Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

TACSAL.xlsx

CDFV2 Encrypted

initial sample

Details

Filetype:	CDFV2 Encrypted
Entropy:	7.996660916028192
Filename:	TACSAL.xlsx
Filesize:	2411520
MD5:	04295ba63eaeb18f062045b0d0106670
SHA1:	daf3e6043fa67319bf7090cdc60bec6303c7f78e
SHA256:	fbc7b775eaa32cdc8daffe7a3db74bc36e06bab32b53d5d65eceb76081f664cd
SHA512:	94c2d2652ad9bc2a37779afd9e7a81db0c27e6bd3649c4d598a806ac3db522b0d2ab8afa0eae5a96e10424a18b56a31041c3c69711feebbd468f5ba58cd521e7
SSDEEP:	49152:s+xg0pV0kFwQvsRH3twbJZv3+vYv9V8preXpjcmXWWs:skgchwQvsZ3twbJZUrCHGWs
Preview:	........................>...................%...................................................................................\|.......~...............z.......\|.......~...............z.......\|.......~...............z......................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection,
Document misses a certain OLE stream usually present in this Microsoft Office document type	System Summary,
Document contains OLE streams with high entropy indicating encrypted embedded content	Hooking and other Techniques for Hiding and Protection,
Sample is known by Antivirus	System Summary,
Document has a 'vbamacros' value indicative of goodware	System Summary,
Document has an 'encrypted' value indicative of goodware	System Summary,
Submission file is bigger than most known malware samples	System Summary,

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

downloaded

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe
IE cache URL:	http://suresb1sndyintercont.dns.army/receipst/winlog.exe
Category:	downloaded
Dump:	winlog[1].exe.2.dr
ID:	dr_4
Target ID:	2
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.4331792605351374
Encrypted:	false
Ssdeep:	12288:UEz/ihNaF49GIyUasgV3L84I3QHc4KJ77W1Do3oX/VwbN4+vtE+LtZ/NRMiWitvH:Xz/ihNaF49rgV7JFcLYo3o9wqYTfV
Size:	1073152
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: File Dropped By EQNEDT32EXE	System Summary,
Machine Learning detection for dropped file	AV Detection,
Office equation editor drops PE file	System Summary,
Drops PE files	Persistence and Installation Behavior,

C:\Users\user\Desktop\~$TACSAL.xlsx

data

dropped

Details

File:	C:\Users\user\Desktop\~$TACSAL.xlsx
Category:	dropped
Dump:	~$TACSAL.xlsx.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	1.4377382811115937
Encrypted:	false
Ssdeep:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
Size:	330
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection,
Document misses a certain OLE stream usually present in this Microsoft Office document type	System Summary,
Creates files inside the user directory	System Summary,	Masquerading
Document contains OLE streams with high entropy indicating encrypted embedded content	Hooking and other Techniques for Hiding and Protection,	Obfuscated Files or Information
Sample is known by Antivirus	System Summary,
Document has a 'vbamacros' value indicative of goodware	System Summary,
Document has an 'encrypted' value indicative of goodware	System Summary,
Submission file is bigger than most known malware samples	System Summary,

C:\Users\Public\vbc.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\Public\vbc.exe
Category:	dropped
Dump:	vbc.exe.2.dr
ID:	dr_5
Target ID:	2
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.4331792605351374
Encrypted:	false
Ssdeep:	12288:UEz/ihNaF49GIyUasgV3L84I3QHc4KJ77W1Do3oX/VwbN4+vtE+LtZ/NRMiWitvH:Xz/ihNaF49rgV7JFcLYo3o9wqYTfV
Size:	1073152
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary,
Drops PE files to the user root directory	Boot Survival,	Masquerading
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Machine Learning detection for dropped file	AV Detection,
Office equation editor drops PE file	System Summary,
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits,	Exploitation for Client Execution
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion,	System Information Discovery Windows Management Instrumentation
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion,	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Sigma detected: Executables Started in Suspicious Folder	System Summary,
Sigma detected: Execution in Non-Executable Folder	System Summary,
Sigma detected: Suspicious Program Location Process Starts	System Summary,
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information,	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information,	Data from Local System OS Credential Dumping
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information,	Data from Local System OS Credential Dumping
Tries to steal Mail credentials (via file access)	Stealing of Sensitive Information,	Email Collection
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)	System Summary,
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion,	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Detected potential crypto function	System Summary,	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior,
Drops PE files to the user directory	Persistence and Installation Behavior,	Masquerading
Enables debug privileges	Anti Debugging,
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion,
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities,	Obfuscated Files or Information
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion,	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation,	Obfuscated Files or Information
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging,	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection,
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary,
Queries a list of all running processes	Malware Analysis System Evasion,	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary,	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection,	System Information Discovery
Reads software policies	System Summary,	System Information Discovery
Reads the hosts file	System Summary,	Remote System Discovery
Spawns processes	System Summary,	Process Injection
Uses an in-process (OLE) Automation server	System Summary,
Uses Microsoft Silverlight	System Summary,

