IOCReport


Files

File Path | Type | Category | Malicious
policy#37820.xlsb | Zip archive data, at least v2.0 to extract | initial sample | malicious
C:\Users\Public\JavelinNew\Javelin.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious
C:\Users\Public\Libraries\appscomhost | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | dropped | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\usa[1] | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | downloaded | malicious
C:\Users\user\Desktop\~$policy#37820.xlsb | data | dropped | malicious
C:\Users\Public\JavelinNew\inst801.7z | 7-zip archive data, version 0.3 | dropped | clean
C:\Users\Public\JavelinNew\instzip594.7z | 7-zip archive data, version 0.3 | dropped | clean
C:\Users\Public\JavelinNew\libeay32.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | clean
C:\Users\Public\JavelinNew\ssleay32.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\662FAE06-B8BB-4FD3-9343-79CB8671E669 | XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\85BBDE0D.png | PNG image data, 2260 x 952, 8-bit colormap, non-interlaced | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B065FF3C.emf | Windows Enhanced Metafile (EMF) image data version 0x10000 | dropped | clean
C:\Users\user\AppData\Local\Temp\53B10000 | data | dropped | clean
C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd | data | dropped | clean
C:\Users\user\AppData\Local\Temp\nso349F.tmp\NSISList.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | clean
C:\Users\user\AppData\Local\Temp\nso349F.tmp\System.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | clean
C:\Users\user\AppData\Local\Temp\nso349F.tmp\nsis7z.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | clean
C:\Users\user\AppData\Local\Temp\nso349F.tmp\registry.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | clean
\Device\ConDrv | ASCII text, with CRLF, CR line terminators | dropped | clean

Processes

Path | Cmdline | Malicious
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding | malicious
C:\Windows\SysWOW64\wbem\WMIC.exe | wmic process call create 'C:\Users\Public\Libraries/appscomhost' | malicious
C:\Users\Public\Libraries\appscomhost | C:\Users\Public\Libraries/appscomhost | malicious
C:\Users\Public\JavelinNew\Javelin.exe | 'C:\Users\Public\JavelinNew\Javelin.exe' | malicious
C:\Users\Public\JavelinNew\Javelin.exe | C:\Users\Public\JavelinNew\Javelin.exe -run_agent -second | malicious
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean
C:\Windows\SysWOW64\net.exe | net user /domain | clean
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 user /domain | clean

URLs

Name | IP | Malicious
http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG | unknown | clean
http://nsis.sf.net/NSIS_ErrorError | unknown | clean
http://update.remoteutilities.net/upgrade_beta.ini | unknown | clean
http://www.indyproject.org/ | unknown | clean
http://www.openssl.org/V | unknown | clean
http://rmansys.ru/internet-id/ | unknown | clean
http://madExcept.comU | unknown | clean
http://www.openssl.org/support/faq.html | unknown | clean
http://schemas.xmlsoap.org/soap/envelope/ | unknown | clean
http://update.remoteutilities.net/upgrade.ini | unknown | clean

Domains

Name | IP | Malicious
etisalatbuyback.com | 212.2.198.90 | clean
id70.remoteutilities.com | 209.205.218.178 | clean

IPs

IP | Domain | Country | Malicious
192.168.2.1 | unknown | unknown | clean
192.119.14.178 | unknown | United States | clean
198.147.28.34 | unknown | United States | clean
209.205.218.178 | id70.remoteutilities.com | United States | clean
212.2.198.90 | etisalatbuyback.com | Turkey | clean
127.0.0.1 | unknown | unknown | clean

Registry

Path | Value | Malicious
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | e/6 | clean
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | f/6 | clean
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | RemoteClearDate | clean
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Last | clean
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | FilePath | clean
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | StartDate | clean
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | EndDate | clean
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Properties | clean
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Url | clean
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | LastClean | clean
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | DisableWinHttpCertAuth | clean
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | DisableIsOwnerRegex | clean
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | DisableSessionAwareHttpClose | clean
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | DisableADALForExtendedApps