Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
Documents (252).xlsm
|
Zip archive data, at least v2.0 to extract
|
initial sample
|
 |
|
|
C:\Users\user\Desktop\~$Documents (252).xlsm
|
data
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\842F6688.png
|
PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced
|
dropped
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C8A64E9.png
|
PNG image data, 287 x 78, 8-bit/color RGBA, non-interlaced
|
modified
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ABD84DE3.png
|
PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C16FFF7C.png
|
PNG image data, 287 x 78, 8-bit/color RGBA, non-interlaced
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F0A1E1A7.png
|
PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F763B4BE.png
|
PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Temp\D2CE0000
|
data
|
dropped
|
|
|
|
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
|
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue
Oct 17 10:04:00 2017, mtime=Wed Apr 7 08:09:35 2021, atime=Wed Apr 7 08:09:35 2021, length=8192, window=hide
|
dropped
|
|
|
|
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Documents (252).LNK
|
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13
2020, mtime=Wed Apr 7 08:09:35 2021, atime=Wed Apr 7 08:09:35 2021, length=279279, window=hide
|
dropped
|
|
|
|
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
|
ASCII text, with CRLF line terminators
|
dropped
|
|
|
|
C:\Users\user\Desktop\A3CE0000
|
data
|
dropped
|
|
There are 3 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
|
|
|
|
C:\Windows\System32\wbem\WMIC.exe
|
wmic.exe process call create 'regsvr32 -s C:/Users/Public/dbhfr.xref'
|
|
|
|
C:\Windows\System32\regsvr32.exe
|
regsvr32 -s C:/Users/Public/dbhfr.xref
|
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://servername/isapibackend.dll
|
unknown
|
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
xherzog24pv.xyz
|
unknown
|
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
192.168.2.255
|
unknown
|
unknown
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
n?7
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
MTTT
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
ReviewToken
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
EBF49
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
VBAFiles
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
DefaultSheetR2L
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
UseSystemSeparators
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
ThousandsSeparator
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
DecimalSeparator
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Max Display
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Max Display
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 1
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 2
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 3
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 4
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 5
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 6
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 7
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 8
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 9
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 10
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 11
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 12
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 13
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 14
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 15
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 16
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 17
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 18
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 19
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 20
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
EC217
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Max Display
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Max Display
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 1
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 2
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 3
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 4
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 5
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 6
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 7
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 8
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 9
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 10
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 11
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 12
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 13
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 14
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 15
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 16
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 17
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 18
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 19
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 20
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
EC35F
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
EC41A
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
%h7
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
F1555
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
F1600
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Max Display
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 1
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Max Display
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 1
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 2
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 3
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 4
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 5
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 6
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 7
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 8
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 9
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 10
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 11
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 12
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 13
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 14
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 15
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 16
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 17
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 18
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 19
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 20
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 21
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
LastPurgeTime
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
1033
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
1033
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
EXCELFiles
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
ProductFiles
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
ProductFiles
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
SpellingAndGrammarFiles_3082
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
SpellingAndGrammarFiles_3082
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
SpellingAndGrammarFiles_1036
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
SpellingAndGrammarFiles_1036
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
SpellingAndGrammarFiles_1033
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
SpellingAndGrammarFiles_1033
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
SpellingAndGrammarFiles_3082
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
SpellingAndGrammarFiles_3082
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
SpellingAndGrammarFiles_1036
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
SpellingAndGrammarFiles_1036
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
SpellingAndGrammarFiles_1033
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
SpellingAndGrammarFiles_1033
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
ProductFiles
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
ProductFiles
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
ProductFiles
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
ProductFiles
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
SavedLegacySettings
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
F1555
|
|
There are 98 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
436000
|
unkown
|
page read and write
|
|
|
|
2550000
|
heap private
|
page read and write
|
|
|
|
724000
|
heap private
|
page read and write
|
|
|
|
2190000
|
unkown
|
page write copy
|
|
|
|
248000
|
unkown
|
page read and write
|
|
|
|
1F5F000
|
unkown
|
page read and write
|
|
|
|
21E000
|
heap default
|
page read and write
|
|
|
|
720000
|
heap private
|
page read and write
|
|
|
|
2C6B000
|
unkown
|
page read and write
|
|
|
|
26F000
|
unkown
|
page read and write
|
|
|
|
2C68000
|
unkown
|
page read and write
|
|
|
|
3210000
|
heap private
|
page read and write
|
|
|
|
214B000
|
heap private
|
page read and write
|
|
|
|
307000
|
heap default
|
page read and write
|
|
|
|
1E7000
|
heap default
|
page read and write
|
|
|
|
2156000
|
heap private
|
page read and write
|
|
|
|
2C65000
|
unkown
|
page read and write
|
|
|
|
70000
|
unkown
|
page read and write
|
|
|
|
3B0000
|
unkown
|
page read and write
|
|
|
|
26F000
|
unkown
|
page read and write
|
|
|
|
60000
|
unkown
|
page readonly
|
|
|
|
20000
|
heap private
|
page read and write
|
|
|
|
1FC0000
|
unkown
|
page readonly
|
|
|
|
292000
|
unkown
|
page read and write
|
|
|
|
248000
|
unkown
|
page read and write
|
|
|
|
D0000
|
unkown
|
page readonly
|
|
|
|
2630000
|
heap private
|
page read and write
|
|
|
|
217B000
|
heap private
|
page read and write
|
|
|
|
1F6000
|
unkown
|
page read and write
|
|
|
|
2070000
|
heap private
|
page read and write
|
|
|
|
28B000
|
unkown
|
page read and write
|
|
|
|
E0000
|
unkown
|
page read and write
|
|
|
|
2840000
|
heap private
|
page read and write
|
|
|
|
284000
|
unkown
|
page read and write
|
|
|
|
215F000
|
heap private
|
page read and write
|
|
|
|
2C66000
|
unkown
|
page read and write
|
|
|
|
33E000
|
heap default
|
page read and write
|
|
|
|
150000
|
unkown
|
page readonly
|
|
|
|
26D000
|
unkown
|
page read and write
|
|
|
|
1F70000
|
heap private
|
page read and write
|
|
|
|
F0000
|
unkown
|
page read and write
|
|
|
|
23A000
|
unkown
|
page read and write
|
|
|
|
710000
|
unkown
|
page readonly
|
|
|
|
2C61000
|
unkown
|
page read and write
|
|
|
|
230000
|
unkown
|
page read and write
|
|
|
|
3A0000
|
heap private
|
page read and write
|
|
|
|
3060000
|
unkown
|
page read and write
|
|
|
|
2C63000
|
unkown
|
page read and write
|
|
|
|
2C67000
|
unkown
|
page read and write
|
|
|
|
26A000
|
unkown
|
page read and write
|
|
|
|
26B0000
|
unkown
|
page readonly
|
|
|
|
324B000
|
heap private
|
page read and write
|
|
|
|
22B000
|
unkown
|
page read and write
|
|
|
|
2C62000
|
unkown
|
page read and write
|
|
|
|
2170000
|
heap private
|
page read and write
|
|
|
|
2C60000
|
unkown
|
page read and write
|
|
|
|
2174000
|
heap private
|
page read and write
|
|
|
|
3215000
|
heap private
|
page read and write
|
|
|
|
580000
|
heap private
|
page read and write
|
|
|
|
2460000
|
unkown
|
page write copy
|
|
|
|
400000
|
unkown
|
page read and write
|
|
|
|
2E0000
|
unkown
|
page read and write
|
|
|
|
3450000
|
heap private
|
page read and write
|
|
|
|
2BE0000
|
heap private
|
page read and write
|
|
|
|
2C6A000
|
unkown
|
page read and write
|
|
|
|
296F000
|
unkown
|
page read and write
|
|
|
|
238000
|
unkown
|
page read and write
|
|
|
|
320E000
|
unkown
|
page read and write
|
|
|
|
4B0000
|
unkown
|
page readonly
|
|
|
|
300000
|
heap default
|
page read and write
|
|
|
|
2B8F000
|
unkown
|
page read and write
|
|
|
|
3096000
|
unkown
|
page read and write
|
|
|
|
2110000
|
heap private
|
page read and write
|
|
|
|
3455000
|
heap private
|
page read and write
|
|
|
|
584000
|
heap private
|
page read and write
|
|
|
|
214B000
|
heap private
|
page read and write
|
|
|
|
239000
|
unkown
|
page read and write
|
|
|
|
17A000
|
unkown
|
page read and write
|
|
|
|
300000
|
heap private
|
page read and write
|
|
|
|
2C6C000
|
unkown
|
page read and write
|
|
|
|
29F0000
|
heap private
|
page read and write
|
|
|
|
294000
|
unkown
|
page read and write
|
|
|
|
2C69000
|
unkown
|
page read and write
|
|
|
|
80000
|
unkown
|
page read and write
|
|
|
|
1E0000
|
heap default
|
page read and write
|
|
|
|
590000
|
unkown
|
page readonly
|
|
|
|
26F000
|
unkown
|
page read and write
|
|
|
|
26A000
|
unkown
|
page read and write
|
|
|
|
1C0000
|
unkown
|
page read and write
|
|
|
|
2110000
|
heap private
|
page read and write
|
|
|
|
630000
|
unkown
|
page readonly
|
|
|
|
14C000
|
unkown
|
page read and write
|
|
|
|
2115000
|
heap private
|
page read and write
|
|
|
|
35A000
|
heap default
|
page read and write
|
|
|
|
3A4000
|
heap private
|
page read and write
|
|
|
|
2115000
|
heap private
|
page read and write
|
|
|
|
282000
|
unkown
|
page read and write
|
|
|
|
28B000
|
unkown
|
page read and write
|
|
|
|
1BD0000
|
unkown
|
page readonly
|
|
|
|
2190000
|
unkown
|
page readonly
|
|
|
|
2C64000
|
unkown
|
page read and write
|
|
|
|
1CC0000
|
unkown
|
page readonly
|
|
|
|
26D000
|
unkown
|
page read and write
|
|
|
|
380000
|
unkown
|
page read and write
|
|
|
|
26A000
|
unkown
|
page read and write
|
|
|
|
3E6000
|
unkown
|
page read and write
|
|
|
|
353000
|
heap default
|
page read and write
|
|
|
|
248000
|
unkown
|
page read and write
|
|
|
|
26D000
|
unkown
|
page read and write
|
|
|
|
28B000
|
unkown
|
page read and write
|
|
|
|
23B000
|
unkown
|
page read and write
|
|
|
|
248000
|
unkown
|
page read and write
|
|
|
|
20000
|
unkown
|
page readonly
|
|
There are 103 hidden memdumps, click here to show them.