Malware Analysis Report

2025-08-05 21:34

Sample ID: 230329-jpmnlafc98
Target: PO_23509-23510.xls
SHA256: 64832b9f03d64470940e7481e9adfb6fa728d8a822cc7c649f8e32eafa18125b
Tags: remcos warzonerat sixthclients collection infostealer persistence rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 64832b9f03d64470940e7481e9adfb6fa728d8a822cc7c649f8e32eafa18125b
Threat Level: Known bad

The file PO_23509-23510.xls was found to be: Known bad.

Malicious Activity Summary

WarzoneRat, AveMaria
Remcos
Modifies WinLogon for persistence
Nirsoft
Warzone RAT payload
NirSoft WebBrowserPassView
NirSoft MailPassView
Blocklisted process makes network request
Downloads MZ/PE file
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Uses the VBS compiler for execution
Accesses Microsoft Outlook profiles
Accesses Microsoft Outlook accounts
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
outlook_office_path
Enumerates system info in registry
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Modifies registry class
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
outlook_win_path
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Launches Equation Editor

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-03-29 07:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-03-29 07:50
Reported: 2023-03-29 07:53
Platform: win7-20230220-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO_23509-23510.xls

The /dde switch is Excel's registered shell-open verb (the same "EXCEL.EXE /dde" plus ddeexec [open("%1")] pairing that shows up in the registry class entries further down); it records how the sandbox opened the workbook and is not something the sample controls.

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dfsghjs\\iurdsfhgj.exe," C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dfsghjs\\uytedew.exe," C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dfsghjs\\uytresdfgh.exe," C:\Windows\SysWOW64\reg.exe N/A

Remcos

rat remcos

WarzoneRat, AveMaria

rat infostealer warzonerat

NirSoft MailPassView

3 hits, no indicator details recorded

NirSoft WebBrowserPassView

3 hits, no indicator details recorded

Nirsoft

8 hits, no indicator details recorded

Warzone RAT payload

rat
3 hits, no indicator details recorded

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Downloads MZ/PE file

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoie = "C:\\Users\\Admin\\AppData\\Roaming\\dnetoln\\qiyvhavtewgo.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ghibzkdm.exe\" C:\\Users\\Admin\\AppData\\Lo" C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\odsnqyon = "C:\\Users\\Admin\\AppData\\Roaming\\ukyerc\\irsqhssjjf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\tqchnnl.exe\" C:\\Users\\Admin\\AppData\\Local\\" C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
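The Winlogon\Shell rows above (written through reg.exe) and the two Run-key rows are the sample's logon persistence. The following is an added Python example, not part of the sandbox's output or tooling, that parses rows in this report's "Set value" column layout and applies the two checks a responder would run over them: a Winlogon Shell value that lists anything besides explorer.exe, and a Run entry whose executable lives under a user-writable path. The Winlogon Userinit rule and the last two sample rows (a Program Files Run entry and a Userinit hijack) are constructed here to show the negative case and the generalization; everything else is copied from the tables above, including the report's own truncation of the Run values.

```python
import ntpath
import re

# Column layout assumed from the signature tables in this report:
#   Set value (<type>) <key> = "<value>" <process> <target>
# The value is double-quoted with \" and \\ escapes; <target> is a single token (N/A here).
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>.+?) = '
    r'(?:"(?P<value>(?:[^"\\]|\\.)*)"|(?P<raw>\S+)) (?P<rest>.+)$'
)
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\users\\public\\', '\\programdata\\')
RUN_KEYS = ('\\currentversion\\run\\', '\\currentversion\\runonce\\')

# Rows 0-5 are copied from this report; rows 6-7 are constructed controls (a benign
# Run entry under Program Files and a Userinit hijack) that do not appear in the report.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dfsghjs\\iurdsfhgj.exe," C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dfsghjs\\uytedew.exe," C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dfsghjs\\uytresdfgh.exe," C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoie = "C:\\Users\\Admin\\AppData\\Roaming\\dnetoln\\qiyvhavtewgo.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ghibzkdm.exe\" C:\\Users\\Admin\\AppData\\Lo" C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\odsnqyon = "C:\\Users\\Admin\\AppData\\Roaming\\ukyerc\\irsqhssjjf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\tqchnnl.exe\" C:\\Users\\Admin\\AppData\\Local\\" C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = "\"C:\\Program Files\\Example\\updater.exe\" /quiet" C:\Program Files\Example\setup.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\svc.exe," C:\Windows\SysWOW64\reg.exe N/A',
]

def parse_set_value(line):
    """Split one 'Set value' row into its fields; rows of other operations return None."""
    m = SET_VALUE_RE.match(line)
    if not m:
        return None
    process, _, target = m.group('rest').rpartition(' ')  # target is one token on this page
    value = m.group('value')
    if value is not None:
        value = re.sub(r'\\(.)', r'\1', value)  # undo the report's \" and \\ escaping
    else:
        value = m.group('raw')
    return {'type': m.group('type'), 'key': m.group('key'), 'value': value,
            'process': process, 'target': target}

def first_command_token(cmd):
    """Executable at the head of a command line, whether quoted or bare."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmd)
    return (m.group(1) or m.group(2)) if m else cmd

def triage(lines):
    """Apply the persistence rules; returns one finding per matching row, in input order."""
    findings = []
    for line in lines:
        row = parse_set_value(line)
        if row is None:
            continue
        key, payloads = row['key'].lower(), []
        if key.endswith('\\winlogon\\shell'):
            # Shell is a comma-separated list; anything besides explorer.exe runs at logon
            rule = 'winlogon_shell_hijack'
            payloads = [p for p in (s.strip() for s in row['value'].split(','))
                        if p and p.lower() != 'explorer.exe']
        elif key.endswith('\\winlogon\\userinit'):
            # same idea for Userinit, whose only legitimate entry is userinit.exe
            rule = 'winlogon_userinit_hijack'
            payloads = [p for p in (s.strip() for s in row['value'].split(','))
                        if p and ntpath.basename(p).lower() != 'userinit.exe']
        elif any(r in key for r in RUN_KEYS):
            # Run entries are common; ones launching from user-writable paths are the signal
            rule = 'run_key_user_writable'
            exe = first_command_token(row['value'])
            payloads = [exe] if any(w in exe.lower() for w in USER_WRITABLE) else []
        if payloads:
            findings.append({'rule': rule, 'key': row['key'],
                             'process': row['process'], 'payloads': payloads})
    return findings

if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        print(f['rule'], f['process'], '->', f['payloads'])
```

The parser keys on the closing quote of the value rather than on whitespace, because both the process path ("C:\Program Files (x86)\...") and the key ("Windows NT") contain spaces; the target column is taken as the last token, which holds for every row on this page.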

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Launches Equation Editor

exploit

EQNEDT32.EXE is the legacy Equation Editor that Office starts as a separate COM server process to render embedded equation objects. It has no legitimate reason to make network requests or to write into another process, so its appearance in this run as the process that makes a blocklisted network request and then writes into C:\Users\Public\vbc.exe (see the WriteProcessMemory entries) is the exploit-chain entry point for this document, not Office noise.
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Modifies Internet Explorer settings

adware spyware

Every row in this table is written by EXCEL.EXE itself, and the keys are Office's own Internet Explorer integration: the Default HTML/MHTML Editor verbs pointing at WINWORD.EXE, the MenuExt entries for "Send to OneNote" and "Export to Microsoft Excel", and the ShowDiscussionButton toolbar flag. This is the registration an Office application performs when it first runs on an image, not payload activity, so these keys should not be lifted as indicators. The binary "command" values are Windows Installer advertised-command descriptors (UTF-16LE), not executable paths.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

As with the Internet Explorer entries above, all of these rows come from EXCEL.EXE registering Office's own shell classes: OpenWithList verbs for Excel, Word and Publisher on .htm/.mht, the ddeexec [open("%1")] verb, the msohtmed.exe edit/print handlers and the msohevi.dll icon handler. None of them reference a dropped file, so they carry no indicator value for this sample.
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
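The three REG_BINARY "command" values in the two tables above are printed as hex. The following is an added Python example, not the sandbox's code, that decodes them so the point can be checked rather than taken on trust: each is a NUL-terminated UTF-16LE Windows Installer advertised-command ("Darwin") descriptor, and all three share one compressed product code with only Office feature names (WORDFiles, EXCELFiles, PubPrimary) and switch-only tails. The hex strings are copied from the report; the descriptor layout (20-character compressed product code, feature, ">", 20-character compressed component, tail) and the base-85 alphabet used for the shape check are the standard Windows Installer ones and are assumptions of this example, not facts the report states.

```python
import re

# REG_BINARY 'command' values copied from three rows above, hex exactly as the report prints it.
OFFICE_COMMAND_HEX = {
    r'Internet Explorer\Default HTML Editor\shell\edit\command\command':
        '7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000',
    r'Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command':
        '7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000',
    r'Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command':
        '7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000',
}

# Base-85 alphabet Windows Installer uses for compressed GUIDs: printable ASCII minus
# space and the nine characters unsafe in paths and registry names (" # / : ; < > \ |).
DARWIN_ALPHABET = set("!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{}~")

def decode_utf16_reg_binary(hexstr):
    """The sandbox prints REG_BINARY as hex; these blobs are NUL-terminated UTF-16LE."""
    return bytes.fromhex(hexstr).decode('utf-16-le').rstrip('\x00')

def parse_darwin_descriptor(text):
    """Split an advertised-command descriptor: 20-char compressed product code, feature
    name, '>', 20-char compressed component code, then the command-line tail.
    Returns None when the text is not shaped that way (e.g. a plain command line)."""
    product = text[:20]
    feature, sep, remainder = text[20:].partition('>')
    component, args = remainder[:20], remainder[20:].strip()
    if not sep or not feature or len(component) < 20:
        return None
    if not (set(product) <= DARWIN_ALPHABET and set(component) <= DARWIN_ALPHABET):
        return None
    return {'product': product, 'feature': feature, 'component': component, 'args': args}

def assess_command_value(hexstr):
    """Decode one value and classify it. Office's own tails are only switches and %1;
    an absolute path in the tail of an advertised command would deserve a second look."""
    text = decode_utf16_reg_binary(hexstr)
    desc = parse_darwin_descriptor(text)
    if desc is None:
        return {'text': text, 'descriptor': None, 'verdict': 'plain command line'}
    verdict = 'MSI advertised command'
    if re.search(r'[A-Za-z]:\\', desc['args']):
        verdict += ' with explicit path in tail'
    return {'text': text, 'descriptor': desc, 'verdict': verdict}

if __name__ == '__main__':
    for key, hx in OFFICE_COMMAND_HEX.items():
        r = assess_command_value(hx)
        d = r['descriptor']
        print(key, '->', r['verdict'], (d['feature'], d['args']) if d else r['text'])
```

The shape check on the two compressed codes is what separates a real descriptor from an ordinary command line that happens to contain a ">" redirection; the example does not expand the compressed codes back into GUIDs, since the descriptor's feature name and tail are enough to attribute these values to Office.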

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process (hit count) Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe (2) N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datrem.exe (31) N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe (31) N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\datrem.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe N/A
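The SeDebugPrivilege rows above and the "PID X wrote to memory of Y" rows in the WriteProcessMemory table that follows are, read together, the sample's execution lineage: EQNEDT32.EXE writes into vbc.exe, vbc.exe into tqchnnl.exe, and several stages then write into fresh copies of their own image. The following is an added Python example, not the sandbox's code, that rebuilds that graph from rows in the two tables' column layout, renders it as a tree rooted at the process nobody wrote into, tags each image with the privileges it enabled, and lists the self-image writes that match the hollowing pattern the report's SetThreadContext and MapViewOfSection hits also point to. The rows are rebuilt from this report with the multiplicity the report shows; the only assumption in the parsing is that both image columns are absolute drive-letter paths, which holds for every row here.

```python
import ntpath
import re

WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<rest>.+)$')
PRIV_RE = re.compile(r'^Token: (?P<priv>\w+) N/A (?P<process>.+) N/A$')

# Rows rebuilt from this report's WriteProcessMemory and AdjustPrivilegeToken tables,
# repeated as many times as the report lists them. Paths are the report's own.
TMP = r'C:\Users\Admin\AppData\Local\Temp'
EQN = r'C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE'
VBC = r'C:\Users\Public\vbc.exe'
TQ, FM, GH, DR = (TMP + '\\' + n for n in ('tqchnnl.exe', 'fmwrz.exe', 'ghibzkdm.exe', 'datrem.exe'))

def wpm(src, dst, src_img, dst_img, calls):
    return [f'PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}'] * calls

SAMPLE_LINES = (
    wpm(1920, 1592, EQN, VBC, 4) + wpm(1592, 1948, VBC, TQ, 4) + wpm(1948, 700, TQ, TQ, 5)
    + wpm(700, 832, TQ, TQ, 4) + wpm(700, 780, TQ, TQ, 4) + wpm(700, 844, TQ, TQ, 4)
    + wpm(700, 112, TQ, FM, 4) + wpm(112, 1364, FM, GH, 4) + wpm(700, 1508, TQ, DR, 4)
    + wpm(1364, 848, GH, GH, 4)
    + [f'Token: SeDebugPrivilege N/A {TQ} N/A', f'Token: SeDebugPrivilege N/A {DR} N/A']
)

def build_injection_graph(lines):
    """Return ({(src_pid, dst_pid): call_count}, {pid: image}, {image: {privileges}})."""
    edges, images, privs = {}, {}, {}
    for line in lines:
        m = WPM_RE.match(line)
        if m:
            src, dst = int(m['src']), int(m['dst'])
            # both images are absolute drive-letter paths, so split right before the second one
            src_img, dst_img = re.split(r' (?=[A-Za-z]:\\)', m['rest'], maxsplit=1)
            images[src], images[dst] = src_img, dst_img
            edges[(src, dst)] = edges.get((src, dst), 0) + 1
            continue
        m = PRIV_RE.match(line)
        if m:
            privs.setdefault(m['process'], set()).add(m['priv'])
    return edges, images, privs

def roots(edges):
    """PIDs that wrote into others but were never written into: the chain's origin."""
    return sorted({s for s, _ in edges} - {d for _, d in edges})

def render_tree(edges, images, privs, pid, depth=0):
    """Indented lineage from pid downward; an image that enabled a privilege is tagged."""
    tags = ''.join(f' [{p}]' for p in sorted(privs.get(images[pid], ())))
    lines = [f"{'  ' * depth}{pid} {images[pid]}{tags}"]
    for (s, d), _calls in sorted(edges.items()):
        if s == pid:
            lines.extend(render_tree(edges, images, privs, d, depth + 1))
    return lines

def self_injection_edges(edges, images):
    """Writes into a fresh instance of the writer's own image (process-hollowing pattern)."""
    return sorted((s, d) for s, d in edges
                  if ntpath.basename(images[s]).lower() == ntpath.basename(images[d]).lower())

if __name__ == '__main__':
    e, i, p = build_injection_graph(SAMPLE_LINES)
    for root in roots(e):
        print('\n'.join(render_tree(e, i, p, root)))
    print('self-injection edges:', self_injection_edges(e, i))
```

Run against the rows from this report, the tree has a single root (EQNEDT32.EXE, PID 1920) and eleven processes, and five of the ten edges are a stage writing into a new copy of itself (tqchnnl.exe four times, ghibzkdm.exe once); those are the PIDs whose memory is worth dumping before the image on disk, since the on-disk file is only the loader.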

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1920 wrote to memory of 1592 (4 calls) N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Public\vbc.exe
PID 1592 wrote to memory of 1948 (4 calls) N/A C:\Users\Public\vbc.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 1948 wrote to memory of 700 (5 calls) N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 700 wrote to memory of 832 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 700 wrote to memory of 780 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 700 wrote to memory of 844 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe
PID 700 wrote to memory of 112 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\fmwrz.exe
PID 112 wrote to memory of 1364 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\fmwrz.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 700 wrote to memory of 1508 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datrem.exe
PID 1364 wrote to memory of 848 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 1364 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe
PID 700 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datorg.exe
PID 700 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datorg.exe
PID 700 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datorg.exe
PID 700 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datorg.exe
PID 700 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datxld.exe
PID 700 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datxld.exe
PID 700 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datxld.exe
PID 700 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe C:\Users\Admin\AppData\Local\Temp\datxld.exe
PID 1524 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\datxld.exe C:\Windows\SysWOW64\cmd.exe
PID 1832 wrote to memory of 1112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1832 wrote to memory of 1112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1832 wrote to memory of 1112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1832 wrote to memory of 1112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1116 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\datorg.exe C:\Windows\SysWOW64\cmd.exe
PID 1100 wrote to memory of 1780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1100 wrote to memory of 1780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO_23509-23510.xls

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Public\vbc.exe

"C:\Users\Public\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

"C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe" C:\Users\Admin\AppData\Local\Temp\smpprgdmyr.v

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

"C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe"

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\mlxx"

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\wfcqmon"

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe /stext "C:\Users\Admin\AppData\Local\Temp\hhpinhyjya"

C:\Users\Admin\AppData\Local\Temp\fmwrz.exe

"C:\Users\Admin\AppData\Local\Temp\fmwrz.exe"

C:\Users\Admin\AppData\Local\Temp\datrem.exe

"C:\Users\Admin\AppData\Local\Temp\datrem.exe"

C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe

"C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe" C:\Users\Admin\AppData\Local\Temp\xaaktctbkvc.h

C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe

"C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe"

C:\Users\Admin\AppData\Local\Temp\datorg.exe

"C:\Users\Admin\AppData\Local\Temp\datorg.exe"

C:\Users\Admin\AppData\Local\Temp\datxld.exe

"C:\Users\Admin\AppData\Local\Temp\datxld.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe,"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 37

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe,"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 35

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe,"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 37

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 45 > nul && copy "C:\Users\Admin\AppData\Local\Temp\datxld.exe" "C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe" && ping 127.0.0.1 -n 45 > nul && "C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 45

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 44 > nul && copy "C:\Users\Admin\AppData\Local\Temp\datorg.exe" "C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe" && ping 127.0.0.1 -n 44 > nul && "C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 44

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 48 > nul && copy "C:\Users\Admin\AppData\Local\Temp\datrem.exe" "C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe" && ping 127.0.0.1 -n 48 > nul && "C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 48

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe,"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe,"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe,"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 44

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 45

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 48

Network

Country Destination Domain Proto
IN 13.126.112.247:80 13.126.112.247 tcp
US 8.8.8.8:53 top.not2beabused01.xyz udp
CA 38.117.65.122:1558 top.not2beabused01.xyz tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
CA 38.117.65.122:1668 top.not2beabused01.xyz tcp
US 8.8.8.8:53 microsoft.com udp
US 20.112.52.29:80 microsoft.com tcp

Files

memory/1296-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Public\vbc.exe

MD5 4da41093eb4cce80c18d1e6a2391ba80
SHA1 c6e1338fb7c3ffc9d39d5362722110e8482216ea
SHA256 f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43
SHA512 43ea46aeeda700e7b7e1f1f3fdede845e8d5723204d854e5452f9af785a20a9a915e1d9e4f44162777f2e5f569eda06904548114667ae05a285a980cb426dcd3

\Users\Public\vbc.exe

MD5 4da41093eb4cce80c18d1e6a2391ba80
SHA1 c6e1338fb7c3ffc9d39d5362722110e8482216ea
SHA256 f628532a482840b66c9fdf0ed09de86b63418e1f2cc3bbff139f54482f895d43
SHA512 43ea46aeeda700e7b7e1f1f3fdede845e8d5723204d854e5452f9af785a20a9a915e1d9e4f44162777f2e5f569eda06904548114667ae05a285a980cb426dcd3

C:\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

\Users\Admin\AppData\Local\Temp\tqchnnl.exe

MD5 78d3f22fed32bf75725573cf8df7d666
SHA1 2e0c049c4b58a7db1259bfa7023473ebe6785025
SHA256 4a6d211f626c08754049b36707cbb5316d4f8fc5a3e4cfbf28616ed1c39f66c0
SHA512 bf01b209f4d3ba488a798a65a9d346bba04343d5a694619c350a3eff660a507c28fc63bf0464668118b26777945f1d0216659798baabaabb1d77d535cb02668c

C:\Users\Admin\AppData\Local\Temp\smpprgdmyr.v

MD5 8bba552e868d530af56dadd00d38ce78
SHA1 e8f76dd15c91b3c42d42ce83a06c299d900cedf6
SHA256 dd99bf95cbfb93c236cdfe239dddce5aa54f6355a50a7b2ed7606afd00958b9b
SHA512 ff8fe38ed26720865f57fa69a9dd3806109cb688ea22e38ff44ca05f6a7d95795705ac2ccff1e7eb964696a0a0843b370fe76c96373a580ef66ada63054ce35f

C:\Users\Admin\AppData\Local\Temp\wahquzerdw.vl

MD5 b8e0694c7d8f49c6bab7b2f38a068cc7
SHA1 b19f8174f08d3e844b5ae2e74cb6eb7a7e6f7923
SHA256 6a0e2c58b2be31c768cd2dd0236ebef7d8ef9839c6398931f6f9b9a20b62dd4c
SHA512 ead2ee5aeec1a2df1d244b8b5502bc0e84e85c5024602fb9cc4e3b09f687e9af77c2427d6e59661319217306494d50ea77d623b18e586baebeecc7b72a05c14f

memory/700-85-0x0000000000400000-0x0000000000480000-memory.dmp

memory/700-89-0x0000000000400000-0x0000000000480000-memory.dmp

memory/700-93-0x0000000000400000-0x0000000000480000-memory.dmp

memory/700-91-0x0000000000400000-0x0000000000480000-memory.dmp

memory/700-96-0x0000000000400000-0x0000000000480000-memory.dmp

memory/700-94-0x0000000000400000-0x0000000000480000-memory.dmp

memory/700-97-0x0000000000400000-0x0000000000480000-memory.dmp

memory/700-99-0x0000000000400000-0x0000000000480000-memory.dmp

memory/700-100-0x0000000000400000-0x0000000000480000-memory.dmp

memory/700-101-0x0000000000400000-0x0000000000480000-memory.dmp

memory/700-102-0x0000000000400000-0x0000000000480000-memory.dmp

memory/700-103-0x0000000000400000-0x0000000000480000-memory.dmp

memory/700-104-0x0000000000400000-0x0000000000480000-memory.dmp

memory/700-105-0x0000000000400000-0x0000000000480000-memory.dmp

memory/700-110-0x0000000000400000-0x0000000000480000-memory.dmp

memory/700-111-0x0000000000400000-0x0000000000480000-memory.dmp

memory/832-113-0x0000000000400000-0x0000000000478000-memory.dmp

memory/832-130-0x0000000000400000-0x0000000000478000-memory.dmp

memory/832-118-0x0000000000400000-0x0000000000478000-memory.dmp

memory/780-129-0x0000000000400000-0x0000000000457000-memory.dmp

memory/844-128-0x0000000000400000-0x0000000000424000-memory.dmp

memory/844-127-0x0000000000400000-0x0000000000424000-memory.dmp

memory/700-126-0x0000000000400000-0x0000000000480000-memory.dmp

memory/780-125-0x0000000000400000-0x0000000000457000-memory.dmp

memory/844-121-0x0000000000400000-0x0000000000424000-memory.dmp

memory/780-117-0x0000000000400000-0x0000000000457000-memory.dmp

memory/844-131-0x0000000000400000-0x0000000000424000-memory.dmp

memory/832-133-0x0000000000400000-0x0000000000478000-memory.dmp

memory/780-134-0x0000000000400000-0x0000000000457000-memory.dmp

memory/832-141-0x0000000000400000-0x0000000000478000-memory.dmp

\Users\Admin\AppData\Local\Temp\fmwrz.exe

MD5 a3a47448f45b0374c3cde59e1a7bfb0d
SHA1 e00b404f1a143c99e1cf095ef27678022539be43
SHA256 9b1cd01f7d8e52a581fa6d6b2fd0dbb61361c3e6bda603f0f5fded0f938ada10
SHA512 cc70d6c4829a13a7b5819c6924d0309beb083131c59d8cb3e81f13b1bc38d02413f48447064b7f5948bdb2d162c450863c9bc0c47f51735375264d31bbc48dd4

C:\Users\Admin\AppData\Local\Temp\fmwrz.exe

MD5 a3a47448f45b0374c3cde59e1a7bfb0d
SHA1 e00b404f1a143c99e1cf095ef27678022539be43
SHA256 9b1cd01f7d8e52a581fa6d6b2fd0dbb61361c3e6bda603f0f5fded0f938ada10
SHA512 cc70d6c4829a13a7b5819c6924d0309beb083131c59d8cb3e81f13b1bc38d02413f48447064b7f5948bdb2d162c450863c9bc0c47f51735375264d31bbc48dd4

memory/700-152-0x0000000000400000-0x0000000000480000-memory.dmp

\Users\Admin\AppData\Local\Temp\datrem.exe

MD5 96ab89f81c025afe746d86333ce945f7
SHA1 d88cf814dbf9236c51b6a2914212765d289b2e8b
SHA256 c8a73b8edabb6fb2597a642abb53b5a33aca53cf494a8b9b35a2dd020744d27b
SHA512 f9a68e6f174c022fc67c58cd6f172f633111af38765b81e6b578dae89f90cbc18c3d77c47dff4d3e166f59b5574fff30316991275c31aaedb91feec83ea6930d

C:\Users\Admin\AppData\Local\Temp\ghibzkdm.exe

MD5 fb4d8f685c26d5958cb092ef90cc8e7f
SHA1 accfc973351957db7fe4584e24c3989b5df8d3b9
SHA256 b78e622cab41dcf6e311a6d53dc1325d6e1851526baf036f9cbd5168000b8901
SHA512 89878fa3efba0cb880d8973085b69eea0733260fc7fe6d3b276b33259cf99243363010d7dd753b98d629271834e2cf310bec514db0e1ea8a50d1aba3d200f4e3

C:\Users\Admin\AppData\Local\Temp\xaaktctbkvc.h

MD5 bab85673afd9040f8fffe381439cf5cc
SHA1 8d13dfa7f0047acb464e3ed534580c60bdabed6b
SHA256 76aee090b77973c9e217601cd168c181c0e4639b2073a0f52db7eb5c32fa77c2
SHA512 df2694645b1ed4d2e9b2ffb901cb0d0af8ac192665c81214bbc8157fab7b6b5fe7203d8f6ebdbe070796ff6185c3535efed97a515f7ed413c0f7f689d1b0f16c

C:\Users\Admin\AppData\Local\Temp\datrem.exe

MD5 96ab89f81c025afe746d86333ce945f7
SHA1 d88cf814dbf9236c51b6a2914212765d289b2e8b
SHA256 c8a73b8edabb6fb2597a642abb53b5a33aca53cf494a8b9b35a2dd020744d27b
SHA512 f9a68e6f174c022fc67c58cd6f172f633111af38765b81e6b578dae89f90cbc18c3d77c47dff4d3e166f59b5574fff30316991275c31aaedb91feec83ea6930d

\Users\Admin\AppData\Local\Temp\ghibzkdm.exe

MD5 fb4d8f685c26d5958cb092ef90cc8e7f
SHA1 accfc973351957db7fe4584e24c3989b5df8d3b9
SHA256 b78e622cab41dcf6e311a6d53dc1325d6e1851526baf036f9cbd5168000b8901
SHA512 89878fa3efba0cb880d8973085b69eea0733260fc7fe6d3b276b33259cf99243363010d7dd753b98d629271834e2cf310bec514db0e1ea8a50d1aba3d200f4e3

memory/700-169-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mlxx

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\tmbugjrwpz.kh

MD5 12c7d6f0b173d7d369ae8bf93dd1c384
SHA1 bcb512d7fe890bb980206788d15c494ca02ede8a
SHA256 ae4add2b61f783f6d4faa3216ff68960302f76230ef0a371edf6778188bf86f3
SHA512 53e8b9337544218ab38f319d34752161ad974db1b370dae10786695554d0541dc21209e48c819b5e9e48f339e0afa843d750e8e5105e5abf18aa84e7bb3c24be

memory/1364-171-0x0000000000220000-0x0000000000222000-memory.dmp

memory/848-176-0x0000000000400000-0x000000000055C000-memory.dmp

memory/848-180-0x0000000000400000-0x000000000055C000-memory.dmp

memory/1508-181-0x0000000001120000-0x00000000012B2000-memory.dmp

memory/1508-182-0x0000000000AD0000-0x0000000000B1A000-memory.dmp

memory/848-183-0x0000000000400000-0x000000000055C000-memory.dmp

memory/1508-184-0x0000000000B80000-0x0000000000BC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\datorg.exe

MD5 8b0e574f3db376044a84cb315777dd80
SHA1 95a9baee9753204301faba46444cde42f724c1d6
SHA256 adbe453aa3a0209fc356b1fd2ceaad057f5ff3a82fa54b0b0cf49d2c4788d263
SHA512 d95d77fcd16d26c84e80697b109b9fbab2f8a7eb8ef3f10f463319ff193647e280ddc061506645c449a6c365aa5856e178fa4791242c5638be6f469a4b93b7ea

\Users\Admin\AppData\Local\Temp\datorg.exe

MD5 8b0e574f3db376044a84cb315777dd80
SHA1 95a9baee9753204301faba46444cde42f724c1d6
SHA256 adbe453aa3a0209fc356b1fd2ceaad057f5ff3a82fa54b0b0cf49d2c4788d263
SHA512 d95d77fcd16d26c84e80697b109b9fbab2f8a7eb8ef3f10f463319ff193647e280ddc061506645c449a6c365aa5856e178fa4791242c5638be6f469a4b93b7ea

memory/1116-192-0x00000000008E0000-0x0000000000A00000-memory.dmp

memory/700-193-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1508-196-0x0000000000980000-0x0000000000998000-memory.dmp

\Users\Admin\AppData\Local\Temp\datxld.exe

MD5 4cfc1701fe7974c640796586a7130f70
SHA1 329f3b2b6d4c29c785085178e7ff9c1813839d84
SHA256 1100225cfbdf3ac536e1cc3bc6e77a4ba01a5b2fc582655a3b67c23183c2048c
SHA512 0a280c11af661d006c3041d7819e9b4b3b3541ce0ed4fa54fc06180fa5132722a39c91c6bb334d282e6afea455ebb647bad02bace182f561aead3de468bf68ed

C:\Users\Admin\AppData\Local\Temp\datxld.exe

MD5 4cfc1701fe7974c640796586a7130f70
SHA1 329f3b2b6d4c29c785085178e7ff9c1813839d84
SHA256 1100225cfbdf3ac536e1cc3bc6e77a4ba01a5b2fc582655a3b67c23183c2048c
SHA512 0a280c11af661d006c3041d7819e9b4b3b3541ce0ed4fa54fc06180fa5132722a39c91c6bb334d282e6afea455ebb647bad02bace182f561aead3de468bf68ed

memory/700-202-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1524-203-0x0000000000840000-0x0000000000966000-memory.dmp

memory/1116-205-0x00000000043B0000-0x00000000043F0000-memory.dmp

memory/1116-206-0x00000000043B0000-0x00000000043F0000-memory.dmp

memory/1508-207-0x0000000000B80000-0x0000000000BC0000-memory.dmp

memory/1508-208-0x0000000000B80000-0x0000000000BC0000-memory.dmp

memory/780-209-0x0000000000400000-0x0000000000457000-memory.dmp

memory/700-211-0x0000000010000000-0x0000000010019000-memory.dmp

memory/700-215-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1524-216-0x0000000004F00000-0x0000000004F40000-memory.dmp

memory/1524-217-0x0000000004F00000-0x0000000004F40000-memory.dmp

memory/1116-218-0x00000000043B0000-0x00000000043F0000-memory.dmp

memory/700-219-0x0000000000400000-0x0000000000480000-memory.dmp

memory/700-220-0x0000000000400000-0x0000000000480000-memory.dmp

memory/700-223-0x0000000000400000-0x0000000000480000-memory.dmp

memory/700-224-0x0000000000400000-0x0000000000480000-memory.dmp

memory/700-225-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Roaming\Appsync\logs.dat

MD5 30e591976ab99e870396155ddb245180
SHA1 d988f16a9277bdf80197d0c7ead428cd949dd091
SHA256 77a2d4cd56481ba46cb2fb0110ef5013d0a7fe62e6aa26ccafc2dbb08dccaac7
SHA512 09eac3f128f69444d6beb662e0b7d8daed4bc3426b800daea64038c9bad072b7766b7a8cf3668f4403447c5768ace49b1a51e5cd79644ee69ab07d571af92cbb

memory/1508-227-0x0000000000B80000-0x0000000000BC0000-memory.dmp

memory/1116-228-0x00000000043B0000-0x00000000043F0000-memory.dmp

memory/1524-229-0x0000000004F00000-0x0000000004F40000-memory.dmp

memory/1116-231-0x00000000043B0000-0x00000000043F0000-memory.dmp

memory/1508-232-0x0000000000B80000-0x0000000000BC0000-memory.dmp

memory/1524-233-0x0000000004F00000-0x0000000004F40000-memory.dmp

memory/1508-234-0x0000000000B80000-0x0000000000BC0000-memory.dmp

memory/1524-236-0x0000000004F00000-0x0000000004F40000-memory.dmp

memory/1524-237-0x0000000004F00000-0x0000000004F40000-memory.dmp

memory/1116-238-0x00000000043B0000-0x00000000043F0000-memory.dmp

memory/700-239-0x0000000010000000-0x0000000010019000-memory.dmp

memory/700-240-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1116-242-0x00000000043B0000-0x00000000043F0000-memory.dmp

memory/700-245-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1524-246-0x0000000004F00000-0x0000000004F40000-memory.dmp

memory/700-247-0x0000000000400000-0x0000000000480000-memory.dmp

memory/848-275-0x0000000008410000-0x00000000084B7000-memory.dmp

\Users\Admin\AppData\Local\Temp\msvcp140.dll

MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

\Users\Admin\AppData\Local\Temp\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

\Users\Admin\AppData\Local\Temp\mozglue.dll

MD5 75f8cc548cabf0cc800c25047e4d3124
SHA1 602676768f9faecd35b48c38a0632781dfbde10c
SHA256 fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0
SHA512 ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

\Users\Admin\AppData\Local\Temp\nss3.dll

MD5 d7858e8449004e21b01d468e9fd04b82
SHA1 9524352071ede21c167e7e4f106e9526dc23ef4e
SHA256 78758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db
SHA512 1e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440

\Users\Admin\AppData\Local\Temp\softokn3.dll

MD5 471c983513694ac3002590345f2be0da
SHA1 6612b9af4ff6830fa9b7d4193078434ef72f775b
SHA256 bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f
SHA512 a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410

\Users\Admin\AppData\Local\Temp\freebl3.dll

MD5 ef12ab9d0b231b8f898067b2114b1bc0
SHA1 6d90f27b2105945f9bb77039e8b892070a5f9442
SHA256 2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7
SHA512 2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FC5836EC.emf

MD5 5c65827565e89d5357d6f81294701c19
SHA1 600aa1899bdc58d12671774e84033366dc931c04
SHA256 dec6f35ceb48260f3ba4e6487c48d3f97b274f2eff29cab00c2c7e677eef4b4f
SHA512 052c177c606d30f4f3b658f60bb3643fffec498cc8fa931b4380aa6b93ac20fa9ef4600645740e99ba2f6d43e333fe783378d14395132819d6fb44787aad196a

C:\Users\Admin\AppData\Roaming\dfsghjs\iurdsfhgj.exe

C:\Users\Admin\AppData\Roaming\dfsghjs\uytedew.exe

C:\Users\Admin\AppData\Roaming\dfsghjs\uytresdfgh.exe

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-29 07:50

Reported

2023-03-29 07:53

Platform

win10v2004-20230220-en

Max time kernel

104s

Max time network

125s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO_23509-23510.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO_23509-23510.xls"

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\FCC2E451.emf
