19ddfec453bb4ac74d0b20ffb048d
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\dhp.pdf
text
MD5: 424406acb59cdd2f84904d79ade574d7
SHA256: bb2f52b22d47449e76e41233037759fea3cc0310286aab4ab22cbf90a3ae2430
3556
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\CVR9381.tmp.cvr
––
MD5: ––
SHA256: ––
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\rnc.docx
text
MD5: ea6c8bfc92d5757b1f723e0c3d87f2ff
SHA256: 3855c9b73acb924cc8999e93fab3a258a90f2e2e530e14b6e6e11adcbe1fb540
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\vxg.pdf
text
MD5: 06c96189899ffecdf12c18e28401215e
SHA256: b36c5c24f3c9b0b53c4d3855bfee6130394ac83003c10ff42f74536bd92eae45
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\gul.ppt
text
MD5: 18de5328db1975bd280afb7f403cfc2a
SHA256: 603889da5e55ccf61e71844913d8e866ee5df64b01c990a48379b4c003641021
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\xem.bmp
text
MD5: e3d47c2d2c4a0ef10f4d6b99b7025d31
SHA256: 770f3a4ccc41c3293dcba46014aa9c359d89d26344281ead28750f0934f027a5
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\rnb.mp3
text
MD5: b0f71ca11296656477794f1c34f8eccd
SHA256: 7f37b8844e31ef1077a15cb37906df5fc875a329497c286787b4e3ed2068267c
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\uwa.xl
text
MD5: b249641587b3a38e2d2b7ba0ffcc3f3b
SHA256: f62c8747fd1bed6bf7eaddb15890e7b64b80a0b11496fcb9e1134d54c2a23dc3
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\cgm.mp3
text
MD5: 134051898b2d9e9464116b9a8e9b9770
SHA256: 6701c0e71b49a127e2a24ccaf1cb7e9f1642dfb8b3586932d15aa1399df1593e
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\pve.ppt
text
MD5: 79127906685bb68804ac5b829adeba6e
SHA256: 7806f940e20f081e363ec4a14c6076388d5a771f6c6e708307dfcee95742829b
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\hhe.dat
text
MD5: 42757dc1dc1cfe02246bbd13745f3344
SHA256: dfc5a1892aa7f13b26441de319b51634a985530d4b41bab6a3518079c6915291
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\ftw.txt
text
MD5: ba75ccdb2e8715a157f8f851fbaa7e02
SHA256: e875942545042b7866b3d3ec3e1b849c4752b4acd6096b6760d54a7692869821
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\hnq.mp3
text
MD5: fab79b481c319b651fdbeba163abac34
SHA256: ed44651d5fcee90fce6c71c6c0f97c234b28b70d147667b62ff637c8b8cb2acc
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\gbn.txt
text
MD5: fc0e33d5d57a0e80c4713046c61b54c8
SHA256: 09d98303cd755632bc58191eb7c7bf5bcab92b1127394ba8377f17b39aa3e491
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\nwh.jpg
text
MD5: 2f9f2c16ef8fd0285d0f34746808fe2d
SHA256: e3dd79c4e3ffa2a017481f1cac0cb8fbf002ecef93c1809cedcaad386d9f327d
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\jug.xl
text
MD5: a22055e3af5206eea00531258489e2c5
SHA256: 14f1bf6efbbf9960908489e9329f3a126e4b8c6ac5c74e319a05910650df544c
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\bqd.xl
text
MD5: 8b4e174ca7350758a33b0490971f84f4
SHA256: 1ef293d70fa9c5b505ee9d61f449ad200b06dadd7c3ef28012a57713d4241a3f
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\ocj.dat
text
MD5: 2bfeabc8b449a09668371e8371091f24
SHA256: 48de13701c9eb1c969023c389574c19381d598e1b9773257be045b10563c5764
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\efr.bmp
text
MD5: ac17706881b5eca4108ac69d7756b202
SHA256: 5b6328cf41a13dca9388fd9a4f0e6b97fadf859677d925b898b100eb72a8345d
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\cfc.ppt
text
MD5: a814740493e0fb0db6eb848f59085281
SHA256: 006cdda94df2ce9491afef945051e483dcba8db309e4511104df3e9f7463512d
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\igw.pdf
text
MD5: 44af209b75353ffa7a0181b8a141f84b
SHA256: 8f182ddd391ca6dde8eced6322e6d5542b70e427ad7f91d5cf5d905feec4a21f
2424
rundll32.exe
C:\Users\admin\AppData\Roaming\J-PQPS2W\J-Plogrv.ini
binary
MD5: ba3b6bc807d4f76794c4b81b09bb9ba5
SHA256: 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\jpp.jpg
text
MD5: 63f078adb3f851122cca3b51ecb73c87
SHA256: b331506b36a0f787a1f317e91a1b392e9f515fffc8fdc3bfee3ef447d69fa0ee
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\uvd.xl
text
MD5: 25f21ff87d98e106980a10c3942dd418
SHA256: 47f713dda2e6cc66b91da78524874b182be1775e23a121701812dff705a69ffb
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\aaq.docx
text
MD5: 4a2927fdf8596bf0ab5eee6923a6db0c
SHA256: 3f6d12ea89fabda15d79acc2068532d01ce0340974c7d83e087033e1a12538f5
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\qgx=vbw
text
MD5: 0106092deba205cb68ac70845856cbe1
SHA256: e8730684be006116371f1c6e8a4b206866ce88da340e23a587439a28c4413019
2340
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\nrw.mp3
text
MD5: d19084d895a74ddf37208c9a2a04d808
SHA256: d05f2464e8baa4e01b80fcde1cb1e06f32e09f2fc96be9c4af11ce13db6fe68e
2424
rundll32.exe
C:\Users\admin\AppData\Roaming\J-PQPS2W\J-Plogri.ini
binary
MD5: a91326b17ffc60ffa0db96a24bc0080c
SHA256: 7df0ac1eb893dc02b3a5f65fcee6d054ffcb34596b7863a339c279d6ef1f5f78
2424
rundll32.exe
C:\Users\admin\AppData\Roaming\J-PQPS2W\J-Plogri.ini
binary
MD5: d63a82e5d81e02e399090af26db0b9cb
SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
2424
rundll32.exe
C:\Users\admin\AppData\Roaming\J-PQPS2W\J-Plogim.jpeg
image
MD5: f6dcafca209a73007c4088416c6b88f5
SHA256: a822efd8bbdf4f3f232304798b8de0aab1cbf68b689c503e87f92762c9f46381

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
22
TCP/UDP connections
22
DNS requests
19
Threats
42

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2936 EQNEDT32.EXE GET 200 23.249.161.100:80 http://23.249.161.100/frankm/frank.exe US
executable
malicious
1604 explorer.exe GET 404 74.208.236.237:80 http://www.mtamstore.com/aa8/?0puHwJ=JNhgMdbImNKqMu8yexzqgfWmRQQ4Viu2qbFnlcgUm3KzSsHYhtmoGp2ALpPl9XC5X9G7sg==&00A=vDzpdxFPZdFhEjM US
html
suspicious
1604 explorer.exe GET –– 203.170.80.250:80 http://www.misterpips.com/aa8/?0puHwJ=5j3zBjERkQZ9BrvBozWMVamVFVEOpyDcfugbGSmkUPL+Oe3M4hwR5L2pHLMlU/qxqvD4mg==&00A=vDzpdxFPZdFhEjM&sql=1 AU
––
––
malicious
1604 explorer.exe POST –– 203.170.80.250:80 http://www.misterpips.com/aa8/ AU
text
––
––
malicious
1604 explorer.exe POST –– 203.170.80.250:80 http://www.misterpips.com/aa8/ AU
text
––
––
malicious
1604 explorer.exe POST –– 203.170.80.250:80 http://www.misterpips.com/aa8/ AU
text
––
––
malicious
1604 explorer.exe POST –– 203.170.80.250:80 http://www.misterpips.com/aa8/ AU
text
––
––
malicious
1604 explorer.exe GET –– 172.217.168.19:80 http://www.xn--n9j7ff2irju61ovphy97i.com/aa8/?0puHwJ=1dSfG+6p2+XpdxKPE4MLxT/HXcyBkSgMzXVh47vwts/p9M1747zdxw2yoAxc37c8tq+Ewg==&00A=vDzpdxFPZdFhEjM&sql=1 US
––
––
malicious
1604 explorer.exe POST –– 172.217.168.19:80 http://www.xn--n9j7ff2irju61ovphy97i.com/aa8/ US
text
––
––
malicious
1604 explorer.exe POST –– 172.217.168.19:80 http://www.xn--n9j7ff2irju61ovphy97i.com/aa8/ US
text
––
––
malicious
1604 explorer.exe POST –– 172.217.168.19:80 http://www.xn--n9j7ff2irju61ovphy97i.com/aa8/ US
text
––
––
malicious
1604 explorer.exe POST –– 172.217.168.19:80 http://www.xn--n9j7ff2irju61ovphy97i.com/aa8/ US
text
––
––
malicious
1604 explorer.exe GET –– 47.52.142.209:80 http://www.fluorysports.com/aa8/?0puHwJ=8QtQh+QKR4X7xXWpsWgmLAzc5/T6YCkTzuAoZm2VrSe2knya/26h47lQL8rgD55NpSkKog==&00A=vDzpdxFPZdFhEjM&sql=1 HK
––
––
malicious
1604 explorer.exe POST –– 47.52.142.209:80 http://www.fluorysports.com/aa8/ HK
text
––
––
malicious
1604 explorer.exe POST –– 47.52.142.209:80 http://www.fluorysports.com/aa8/ HK
text
––
––
malicious
1604 explorer.exe POST –– 47.52.142.209:80 http://www.fluorysports.com/aa8/ HK
text
––
––
malicious
1604 explorer.exe POST –– 47.52.142.209:80 http://www.fluorysports.com/aa8/ HK
binary
––
––
malicious
1604 explorer.exe GET –– 160.202.124.193:80 http://www.boxilite.com/aa8/?0puHwJ=NabGGMvU0ukeEQLlh6+MgxSvMPLz7OWkzcoZHL5n5LWGphHkQNmcZkyqtkTQUFx+M7z4zw==&00A=vDzpdxFPZdFhEjM&sql=1 US
––
––
malicious
1604 explorer.exe POST –– 160.202.124.193:80 http://www.boxilite.com/aa8/ US
text
––
––
malicious
1604 explorer.exe POST –– 160.202.124.193:80 http://www.boxilite.com/aa8/ US
text
––
––
malicious
1604 explorer.exe POST –– 160.202.124.193:80 http://www.boxilite.com/aa8/ US
text
––
––
malicious
1604 explorer.exe POST –– 160.202.124.193:80 http://www.boxilite.com/aa8/ US
binary
––
––
malicious

Download the PCAP, analyze network streams, HTTP content and a lot more in the full report

Connections

PID Process IP ASN CN Reputation
2936 EQNEDT32.EXE 23.249.161.100:80 ColoCrossing US malicious
1604 explorer.exe 74.208.236.237:80 1&1 Internet SE US suspicious
1604 explorer.exe 203.170.80.250:80 Dreamscape Networks Limited AU malicious
1604 explorer.exe 172.217.168.19:80 Google Inc. US whitelisted
1604 explorer.exe 47.52.142.209:80 Alibaba (China) Technology Co., Ltd. HK malicious
1604 explorer.exe 160.202.124.193:80 QuickPacket, LLC US malicious

DNS requests

Domain IP Reputation
www.lcdluq.info No response unknown
www.mtamstore.com 74.208.236.237 unknown
www.misterpips.com 203.170.80.250 malicious
www.recht-auf-loeschung.info No response unknown
www.xn--n9j7ff2irju61ovphy97i.com 172.217.168.19 malicious
www.wisdommwakiwa.com No response unknown
www.fluorysports.com 47.52.142.209 malicious
www.forgotumented.net No response unknown
www.yg6669.com No response unknown
dns.msftncsi.com 131.107.255.255 whitelisted
www.greekprivateislandretreat.com No response malicious
www.boxilite.com 160.202.124.193 malicious
www.inbxd.info No response unknown
www.xcybyf.info No response unknown

Threats

PID Process Class Message
2936 EQNEDT32.EXE A Network Trojan was detected ET INFO Executable Download from dotted-quad Host
2936 EQNEDT32.EXE A Network Trojan was detected ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
2936 EQNEDT32.EXE Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
2936 EQNEDT32.EXE A Network Trojan was detected ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
2936 EQNEDT32.EXE Potentially Bad Traffic ET INFO SUSPICIOUS Dotted Quad Host MZ Response
1604 explorer.exe A Network Trojan was detected SC SPYWARE Trojan-Spy.Win32.Noon
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (GET)
1604 explorer.exe A Network Trojan was detected SC SPYWARE Trojan-Spy.Win32.Noon
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (GET)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
1604 explorer.exe A Network Trojan was detected SC SPYWARE Trojan-Spy.Win32.Noon
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (POST)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
1604 explorer.exe A Network Trojan was detected SC SPYWARE Trojan-Spy.Win32.Noon
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (GET)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (POST)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
1604 explorer.exe A Network Trojan was detected SC SPYWARE Trojan-Spy.Win32.Noon
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (GET)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (POST)

13 ETPRO signatures available in the full report

Debug output strings

No debug info.