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\188B1E12.jpeg

gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\188B1E12.jpeg
Category:	dropped
Dump:	188B1E12.jpeg.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Entropy:	7.801842363879827
Encrypted:	false
Ssdeep:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
Size:	48770
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9CCDB2EB.jpeg

gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9CCDB2EB.jpeg
Category:	dropped
Dump:	9CCDB2EB.jpeg.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Entropy:	7.801842363879827
Encrypted:	false
Ssdeep:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
Size:	48770
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E243FB15.emf

Windows Enhanced Metafile (EMF) image data version 0x10000

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E243FB15.emf
Category:	dropped
Dump:	E243FB15.emf.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Entropy:	2.89864943318257
Encrypted:	false
Ssdeep:	3072:v34UL0tS6WB0JOqFVY5QcARI/McGdAT9kRLFdtSyUu50yknG/qc+x:v4UcLe0JOqQQZR8MDdATCR3tS+jqcC
Size:	653280
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Downloads files	Networking,	Ingress Tool Transfer

C:\Users\user\AppData\Roaming\x2nas2ex.vh2\Chrome\Default\Cookies

SQLite 3.x database, last written using SQLite version 3032001

dropped

Details

File:	C:\Users\user\AppData\Roaming\x2nas2ex.vh2\Chrome\Default\Cookies
Category:	dropped
Dump:	Cookies.5.dr
ID:	dr_6
Target ID:	5
Process:	C:\Users\Public\vbc.exe
Type:	SQLite 3.x database, last written using SQLite version 3032001
Entropy:	0.9650411582864293
Encrypted:	false
Ssdeep:	48:T2loMLOpEO5J/KdGU1jX983Gul4kEBrvK5GYWgqRSESXh:inNww9t9wGAE
Size:	28672
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Roaming\x2nas2ex.vh2\Firefox\Profiles\7xwghk55.default\cookies.sqlite

SQLite 3.x database, user version 7, last written using SQLite version 3017000

dropped

Details

File:	C:\Users\user\AppData\Roaming\x2nas2ex.vh2\Firefox\Profiles\7xwghk55.default\cookies.sqlite
Category:	dropped
Dump:	cookies.sqlite.5.dr
ID:	dr_7
Target ID:	5
Process:	C:\Users\Public\vbc.exe
Type:	SQLite 3.x database, user version 7, last written using SQLite version 3017000
Entropy:	0.08107860342777487
Encrypted:	false
Ssdeep:	48:DO8rmWT8cl+fpNDId7r+gUEl1B6nB6UnUqc8AqwIhY5wXwwAVshT:DOUm7ii+7Ue1AQ98VVY
Size:	524288
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2520
Target ID:	2
Parent PID:	584
Name:	EQNEDT32.EXE
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Size:	543304
MD5:	A87236E214F6D42A65F5DEDAC816AEC8
Time:	09:15:09
Date:	27/01/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	581632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary,
Sigma detected: EQNEDT32.EXE connecting to internet	System Summary,
Sigma detected: File Dropped By EQNEDT32EXE	System Summary,
Sigma detected: Executables Started in Suspicious Folder	System Summary,
Sigma detected: Execution in Non-Executable Folder	System Summary,
Sigma detected: Suspicious Program Location Process Starts	System Summary,
Office Equation Editor has been started	Exploits,
Spawns processes	System Summary,	Process Injection

C:\Users\Public\vbc.exe

'C:\Users\Public\vbc.exe'

Details

Is windows:	false
Is dropped:	true
PID:	2736
Target ID:	4
Parent PID:	2520
Name:	vbc.exe
Path:	C:\Users\Public\vbc.exe
Commandline:	'C:\Users\Public\vbc.exe'
Size:	1073152
MD5:	411FA0337649AD03B57D223E60680397
Time:	09:15:12
Date:	27/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc20000
Modulesize:	1097728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary,
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM_3	Malware Analysis System Evasion,
Drops PE files to the user root directory	Boot Survival,	Masquerading
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Office equation editor drops PE file	System Summary,
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits,	Exploitation for Client Execution
Sigma detected: Executables Started in Suspicious Folder	System Summary,
Sigma detected: Execution in Non-Executable Folder	System Summary,
Sigma detected: Suspicious Program Location Process Starts	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Drops PE files	Persistence and Installation Behavior,
Drops PE files to the user directory	Persistence and Installation Behavior,	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information,
Spawns processes	System Summary,	Process Injection

C:\Users\Public\vbc.exe

Details

Is windows:	false
Is dropped:	true
PID:	2836
Target ID:	5
Parent PID:	2736
Name:	vbc.exe
Path:	C:\Users\Public\vbc.exe
Commandline:	C:\Users\Public\vbc.exe
Size:	1073152
MD5:	411FA0337649AD03B57D223E60680397
Time:	09:15:13
Date:	27/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc20000
Modulesize:	1097728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary,
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM_3	Malware Analysis System Evasion,
Drops PE files to the user root directory	Boot Survival,	Masquerading
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Office equation editor drops PE file	System Summary,
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits,	Exploitation for Client Execution
Sigma detected: Executables Started in Suspicious Folder	System Summary,
Sigma detected: Execution in Non-Executable Folder	System Summary,
Sigma detected: Suspicious Program Location Process Starts	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Drops PE files	Persistence and Installation Behavior,
Drops PE files to the user directory	Persistence and Installation Behavior,	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information,
Spawns processes	System Summary,	Process Injection

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	532
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	09:14:49
Date:	27/01/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13feb0000
Modulesize:	27758592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary,	Process Injection

URLs

Name

Malicious

http://suresb1sndyintercont.dns.army/receipst/winlog.exe

103.153.76.181

https://FTlR0ss5usK.net

http://127.0.0.1:HTTP/1.1

unknown

http://DynDns.comDynDNS

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.

unknown

http://us2.smtp.mailhostbox.com

unknown

http://www.day.com/dam/1.0

unknown

https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

unknown

http://smtp.migeulez.com

unknown

http://GhlhtO.com

unknown

https://api.ipify.org%GETMozilla/5.0

unknown

http://www.%s.comPA

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://api.ipify.org%

unknown

https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

unknown

There are 5 hidden URLs, click here to show them.

Domains

Name

Malicious

suresb1sndyintercont.dns.army

103.153.76.181

Details

Name:	suresb1sndyintercont.dns.army
IP:	103.153.76.181
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	System Summary,
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking,	Application Layer Protocol
Downloads files from webservers via HTTP	Networking,	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking,	Application Layer Protocol Non-Application Layer Protocol

smtp.migeulez.com

unknown

us2.smtp.mailhostbox.com

208.91.199.225

Details

Name:	us2.smtp.mailhostbox.com
IP:	208.91.199.225
TargetID:	5
Current Path:	C:\Users\Public\vbc.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking,
Detected TCP or UDP traffic on non-standard ports	Networking,	Non-Standard Port
Uses SMTP (mail sending)	Networking,	Application Layer Protocol
Urls found in memory or binary data	Networking,

IPs

Domain

Country

Active

Malicious

208.91.198.143

unknown

United States

unknown

Details

IP:	208.91.198.143
TargetID:	5
Current Path:	C:\Users\Public\vbc.exe
Country:	United States
Countrycode:	USA
ASN number:	394695
ASN name:	PUBLIC-DOMAIN-REGISTRYUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking,
Detected TCP or UDP traffic on non-standard ports	Networking,	Non-Standard Port
Uses SMTP (mail sending)	Networking,	Application Layer Protocol

103.153.76.181

unknown

Details

IP:	103.153.76.181
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
ASN number:	134687
ASN name:	TWIDC-AS-APTWIDCLimitedHK
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	System Summary,
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution

208.91.199.225

unknown

United States

unknown

Details

IP:	208.91.199.225
TargetID:	5
Current Path:	C:\Users\Public\vbc.exe
Country:	United States
Countrycode:	USA
ASN number:	394695
ASN name:	PUBLIC-DOMAIN-REGISTRYUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking,
Detected TCP or UDP traffic on non-standard ports	Networking,	Non-Standard Port
Uses SMTP (mail sending)	Networking,	Application Layer Protocol

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

el5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F0030

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

mr5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F47F9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F5725

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 21

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F47F9

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

EquationEditorFilesIntl_1033

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

SavedLegacySettings

There are 50 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

23DA000

unkown

page read and write

2591000

unkown

page read and write

402000

unkown

page execute and read and write

23C1000

unkown

page read and write

2618000

unkown

page read and write

33C8000

unkown

page read and write

760000

unkown

page readonly

5C7E000

unkown

page read and write

6A0000

unkown

page read and write

245000

unkown

page read and write

6A0000

unkown

page read and write

5B7E000

unkown

page read and write | page guard

B70000

heap private

page execute and read and write

1C0000

heap private

page execute and read and write

192000

unkown

page read and write

589000

unkown

page read and write

601000

unkown

page read and write

6B40000

heap private

page read and write

600000

unkown

page read and write

600000

unkown

page read and write

6A0000

unkown

page read and write

600000

unkown

page read and write

670000

unkown

page read and write

245000

unkown

page read and write

600000

unkown

page read and write

6DA000

heap default

page read and write

3A8000

stack

page read and write

604000

unkown

page read and write

63BE000

unkown

page read and write

600000

unkown

page read and write

240000

unkown

page read and write

580000

unkown

page read and write

EA000

unkown

page read and write

590000

unkown

page read and write

245000

unkown

page read and write

70A000

unkown

page read and write

110000

unkown

page read and write

600000

unkown

page read and write

606000

unkown

page read and write

695E000

unkown

page read and write

644000

unkown

page read and write

6742000

heap private

page read and write

245000

unkown

page read and write

C22000

unkown image

page execute read

580000

unkown

page read and write

163000

unkown

page execute and read and write

6A0000

unkown

page read and write

582000

unkown

page read and write

215000

unkown

page read and write

186000

unkown

page execute and read and write

6B4000

heap default

page read and write

460D000

unkown

page read and write

585000

unkown

page read and write

4AA5000

unkown

page read and write

4ABF000

stack

page read and write

4C0000

heap private

page read and write

6A0000

unkown

page read and write

240000

unkown

page read and write

33C1000

unkown

page read and write

5A0000

unkown

page read and write

BF0000

unkown

page read and write

4D0000

unkown

page read and write

6A4000

unkown

page read and write

4D0000

unkown

page read and write

889000

unkown

page read and write

680000

unkown

page read and write

7D0000

unkown

page readonly

14A000

unkown

page execute and read and write

240000

unkown

page read and write

6A0000

unkown

page read and write

96E000

heap default

page read and write

240000

unkown

page read and write

4AC0000

unkown

page read and write

590000

unkown

page read and write

4D0000

unkown

page read and write

26E4000

unkown

page read and write

5B0000

unkown

page read and write

23BF000

unkown

page read and write

280000

heap private

page read and write

AB0000

unkown

page read and write

245000

unkown

page read and write

6DAE000

unkown

page read and write

5A0000

unkown

page read and write

240000

unkown

page read and write

157000

unkown

page execute and read and write

164000

unkown

page read and write

240000

unkown

page read and write

290000

unkown

page readonly

240000

unkown

page read and write

580000

unkown

page read and write

3ED000

unkown

page read and write

248000

unkown

page read and write

5B0000

unkown

page read and write

600000

unkown

page read and write

D10000

unkown image

page readonly

4AE000

unkown

page read and write

C22000

unkown image

page execute read

170000

unkown

page read and write

604000

unkown

page read and write

6F0000

unkown

page read and write

603000

unkown

page read and write

240000

unkown

page read and write

C20000

unkown image

page readonly

C22000

unkown image

page execute read

26D6000

unkown

page read and write

473E000

unkown

page read and write

3A7000

unkown

page read and write

211000

unkown

page read and write

44B4000

heap private

page read and write

554F000

stack

page read and write

240000

unkown

page read and write

580000

unkown

page read and write

245000

unkown

page read and write

D10000

unkown image

page readonly

C20000

unkown image

page readonly

548D000

unkown

page read and write

585000

unkown

page read and write

8A4000

heap default

page read and write

D10000

unkown image

page readonly

601000

unkown

page read and write

6A0000

unkown

page read and write

240000

unkown

page read and write

6DC000

heap default

page read and write

A90000

unkown

page read and write

600000

unkown

page read and write

23EE000

unkown

page read and write

870000

unkown

page read and write

650000

unkown

page read and write

4440000

unkown

page read and write

5B4000

unkown

page read and write

65CE000

unkown

page read and write

5B0000

unkown

page read and write

580000

unkown

page read and write

5B0000

unkown

page read and write

20000

unkown

page read and write

6A0000

unkown

page read and write

5060000

unkown

page read and write

55F5000

heap private

page read and write

EC0000

unkown

page readonly

245000

unkown

page read and write

58DD000

unkown

page read and write

5A0000

unkown

page read and write

600000

unkown

page read and write

6A0000

unkown

page read and write

600000

unkown

page read and write

5612000

heap private

page read and write

245000

unkown

page read and write

4B0000

unkown

page read and write

240000

unkown

page read and write

860000

heap private

page read and write

AD9000

heap private

page read and write

ACE000

unkown

page read and write

5A2000

unkown

page read and write

6A0000

unkown

page read and write

600000

unkown

page read and write

580000

unkown

page read and write

6A3000

unkown

page read and write

600000

unkown

page read and write

767000

unkown

page read and write

56E0000

heap private

page read and write

580000

unkown

page read and write

600000

unkown

page read and write

760000

unkown

page read and write

590000

unkown

page read and write

C20000

unkown image

page readonly

C20000

unkown image

page readonly

710000

unkown

page read and write

4400000

heap private

page read and write

5B0000

unkown

page read and write

220000

unkown

page execute and read and write

26C2000

unkown

page read and write

7EFDF000

unkown

page read and write

660000

unkown

page read and write

5A0000

unkown

page read and write

258F000

unkown

page read and write

720000

heap private

page read and write

248000

unkown

page read and write

4C5C000

unkown

page read and write

564F000

stack

page read and write

600000

unkown

page read and write

4C7D000

unkown

page read and write

710000

unkown

page read and write

580000

unkown

page readonly

2729000

unkown

page read and write

240000

unkown

page read and write

585000

unkown

page read and write

5B0000

unkown

page read and write

6EE000

unkown

page read and write

3591000

unkown

page read and write

240000

unkown

page read and write

280000

unkown

page readonly

230000

heap private

page execute and read and write

611000

unkown

page read and write

245000

unkown

page read and write

16D000

unkown

page execute and read and write

13D000

unkown

page execute and read and write

4C0E000

stack

page read and write

4C22000

heap private

page read and write

2400000

heap private

page read and write

6F0000

unkown

page read and write

4B0000

unkown

page read and write

6A0000

unkown

page read and write

245000

unkown

page read and write

245000

unkown

page read and write

5B0000

unkown

page read and write

270000

unkown

page readonly

5A1E000

stack

page read and write

5B0000

unkown

page read and write

4D80000

unkown

page readonly

245000

unkown

page read and write

5B5000

unkown

page read and write

5A5000

unkown

page read and write

4B0000

unkown

page read and write

400000

unkown

page execute and read and write

B00000

unkown

page readonly

240000

unkown

page read and write

760000

unkown

page read and write

5B0000

unkown

page read and write

580000

unkown

page read and write

245000

unkown

page read and write

5E0000

heap private

page read and write

8A0000

heap private

page execute and read and write

6F0000

unkown

page read and write

20000

unkown

page read and write

26FF000

unkown

page read and write

601000

unkown

page read and write

2A0000

unkown

page read and write

5B0000

unkown

page read and write

230000

unkown

page read and write

240000

unkown

page read and write

7D0000

unkown

page read and write

600000

unkown

page read and write

580000

unkown

page read and write

980000

