General Info

File name

Payment Advice.xlsx

Full analysis
https://app.any.run/tasks/e6af4c8b-90a0-4461-92f2-99621993bae8
Verdict
Malicious activity
Analysis date
3/14/2019, 12:53:47
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

encrypted

Indicators:

MIME:
application/encrypted
File info:
CDFV2 Encrypted
MD5

f2b666c80ee1b2e8b0436310d32e570e

SHA1

1303be021dee2f044832c1a494dc64da25a8ff39

SHA256

87ece9e0eadb20ff0a6c8d8837782b687c9004e0b621939e5c3b232e6fce1a00

SSDEEP

1536:tVNohZ96GmtbkdAheHEDfB4qSLx0F6A29ZXy+P1l:vNoOxkdAcmfB4qSLDR9VD1l

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
240 seconds
Additional time used
180 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Suspicious connection from the Equation Editor
  • EQNEDT32.EXE (PID: 2624)

No suspicious indicators.

Reads Microsoft Office registry keys
  • EXCEL.EXE (PID: 2868)
Application was crashed
  • EQNEDT32.EXE (PID: 2624)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

Screenshots

Processes

Total processes
33
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

+
start excel.exe no specs eqnedt32.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
2868
CMD
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\version.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\winsta.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mpr.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\winmm.dll

PID
2624
CMD
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Design Science, Inc.
Description
Microsoft Equation Editor
Version
00110900
Modules
Image
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msi.dll
c:\program files\common files\microsoft shared\equation\1033\eeintl.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\apphelp.dll

Registry activity

Total events
594
Read events
523
Write events
66
Delete events
5

Modification events

PID
Process
Operation
Key
Name
Value
2868
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
2868
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
2868
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\20E813
2868
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery
2868
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
.;,
2E3B2C00340B0000010000000000000000000000
2868
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
2868
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
2868
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTT
340B0000988E749D5CDAD40100000000
2868
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2868
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2868
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\20E813
20E813
04000000340B00003500000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C005000610079006D0065006E00740020004100640076006900630065002E0078006C0073007800000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0001000000000000004024909E5CDAD40113E8200013E8200000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2868
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\20E813
20E813
04000000340B00003500000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C005000610079006D0065006E00740020004100640076006900630065002E0078006C0073007800000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0001000000000000004024909E5CDAD40113E8200013E8200000000000AC020000001800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2868
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{CA2A41E9-C701-4101-A8D5-2265FB464711}
2868
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
EXCELFiles
1315831831
2868
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1315831952
2868
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\21686E
21686E
04000000340B00003500000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C005000610079006D0065006E00740020004100640076006900630065002E0078006C0073007800000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C00010000000100000000000000000000006E6821006E68210000000000AC020000640000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2868
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Max Display
25
2868
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Max Display
25
2868
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
538F6C892AD540068154C6670774E980
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
2868
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
LastPurgeTime
25876075
2624
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
EquationEditorFilesIntl_1033
1315831811
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\General
Zoom
200
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\General
CustomZoom
150
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\General
ShowAll
0
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\General
Version
3.1
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\General
ForceOpen
0
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\General
ToolbarDocked
1
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\General
ToolbarShown
1
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\General
ToolbarDockPos
1
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\General
MTUpgradeDialog
4
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Sizes
Full
12 pt
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Sizes
Script
7 pt
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Sizes
ScriptScript
5 pt
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Sizes
Symbol
18 pt
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Sizes
SubSymbol
12 pt
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing
LineSpacing
150%
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing
MatrixRowSpacing
150%
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing
MatrixColSpacing
100%
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing
SuperscriptHeight
45%
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing
SubscriptDepth
25%
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing
LimHeight
25%
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing
LimDepth
100%
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing
LimLineSpacing
100%
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing
NumerHeight
35%
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing
DenomDepth
100%
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing
FractBarOver
1 pt
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing
FractBarThick
0.5 pt
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing
SubFractBarThick
0.25 pt
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing
FenceOver
1 pt
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing
SpacingFactor
100%
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing
MinGap
8%
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing
RadicalGap
2 pt
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing
EmbellGap
1.5 pt
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Spacing
PrimeHeight
45%
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Fonts
Text
Times New Roman
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Fonts
Function
Times New Roman
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Fonts
Variable
Times New Roman,I
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Fonts
LCGreek
Symbol,I
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Fonts
UCGreek
Symbol
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Fonts
Symbol
Symbol
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Fonts
Vector
Times New Roman,B
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Fonts
Number
Times New Roman
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Fonts
User1
Courier New TUR
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Fonts
User2
Times New Roman
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Windows
EquationWindow
120,213,600,1066
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Windows
SpacingWindow
40,20,124,493
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Windows
TextLanguage
Any
2624
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options\Windows
MathLanguage
Any

Files activity

Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2624
EQNEDT32.EXE
C:\Users\Public\vbc.exe
––
MD5:  ––
SHA256:  ––
2868
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\CVRE38E.tmp.cvr
––
MD5:  ––
SHA256:  ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
3

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2624 EQNEDT32.EXE GET 301 91.224.140.71:80 http://gg.gg/d7qst NL
––
––
malicious
2624 EQNEDT32.EXE GET –– 192.81.132.172:80 http://grabilla.com/0930e-e698aa0f-54f0-4448-9aa9-90e29f81b57a.exe?download US
––
––
suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
2624 EQNEDT32.EXE 91.224.140.71:80 Innovation IT Solutions LTD NL suspicious
2624 EQNEDT32.EXE 192.81.132.172:80 Linode, LLC US suspicious

DNS requests

Domain IP Reputation
gg.gg 91.224.140.71
malicious
grabilla.com 192.81.132.172
suspicious

Threats

PID Process Class Message
2624 EQNEDT32.EXE Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
2624 EQNEDT32.EXE Potentially Bad Traffic ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2624 EQNEDT32.EXE Misc activity ET INFO EXE - Served Attached HTTP

Debug output strings

No debug info.