IOCReport

loading gif

Files

File Path
Type
Category
Malicious
91476525608-04012021.xlsm
Microsoft Excel 2007+
initial sample
malicious
C:\Users\user\Desktop\~$91476525608-04012021.xlsm
data
dropped
malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F5AD18CF.gif
GIF image data, version 89a, 1600 x 1600
dropped
clean
C:\Users\user\AppData\Local\Temp\7FCE0000
data
dropped
clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\91476525608-04012021.LNK
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Fri Apr 2 03:53:38 2021, atime=Fri Apr 2 03:53:38 2021, length=177712, window=hide
dropped
clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Fri Apr 2 03:53:38 2021, atime=Fri Apr 2 03:53:38 2021, length=8192, window=hide
dropped
clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
ASCII text, with CRLF line terminators
dropped
clean
C:\Users\user\Desktop\20DE0000
data
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\170F9197-F193-4F05-B2F8-6C4BDA897C38
XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\457FCD63.gif
GIF image data, version 89a, 1600 x 1600
dropped
clean
C:\Users\user\AppData\Local\Temp\C1C10000
data
dropped
clean
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
Little-endian UTF-16 Unicode text, with CR line terminators
dropped
clean
C:\Users\user\Desktop\72C10000
data
dropped
clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FB206F33.gif
GIF image data, version 89a, 1600 x 1600
dropped
clean
C:\Users\user\AppData\Local\Temp\98DE0000
data
dropped
clean
C:\Users\user\Desktop\59DE0000
data
dropped
clean
There are 6 hidden files, click here to show them.

Processes

Path
Cmdline
Malicious
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
malicious
C:\Windows\System32\rundll32.exe
rundll32 ..\Hodas.vyur,PluginInit
malicious
C:\Windows\System32\rundll32.exe
rundll32 ..\Hodas.vyur1,PluginInit
malicious
C:\Windows\System32\rundll32.exe
rundll32 ..\Hodas.vyur2,PluginInit
malicious
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
malicious
C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\Hodas.vyur,PluginInit
malicious
C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\Hodas.vyur1,PluginInit
malicious
C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\Hodas.vyur2,PluginInit
malicious

URLs

Name
IP
Malicious
http://195.123.210.186/44285,5327891204.dat
195.123.210.186
malicious
http://91.211.89.28/44285,5327891204.dat
91.211.89.28
malicious
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
unknown
clean
http://www.windows.com/pctv.
unknown
clean
http://investor.msn.com
unknown
clean
http://www.msnbc.com/news/ticker.txt
unknown
clean
http://www.icra.org/vocabulary/.
unknown
clean
http://windowsmedia.com/redir/services.asp?WMPFriendly=true
unknown
clean
http://www.hotmail.com/oe
unknown
clean
http://45.150.67.243/44285,5327891204.dat
45.150.67.243
clean
http://investor.msn.com/
unknown
clean
https://api.diagnosticssdf.office.com
unknown
clean
https://login.microsoftonline.com/
unknown
clean
https://shell.suite.office.com:1443
unknown
clean
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
unknown
clean
https://autodiscover-s.outlook.com/
unknown
clean
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
unknown
clean
https://cdn.entity.
unknown
clean
https://api.addins.omex.office.net/appinfo/query
unknown
clean
https://clients.config.office.net/user/v1.0/tenantassociationkey
unknown
clean
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
unknown
clean
https://powerlift.acompli.net
unknown
clean
https://rpsticket.partnerservices.getmicrosoftkey.com
unknown
clean
https://lookup.onenote.com/lookup/geolocation/v1
unknown
clean
https://cortana.ai
unknown
clean
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
unknown
clean
https://cloudfiles.onenote.com/upload.aspx
unknown
clean
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
unknown
clean
https://entitlement.diagnosticssdf.office.com
unknown
clean
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
unknown
clean
https://api.aadrm.com/
unknown
clean
https://ofcrecsvcapi-int.azurewebsites.net/
unknown
clean
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
unknown
clean
https://api.microsoftstream.com/api/
unknown
clean
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
unknown
clean
https://cr.office.com
unknown
clean
https://portal.office.com/account/?ref=ClientMeControl
unknown
clean
https://ecs.office.com/config/v2/Office
unknown
clean
https://graph.ppe.windows.net
unknown
clean
https://res.getmicrosoftkey.com/api/redemptionevents
unknown
clean
https://powerlift-frontdesk.acompli.net
unknown
clean
https://tasks.office.com
unknown
clean
https://officeci.azurewebsites.net/api/
unknown
clean
https://sr.outlook.office.net/ws/speech/recognize/assistant/work
unknown