unkown

page readonly

5B0000

unkown

page read and write

197000

unkown

page execute and read and write

5B0000

unkown

page read and write

600000

unkown

page read and write

5A0000

unkown

page read and write

8C0000

heap default

page read and write

245000

unkown

page read and write

52B2000

unkown

page read and write

5F0000

unkown

page read and write

23BE000

unkown

page read and write | page guard

5DEC000

unkown

page read and write

5A0000

unkown

page read and write

240000

unkown

page read and write

7BF000

unkown

page read and write

610000

unkown

page read and write

4E70000

unkown

page readonly

5B0000

unkown

page read and write

270000

unkown

page read and write

6D0000

heap default

page read and write

4E0000

heap default

page read and write

940000

heap default

page read and write

580000

unkown

page read and write

6A0000

unkown

page read and write

245000

unkown

page read and write

887000

heap default

page read and write

5DF0000

unkown

page readonly

580000

unkown

page read and write

700000

unkown

page read and write

240000

unkown

page read and write

585000

unkown

page read and write

4ACC000

unkown

page read and write

133000

unkown

page read and write

80000

unkown

page readonly

6A0000

unkown

page read and write

19B000

unkown

page execute and read and write

5B0000

unkown

page read and write

44AE000

unkown

page read and write

44B0000

heap private

page read and write

600000

unkown

page read and write

5250000

unkown

page read and write

620000

heap default

page read and write

6A0000

unkown

page read and write

600000

unkown

page read and write

130000

unkown

page read and write

585000

unkown

page read and write

15B000

unkown

page execute and read and write

3F0000

unkown

page execute and read and write

580000

unkown

page read and write

240000

unkown

page read and write

4AC4000

unkown

page read and write

195000

unkown

page execute and read and write

66A000

unkown

page read and write

63E000

unkown

page read and write

4C00000

heap private

page read and write

580000

unkown

page read and write

840000

unkown

page execute and read and write

4E6E000

unkown

page read and write

BB0000

unkown

page readonly

5B0000

unkown

page read and write

7C7000

heap private

page read and write

17D000

unkown

page execute and read and write

55F0000

heap private

page read and write

57BE000

stack

page read and write

60A000

unkown

page read and write

240000

unkown

page read and write

6A0000

unkown

page read and write

5BB000

unkown

page read and write

585000

unkown

page read and write

754000

heap default

page read and write

240000

unkown

page read and write

5A0000

unkown

page read and write

A80000

unkown

page read and write

4D3F000

unkown

page read and write

600000

unkown

page read and write

5C0000

heap private

page execute and read and write

450000

unkown

page read and write

6A7000

unkown

page read and write

5A0000

unkown

page read and write

180000

unkown

page read and write

6F0000

unkown

page read and write

7EFDF000

unkown

page read and write

450000

unkown

page read and write

5A0000

unkown

page read and write

600000

unkown

page read and write

610000

unkown

page read and write

290000

unkown

page read and write

600000

unkown

page read and write

240000

unkown

page read and write

123000

unkown

page execute and read and write

270B000

unkown

page read and write

19A000

unkown

page read and write

580000

unkown

page read and write

4A7C000

unkown

page read and write

979000

heap default

page read and write

240000

unkown

page read and write

53DE000

unkown

page read and write

245000

unkown

page read and write

600000

unkown

page read and write

580000

unkown

page read and write

4640000

unkown

page readonly

250000

unkown

page read and write

8CD000

heap default

page read and write

2670000

unkown

page read and write

4910000

unkown

page read and write

587E000

unkown

page read and write

600000

unkown

page read and write

4AA5000

unkown

page read and write

770000

unkown

page read and write

5B0000

unkown

page read and write

585000

unkown

page read and write

44D2000

heap private

page read and write

A70000

unkown

page read and write

245000

unkown

page read and write

245000

unkown

page read and write

240000

unkown

page read and write

C22000

unkown image

page execute read

240000

unkown

page read and write

C20000

unkown image

page readonly

AA0000

unkown

page read and write

590000

unkown

page read and write

580000

unkown

page read and write

26D0000

unkown

page read and write

B1D000

unkown

page read and write

AD0000

heap private

page read and write

4740000

unkown

page readonly

6F0000

unkown

page read and write

5A0000

unkown

page read and write

600000

unkown

page read and write

600000

unkown

page read and write

746000

heap private

page read and write

580000

unkown

page read and write

53FE000

unkown

page read and write

124000

unkown

page read and write

524E000

stack

page read and write

B10000

unkown

page readonly

5A0000

unkown

page read and write

2A0000

unkown

page read and write

580000

unkown

page read and write

2673000

unkown

page read and write

152000

unkown

page read and write

585000

unkown

page read and write

245000

unkown

page read and write

271E000

unkown

page read and write

728000

heap private

page read and write

580000

unkown

page read and write

220000

unkown

page execute and read and write

25E5000

unkown

page read and write

6730000

heap private

page read and write

80000

unkown

page read and write

4C04000

heap private

page read and write

52AE000

unkown

page read and write

590000

unkown

page read and write

5B0000

unkown

page read and write

147000

unkown

page execute and read and write

6F0000

unkown

page read and write

585000

unkown

page read and write

245000

unkown

page read and write

136000

unkown

page read and write

5B0000

unkown

page read and write

580000

unkown

page read and write

5251000

unkown

page read and write

240000

unkown

page read and write

245000

unkown

page read and write

580000

unkown

page read and write

5A0000

unkown

page read and write

245000

unkown

page read and write

880000

unkown

page read and write

240000

unkown

page read and write

4A70000

unkown

page read and write

4A6E000

unkown

page read and write

580000

unkown

page read and write

240000

unkown

page read and write

790000

unkown

page readonly

600000

unkown

page read and write

240000

unkown

page read and write

710000

unkown

page read and write

601000

unkown

page read and write

600000

unkown

page read and write

245000

unkown

page read and write

3B8000

unkown

page read and write

545E000

unkown

page read and write

182000

unkown

page read and write

890000

unkown

page read and write

6A5000

unkown

page read and write

C20000

unkown image

page readonly

4A9E000

unkown

page read and write

A0000

unkown

page read and write

1D0000

heap private

page read and write

850000

unkown

page read and write

520000

unkown

page readonly

585000

unkown

page read and write

240000

unkown

page read and write

600000

unkown

page read and write

5A0D000

unkown

page read and write

245000

unkown

page read and write

600000

unkown

page read and write

26CC000

unkown

page read and write

24B000

unkown

page read and write

D10000

unkown image

page readonly

460000

unkown

page read and write

610000

unkown

page read and write

697000

heap default

page read and write

F0000

unkown

page readonly

600000

unkown

page read and write

5A10000

unkown

page read and write

4D70000

heap private

page read and write

245000

unkown

page read and write

47E000

unkown

page read and write

610000

unkown

page read and write

7C0000

heap private

page read and write

585000

unkown

page read and write

5A5000

unkown

page read and write

600000

unkown

page read and write

240000

unkown

page read and write

580000

unkown

page read and write

700000

unkown

page execute and read and write

560000

unkown

page read and write

240000

unkown

page read and write

5AE000

unkown

page read and write

51BE000

unkown

page read and write

690000

heap default

page read and write

5B7F000

unkown

page read and write

4AA0000

unkown

page read and write

5A0000

unkown

page readonly

18A000

unkown

page execute and read and write

523E000

unkown

page read and write

250000

unkown

page read and write

6F0000

unkown

page read and write

8E0000

unkown

page readonly

245000

unkown

page read and write

210000

unkown

page read and write

530000

unkown

page read and write

580000

unkown

page read and write

A60000

unkown

page readonly

250000

unkown

page read and write

2702000

unkown

page read and write

585000

unkown

page read and write

4C60000

unkown

page read and write

26E8000

unkown

page read and write

4B0000

unkown

page read and write

26A9000

unkown

page read and write

5470000

unkown

page read and write

7E0000

unkown

page read and write

463E000

stack

page read and write

582000

unkown

page read and write

5B0000

unkown

page read and write

580000

unkown

page read and write

585000

unkown

page read and write

880000

heap default

page read and write

621D000

unkown

page read and write

B6E000

unkown

page read and write

600000

unkown

page read and write

64CE000

unkown

page read and write

540000

heap private

page execute and read and write

560000

unkown

page read and write

12D000

unkown

page execute and read and write

22C0000

unkown

page write copy

2724000

unkown

page read and write

5B0000

unkown

page read and write

There are 483 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps