Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2316
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	02:03:35
Date:	20/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f330000
Modulesize:	27758592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities,	Extra Window Memory Injection
Spawns processes	System Summary,	Process Injection

C:\Windows\System32\rundll32.exe

rundll32 ..\BASE.BABAA,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2524
Target ID:	3
Parent PID:	2316
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	rundll32 ..\BASE.BABAA,DllRegisterServer
Size:	45568
MD5:	DD81D91FF3B0763C392422865C9AC12E
Time:	02:03:41
Date:	20/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xff2f0000
Modulesize:	61440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected Trickbot	Stealing of Sensitive Information, Remote Access Functionality
Document exploit detected (process start blacklist hit)	Software Vulnerabilities,	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Runs a DLL by calling functions	System Summary,	Rundll32
Spawns processes	System Summary,	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary,

C:\Windows\SysWOW64\rundll32.exe

rundll32 ..\BASE.BABAA,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2480
Target ID:	4
Parent PID:	2524
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32 ..\BASE.BABAA,DllRegisterServer
Size:	44544
MD5:	51138BEEA3E2C21EC44D0932C71762A8
Time:	02:03:41
Date:	20/02/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x960000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Trickbot	Stealing of Sensitive Information, Remote Access Functionality
Document exploit detected (process start blacklist hit)	Software Vulnerabilities,	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Runs a DLL by calling functions	System Summary,	Rundll32
Spawns processes	System Summary,	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary,

C:\Windows\System32\wermgr.exe

C:\Windows\system32\wermgr.exe

Details

Is windows:	true
Is dropped:	false
PID:	2492
Target ID:	5
Parent PID:	2480
Name:	wermgr.exe
Path:	C:\Windows\System32\wermgr.exe
Commandline:	C:\Windows\system32\wermgr.exe
Size:	50688
MD5:	41DF7355A5A907E2C1D7804EC028965D
Time:	02:03:43
Date:	20/02/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xffc90000
Modulesize:	69632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected Trickbot	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Sigma detected: Suspicious Svchost Process	System Summary,
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Spawns processes	System Summary,	Process Injection

C:\Windows\System32\wermgr.exe

C:\Windows\system32\wermgr.exe

Details

Is windows:	true
Is dropped:	false
PID:	2408
Target ID:	6
Parent PID:	2480
Name:	wermgr.exe
Path:	C:\Windows\System32\wermgr.exe
Commandline:	C:\Windows\system32\wermgr.exe
Size:	50688
MD5:	41DF7355A5A907E2C1D7804EC028965D
Time:	02:03:43
Date:	20/02/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xffc90000
Modulesize:	69632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected Trickbot	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Sigma detected: Suspicious Svchost Process	System Summary,
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Spawns processes	System Summary,	Process Injection

C:\Windows\System32\rundll32.exe

C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor7737977537\rpBASEtx.rrd',DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2284
Target ID:	9
Parent PID:	1544
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor7737977537\rpBASEtx.rrd',DllRegisterServer
Size:	45568
MD5:	DD81D91FF3B0763C392422865C9AC12E
Time:	02:05:29
Date:	20/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xff2c0000
Modulesize:	61440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected Trickbot	Stealing of Sensitive Information, Remote Access Functionality
Document exploit detected (process start blacklist hit)	Software Vulnerabilities,	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Runs a DLL by calling functions	System Summary,	Rundll32
Spawns processes	System Summary,	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary,

C:\Windows\System32\svchost.exe

C:\Windows\system32\svchost.exe

Details

Is windows:	true
Is dropped:	false
PID:	2296
Target ID:	10
Parent PID:	2408
Name:	svchost.exe
Path:	C:\Windows\System32\svchost.exe
Commandline:	C:\Windows\system32\svchost.exe
Size:	27136
MD5:	C78655BC80301D76ED4FEF1C1EA40A7D
Time:	02:05:36
Date:	20/02/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xff0e0000
Modulesize:	45056
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Svchost Process	System Summary,
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Spawns processes	System Summary,	Process Injection

C:\Windows\System32\taskeng.exe

taskeng.exe {DA6299CA-95CA-4E9D-8945-2CC05321254C} S-1-5-18:NT AUTHORITY\System:Service:

Details

Is windows:	true
Is dropped:	false
PID:	1544
Target ID:	8
Parent PID:	860
Name:	taskeng.exe
Path:	C:\Windows\System32\taskeng.exe
Commandline:	taskeng.exe {DA6299CA-95CA-4E9D-8945-2CC05321254C} S-1-5-18:NT AUTHORITY\System:Service:
Size:	464384
MD5:	65EA57712340C09B1B0C427B4848AE05
Time:	02:05:29
Date:	20/02/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xfffe0000
Modulesize:	475136
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary,	Process Injection

URLs

Name

Malicious

http://www.chipmania.it/mails/open.php

185.81.0.78

https://116.68.162.92:443/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/83/

116.68.162.92

http://www.windows.com/pctv.

unknown

http://109.69.4.201:443

unknown

http://123.231.180.130:443

unknown

http://investor.msn.com

unknown

http://www.msnbc.com/news/ticker.txt

unknown

https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DPST//3

unknown

http://crl.entrust.net/server1.crl0

unknown

http://ocsp.entrust.net03

unknown

http://116.68.162.92:443

unknown

http://crl.use

unknown

https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/rznnTbpNFJV19x1x/o

unknown

http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0

unknown

http://www.diginotar.nl/cps/pkioverheid0

unknown

https://185.109.54.99:447/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/5/pwgrab64/

unknown

https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DPST//

unknown

http://windowsmedia.com/redir/services.asp?WMPFriendly=true

unknown

http://www.hotmail.com/oe

unknown

http://190.239.34.181:443

unknown

http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check

unknown

https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DPST//W

unknown

http://crl.pkioverheid.nl/DomOvLatestCRL.crl0

unknown

http://www.icra.org/vocabulary/.

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.

unknown

Https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/bnfhZJn91PhwAc8eqCIkI2c

unknown

https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/rznnTbpNFJV19x1x/U

unknown

https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/rznnTbpNFJV19x1x/

unknown

http://154.0.134.130:443

unknown

http://187.95.136.38:443

unknown

http://investor.msn.com/

unknown

http://logo.veri

unknown

http://www.%s.comPA

unknown

https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DEBG//e

unknown

http://ocsp.entrust.net0D

unknown

http://wtfismyip.com/text

95.217.228.176

https://secure.comodo.com/CPS0

unknown

http://servername/isapibackend.dll

unknown

https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/jvvnxhpdjrND3fPr33rZPHh

unknown

http://crl.entrust.net/2048ca.crl0

unknown

http://45.184.189.34:443

unknown

There are 31 hidden URLs, click here to show them.

Domains

Name

Malicious

38.52.17.84.dnsbl-1.uceprotect.net

unknown

www.chipmania.it

unknown

Details

Name:	www.chipmania.it
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities,	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking,	Application Layer Protocol
Downloads files from webservers via HTTP	Networking,	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking,	Application Layer Protocol Non-Application Layer Protocol

chipmania.it

185.81.0.78

Details

Name:	chipmania.it
IP:	185.81.0.78
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking,	Application Layer Protocol
Downloads files from webservers via HTTP	Networking,	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking,	Application Layer Protocol Non-Application Layer Protocol

wtfismyip.com

95.217.228.176

Details

Name:	wtfismyip.com
IP:	95.217.228.176
TargetID:	6
Current Path:	C:\Windows\System32\wermgr.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking,	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking,	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

38.52.17.84.zen.spamhaus.org

unknown

38.52.17.84.cbl.abuseat.org

unknown

38.52.17.84.b.barracudacentral.org

unknown

38.52.17.84.spam.dnsbl.sorbs.net

unknown

IPs

Domain

Country

Active

Malicious

154.0.134.130

unknown

Uganda

unknown

123.231.180.130

unknown

Indonesia

unknown

190.239.34.181

unknown

Peru

unknown

45.184.189.34

unknown

Brazil

unknown

185.109.54.99

unknown

Ukraine

unknown

193.8.194.96

unknown

United Kingdom

unknown

116.68.162.92

unknown

Indonesia

unknown

94.140.114.136

unknown

Latvia

unknown

187.95.136.38

unknown

Brazil

unknown

109.69.4.201

unknown

Albania

unknown

185.81.0.78

unknown

Italy

unknown

95.217.228.176

unknown

Germany

unknown

194.5.249.156

unknown

Romania

unknown

There are 3 hidden IPs, click here to show them.

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

}=8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EC8EA

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ECE28

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ECFCD

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ED385

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ED421

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

gm8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F4AC6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F4F0A

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SavedLegacySettings

C:\Windows\System32\wermgr.exe

@%SystemRoot%\system32\qagentrt.dll,-10

C:\Windows\System32\wermgr.exe

@%SystemRoot%\System32\fveui.dll,-843

C:\Windows\System32\wermgr.exe

@%SystemRoot%\System32\fveui.dll,-844

C:\Windows\System32\wermgr.exe

@%SystemRoot%\System32\wuaueng.dll,-400

C:\Windows\System32\wermgr.exe

Blob

C:\Windows\System32\wermgr.exe

Blob

C:\Windows\System32\wermgr.exe

Blob

C:\Windows\System32\wermgr.exe

Blob

C:\Windows\System32\wermgr.exe

Blob

C:\Windows\System32\wermgr.exe

Blob

C:\Windows\System32\taskeng.exe

data

C:\Windows\System32\svchost.exe

SavedLegacySettings

There are 107 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

180000

unkown

page execute and read and write

6C4000

unkown

page read and write

6C4000

unkown

page read and write

690000

heap default

page read and write

2198000

unkown

page read and write

2030000

unkown

page read and write

2520000

unkown

page read and write

1FC0000

unkown

page read and write

EA0000

unkown

page readonly

3206D000

heap private

page read and write

1FC0000

unkown

page read and write

100000

unkown

page readonly

2520000

unkown

page read and write

6F0000

unkown

page read and write

33421000

unkown

page read and write

33367000

unkown

page read and write

654000

heap default

page read and write

290000

unkown

page read and write

43C000

unkown

page read and write

32DE0000

heap private

page read and write

1FD9000

heap private

page read and write

356000

unkown

page read and write

32EE0000

unkown

page readonly

460000

unkown

page readonly

3130000

unkown

page read and write

334F0000

unkown

page read and write

3235A000

heap private

page read and write

6BA000

unkown

page read and write

336C0000

heap private

page read and write

6D0000

unkown

page read and write

33395000

unkown

page read and write

350000

heap private

page read and write

1FD0000

unkown

page read and write

90000

unkown

page write copy

1F3F000

unkown

page read and write

1496000

unkown

page readonly

151000

heap default

page read and write

334F0000

unkown

page read and write

2730000

unkown

page read and write

368000

unkown

page read and write

41A000

heap default

page read and write

147F000

unkown

page read and write

90000

unkown

page readonly

154000

heap default

page read and write

6DD41000

unkown image

page execute read

33356000

unkown

page read and write

476000

unkown

page read and write

1515000

unkown

page readonly

1FB0000

unkown

page read and write

32A53000

heap private

page read and write

1770000

unkown

page readonly

2D0000

unkown

page execute and read and write

6C0000

unkown

page readonly

1F80000

unkown

page read and write

60000

unkown

page readonly

14D2000

unkown

page readonly

2060000

heap private

page read and write

6DD40000

unkown image

page readonly

343A2000

unkown

page read and write

CA0000

heap private

page read and write

32756000

heap private

page read and write

29EE000

unkown

page read and write

2F30000

unkown

page read and write

2A60000

unkown

page read and write

1444000

unkown

page readonly

3C0000

heap default

page read and write

2048000

unkown

page read and write

33B30000

unkown

page readonly

EE0000

unkown

page read and write

740000

unkown

page readonly

15A9000

unkown

page readonly

139000

heap default

page read and write

20000

heap private

page read and write

66D000

heap default

page read and write

1F80000

unkown

page read and write

2529000

unkown

page read and write

204B000

unkown

page read and write

2A0000

unkown

page read and write

1502000

unkown

page readonly

6E1A4000

unkown image

page readonly

1D8F000

unkown

page read and write

3130000

unkown

page read and write

32657000

heap private

page read and write

343A6000

unkown

page read and write

204A000

unkown

page read and write

2529000

unkown

page read and write

210000

unkown

page readonly

33395000

unkown

page read and write

3AA000

heap default

page read and write

32A53000

heap private

page read and write

331B0000

unkown

page readonly

2FC0000

unkown

page read and write

1FC0000

unkown

page read and write

691000

unkown

page read and write

33475000

heap private

page read and write

667000

heap default

page read and write

35E000

heap default

page read and write

1B0000

unkown

page readonly

2910000

unkown

page read and write

1248000

unkown

page readonly

1D70000

unkown

page readonly

20000

unkown

page read and write

33387000

unkown

page read and write

2260000

heap private

page read and write

6E169000

unkown image

page readonly

14E5000

unkown

page readonly

60000

unkown

page readonly

69E000

unkown

page read and write

1565000

unkown

page readonly

33395000

unkown

page read and write

140000

unkown

page read and write

33F70000

heap private

page read and write

1F40000

unkown

page readonly

60000

unkown

page execute and read and write

130000

unkown

page readonly

27C0000

unkown

page read and write

3A0000

heap default

page read and write

356B0000

heap private

page read and write

356C0000

unkown

page read and write

333FD000

unkown

page read and write

2730000

unkown

page read and write

2B60000

heap private

page read and write

220000

unkown

page read and write

33395000

unkown

page read and write

6D0000

unkown

page read and write

2048000

unkown

page read and write

204D000

unkown

page read and write

6E18C000

unkown image

page readonly

3620000

unkown

page read and write

D10000

unkown

page write copy

33422000

unkown

page read and write

280000

unkown

page readonly

627000

stack

page read and write

334F0000

unkown

page read and write

C90000

heap private

page read and write

34395000

unkown

page read and write

1FD0000

unkown

page read and write

2C1E000

unkown

page read and write

32954000

heap private

page read and write

5A0000

unkown

page readonly

31D60000

heap private

page read and write

20000

unkown

page readonly

1DA0000

heap private

page read and write

1D0000

unkown

page read and write

2950000

unkown

page read and write

32D50000

heap private

page read and write

D0000

unkown

page read and write

17B0000

unkown

page readonly

2041000

unkown

page read and write

1595000

unkown

page readonly

250000

unkown

page write copy

35590000

unkown

page read and write

330000

heap default

page read and write

343B3000

unkown

page read and write

18010C000

unkown

page readonly

1FD0000

unkown

page read and write

1FB0000

unkown

page read and write

256000

unkown

page read and write

691000

unkown

page read and write

3439E000

unkown

page read and write

271B000

unkown

page read and write

2629000

heap private

page read and write

6D0000

unkown

page read and write

32D56000

heap private

page read and write

280000

heap private

page read and write

2910000

unkown

page read and write

CA4000

heap private

page read and write

800000

unkown

page readonly

E0000

unkown

page read and write

1FB0000

unkown

page read and write

3090000

unkown

page read and write

31C0000

unkown

page read and write

210000

unkown

page readonly

2520000

unkown

page read and write

6F1000

unkown

page read and write

2264000

heap private

page read and write

90000

unkown

page readonly

3337E000

unkown

page read and write

2BB0000

unkown

page read and write

33395000

unkown

page read and write

23AC000

unkown

page read and write

1F57000

unkown

page readonly

32D8C000

heap private

page read and write

1FBF000

unkown

page read and write

36E000

heap default

page read and write

3630000

unkown

page read and write

EC0000

unkown

page readonly

6B0000

unkown

page readonly

2F30000

unkown

page read and write

180000

unkown

page read and write

35590000

unkown

page read and write

1342000

unkown

page readonly

33376000

unkown

page read and write

17B000

unkown

page read and write

383000

heap default

page read and write

2AB0000

unkown

page read and write

300000

unkown

page execute and read and write

DEF000

unkown

page read and write

33395000

unkown

page read and write

1FC0000

unkown

page read and write

33385000

unkown

page read and write

180000

unkown

page read and write

2F0000

unkown

page execute and read and write

33D17000

unkown

page readonly

13D000

unkown

page read and write

1FD0000

heap private

page read and write

3368F000

unkown

page read and write

2520000

unkown

page read and write

333AB000

unkown

page read and write

1FC0000

unkown

page read and write

3000000

unkown

page read and write

1579000

unkown

page readonly

2148000

unkown

page read and write

104000

heap private

page read and write

7EFDF000

unkown

page read and write

5E0000

unkown

page readonly

2330000

heap private

page read and write

1FC0000

unkown

page read and write

3630000

unkown

page read and write

33385000

unkown

page read and write

1C0000

unkown

page execute and read and write

1FC0000

unkown

page read and write

33395000

unkown

page read and write

34371000

unkown

page read and write

29C0000

unkown

page read and write

20CF000

unkown

page read and write

101000

unkown

page read and write

14C6000

unkown

page readonly

850000

unkown

page readonly

1CD0000

heap private

page read and write

440000

unkown

page read and write

244000

heap private

page read and write

3214C000

heap private

page read and write

3406C000

unkown

page read and write

22C000

unkown

page read and write

150D000

unkown

page read and write

1FB0000

unkown

page read and write

1FB0000

unkown

page read and write

430000

unkown

page read and write

32D51000

heap private

page read and write

100000

unkown

page read and write

1800DC000

unkown

page readonly

87000

heap default

page read and write

1FE0000

unkown

page readonly

70000

unkown

page read and write

33330000

unkown

page read and write

420000

unkown

page readonly

35590000

unkown

page read and write

2550000

heap private

page read and write

334F0000

unkown

page read and write

200F000

heap private

page read and write

180000

unkown

page read and write

337000

heap default

page read and write

265F000

heap private

page read and write

222E000

unkown

page read and write

335FD000

unkown

page read and write

327000

heap default

page read and write

34371000

unkown

page read and write

333B9000

unkown

page read and write

A37000

unkown

page readonly

860000

unkown

page readonly

115000

heap default

page read and write

35590000

unkown

page read and write

691000

unkown

page read and write

3338A000

unkown

page read and write

1FC0000

unkown

page read and write

1E9C000

unkown

page read and write

6DD40000

unkown image

page readonly

2D60000

heap private

page read and write

466000

unkown

page read and write

1526000

unkown

page readonly

2BB0000

unkown

page read and write

2A8E000

unkown

page read and write

60000

unkown

page read and write

2980000

unkown

page read and write

4C0000

unkown

page readonly

37E000

heap default

page read and write

32459000

heap private

page read and write

5A0000

unkown

page readonly

343A0000

unkown

page read and write

25BC000

unkown

page read and write

3620000

unkown

page read and write

110000

unkown

page read and write

3640000

unkown

page read and write

33421000

unkown

page read and write

530000

unkown

page readonly

BD000

heap default

page read and write

105000

unkown

page read and write

14B5000

unkown

page readonly

2520000

unkown

page read and write

1F80000

unkown

page read and write

284000

heap private

page read and write

19F000

unkown

page read and write

34070000

unkown

page readonly

36C0000

unkown

page read and write

1404000

unkown

page readonly

3FE000

heap default

page read and write

343B3000

unkown

page read and write

32756000

heap private

page read and write

33422000

unkown

page read and write

333A0000

unkown

page read and write

3E0000

heap default

page read and write

334F0000

unkown

page read and write

35590000

unkown

page read and write

333A6000

unkown

page read and write

3BA000

unkown

page read and write

434000

unkown

page read and write

180000

unkown

page read and write

2529000

unkown

page read and write

43C000

unkown

page read and write

33395000

unkown

page read and write

130000

heap private

page read and write

1549000

unkown

page readonly

347000

heap default

page read and write

3AC000

unkown

page read and write

1FD0000

unkown

page read and write

15A2000

unkown

page readonly

1DC7000

unkown

page readonly

111000

unkown

page read and write

1424000

unkown

page readonly

1FC0000

unkown

page read and write

37D000

unkown

page read and write

14A2000

unkown

page readonly

2070000

heap private

page read and write

2282000

heap private

page read and write

3C7000

heap default

page read and write

1472000

unkown

page readonly

33470000

heap private

page read and write

3334F000

unkown

page read and write

421000

heap default

page read and write

33422000

unkown

page read and write

203C000

unkown

page read and write

FB000

unkown

page read and write

1BE0000

unkown

page readonly

3205D000

heap private

page read and write

2033000

unkown

page read and write

15C5000

unkown

page readonly

334F0000

unkown

page read and write

20000

unkown

page readonly

2043000

unkown

page read and write

3338C000

unkown

page read and write

28D0000

unkown

page read and write

416000

heap default

page read and write

10001000

unkown

page execute and read and write

1FC0000

unkown

page read and write

1542000

unkown

page readonly

1FB0000

unkown

page read and write

34370000

unkown

page read and write

33385000

unkown

page read and write

33740000

unkown

page readonly

378000

unkown

page read and write

540000

unkown

page readonly

420000

unkown

page readonly

266000

unkown

page read and write

6F2000

unkown

page read and write

EB000

unkown

page read and write

314000

heap private

page read and write

D0000

unkown

page read and write

6F2000

unkown

page read and write

2A10000

unkown

page read and write

80000

heap default

page read and write

230000

unkown

page read and write

E0000

unkown

page read and write

1529000

unkown

page readonly

27B0000

heap private

page read and write

CDB000

heap private

page read and write

740000

unkown

page readonly

20000

unkown

page read and write

1790000

unkown

page readonly

6AC000

unkown

page read and write

EDC000

unkown

page read and write

1FB0000

unkown

page read and write

1D0000

unkown

page read and write

33331000

unkown

page read and write

29A0000

unkown

page read and write

140000

unkown

page readonly

240000

heap private

page read and write

630000

heap default

page read and write

2043000

unkown

page read and write

340000

heap default

page read and write

6BA000

unkown

page read and write

3206E000

heap private

page read and write

2520000

unkown

page read and write

FA000

heap default

page read and write

3630000

unkown

page read and write

2520000

unkown

page read and write

28DB000

unkown

page read and write

152D000

unkown

page readonly

34395000

unkown

page read and write

33422000

unkown

page read and write

2620000

heap private

page read and write

180001000

unkown

page execute read

2540000

unkown

page read and write

2046000

unkown

page read and write

180106000

unkown

page read and write

104000

heap default

page read and write

32DF3000

heap private

page read and write

32C51000

heap private

page read and write

1442000

unkown

page readonly

334AB000

heap private

page read and write

310000

heap private

page read and write

6E18A000

unkown image

page read and write

691000

unkown

page read and write

2230000

unkown

page readonly

6D0000

unkown

page read and write

130000

unkown

page readonly

21C000

unkown

page read and write

204C000

unkown

page read and write

1C6000

unkown

page read and write

31F5E000

heap private

page read and write

3000000

unkown

page read and write

1F80000

unkown

page read and write

43C000

unkown

page read and write

2980000

unkown

page read and write

E20000

heap private

page read and write

C7E000

unkown

page read and write

2043000

unkown

page read and write

1485000

unkown

page readonly

110000

unkown

page execute and read and write

640000

unkown

page readonly

370000

unkown

page execute and read and write

134000

heap private

page read and write

2041000

unkown

page read and write

637000

heap default

page read and write

320000

heap default

page read and write

FC000

heap default

page read and write

3630000

unkown

page read and write

100000

heap private

page read and write

33385000

unkown

page read and write

20000

unkown

page readonly

1572000

unkown

page readonly

1F50000

heap private

page read and write

20C000

unkown

page read and write

3332C000

unkown

page read and write

1422000

unkown

page readonly

691000

unkown

page read and write

1FC0000

unkown

page read and write

2150000

unkown

page read and write

333DE000

unkown

page read and write

423000

heap default

page read and write

3620000

unkown

page read and write

1B40000

unkown

page readonly

320000

unkown

page read and write

252A000

unkown

page read and write

2520000

unkown

page read and write

FE0000

unkown

page readonly

60000

unkown

page execute and read and write

14F6000

unkown

page readonly

E29000

heap private

page read and write

1F2000

stack

page read and write

2B10000

unkown

page read and write

2035000

unkown

page read and write

E9000

unkown

page read and write

1242000

unkown

page readonly

3630000

unkown

page read and write

1732000

unkown

page readonly

1FC0000

unkown

page read and write

1402000

unkown

page readonly

2850000

unkown

page read and write

3339B000

unkown

page read and write

1FB0000

unkown

page read and write

3BD000

heap default

page read and write

There are 452 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps