General Info

File name: PO no.01313283.xlsx
Full analysis: https://app.any.run/tasks/7b383c42-0d1d-4a8b-8bba-2965b0727354
Verdict: Malicious activity
Analysis date: 11/9/2018, 00:19:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: encrypted, opendir, exploit, CVE-2017-11882, loader, autoit, trojan, formbook, stealer
MIME: application/encrypted
File info: CDFV2 Encrypted
MD5: 8162899574dd9bf113e7d5850b36903d
SHA1: 79528e042c26edca9e535869318cc95588fdafde
SHA256: 05806749c9c50f3a7559357c5dcbb3917783be47706c6bec8b74c9c50a84a7ce
SSDEEP: 3072:7Wno3fi5NdQVRmuK+Cmk0wsoyqBemBazm7TqRF87mNnB0GDxXAUHw:s7QuuK+CR07oymBaEORF+cHXRw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration: 120 seconds
Additional time used: 60 seconds
Fakenet option: off
Heavy Evasion option: off
MITM proxy: off
Route via Tor: off
Network geolocation: off
Privacy: Public submission
Autoconfirmation of UAC: on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Loads dropped or rewritten executable
  • control.exe (PID: 256)
Formbook was detected
  • control.exe (PID: 256)
  • Firefox.exe (PID: 3732)
Application was dropped or rewritten from another process
  • RegSvcs.exe (PID: 3656)
  • rns.exe (PID: 628)
  • vbc.exe (PID: 3736)
  • rns.exe (PID: 3308)
FORMBOOK was detected
  • explorer.exe (PID: 1604)
Changes the autorun value in the registry
  • control.exe (PID: 256)
Actions look like stealing of personal data
  • control.exe (PID: 256)
Downloads executable files from IP
  • EQNEDT32.EXE (PID: 3508)
Connects to CnC server
  • explorer.exe (PID: 1604)
Stealing of credential data
  • cmd.exe (PID: 1580)
  • control.exe (PID: 256)
Equation Editor starts application (CVE-2017-11882)
  • EQNEDT32.EXE (PID: 3508)
Downloads executable files from the Internet
  • EQNEDT32.EXE (PID: 3508)
Suspicious connection from the Equation Editor
  • EQNEDT32.EXE (PID: 3508)
Starts CMD.EXE for commands execution
  • control.exe (PID: 256)
Creates files in the user directory
  • control.exe (PID: 256)
Loads DLL from Mozilla Firefox
  • control.exe (PID: 256)
Executable content was dropped or overwritten
  • control.exe (PID: 256)
  • rns.exe (PID: 628)
  • EQNEDT32.EXE (PID: 3508)
  • vbc.exe (PID: 3736)
Drop AutoIt3 executable file
  • vbc.exe (PID: 3736)
Creates files in the user directory
  • Firefox.exe (PID: 3732)
Dropped object may contain Bitcoin addresses
  • rns.exe (PID: 3308)
  • vbc.exe (PID: 3736)
Starts Microsoft Office Application
  • explorer.exe (PID: 1604)
Reads Microsoft Office registry keys
  • EXCEL.EXE (PID: 3924)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
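The signatures above describe one chain: the Equation Editor (started by COM, so it has no EXCEL.EXE parent in the tree) downloads and runs vbc.exe from C:\Users\Public, which unpacks an AutoIt stager (rns.exe) into %TEMP%, which in turn drops a RegSvcs.exe copy in %TEMP%; FormBook then runs out of explorer.exe and control.exe, loads Firefox's nss3.dll and a sqlite3.dll from %TEMP%, copies Chrome's Login Data with cmd.exe and deletes the dropped RegSvcs.exe. The following is an added example, not ANY.RUN code, showing how a practitioner would turn those observations into rules over process-creation and image-load telemetry. The events are constructed from the process information on this page (PIDs, parents, command lines and a few loaded modules are copied from the report); the rule names, allow-lists and field names are this example's own assumptions.

```python
"""Process-tree and image-load triage for the chain in this report.

Added example, not ANY.RUN code.  EVENTS is constructed from the report's
"Process information" section; rule names and allow-lists are assumptions.
"""
import ntpath
import re

OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}
# .NET Framework utilities live under %SystemRoot%\Microsoft.NET; a copy anywhere
# else (here %TEMP%\RegSvcs.exe and C:\Users\Public\vbc.exe) was dropped.
DOTNET_TOOLS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "vbc.exe", "csc.exe"}
CRED_STORES = re.compile(r"\\(Login Data|Web Data|logins\.json|key4\.db|key3\.db)\b", re.I)
USER_WRITABLE = re.compile(r"\\Users\\(Public|[^\\]+\\AppData\\Local\\Temp)\\", re.I)

TEMP = r"C:\Users\admin\AppData\Local\Temp"
FF = r"C:\Program Files\Mozilla Firefox"

# Constructed from the report (PID, parent PID, image, command line, some modules).
EVENTS = [
    dict(pid=1604, ppid=None, image=r"C:\Windows\explorer.exe", cmd=r"C:\Windows\Explorer.EXE"),
    dict(pid=3924, ppid=1604, image=r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
         cmd=r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde'),
    # COM-activated (-Embedding): the sandbox records no parent for it.
    dict(pid=3508, ppid=None, image=r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
         cmd=r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    dict(pid=3736, ppid=3508, image=r"C:\Users\Public\vbc.exe", cmd=r'"C:\Users\Public\vbc.exe"'),
    dict(pid=3308, ppid=3736, image=TEMP + r"\90407336\rns.exe", cmd='"' + TEMP + r'\90407336\rns.exe" qgx=vbw'),
    dict(pid=628, ppid=3308, image=TEMP + r"\90407336\rns.exe",
         cmd=TEMP + r"\90407336\rns.exe " + TEMP + r"\90407336\FVIEZ"),
    dict(pid=3656, ppid=628, image=TEMP + r"\RegSvcs.exe", cmd='"' + TEMP + r'\RegSvcs.exe"'),
    dict(pid=256, ppid=1604, image=r"C:\Windows\System32\control.exe", cmd=r'"C:\Windows\System32\control.exe"',
         modules=[FF + r"\nss3.dll", r"C:\Windows\System32\vaultcli.dll", TEMP + r"\sqlite3.dll"]),
    dict(pid=3280, ppid=256, image=r"C:\Windows\System32\cmd.exe", cmd='/c del "' + TEMP + r'\RegSvcs.exe"'),
    dict(pid=3732, ppid=256, image=FF + r"\Firefox.exe", cmd='"' + FF + r'\Firefox.exe"',
         modules=[FF + r"\nss3.dll", FF + r"\softokn3.dll"]),
    dict(pid=1580, ppid=256, image=r"C:\Windows\System32\cmd.exe",
         cmd=r'/c copy "C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "' + TEMP + r'\DB1" /V'),
]


def triage(events):
    """Return (rule, pid) pairs for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    executed = {e["image"].lower() for e in events}
    hits = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        parent = by_pid.get(e["ppid"])
        pname = ntpath.basename(parent["image"]).lower() if parent else ""
        # Key on EQNEDT32 itself: a parent rule on EXCEL.EXE would miss it, since
        # Equation Editor is started through COM rather than as a child of Excel.
        if pname == "eqnedt32.exe":
            hits.append(("equation_editor_spawn", e["pid"]))
        elif pname in OFFICE_HOSTS and name not in OFFICE_HOSTS:
            hits.append(("office_child_process", e["pid"]))
        if USER_WRITABLE.search(e["image"]):
            hits.append(("exec_from_user_writable", e["pid"]))
        if name in DOTNET_TOOLS and "\\microsoft.net\\" not in e["image"].lower():
            hits.append(("dotnet_tool_outside_framework", e["pid"]))
        if name == "cmd.exe":
            if pname == "control.exe":
                hits.append(("control_panel_spawns_shell", e["pid"]))
            if re.search(r"\bcopy\b", e["cmd"], re.I) and CRED_STORES.search(e["cmd"]):
                hits.append(("browser_credential_copy", e["pid"]))
            m = re.search(r'\bdel\b\s+"?([^"]+?\.exe)"?', e["cmd"], re.I)
            if m and m.group(1).lower() in executed:
                hits.append(("deletes_executed_binary", e["pid"]))
        # Image-load rules: Firefox's NSS library loaded by anything outside its
        # own directory, and any module loaded from a user-writable path.
        img_dir = ntpath.dirname(e["image"]).lower()
        for mod in e.get("modules", []):
            if ntpath.basename(mod).lower() == "nss3.dll" and ntpath.dirname(mod).lower() != img_dir:
                hits.append(("loads_foreign_nss3", e["pid"]))
            if USER_WRITABLE.search(mod):
                hits.append(("loads_module_from_user_writable", e["pid"]))
    return hits


def flagged_pids(events):
    """Sorted PIDs that triggered at least one rule."""
    return sorted({pid for _, pid in triage(events)})


if __name__ == "__main__":
    for rule, pid in triage(EVENTS):
        print(f"{pid:>5}  {rule}")
```

Run as a script it prints one line per hit; explorer.exe, EXCEL.EXE, EQNEDT32.EXE and Firefox.exe trigger nothing by themselves (Firefox loading its own nss3.dll is the negative case for the foreign-NSS rule), while every dropped binary, the credential copy and the self-delete are flagged. The weakest rule is `exec_from_user_writable`, which in a real environment needs an allow-list for installers and updaters that legitimately run from %TEMP%.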

Processes

Total processes
41
Monitored processes
11
Malicious processes
5
Suspicious processes
0

Behavior graph

start
  explorer.exe (PID 1604) #FORMBOOK
    excel.exe (PID 3924, no specs)
    control.exe (PID 256) #FORMBOOK
      cmd.exe (PID 3280, no specs)
      firefox.exe (PID 3732, no specs) #FORMBOOK
      cmd.exe (PID 1580)
start
  eqnedt32.exe (PID 3508, COM-activated, no parent recorded)
    [download and start] vbc.exe (PID 3736)
      [drop and start] rns.exe (PID 3308, no specs)
        rns.exe (PID 628)
          [drop and start] regsvcs.exe (PID 3656, no specs)

Process information


PID
1604
CMD
C:\Windows\Explorer.EXE
Path
C:\Windows\explorer.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sndvolsso.dll
c:\windows\system32\hid.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\timedate.cpl
c:\windows\system32\atl.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\userenv.dll
c:\windows\system32\samlib.dll
c:\windows\system32\samcli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\msls31.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\authui.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\winsta.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\psapi.dll
c:\windows\system32\gameux.dll
c:\windows\system32\wer.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\stobject.dll
c:\windows\system32\batmeter.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\es.dll
c:\windows\system32\prnfldr.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dxp.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\syncreg.dll
c:\windows\ehome\ehsso.dll
c:\windows\system32\netshell.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\alttab.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\pnidui.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\wwanapi.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\qagent.dll
c:\windows\system32\srchadmin.dll
c:\windows\system32\sxs.dll
c:\windows\system32\bthprops.cpl
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\synccenter.dll
c:\windows\system32\actioncenter.dll
c:\windows\system32\imapi2.dll
c:\windows\system32\hgcpl.dll
c:\windows\system32\provsvc.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\fxsst.dll
c:\windows\system32\fxsapi.dll
c:\windows\system32\fxsresm.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wscinterop.dll
c:\windows\system32\wscapi.dll
c:\windows\system32\wscui.cpl
c:\windows\system32\werconcpl.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wercplsupport.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\hcproviders.dll
c:\windows\system32\drprov.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\searchfolder.dll
c:\windows\system32\structuredquery.dll
c:\windows\system32\naturallanguage6.dll
c:\windows\system32\nlsdata0009.dll
c:\windows\system32\nlslexicons0009.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\networkexplorer.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\aclui.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\comsvcs.dll
c:\windows\system32\mlang.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\dsound.dll
c:\windows\system32\spinf.dll
c:\windows\system32\twext.dll
c:\program files\winrar\rarext.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\syncui.dll
c:\windows\system32\synceng.dll
c:\program files\notepad++\nppshell_06.dll
c:\windows\system32\acppage.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\program files\microsoft office\office14\excel.exe
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wship6.dll

PID
3924
CMD
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\version.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\winsta.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mpr.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\sxs.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\winmm.dll
c:\windows\system32\shdocvw.dll

PID
3508
CMD
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Design Science, Inc.
Description
Microsoft Equation Editor
Version
00110900
Modules
Image
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msi.dll
c:\program files\common files\microsoft shared\equation\1033\eeintl.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\users\public\vbc.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\mpr.dll

PID
3736
CMD
"C:\Users\Public\vbc.exe"
Path
C:\Users\Public\vbc.exe
Indicators
Parent process
EQNEDT32.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\public\vbc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\90407336\rns.exe

PID
3308
CMD
"C:\Users\admin\AppData\Local\Temp\90407336\rns.exe" qgx=vbw
Path
C:\Users\admin\AppData\Local\Temp\90407336\rns.exe
Indicators
No indicators
Parent process
vbc.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\90407336\rns.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
628
CMD
C:\Users\admin\AppData\Local\Temp\90407336\rns.exe C:\Users\admin\AppData\Local\Temp\90407336\FVIEZ
Path
C:\Users\admin\AppData\Local\Temp\90407336\rns.exe
Indicators
Parent process
rns.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\90407336\rns.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\shell32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\users\admin\appdata\local\temp\regsvcs.exe

PID
3656
CMD
"C:\Users\admin\AppData\Local\Temp\RegSvcs.exe"
Path
C:\Users\admin\AppData\Local\Temp\RegSvcs.exe
Indicators
No indicators
Parent process
rns.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Services Installation Utility
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\users\admin\appdata\local\temp\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

PID
256
CMD
"C:\Windows\System32\control.exe"
Path
C:\Windows\System32\control.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Control Panel
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\control.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\vaultcli.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\zipfldr.dll
c:\program files\winrar\rarext.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll
c:\users\admin\appdata\local\temp\sqlite3.dll

PID
3280
CMD
/c del "C:\Users\admin\AppData\Local\Temp\RegSvcs.exe"
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
control.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3732
CMD
"C:\Program Files\Mozilla Firefox\Firefox.exe"
Path
C:\Program Files\Mozilla Firefox\Firefox.exe
Indicators
Parent process
control.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Mozilla Corporation
Description
Firefox
Version
61.0.2
Modules
Image
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\program files\mozilla firefox\ucrtbase.dll
c:\program files\mozilla firefox\api-ms-win-core-timezone-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l2-1-0.dll
c:\program files\mozilla firefox\api-ms-win-core-localization-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-core-synch-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-core-processthreads-l1-1-1.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-multibyte-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\softokn3.dll
c:\program files\mozilla firefox\freebl3.dll
c:\windows\system32\cryptbase.dll

PID
1580
CMD
/c copy "C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\admin\AppData\Local\Temp\DB1" /V
Path
C:\Windows\System32\cmd.exe
Indicators
Parent process
control.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

Registry activity

Total events
1349
Read events
1293
Write events
51
Delete events
5

Modification events

PID
Process
Operation
Key
Name
Value
1604
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsx\OpenWithList
a
EXCEL.EXE
1604
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsx\OpenWithList
MRUList
a
1604
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\RKPRY.RKR
000000000100000001000000C0070000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF0020467F5148D40100000000
1604
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
––
3924
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
3924
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
3924
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\5DA39F
3924
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery
3924
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
*%k
2A256B00540F0000010000000000000000000000
3924
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
3924
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
3924
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTT
540F00000ED5C180B977D40100000000
3924
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3924
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3924
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\5DA39F
5DA39F
––
3924
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\5DA39F
5DA39F
04000000540F00003500000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0050004F0020006E006F002E00300031003300310033003200380033002E0078006C0073007800000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C000100000000000000B0314081B977D4019FA35D009FA35D0000000000AC020000001800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3924
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{A9824B9E-7B6E-48C4-AE10-2A8C0898147E}
3924
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
EXCELFiles
1298661393
3924
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1298661504
3924
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\5DB0ED
5DB0ED
––
3924
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Max Display
25
3924
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Max Display
25
3924
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
538F6C892AD540068154C6670774E980
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
3924
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
LastPurgeTime
25695320
3508
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
EquationEditorFilesIntl_1033
1298661379
3508
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
EnableFileTracing
0
3508
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
EnableConsoleTracing
0
3508
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
FileTracingMask
4294901760
3508
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
ConsoleTracingMask
4294901760
3508
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
MaxFileSize
1048576
3508
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32
FileDirectory
%windir%\tracing
3508
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
EnableFileTracing
0
3508
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
EnableConsoleTracing
0
3508
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
FileTracingMask
4294901760
3508
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
ConsoleTracingMask
4294901760
3508
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
MaxFileSize
1048576
3508
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS
FileDirectory
%windir%\tracing
3508
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3508
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
––
3508
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3508
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3736
vbc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3736
vbc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
256
control.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
3FOPLNA8
C:\Program Files\Kvpx4\Cookiesalm.exe
256
control.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
256
control.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
256
control.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Implementing
1C00000001000000E2070B0004000800170014003A001E0000000000

Files activity

Executable files
6
Suspicious files
79
Text files
48
Unknown types
2

Dropped files

PID
Process
Filename
Type
256
control.exe
C:\Users\admin\AppData\Local\Temp\sqlite3.dll
executable
MD5: e477a96c8f2b18d6b5c27bde49c990bf
SHA256: 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\rns.exe
executable
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
3508
EQNEDT32.EXE
C:\Users\Public\vbc.exe
executable
MD5: 2251d5713e8114609fb6aa3e9bd36673
SHA256: 1be3a2eaa351611c6510f6cb036d07acdc7b46e4a83b49062951bf14b80c8334
3508
EQNEDT32.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\frank[1].exe
executable
MD5: 2251d5713e8114609fb6aa3e9bd36673
SHA256: 1be3a2eaa351611c6510f6cb036d07acdc7b46e4a83b49062951bf14b80c8334
628
rns.exe
C:\Users\admin\AppData\Local\Temp\RegSvcs.exe
executable
MD5: be5073ae05e68612ba0fc1a3d339e64c
SHA256: 1735ba356794975169a93ee2babd33862229a1842c6e2c6a0b67366f5856894e
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\rlk.docx
text
MD5: 1067180307976f3eee72cc2e0fce8378
SHA256: 9fd077e17653d896e4d857cf4b3c0ee00e02aa4dff0901d5e5c0a6e769b32754
256
control.exe
C:\Users\admin\AppData\Roaming\J-PQPS2W\J-Plogrv.ini
binary
MD5: ba3b6bc807d4f76794c4b81b09bb9ba5
SHA256: 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
256
control.exe
C:\Users\admin\AppData\Roaming\J-PQPS2W\J-Plogri.ini
binary
MD5: a91326b17ffc60ffa0db96a24bc0080c
SHA256: 7df0ac1eb893dc02b3a5f65fcee6d054ffcb34596b7863a339c279d6ef1f5f78
256
control.exe
C:\Users\admin\AppData\Roaming\J-PQPS2W\J-Plogrc.ini
binary
MD5: 2855a82ecdd565b4d957ec2ee05aed26
SHA256: 88e38da5b12dd96afd9dc90c79929ec31d8604b1afdebdd5a02b19249c08c939
256
control.exe
C:\Users\admin\AppData\Roaming\J-PQPS2W\J-Plogrg.ini
binary
MD5: 662cfc0604d7f53153c80ee6ab8931d6
SHA256: 9881e9c578289eabffeb84a3d87b255c732cd7d8af087f71e2d970ab5f704840
3308
rns.exe
C:\Users\admin\AppData\Local\Temp\90407336\FVIEZ
text
MD5: ee5fc51b8e4a417064ae3523b75b9f9a
SHA256: 0a0b6cac53655ec01f9c8ed37bdadda7290540f77ee6174dace321b9d723be80
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\slc.xl
text
MD5: 28881d47a86f70198d2b612808dd4325
SHA256: c8372ab9da9220822c3ac71610b0c8e64b4234ab71f71f9d17eb2b26ef3a88b8
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\cwk.xl
text
MD5: 900796cbebc322e2fc2c552609fbb908
SHA256: ea6daad8c7bbf1d0ef6353fd8c74a77db6c4537dec6c60b1fe1c990dd7a7dff6
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\fxq.docx
text
MD5: 43d947b3e6763f10faff0298cfb9368a
SHA256: 48e418f949aac1b837f4785ee28b3dbff3caf734bd17ace99f35c82c61fe8a08
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\tff.txt
text
MD5: 1e925f33b223b23ca93ad92afd3887b2
SHA256: ec2ae4c62fdca58df6ec01fd379caeccfef33b9d8184e2ef4d533cbe9fab2c36
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\uxa.mp4
text
MD5: a13ad3345cb17735445c2f7c9dd1b355
SHA256: 52258eba5b561d7a65d23116f501f11851bcfaef15f51b6e6d2ec0dc3b81b293
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\pvl.dat
text
MD5: 96ae13bea2760a1ab19dc4be06ce4d4a
SHA256: ae925a612a94ccb0b77599cf237135666ce84160fff2944bfb93b411c1f92b11
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\vnx.txt
text
MD5: f1a57e0c11b0f912c4b7dda64a26e3a0
SHA256: fc594d588d315e939712aa10877ce835902368beca444e0b0668805d756ab447
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\rjh.jpg
text
MD5: e1ee0cd1e6cd51552994b59b14097546
SHA256: f9c299aceb2022858eeec5aca6f9700418ee68156baf796884a99dcd78ef146d
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\euf.ppt
text
MD5: 4b674a0c7433468b8aa081f4adecf7a3
SHA256: 9f2aa715b00761111d6e8c919cf2d198c9d07ae5d133ffc49a9873a6752c2c65
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\adv.jpg
text
MD5: 4a2ffbad9f4458359340d27e4ecb219f
SHA256: d5fee810a07e071f4c64c32e70b62015ec98b53228e4ca80a40cd9fa23773ecf
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\qse.mp3
text
MD5: 39e13b4d2c406c034def2445ee2689ed
SHA256: a738feac14836da96b1b48c2882e70fec48199cf604d31af4efc362ca12c70ee
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\igm.jpg
text
MD5: 66da9a9bbe9e7b3171c9692b039ae388
SHA256: d0ab5aa9dbda0df467fd8c2c9f4fd1fa314adb51bd3d963fb7e64483ef30dc10
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\sdj.docx
text
MD5: d88dd21b5384269cc3c0e67917b6d1b0
SHA256: bd464499ee0a6da8128300de74f2abef132a6a679a8c03a4dc4274bfefa79e0f
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\tal.mp3
text
MD5: e784cd632c54d824280d78ba3ab983d3
SHA256: 3ce1f1446bb08013c3ad12b78fa965c1e82de49ddbd91be326d4b9df6d0f9931
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\btu.mp3
text
MD5: 7c57b10afbbdf1d283c35faf79494b7b
SHA256: 02af6a730a78ed3db3185f16ddd8ae5be7d488f8a922e8127ef0f777d3293dd6
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\khl.jpg
text
MD5: 47a1f74bd8889e55e086d350e235d482
SHA256: 20d50b3bb80c1fb270fa9b37497f49290f900f96401a080e9c6c18f87a15dc7d
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\ckr.icm
text
MD5: 81fbf186fd0eb8341c1b07a97da23c07
SHA256: 4a4dda880014952cfa919f28cae7562f86a34c8e94ecc75d509bc5025080fbe6
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\dhp.pdf
text
MD5: 424406acb59cdd2f84904d79ade574d7
SHA256: bb2f52b22d47449e76e41233037759fea3cc0310286aab4ab22cbf90a3ae2430
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\phg.icm
text
MD5: 4589ef76f4fbbdc67d9e16dc70c64187
SHA256: 29a039da0aaf5fc41065ab6ff1bddd96bf1f7c3c3f59f8b11986d9f6009aea32
3924
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\CVRA1AA.tmp.cvr
––
MD5: ––
SHA256: ––
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\nob.icm
text
MD5: a87ea5b9695f85c556795cceb62f0644
SHA256: ef260c2bc2aa8d553c897b1f0fe53bd765e19ddfec453bb4ac74d0b20ffb048d
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\vxg.pdf
text
MD5: 06c96189899ffecdf12c18e28401215e
SHA256: b36c5c24f3c9b0b53c4d3855bfee6130394ac83003c10ff42f74536bd92eae45
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\rnb.mp3
text
MD5: b0f71ca11296656477794f1c34f8eccd
SHA256: 7f37b8844e31ef1077a15cb37906df5fc875a329497c286787b4e3ed2068267c
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\ufw.mp4
text
MD5: 50580e5ccfdb3145eb226af74abe192e
SHA256: 928db1a5cc99a5eaeb36a0267acfe6d483077208beb909d4d7294193ddb993fb
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\rnc.docx
text
MD5: ea6c8bfc92d5757b1f723e0c3d87f2ff
SHA256: 3855c9b73acb924cc8999e93fab3a258a90f2e2e530e14b6e6e11adcbe1fb540
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\gul.ppt
text
MD5: 18de5328db1975bd280afb7f403cfc2a
SHA256: 603889da5e55ccf61e71844913d8e866ee5df64b01c990a48379b4c003641021
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\uwa.xl
text
MD5: b249641587b3a38e2d2b7ba0ffcc3f3b
SHA256: f62c8747fd1bed6bf7eaddb15890e7b64b80a0b11496fcb9e1134d54c2a23dc3
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\pve.ppt
text
MD5: 79127906685bb68804ac5b829adeba6e
SHA256: 7806f940e20f081e363ec4a14c6076388d5a771f6c6e708307dfcee95742829b
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\ftw.txt
text
MD5: ba75ccdb2e8715a157f8f851fbaa7e02
SHA256: e875942545042b7866b3d3ec3e1b849c4752b4acd6096b6760d54a7692869821
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\gbn.txt
text
MD5: fc0e33d5d57a0e80c4713046c61b54c8
SHA256: 09d98303cd755632bc58191eb7c7bf5bcab92b1127394ba8377f17b39aa3e491
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\xem.bmp
text
MD5: e3d47c2d2c4a0ef10f4d6b99b7025d31
SHA256: 770f3a4ccc41c3293dcba46014aa9c359d89d26344281ead28750f0934f027a5
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\nwh.jpg
text
MD5: 2f9f2c16ef8fd0285d0f34746808fe2d
SHA256: e3dd79c4e3ffa2a017481f1cac0cb8fbf002ecef93c1809cedcaad386d9f327d
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\cgm.mp3
text
MD5: 134051898b2d9e9464116b9a8e9b9770
SHA256: 6701c0e71b49a127e2a24ccaf1cb7e9f1642dfb8b3586932d15aa1399df1593e
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\hhe.dat
text
MD5: 42757dc1dc1cfe02246bbd13745f3344
SHA256: dfc5a1892aa7f13b26441de319b51634a985530d4b41bab6a3518079c6915291
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\jug.xl
text
MD5: a22055e3af5206eea00531258489e2c5
SHA256: 14f1bf6efbbf9960908489e9329f3a126e4b8c6ac5c74e319a05910650df544c
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\ocj.dat
text
MD5: 2bfeabc8b449a09668371e8371091f24
SHA256: 48de13701c9eb1c969023c389574c19381d598e1b9773257be045b10563c5764
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\hnq.mp3
text
MD5: fab79b481c319b651fdbeba163abac34
SHA256: ed44651d5fcee90fce6c71c6c0f97c234b28b70d147667b62ff637c8b8cb2acc
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\jpp.jpg
text
MD5: 63f078adb3f851122cca3b51ecb73c87
SHA256: b331506b36a0f787a1f317e91a1b392e9f515fffc8fdc3bfee3ef447d69fa0ee
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\igw.pdf
text
MD5: 44af209b75353ffa7a0181b8a141f84b
SHA256: 8f182ddd391ca6dde8eced6322e6d5542b70e427ad7f91d5cf5d905feec4a21f
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\bqd.xl
text
MD5: 8b4e174ca7350758a33b0490971f84f4
SHA256: 1ef293d70fa9c5b505ee9d61f449ad200b06dadd7c3ef28012a57713d4241a3f
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\cfc.ppt
text
MD5: a814740493e0fb0db6eb848f59085281
SHA256: 006cdda94df2ce9491afef945051e483dcba8db309e4511104df3e9f7463512d
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\uvd.xl
text
MD5: 25f21ff87d98e106980a10c3942dd418
SHA256: 47f713dda2e6cc66b91da78524874b182be1775e23a121701812dff705a69ffb
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\aaq.docx
text
MD5: 4a2927fdf8596bf0ab5eee6923a6db0c
SHA256: 3f6d12ea89fabda15d79acc2068532d01ce0340974c7d83e087033e1a12538f5
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\efr.bmp
text
MD5: ac17706881b5eca4108ac69d7756b202
SHA256: 5b6328cf41a13dca9388fd9a4f0e6b97fadf859677d925b898b100eb72a8345d
256
control.exe
C:\Users\admin\AppData\Local\Temp\mjopaz-x.zip
compressed
MD5: 10c809cdc0ff1b7a4a26fec1d1370ee8
SHA256: 065a83ab4e942fe61837cbf10739c381f76c9be41448969ae5f4baf90285c324
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\qgx=vbw
text
MD5: 0106092deba205cb68ac70845856cbe1
SHA256: e8730684be006116371f1c6e8a4b206866ce88da340e23a587439a28c4413019
3736
vbc.exe
C:\Users\admin\AppData\Local\Temp\90407336\nrw.mp3
text
MD5: d19084d895a74ddf37208c9a2a04d808
SHA256: d05f2464e8baa4e01b80fcde1cb1e06f32e09f2fc96be9c4af11ce13db6fe68e
3732
Firefox.exe
C:\Users\admin\AppData\Roaming\J-PQPS2W\J-Plogrf.ini
binary
MD5: 53028481b5b5795f1501241ccc7abff6
SHA256: 75b5f3045e20c80f264568707e2d444dc7498db119d9661ae51a91575960fc5a
256
control.exe
C:\Users\admin\AppData\Roaming\J-PQPS2W\J-Plogim.jpeg
image
MD5: dcc835a22d1f9dd577e80fc8d4606c45
SHA256: becd3865cd86f1aba56fe35f12e09ae73732fecee2931ab1281216e4bcd0e940
1580
cmd.exe
C:\Users\admin\AppData\Local\Temp\DB1
sqlite
MD5: 01a1ee033f117197d52dc1ca978ad16b
SHA256: 6d4babaebea2f5450bd4bbe07e43c7e84a67e78f8b508cf2731a45a1ec5f9e2e

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
12
TCP/UDP connections
12
DNS requests
8
Threats
22

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3508 EQNEDT32.EXE GET 200 23.249.161.100:80 http://23.249.161.100/frankm/frank.exe US executable malicious
1604 explorer.exe GET –– 160.153.136.3:80 http://www.duetassetmanagement.com/aa8/?ib-T4z9p=B2fTNwRIgNPUIBaqQetYCPINXRQ9KqEA564Rq7KNLlEZU7QnvW7V6e8rWbQFdZCZocJpPw==&TZ=ytg4Dt6Xj US –– –– malicious
1604 explorer.exe GET –– 47.52.142.209:80 http://www.fluorysports.com/aa8/?ib-T4z9p=8QtQh+QKR4X7xXWpsWgmLAzc5/T6YCkTzuAoZm2VrSe2knya/26h47lQL8rgD55NpSkKog==&TZ=ytg4Dt6Xj&sql=1 HK –– –– malicious
1604 explorer.exe POST –– 47.52.142.209:80 http://www.fluorysports.com/aa8/ HK text –– –– malicious
1604 explorer.exe POST –– 47.52.142.209:80 http://www.fluorysports.com/aa8/ HK text –– –– malicious
1604 explorer.exe POST –– 47.52.142.209:80 http://www.fluorysports.com/aa8/ HK text –– –– malicious
1604 explorer.exe POST –– 47.52.142.209:80 http://www.fluorysports.com/aa8/ HK text –– –– malicious
1604 explorer.exe GET 200 162.213.255.220:80 http://www.nadidetadllar.com/aa8/?ib-T4z9p=RHDVyMGFPOescSk8fBVyz7avp6vl173cjAxPM1VuTIfp3KGJQuEcxaOelH6TQ4dkTsIRxg==&TZ=ytg4Dt6Xj&sql=1 US binary malicious
1604 explorer.exe POST 404 162.213.255.220:80 http://www.nadidetadllar.com/aa8/ US text html malicious
1604 explorer.exe POST 404 162.213.255.220:80 http://www.nadidetadllar.com/aa8/ US text html malicious
1604 explorer.exe POST 404 162.213.255.220:80 http://www.nadidetadllar.com/aa8/ US text html malicious
1604 explorer.exe POST –– 162.213.255.220:80 http://www.nadidetadllar.com/aa8/ US text –– –– malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
3508 EQNEDT32.EXE 23.249.161.100:80 ColoCrossing US malicious
1604 explorer.exe 160.153.136.3:80 GoDaddy.com, LLC US malicious
1604 explorer.exe 47.52.142.209:80 Alibaba (China) Technology Co., Ltd. HK malicious
1604 explorer.exe 162.213.255.220:80 Namecheap, Inc. US malicious

DNS requests

Domain IP Reputation
www.duetassetmanagement.com 160.153.136.3 malicious
www.fluorysports.com 47.52.142.209 malicious
www.nadidetadllar.com 162.213.255.220 malicious
www.yg6669.com No response unknown

Threats

PID Process Class Message
3508 EQNEDT32.EXE A Network Trojan was detected ET INFO Executable Download from dotted-quad Host
3508 EQNEDT32.EXE A Network Trojan was detected ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
3508 EQNEDT32.EXE Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
3508 EQNEDT32.EXE A Network Trojan was detected ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
3508 EQNEDT32.EXE Potentially Bad Traffic ET INFO SUSPICIOUS Dotted Quad Host MZ Response
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (GET)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (GET)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (GET)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
1604 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (POST)

7 ETPRO signatures available at the full report

Debug output strings

No debug info.