General Info

File name

Paymentadvice.xlsx

Full analysis
https://app.any.run/tasks/45245ab2-b94c-4068-a9c7-483b0fd7f90f
Verdict
Malicious activity
Analysis date
3/14/2019, 14:34:00
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
opendir
exploit
CVE-2017-11882
loader
stealer
evasion
trojan
rat
agenttesla
Indicators:

MIME:
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info:
Microsoft Excel 2007+
MD5

77c25f788ef53769bace7eeda30c2009

SHA1

d6956d7ab4df07c0025d0a5ed58a2a4f6d1c54f1

SHA256

f44ee86652999164c7d40d90c97f924c2c0e8d500e342ed1ec4b9558571dbff6

SSDEEP

768:NnSlNxqmSKKsxqCbTAX1QM8Txw3txxI0AVrQYDi3d08GmplnVkIz9EfxJ:FSlWJsgCfAFIxU0DoNkIzuJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
660 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
on
MITM proxy
on
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.0.9600.18860 KB4052978
  • 7-Zip 18.01 (x64) (18.01)
  • Adobe Acrobat Reader DC MUI (15.007.20033)
  • Adobe Flash Player 27 ActiveX (27.0.0.187)
  • Adobe Flash Player 27 NPAPI (27.0.0.187)
  • Adobe Flash Player 27 PPAPI (27.0.0.187)
  • CCleaner (5.35)
  • Google Chrome (61.0.3163.91)
  • Google Update Helper (1.3.33.5)
  • Java 8 Update 92 (64-bit) (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Professional 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Single Image 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
  • Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
  • Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
  • Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
  • Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x64) - 14.12.25810 (14.12.25810.0)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.11.25325 (14.11.25325.0)
  • Microsoft Visual C++ 2017 x64 Additional Runtime - 14.12.25810 (14.12.25810)
  • Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.12.25810 (14.12.25810)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.11.25325 (14.11.25325)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.11.25325 (14.11.25325)
  • Mozilla Firefox 56.0 (x64 en-US) (56.0)
  • Mozilla Maintenance Service (55.0.3)
  • Notepad++ (64-bit x64) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype™ 7.39 (7.39.102)
  • VLC media player (2.2.6)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506014
  • KB2506212
  • KB2506928
  • KB2509553
  • KB2532531
  • KB2533552
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2563227
  • KB2564958
  • KB2579686
  • KB2585542
  • KB2585542 SP1
  • KB2598845
  • KB2603229
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2656356 SP1
  • KB2660075
  • KB2667402
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2706045
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2732059
  • KB2732487
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2763523
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2789645 SP1
  • KB2791765
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813430
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2884256
  • KB2888049
  • KB2891804
  • KB2892074
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2966583
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2973351
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2985461
  • KB2991963
  • KB2992611
  • KB3003743
  • KB3004361
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3035132
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075220
  • KB3076895
  • KB3078601
  • KB3078667
  • KB3080149
  • KB3084135
  • KB3086255
  • KB3092601
  • KB3092627
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3107998
  • KB3108371
  • KB3108381
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3115858 SP1
  • KB3122648
  • KB3124275
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3155178
  • KB3156016
  • KB3156019
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3161958
  • KB3170735
  • KB3170735 SP1
  • KB3172605
  • KB3177467
  • KB3179573
  • KB3184143
  • KB4019990
  • KB4040980
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 1 for KB2656356
  • Package 1 for KB2789645
  • Package 1 for KB3115858
  • Package 1 for KB3170735
  • Package 2 for KB2585542
  • Package 2 for KB2656356
  • Package 2 for KB2789645
  • Package 2 for KB3115858
  • Package 2 for KB3170735
  • Package 3 for KB2585542
  • Package 3 for KB2656356
  • Package 4 for KB2656356
  • Package 4 for KB2789645
  • Package 5 for KB2656356
  • Package 7 for KB2656356
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel

Behavior activities

MALICIOUS SUSPICIOUS INFO
AGENTTESLA was detected
  • nbvcx.exe (PID: 2312)
Actions looks like stealing of personal data
  • nbvcx.exe (PID: 2312)
  • 8edf29e3-ce99-451c-884e-2303f15ee2a2.exe (PID: 544)
Changes the autorun value in the registry
  • nbvcx.exe (PID: 2312)
Stealing of credential data
  • 8edf29e3-ce99-451c-884e-2303f15ee2a2.exe (PID: 544)
Application was dropped or rewritten from another process
  • 8edf29e3-ce99-451c-884e-2303f15ee2a2.exe (PID: 544)
  • nbvcx.exe (PID: 2312)
  • nbvcx.exe (PID: 3000)
Known privilege escalation attack
  • nbvcx.exe (PID: 2312)
Equation Editor starts application (CVE-2017-11882)
  • EQNEDT32.EXE (PID: 2596)
Downloads executable files from the Internet
  • EQNEDT32.EXE (PID: 2596)
Suspicious connection from the Equation Editor
  • EQNEDT32.EXE (PID: 2596)
Checks for external IP
  • nbvcx.exe (PID: 2312)
Loads DLL from Mozilla Firefox
  • 8edf29e3-ce99-451c-884e-2303f15ee2a2.exe (PID: 544)
Connects to SMTP port
  • nbvcx.exe (PID: 2312)
Reads the machine GUID from the registry
  • 8edf29e3-ce99-451c-884e-2303f15ee2a2.exe (PID: 544)
Executable content was dropped or overwritten
  • nbvcx.exe (PID: 2312)
  • EQNEDT32.EXE (PID: 2596)
Modifies the open verb of a shell class
  • nbvcx.exe (PID: 2312)
Application launched itself
  • nbvcx.exe (PID: 3000)
Reads the machine GUID from the registry
  • EXCEL.EXE (PID: 1640)
Creates files in the user directory
  • EXCEL.EXE (PID: 1640)
Reads Microsoft Office registry keys
  • EXCEL.EXE (PID: 1640)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.xlsx
|   Excel Microsoft Office Open XML Format document (61.2%)
.zip
|   Open Packaging Conventions container (31.5%)
.zip
|   ZIP compressed archive (7.2%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
0x0002
ZipCompression:
Deflated
ZipModifyDate:
2019:03:13 23:44:18
ZipCRC:
0xf9b9528b
ZipCompressedSize:
425
ZipUncompressedSize:
1947
ZipFileName:
[Content_Types].xml
XMP
Creator:
null
XML
LastModifiedBy:
null
CreateDate:
2006:09:16 00:00:00Z
ModifyDate:
2019:03:04 04:41:20Z
Application:
Microsoft Excel
DocSecurity:
None
ScaleCrop:
No
HeadingPairs
null
null
TitlesOfParts
null
null
null
Company:
null
LinksUpToDate:
No
SharedDoc:
No
HyperlinksChanged:
No
AppVersion:
12

Video and screenshots

Processes

Total processes
47
Monitored processes
7
Malicious processes
3
Suspicious processes
1

Behavior graph

+
start download and start drop and start excel.exe no specs eqnedt32.exe nbvcx.exe no specs #AGENTTESLA nbvcx.exe eventvwr.exe no specs eventvwr.exe 8edf29e3-ce99-451c-884e-2303f15ee2a2.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
1640
CMD
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
14.0.4756.1000
Modules
Image
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\msvcr90.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\version.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_145eb2808b8d6928\gdiplus.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\winsta.dll
c:\program files\microsoft office\office14\msohev.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\mpr.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\winmm.dll
c:\program files\microsoft office\office14\msostyle.dll
c:\program files\microsoft office\office14\gkexcel.dll
c:\windows\system32\oleacc.dll
c:\program files\common files\system\ado\msadox.dll
c:\windows\system32\netutils.dll

PID
2596
CMD
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Design Science, Inc.
Description
Microsoft Equation Editor
Version
00110900
Modules
Image
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\msi.dll
c:\program files\common files\microsoft shared\equation\1033\eeintl.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\wshqos.dll
c:\windows\syswow64\apphelp.dll
c:\users\admin\appdata\local\temp\nbvcx.exe

PID
3000
CMD
C:\Users\admin\AppData\Local\Temp\nbvcx.exe
Path
C:\Users\admin\AppData\Local\Temp\nbvcx.exe
Indicators
No indicators
Parent process
EQNEDT32.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Umps
Description
Augiteporphyrite
Version
8.08.0001
Modules
Image
c:\users\admin\appdata\local\temp\nbvcx.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvbvm60.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\sxs.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\apphelp.dll

