Malware analysis P.O.03019.xls Malicious activity | ANY.RUN

Add for printing

File name:	P.O.03019.xls
Full analysis:	https://app.any.run/tasks/d7b7a6ac-c88f-4046-9a0c-174942145271
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	April 01, 2023, 07:24:18
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	opendir exploit cve-2017-11882 loader
Indicators:
MIME:	application/vnd.ms-excel
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 00:00:00 2006, Last Saved Time/Date: Thu Mar 30 16:45:32 2023, Security: 0
MD5:	C9ABCCCFF82B1C656F933105FF2EF1FE
SHA1:	A13315BCD6303D712443DBC2BA28FA0A76C59011
SHA256:	2186F319B48330C907D13F58F4A2AA5D987E2E2551CC677886DF8D242B6D2E9A
SSDEEP:	24576:rLKZ2WQmmav30xRu9VHu9V+u9VI+MXUyu9Vz+MXUMKYPBShTPYw:rLKZrQmmQ30DuPuGuQ+MXbur+MXHBZS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x64 en-US) (67.0.4)
Mozilla Maintenance Service (67.0.4)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Equation Editor starts application (CVE-2017-11882)
  - EQNEDT32.EXE (PID: 2384)
- Application was dropped or rewritten from another process
  - vbc.exe (PID: 2972)
- Suspicious connection from the Equation Editor
  - EQNEDT32.EXE (PID: 2384)
SUSPICIOUS
- Reads the Internet Settings
  - EQNEDT32.EXE (PID: 2384)
  - vbc.exe (PID: 2972)
- Executable content was dropped or overwritten
  - EQNEDT32.EXE (PID: 2384)
- Process requests binary or script from the Internet
  - EQNEDT32.EXE (PID: 2384)
- Connects to the server without a host name
  - EQNEDT32.EXE (PID: 2384)
INFO
- Creates files or folders in the user directory
  - EQNEDT32.EXE (PID: 2384)
- The process checks LSA protection
  - EQNEDT32.EXE (PID: 2384)
  - vbc.exe (PID: 2972)
- Checks supported languages
  - EQNEDT32.EXE (PID: 2384)
  - vbc.exe (PID: 2972)
- Reads the computer name
  - EQNEDT32.EXE (PID: 2384)
  - vbc.exe (PID: 2972)
- Reads the machine GUID from the registry
  - EQNEDT32.EXE (PID: 2384)
- Reads Environment values
  - vbc.exe (PID: 2972)
- Checks proxy server information
  - EQNEDT32.EXE (PID: 2384)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.xls	\|	Microsoft Excel sheet (31.2)
.xls	\|	Microsoft Excel sheet (alternate) (25.5)

EXIF

FlashPix

CompObjUserType:	Microsoft Office Excel 2003 Worksheet
CompObjUserTypeLen:	38
HeadingPairs:	Worksheets 3
TitleOfParts:	Sheet1 Sheet2 Sheet3
HyperlinksChanged:	No
SharedDoc:	No
LinksUpToDate:	No
ScaleCrop:	No
AppVersion:	12
CodePage:	Windows Latin 1 (Western European)
Security:	None
ModifyDate:	2023:03:30 16:45:32
CreateDate:	2006:09:16 00:00:00
Software:	Microsoft Excel
LastModifiedBy:	-
Author:	-

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

412

"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Excel

Exit code:

Version:

14.0.4756.1000

Modules

Images
c:\program files\microsoft office\office14\excel.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll

2384

"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

svchost.exe

User:

admin

Company:

Design Science, Inc.

Integrity Level:

MEDIUM

Description:

Microsoft Equation Editor

Exit code:

Version:

00110900

Modules

Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll

2972

"C:\Users\Public\vbc.exe"

C:\Users\Public\vbc.exe

EQNEDT32.EXE

User:

admin

Company:

TODO: <Company name>

Integrity Level:

MEDIUM

Description:

TODO: <File description>

Exit code:

Version:

1.0.0.1

Modules

Images
c:\users\public\vbc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

Add for printing

Total events

3 718

Read events

3 620

Write events

Delete events

Modification events


(PID) Process:	(412) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: On
(PID) Process:	(412) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1041
Value: On
(PID) Process:	(412) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1042
Value: On
(PID) Process:	(412) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1046
Value: On
(PID) Process:	(412) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1036
Value: On
(PID) Process:	(412) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1031
Value: On
(PID) Process:	(412) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1040
Value: On
(PID) Process:	(412) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1049
Value: On
(PID) Process:	(412) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	3082
Value: On
(PID) Process:	(412) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1055
Value: On

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
412	EXCEL.EXE	C:\Users\admin\AppData\Local\Temp\CVRFCB5.tmp.cvr		—
		MD5:—	SHA256:—
412	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\858C2C86.emf		emf
		MD5:—	SHA256:—
412	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FAF1A6CF.emf		emf
		MD5:—	SHA256:—
412	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1D6F4610.emf		emf
		MD5:—	SHA256:—
2384	EQNEDT32.EXE	C:\Users\Public\vbc.exe		executable
		MD5:—	SHA256:—
2384	EQNEDT32.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\vbc[1].exe		executable
		MD5:—	SHA256:—
412	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\15D6118B.emf		emf
		MD5:35E141964E2698FC12D087516D116C9A	SHA256:6A3A2ADDC5D6B554EED64B7C24B699E09BCF019E4F42AB14EC6D40C7CB749538
412	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A882EF32.emf		emf
		MD5:4D59A7E93170340B5EC4009F7FA3AD31	SHA256:83473215E5C2160333AA92EA7F9B1276D8ED7DD66AFC472DC92C88055D189D7D
412	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\97DAE8B5.emf		emf
		MD5:0FFCA2E0D06FD9393E46F20F4AE6B53E	SHA256:FA91A49FBA91AF8F9F6487B69D5D3265DFAAA123563A0558B79C0F72792C41C3
412	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\50F2F284.emf		emf
		MD5:A093C09997099539B4CA7D8903F3227D	SHA256:49F2800A0C860D89167CCCB5F3E87960D8F71881DC47521238AA0C6F5A546951

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

151

DNS requests

Threats

126

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2384	EQNEDT32.EXE	GET	200	23.95.122.239:80	http://23.95.122.239/65/vbc.exe	US	executable	315 Kb	malicious
2972	vbc.exe	GET	301	112.213.89.85:80	http://www.trao.com.vn/wp-includes/images/Cryqoqlhhw.png	VN	html	707 b	suspicious
2972	vbc.exe	GET	301	112.213.89.85:80	http://www.trao.com.vn/wp-includes/images/Cryqoqlhhw.png	VN	html	707 b	suspicious
2972	vbc.exe	GET	301	112.213.89.85:80	http://www.trao.com.vn/wp-includes/images/Cryqoqlhhw.png	VN	html	707 b	suspicious
2972	vbc.exe	GET	301	112.213.89.85:80	http://www.trao.com.vn/wp-includes/images/Cryqoqlhhw.png	VN	html	707 b	suspicious
2972	vbc.exe	GET	301	112.213.89.85:80	http://www.trao.com.vn/wp-includes/images/Cryqoqlhhw.png	VN	html	707 b	suspicious
2972	vbc.exe	GET	301	112.213.89.85:80	http://www.trao.com.vn/wp-includes/images/Cryqoqlhhw.png	VN	html	707 b	suspicious
2972	vbc.exe	GET	301	112.213.89.85:80	http://www.trao.com.vn/wp-includes/images/Cryqoqlhhw.png	VN	html	707 b	suspicious
2972	vbc.exe	GET	301	112.213.89.85:80	http://www.trao.com.vn/wp-includes/images/Cryqoqlhhw.png	VN	html	707 b	suspicious
2972	vbc.exe	GET	301	112.213.89.85:80	http://www.trao.com.vn/wp-includes/images/Cryqoqlhhw.png	VN	html	707 b	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2384	EQNEDT32.EXE	23.95.122.239:80	—	AS-COLOCROSSING	US	malicious
2972	vbc.exe	112.213.89.85:443	www.trao.com.vn	SUPERDATA	VN	suspicious
2972	vbc.exe	112.213.89.85:80	www.trao.com.vn	SUPERDATA	VN	suspicious
—	—	112.213.89.85:80	www.trao.com.vn	SUPERDATA	VN	suspicious
—	—	112.213.89.85:443	www.trao.com.vn	SUPERDATA	VN	suspicious

DNS requests

Domain	IP	Reputation
www.trao.com.vn	112.213.89.85	suspicious

Threats

PID	Process	Class	Message
2384	EQNEDT32.EXE	A Network Trojan was detected	ET INFO Executable Download from dotted-quad Host
2384	EQNEDT32.EXE	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
2384	EQNEDT32.EXE	A Network Trojan was detected	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
2384	EQNEDT32.EXE	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2384	EQNEDT32.EXE	A Network Trojan was detected	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
2384	EQNEDT32.EXE	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
2972	vbc.exe	Unknown Traffic	ET JA3 Hash - [Abuse.ch] Possible Tofsee
2972	vbc.exe	Unknown Traffic	ET JA3 Hash - [Abuse.ch] Possible Tofsee
2972	vbc.exe	Potentially Bad Traffic	ET INFO TLS Handshake Failure
2972	vbc.exe	Unknown Traffic	ET JA3 Hash - [Abuse.ch] Possible Tofsee

2 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

P.O.03019.xls

C9ABCCCFF82B1C656F933105FF2EF1FE

A13315BCD6303D712443DBC2BA28FA0A76C59011

2186F319B48330C907D13F58F4A2AA5D987E2E2551CC677886DF8D242B6D2E9A

24576:rLKZ2WQmmav30xRu9VHu9V+u9VI+MXUyu9Vz+MXUMKYPBShTPYw:rLKZrQmmQ30DuPuGuQ+MXbur+MXHBZS

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Equation Editor starts application (CVE-2017-11882)

Application was dropped or rewritten from another process

Suspicious connection from the Equation Editor

SUSPICIOUS

Reads the Internet Settings

Executable content was dropped or overwritten

Process requests binary or script from the Internet

Connects to the server without a host name

INFO

Creates files or folders in the user directory

The process checks LSA protection

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Reads Environment values

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings