IOC Report


Files

File Path | Type | Category | Malicious
documents-1819557117.xlsm | Microsoft Excel 2007+ | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0604[1].gif | PE32+ executable (DLL) (native) x86-64, for MS Windows | downloaded | malicious
C:\Users\user\Desktop\~$documents-1819557117.xlsm | data | dropped | malicious
C:\Users\user\ghnrope2.dll | PE32+ executable (DLL) (native) x86-64, for MS Windows | dropped | malicious
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | Microsoft Cabinet archive data, 58596 bytes, 1 file | dropped | clean
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A | data | dropped | clean
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | data | dropped | clean
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A | data | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3318F1C.png | PNG image data, 205 x 58, 8-bit/color RGB, non-interlaced | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BD5EEF8A.png | PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D5BD2603.png | PNG image data, 364 x 139, 8-bit/color RGBA, non-interlaced | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E2456C6D.png | PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced | dropped | clean
C:\Users\user\AppData\Local\Temp\98CE0000 | data | dropped | clean
C:\Users\user\AppData\Local\Temp\CabD911.tmp | Microsoft Cabinet archive data, 58596 bytes, 1 file | dropped | clean
C:\Users\user\AppData\Local\Temp\TarD912.tmp | data | dropped | clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Fri Apr 9 22:25:36 2021, atime=Fri Apr 9 22:25:36 2021, length=12288, window=hide | dropped | clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\documents-1819557117.LNK | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Fri Apr 9 22:25:36 2021, atime=Fri Apr 9 22:25:36 2021, length=98202, window=hide | dropped | clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\Desktop\69CE0000 | data | dropped | clean
(9 further file entries not shown)

Processes

Path | Cmdline | Malicious
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding | malicious
C:\Windows\System32\regsvr32.exe | regsvr32 -s ..\ghnrope | malicious
C:\Windows\System32\regsvr32.exe | regsvr32 -s | malicious
C:\Windows\System32\regsvr32.exe | regsvr32 -s | malicious
C:\Windows\System32\regsvr32.exe | regsvr32 -s | malicious
C:\Windows\System32\regsvr32.exe | regsvr32 -s | malicious
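The two observations above that matter for hunting are (1) a download cached as `0604[1].gif` whose content is actually a PE32+ DLL, and (2) EXCEL.EXE spawning `regsvr32 -s` with an extension-less, relative module path. The following is an added example, not part of the sandbox report, that turns both into checks: a magic-byte versus extension comparison, and a process-creation filter for regsvr32 launched by an Office parent with a silent flag and an odd module path. The event dicts and byte strings are constructed sample data modelled on the tables above; the parent processes for the trailing `regsvr32 -s` rows are assumed, since the report does not state them.

```python
"""Added example (not from the sandbox report): hunting checks derived from the
IOCs above. All input data below is constructed to mirror the report's tables."""
import re

# Magic numbers for the content types that appear in the Files table.
MAGIC = {
    b"MZ": "PE executable",
    b"GIF8": "GIF image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"PK\x03\x04": "ZIP/OOXML",          # .xlsm/.docx containers
}

# What content a given extension should carry.
EXPECTED = {".gif": "GIF image", ".png": "PNG image", ".xlsm": "ZIP/OOXML", ".dll": "PE executable"}


def identify(data):
    """Classify a byte buffer by its leading magic bytes."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def extension_mismatch(name, data):
    """Return (expected, actual) when the content contradicts the extension, else None.
    IE cache entries such as 0604[1].gif carry a '[n]' suffix before the extension."""
    base = re.sub(r"\[\d+\]", "", name)
    ext = base[base.rfind("."):].lower() if "." in base else ""
    expected = EXPECTED.get(ext)
    actual = identify(data)
    if expected and actual != expected:
        return expected, actual
    return None


def mismatched_files(files):
    """Map file name -> (expected, actual) for every file whose magic does not match."""
    out = {}
    for name, data in files.items():
        result = extension_mismatch(name, data)
        if result:
            out[name] = result
    return out


# Constructed sample: a PE header where a GIF was expected, and a real PNG header.
SAMPLE_FILES = {
    "0604[1].gif": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",
    "3318F1C.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR",
}

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}


def suspicious_regsvr32(event):
    """Flags for one process-creation event {'parent','image','cmdline'}; empty if benign."""
    reasons = []
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image != "regsvr32.exe":
        return reasons
    parent = event.get("parent", "").rsplit("\\", 1)[-1].lower()
    if parent in OFFICE:
        reasons.append("regsvr32 spawned by an Office application")
    args = event["cmdline"].split()[1:]
    if any(a.lower() in ("-s", "/s") for a in args):
        reasons.append("silent flag suppresses DllRegisterServer error dialogs")
    modules = [a for a in args if not a.startswith(("-", "/"))]
    for m in modules:
        if m.startswith("..") or not m.lower().endswith(".dll") or "\\users\\" in m.lower():
            reasons.append("unusual module path: " + m)
    if not modules:
        reasons.append("no module argument visible (truncated or empty command line)")
    return reasons


def hunt(events):
    """Return [(cmdline, reasons)] for every event that raised at least one flag."""
    hits = []
    for ev in events:
        reasons = suspicious_regsvr32(ev)
        if reasons:
            hits.append((ev["cmdline"], reasons))
    return hits


# Constructed process feed modelled on the Processes table (parents assumed).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r"'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding"},
    {"parent": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 -s ..\ghnrope"},
    {"parent": r"C:\Windows\System32\regsvr32.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 -s"},
    {"parent": r"C:\Windows\explorer.exe",          # benign-looking registration, no flags
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 C:\Windows\System32\msxml3.dll"},
]

if __name__ == "__main__":
    for name, (exp, act) in mismatched_files(SAMPLE_FILES).items():
        print(f"{name}: expected {exp}, got {act}")
    for cmdline, reasons in hunt(SAMPLE_EVENTS):
        print(cmdline, "->", "; ".join(reasons))
```

The magic check is the one that survives renaming: the cache file name is whatever the download URL ended with, but an `MZ` header is an `MZ` header. The process check deliberately scores several weak signals rather than matching one string, because `regsvr32 -s` on its own is common in installers.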

URLs

Name | IP | Malicious
http://runolfsson-jayde07s.ru.com/ind.html | 8.211.4.209 | clean
http://cremin-ian07u.ru.com/ind.html | 8.211.4.209 | clean
http://servername/isapibackend.dll | unknown | clean

Domains

Name | IP | Malicious
runolfsson-jayde07s.ru.com | 8.211.4.209 | clean
cremin-ian07u.ru.com | 8.211.4.209 | clean
cesiroinsurance.com | 67.222.38.97 | clean
shalombaptistchapel.com | 162.251.80.27 | clean
innermetransformation.com | 173.201.252.173 | clean

IPs

IP | Domain | Country | Malicious
162.251.80.27 | shalombaptistchapel.com | United States | clean
67.222.38.97 | cesiroinsurance.com | United States | clean
173.201.252.173 | innermetransformation.com | United States | clean
8.211.4.209 | runolfsson-jayde07s.ru.com | Singapore | clean

Registry

Process | Value | Malicious
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | n87 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | MTTT | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | ReviewToken | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | EC41A | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | VBAFiles | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | DefaultSheetR2L | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | UseSystemSeparators | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | ThousandsSeparator | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | DecimalSeparator | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Max Display | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Max Display | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 1 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 2 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 3 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 4 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 5 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 6 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 7 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 8 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 9 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 10 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 11 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 12 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 13 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 14 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 15 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 16 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 17 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 18 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 19 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 20 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | EC707 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | EC84E | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Max Display | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Max Display | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 1 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 2 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 3 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 4 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 5 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 6 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 7 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 8 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 9 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 10 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 11 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 12 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 13 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 14 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 15 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 16 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 17 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 18 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 19 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 20 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | EC929 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | EC9D4 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | {E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | p'7 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | @%SystemRoot%\system32\qagentrt.dll,-10 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | @%SystemRoot%\System32\fveui.dll,-843 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | @%SystemRoot%\System32\fveui.dll,-844 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | @%SystemRoot%\System32\wuaueng.dll,-400 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | F6E3D | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Max Display | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Max Display | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 1 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 2 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 3 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 4 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 5 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 6 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 7 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 8 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 9 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 10 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 11 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 12 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 13 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 14 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 15 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 16 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 17 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 18 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 19 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 20 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | F7F2E | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | LastPurgeTime | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | 1033 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | 1033 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | EXCELFiles | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | ProductFiles | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | ProductFiles | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | SpellingAndGrammarFiles_3082 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | SpellingAndGrammarFiles_3082 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | SpellingAndGrammarFiles_1036 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | SpellingAndGrammarFiles_1036 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | SpellingAndGrammarFiles_1033 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | SpellingAndGrammarFiles_1033 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | SpellingAndGrammarFiles_3082 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | SpellingAndGrammarFiles_3082 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | SpellingAndGrammarFiles_1036 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | SpellingAndGrammarFiles_1036 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | SpellingAndGrammarFiles_1033 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | SpellingAndGrammarFiles_1033 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | ProductFiles | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | ProductFiles | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | ProductFiles | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | ProductFiles | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | SavedLegacySettings | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Blob | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Blob | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Blob | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Blob | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Blob | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Blob | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Blob | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Blob | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Blob | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Blob | clean
(110 further registry entries not shown)

Memdumps

Base Address | Region type | Protect | Malicious
5E4000 | heap private | page read and write | clean
640000 | unknown | page readonly | clean
70000 | unknown | page readonly | clean
7B0000 | unknown | page readonly | clean
70000 | unknown | page read and write | clean
A0000 | heap private | page read and write | clean
650000 | unknown | page readonly | clean
270000 | unknown | page readonly | clean
450000 | heap private | page read and write | clean
130000 | heap default | page read and write | clean
123000 | heap default | page read and write | clean
20000 | unknown | page readonly | clean
24000 | heap private | page read and write | clean
2D6000 | unknown | page read and write | clean
20000 | unknown | page readonly | clean
2BA000 | heap default | page read and write | clean
476000 | unknown | page read and write | clean
20F0000 | unknown | page write copy | clean
2EA000 | heap default | page read and write | clean
360000 | unknown | page read and write | clean
566000 | unknown | page read and write | clean
530000 | unknown | page read and write | clean
1DD000 | unknown | page read and write | clean
4D6000 | unknown | page read and write | clean
1C60000 | unknown | page readonly | clean
29E000 | heap default | page read and write | clean
1FCB000 | heap private | page read and write | clean
3C0000 | heap private | page read and write | clean
2E3000 | heap default | page read and write | clean
326000 | unknown | page read and write | clean
3C6000 | unknown | page read and write | clean
770000 | unknown | page readonly | clean
F0000 | unknown | page readonly | clean
20000 | unknown | page readonly | clean
20000 | heap private | page read and write | clean
1BF0000 | unknown | page readonly | clean
12A000 | heap default | page read and write | clean
70000 | unknown | page read and write | clean
520000 | heap private | page read and write | clean
290000 | heap default | page read and write | clean
390000 | unknown | page read and write | clean
A4000 | heap private | page read and write | clean
260000 | heap private | page read and write | clean
630000 | unknown | page readonly | clean
2A0000 | unknown | page read and write | clean
2B3000 | heap default | page read and write | clean
280000 | unknown | page readonly | clean
110000 | unknown | page read and write | clean
4A0000 | unknown | page read and write | clean
137000 | heap default | page read and write | clean
434000 | heap private | page read and write | clean
70000 | unknown | page read and write | clean
1F95000 | heap private | page read and write | clean
316000 | unknown | page read and write | clean
1F90000 | heap private | page read and write | clean
A7000 | heap default | page read and write | clean
80000 | unknown | page read and write | clean
5F0000 | unknown | page readonly | clean
80000 | unknown | page read and write | clean
230000 | unknown | page readonly | clean
267000 | heap default | page read and write | clean
264000 | heap private | page read and write | clean
1D60000 | unknown | page readonly | clean
6C0000 | unknown | page readonly | clean
2E0000 | unknown | page read and write | clean
FA000 | heap default | page read and write | clean
D0000 | heap default | page read and write | clean
A0000 | heap default | page read and write | clean
140000 | unknown | page readonly | clean
530000 | heap private | page read and write | clean
18A000 | heap default | page read and write | clean
430000 | heap private | page read and write | clean
4D0000 | unknown | page readonly | clean
297000 | heap default | page read and write | clean
DE000 | heap default | page read and write | clean
2CE000 | heap default | page read and write | clean
27C000 | unknown | page read and write | clean
13C000 | unknown | page read and write | clean
80000 | unknown | page read and write | clean
183000 | heap default | page read and write | clean
534000 | heap private | page read and write | clean
F0000 | unknown | page read and write | clean
396000 | unknown | page read and write | clean
494000 | heap private | page read and write | clean
7C0000 | unknown | page readonly | clean
20000 | unknown | page readonly | clean
406000 | unknown | page read and write | clean
16E000 | heap default | page read and write | clean
D7000 | heap default | page read and write | clean
1D50000 | unknown | page readonly | clean
490000 | heap private | page read and write | clean
2F0000 | unknown | page read and write | clean
26D000 | unknown | page read and write | clean
100000 | unknown | page read and write | clean
10E000 | heap default | page read and write | clean
524000 | heap private | page read and write | clean
540000 | unknown | page readonly | clean
260000 | heap default | page read and write | clean
440000 | unknown | page read and write | clean
1D10000 | unknown | page readonly | clean
3D0000 | unknown | page read and write | clean
576000 | unknown | page read and write | clean
F3000 | heap default | page read and write | clean
E0000 | unknown | page read and write | clean
540000 | unknown | page read and write | clean
EC000 | unknown | page read and write | clean
2010000 | unknown | page readonly | clean
5E0000 | heap private | page read and write | clean
3C4000 | heap private | page read and write | clean
454000 | heap private | page read and write | clean
(100 further memdump entries not shown)