PID
2312
CMD
:\Users\admin\AppData\Local\Temp\nbvcx.exe
Path
C:\Users\admin\AppData\Local\Temp\nbvcx.exe
Indicators
Parent process
nbvcx.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Umps
Description
Augiteporphyrite
Version
8.08.0001
Modules
Image
c:\users\admin\appdata\local\temp\nbvcx.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvbvm60.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\api-ms-win-core-synch-l1-2-0.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\syswow64\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\syswow64\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\ad92dab7f418877d6a1e0358ce35658a\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\ce3c98f2bf220ef17b0cf4233cac6ceb\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\367e5b8a038ac76eba17528bb7b3688e\system.windows.forms.ni.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\6f5bf6427122bfc30b5be76bcd651018\microsoft.visualbasic.ni.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\wbem\wbemdisp.dll
c:\windows\syswow64\wbemcomn.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\wbem\wbemprox.dll
c:\windows\syswow64\wbem\wmiutils.dll
c:\windows\syswow64\wbem\wbemsvc.dll
c:\windows\syswow64\wbem\fastprox.dll
c:\windows\syswow64\ntdsapi.dll
c:\windows\syswow64\sxs.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\custommarshalers\de24926257994a2a2e174a1de5caf8c1\custommarshalers.ni.dll
c:\windows\assembly\gac_32\custommarshalers\2.0.0.0__b03f5f7f11d50a3a\custommarshalers.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\00c2b464e52d4e82c04d61592a12a89d\system.management.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll
c:\windows\syswow64\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\ntmarta.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\eventvwr.exe
c:\windows\syswow64\mpr.dll
c:\windows\syswow64\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.security\8882514d4272aa702f3889d7aff7a647\system.security.ni.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\shdocvw.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\users\admin\appdata\local\temp\8edf29e3-ce99-451c-884e-2303f15ee2a2.exe
c:\windows\syswow64\ieframe.dll
c:\windows\syswow64\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\program files (x86)\internet explorer\ieproxy.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\mlang.dll
c:\windows\syswow64\wshom.ocx
c:\windows\syswow64\scrrun.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\ad8dd536906e94c4bc9cb9b82285580b\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\77c1dc46ea139bf5e1eaa9b87ef03c7a\system.xml.ni.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\rasapi32.dll
c:\windows\syswow64\rasman.dll
c:\windows\syswow64\rtutils.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\credssp.dll

PID
2800
CMD
"C:\Windows\System32\eventvwr.exe"
Path
C:\Windows\SysWOW64\eventvwr.exe
Indicators
No indicators
Parent process
nbvcx.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Microsoft Corporation
Description
Event Viewer Snapin Launcher
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\eventvwr.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll

PID
2772
CMD
"C:\Windows\SysWOW64\eventvwr.exe"
Path
C:\Windows\SysWOW64\eventvwr.exe
Indicators
Parent process
nbvcx.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Event Viewer Snapin Launcher
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\eventvwr.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\ntmarta.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\secur32.dll

PID
544
CMD
"C:\Users\admin\AppData\Local\Temp\8edf29e3-ce99-451c-884e-2303f15ee2a2.exe" C:\Users\admin\AppData\Local\Temp\4572c12e-00a9-461c-918c-1d7734a7d6fc.tmp
Path
C:\Users\admin\AppData\Local\Temp\8edf29e3-ce99-451c-884e-2303f15ee2a2.exe
Indicators
Parent process
nbvcx.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\8edf29e3-ce99-451c-884e-2303f15ee2a2.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorwks.dll
c:\windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\mscorlib\0478aed7fc25ae268474c704fd2a3e0f\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system\9b0615d346556a8ae639dcec168731cc\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.visualbas#\09d99942fc786d52d85b3b11aed1f2b9\microsoft.visualbasic.ni.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\api-ms-win-core-file-l2-1-0.dll
c:\windows\system32\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\api-ms-win-core-file-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-multibyte-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\program files\mozilla firefox\softokn3.dll
c:\program files\mozilla firefox\nssdbm3.dll
c:\program files\mozilla firefox\freebl3.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

Registry activity

Total events
1074
Read events
989
Write events
76
Delete events
9

Modification events

PID
Process
Operation
Key
Name
Value
1640
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
1640
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
1640
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\1C04AC
1640
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery
1640
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\1C8824
1640
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
v2$
7632240068060000010000000000000000000000
1640
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
1640
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
1640
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTT
680600000EB4B89B6ADAD40100000000
1640
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
EXCELFiles
1315831831
1640
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
ProductFiles
1315831934
1640
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
1640
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
1640
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
1640
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
1640
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\1C04AC
1C04AC
04000000680600002900000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C005000610079006D0065006E0074006100640076006900630065002E0078006C0073007800000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C0001000000000000003068959D6ADAD401AC041C00AC041C0000000000B8020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1640
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\1C04AC
1C04AC
04000000680600002900000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C005000610079006D0065006E0074006100640076006900630065002E0078006C0073007800000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C0001000000000000003068959D6ADAD401AC041C00AC041C0000000000B8020000001800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1640
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{68BC4EDD-0E4D-40E3-8D97-6EC6FF3907D4}
1640
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\1C8824
1C8824
04000000680600002900000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C005000610079006D0065006E0074006100640076006900630065002E0078006C0073007800000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C000100000001000000008DB19B6ADAD40124881C0024881C0000000000B8020000640000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1640
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Max Display
25
1640
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Item 1
[F00000000][T01D4DA6AB1AC3AB0][O00000000]*C:\Users\admin\Desktop\
1640
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Max Display
25
1640
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Item 1
[F00000000][T01D4DA6AB1B0F5A0][O00000000]*C:\Users\admin\Desktop\Paymentadvice.xlsx
1640
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
8B1BF0B4A1CA4656AA46D11C50BC55A4
01000000270000007B39303134303030302D303033442D303030302D313030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
1640
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
LastPurgeTime
25876175
1640
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
ProductFiles
1315831935
1640
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
ProductFiles
1315831936
1640
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTF
207
1640
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTA
207
2596
EQNEDT32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
EquationEditorFilesIntl_1033
1315831813
2596
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2596
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2596
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2596
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2596
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2596
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000067000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2596
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
2596
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
2596
EQNEDT32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
2312
nbvcx.exe
delete key
HKEY_CLASSES_ROOT\mscfile\shell\open\command
2312
nbvcx.exe
write
HKEY_CLASSES_ROOT\mscfile\shell\open\command
2312
nbvcx.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2312
nbvcx.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2312
nbvcx.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2312
nbvcx.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2312
nbvcx.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
MydddApp
C:\Users\admin\AppData\Local\Temp\MydddApp\MydddApp.exe
2312
nbvcx.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
2312
nbvcx.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
2312
nbvcx.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
2312
nbvcx.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing
EnableConsoleTracing
0
2312
nbvcx.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\nbvcx_RASAPI32
EnableFileTracing
0
2312
nbvcx.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\nbvcx_RASAPI32
EnableConsoleTracing
0
2312
nbvcx.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\nbvcx_RASAPI32
FileTracingMask
4294901760
2312
nbvcx.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\nbvcx_RASAPI32
ConsoleTracingMask
4294901760
2312
nbvcx.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\nbvcx_RASAPI32
MaxFileSize
1048576
2312
nbvcx.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\nbvcx_RASAPI32
FileDirectory
%windir%\tracing
2312
nbvcx.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\nbvcx_RASMANCS
EnableFileTracing
0
2312
nbvcx.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\nbvcx_RASMANCS
EnableConsoleTracing
0
2312
nbvcx.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\nbvcx_RASMANCS
FileTracingMask
4294901760
2312
nbvcx.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\nbvcx_RASMANCS
ConsoleTracingMask
4294901760
2312
nbvcx.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\nbvcx_RASMANCS
MaxFileSize
1048576
2312
nbvcx.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\nbvcx_RASMANCS
FileDirectory
%windir%\tracing
2772
eventvwr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2772
eventvwr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2772
eventvwr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2772
eventvwr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0

Files activity

Executable files
3
Suspicious files
2
Text files
3
Unknown types
2

Dropped files

PID
Process
Filename
Type
2312
nbvcx.exe
C:\Users\admin\AppData\Local\Temp\8edf29e3-ce99-451c-884e-2303f15ee2a2.exe
executable
MD5: afc242f6e1d17a413e034f9eab70e28b
SHA256: 5ff4bea99b66da3e069f890d298b54cbb4809631cad7224e2ad8664e8bc3729d
2596
EQNEDT32.EXE
C:\Users\admin\AppData\Local\Temp\nbvcx.exe
executable
MD5: 5c173c26c57e0d0249f6e5e3ec1362f0
SHA256: b4bf672cfc8f70d09393eac68d203b204c14ecad7f00ed2fb17d7d39aa4baba4
2596
EQNEDT32.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\du[1].com
executable
MD5: 5c173c26c57e0d0249f6e5e3ec1362f0
SHA256: b4bf672cfc8f70d09393eac68d203b204c14ecad7f00ed2fb17d7d39aa4baba4
3000
nbvcx.exe
C:\Users\admin\AppData\Local\Temp\~DF83CCBF87CC1F2FBF.TMP
binary
MD5: 7b7bcac37973bc6ccda8396e9a021c8e
SHA256: cab361d91cb67b0ba82071c4e6ea912364e94d35e5eca3ff95b5defb75644f0c
1640
EXCEL.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\865586FE.png
––
MD5:  ––
SHA256:  ––
1640
EXCEL.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E997D8B1.png
––
MD5:  ––
SHA256:  ––
1640
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\CVRFAF6.tmp.cvr
––
MD5:  ––
SHA256:  ––
1640
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
text
MD5: f7b6cac7f188eb792d18081cdbea3a0b
SHA256: e6cb618fdcef31ba718560dd734a256c03a61cfa496ffd9f2ec5d4dab1d4f04e
1640
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Paymentadvice.LNK
lnk
MD5: 28624137ffb5c14bed6247749251ce2f
SHA256: 110008c8f5e7a80ae450b801ad9766cfa9f54ca0b40b2e9c54306e36561fd916
2312
nbvcx.exe
C:\Users\admin\AppData\Local\Temp\temp.tmp
binary
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
1640
EXCEL.EXE
C:\Users\admin\Desktop\~$Paymentadvice.xlsx
––
MD5:  ––
SHA256:  ––
544
8edf29e3-ce99-451c-884e-2303f15ee2a2.exe
C:\Users\admin\AppData\Local\Temp\4572c12e-00a9-461c-918c-1d7734a7d6fc.tmp
text
MD5: 30cd4256d44a43e0630e46aa53593a33
SHA256: 700215fa803c8868dbae6d5f965e84ce246c603b9188b8ef2b9fa92be498a707

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
3
Threats
7

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2596 EQNEDT32.EXE GET 200 204.93.161.26:80 http://simplex-express.com/zs/du.com US
executable
suspicious
2312 nbvcx.exe GET 200 52.200.125.74:80 http://checkip.amazonaws.com/ US
text
shared

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
2596 EQNEDT32.EXE 204.93.161.26:80 Server Central Network US suspicious
2312 nbvcx.exe 208.91.199.223:587 PDR US shared
2312 nbvcx.exe 52.200.125.74:80 Amazon.com, Inc. US shared

DNS requests

Domain IP Reputation
simplex-express.com 204.93.161.26
suspicious
smtp.tpczj.biz 208.91.199.223
208.91.199.225
208.91.198.143
208.91.199.224
malicious
checkip.amazonaws.com 52.200.125.74
34.196.82.108
34.233.102.38
18.233.42.138
52.0.208.170
52.202.139.131
shared

Threats

PID Process Class Message
2596 EQNEDT32.EXE Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
2596 EQNEDT32.EXE A Network Trojan was detected ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2312 nbvcx.exe Generic Protocol Command Decode SURICATA Applayer Detect protocol only one direction
2312 nbvcx.exe A Network Trojan was detected MALWARE [PTsecurity] AgentTesla IP Check
2312 nbvcx.exe A Network Trojan was detected MALWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP

2 ETPRO signatures available at the full report

Debug output strings

No debug info.