Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
audit-367497006.xlsb
|
Microsoft Excel 2007+
|
initial sample
|
 |
|
|
C:\Users\user\Desktop\~$audit-367497006.xlsb
|
data
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2A108F49.png
|
PNG image data, 246 x 108, 8-bit/color RGB, non-interlaced
|
dropped
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5C50E7CA.png
|
PNG image data, 521 x 246, 8-bit/color RGB, non-interlaced
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8F304143.png
|
PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\9F7E393F.png
|
PNG image data, 490 x 30, 8-bit/color RGB, non-interlaced
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BA0F5CB6.png
|
PNG image data, 934 x 29, 8-bit/color RGB, non-interlaced
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DEFF0268.png
|
PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Temp\05A40000
|
data
|
dropped
|
|
|
|
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
|
Little-endian UTF-16 Unicode text, with CR line terminators
|
dropped
|
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
|
|
|
|
C:\Windows\SysWOW64\regsvr32.exe
|
regsvr32 -s ..\werty1.dll
|
|
|
|
C:\Windows\SysWOW64\regsvr32.exe
|
regsvr32 -s ..\werty2.dll
|
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
forfacks.com
|
192.185.48.167
|
|
|
|
dreamhimalayan.com
|
192.185.113.120
|
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
192.185.48.167
|
forfacks.com
|
United States
|
|
|
|
192.185.113.120
|
dreamhimalayan.com
|
United States
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
l`+
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
m`+
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
LastBootTime
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
ReviewToken
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
49C0E
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
VBAFiles
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
MSForms
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
MSComctlLib
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
SpellingAndGrammarFiles_1036
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
SpellingAndGrammarFiles_3082
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
1
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
UpdateComplete
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
DefaultSheetR2L
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
UseSystemSeparators
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
ThousandsSeparator
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
DecimalSeparator
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
4A248
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
4A342
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
4A40D
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
4A565
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
/r+
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
ProductFiles
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
en-US
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
en-US
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
EXCELFiles
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
RoamingConfigurableSettings
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
RoamingLastSyncTime
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
RoamingLastWriteTime
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
ProductFiles
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
CacheReady
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
LastRequest
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
CacheReady
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
LastUpdate
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
NextUpdate
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
SpellingAndGrammarFiles_1033
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
SpellingAndGrammarFiles_1036
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
SpellingAndGrammarFiles_1036
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
SpellingAndGrammarFiles_1033
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
SpellingAndGrammarFiles_1033
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
SpellingAndGrammarFiles_3082
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
SpellingAndGrammarFiles_3082
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
ProductFiles
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
ProductFiles
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
ProductFiles
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
ProductFiles
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
LastBootTime
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
LastPurgeTime
|
|
There are 37 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
2CA8000
|
unkown
|
page readonly
|
|
|
|
3097000
|
unkown
|
page read and write
|
|
|
|
2CB3000
|
unkown
|
page readonly
|
|
|
|
2BF0000
|
unkown
|
page readonly
|
|
|
|
3310000
|
unkown
|
page readonly
|
|
|
|
3320000
|
heap private
|
page read and write
|
|
|
|
2537000
|
unkown
|
page readonly
|
|
|
|
2C1A000
|
unkown
|
page readonly
|
|
|
|
24D9000
|
unkown
|
page readonly
|
|
|
|
2990000
|
unkown
|
page readonly
|
|
|
|
2407000
|
unkown
|
page readonly
|
|
|
|
2BAC000
|
unkown
|
page readonly
|
|
|
|
2C71000
|
heap default
|
page read and write
|
|
|
|
2AD7000
|
unkown
|
page readonly
|
|
|
|
25D2000
|
unkown
|
page readonly
|
|
|
|
253F000
|
unkown
|
page readonly
|
|
|
|
2C50000
|
heap default
|
page read and write
|
|
|
|
2C13000
|
unkown
|
page readonly
|
|
|
|
2BDC000
|
unkown
|
page readonly
|
|
|
|
2C3B000
|
unkown
|
page readonly
|
|
|
|
2543000
|
unkown
|
page readonly
|
|
|
|
2D50000
|
unkown
|
page readonly
|
|
|
|
2BB3000
|
unkown
|
page readonly
|
|
|
|
24EA000
|
unkown
|
page readonly
|
|
|
|
2E20000
|
unkown
|
page readonly
|
|
|
|
2FBB000
|
unkown
|
page read and write
|
|
|
|
2CA2000
|
unkown
|
page readonly
|
|
|
|
2551000
|
unkown
|
page readonly
|
|
|
|
3330000
|
unkown
|
page readonly
|
|
|
|
24DC000
|
unkown
|
page readonly
|
|
|
|
2C36000
|
unkown
|
page readonly
|
|
|
|
2C94000
|
unkown
|
page readonly
|
|
|
|
253D000
|
unkown
|
page readonly
|
|
|
|
2C0D000
|
unkown
|
page readonly
|
|
|
|
28AC000
|
unkown
|
page read and write
|
|
|
|
25B1000
|
unkown
|
page readonly
|
|
|
|
2B21000
|
unkown
|
page read and write
|
|
|
|
4630000
|
heap private
|
page read and write
|
|
|
|
33F0000
|
heap default
|
page read and write
|
|
|
|
2505000
|
unkown
|
page readonly
|
|
|
|
2529000
|
unkown
|
page readonly
|
|
|
|
2C5A000
|
heap default
|
page read and write
|
|
|
|
28B4000
|
unkown
|
page readonly
|
|
|
|
2BE3000
|
unkown
|
page readonly
|
|
|
|
2980000
|
heap default
|
page read and write
|
|
|
|
256B000
|
unkown
|
page readonly
|
|
|
|
3680000
|
unkown
|
page readonly
|
|
|
|
254F000
|
unkown
|
page readonly
|
|
|
|
358A000
|
heap default
|
page read and write
|
|
|
|
2C32000
|
unkown
|
page readonly
|
|
|
|
2BEC000
|
unkown
|
page readonly
|
|
|
|
2C07000
|
unkown
|
page readonly
|
|
|
|
4640000
|
unkown
|
page readonly
|
|
|
|
2566000
|
unkown
|
page readonly
|
|
|
|
25D8000
|
unkown
|
page readonly
|
|
|
|
25C4000
|
unkown
|
page readonly
|
|
|
|
254A000
|
unkown
|
page readonly
|
|
|
|
251C000
|
unkown
|
page readonly
|
|
|
|
25B5000
|
unkown
|
page readonly
|
|
|
|
25E3000
|
unkown
|
page readonly
|
|
|
|
25E3000
|
unkown
|
page readonly
|
|
|
|
2970000
|
unkown
|
page readonly
|
|
|
|
2BD5000
|
unkown
|
page readonly
|
|
|
|
2BA9000
|
unkown
|
page readonly
|
|
|
|
2CB3000
|
unkown
|
page readonly
|
|
|
|
2535000
|
unkown
|
page readonly
|
|
|
|
29F0000
|
heap private
|
page read and write
|
|
|
|
28EB000
|
unkown
|
page read and write
|
|
|
|
2C1F000
|
unkown
|
page readonly
|
|
|
|
2C81000
|
unkown
|
page readonly
|
|
|
|
2C0F000
|
unkown
|
page readonly
|
|
|
|
2BBA000
|
unkown
|
page readonly
|
|
|
|
2B1D000
|
unkown
|
page read and write
|
|
|
|
2520000
|
unkown
|
page readonly
|
|
|
|
3580000
|
heap default
|
page read and write
|
|
|
|
32F0000
|
unkown
|
page read and write
|
|
|
|
3220000
|
unkown
|
page readonly
|
|
|
|
2F7C000
|
unkown
|
page read and write
|
|
|
|
24E3000
|
unkown
|
page readonly
|
|
|
|
2513000
|
unkown
|
page readonly
|
|
|
|
2950000
|
unkown
|
page read and write
|
|
|
|
2BF9000
|
unkown
|
page readonly
|
|
|
|
2C05000
|
unkown
|
page readonly
|
|
|
|
309B000
|
unkown
|
page read and write
|
|
|
|
35A1000
|
heap default
|
page read and write
|
|
|
|
250C000
|
unkown
|
page readonly
|
|
|
|
3400000
|
unkown
|
page readonly
|
|
|
|
2562000
|
unkown
|
page readonly
|
|
|
|
21E4000
|
unkown
|
page readonly
|
|
|
|
2C85000
|
unkown
|
page readonly
|
|
|
|
4FF0000
|
heap private
|
page read and write
|
|
|
|
2C21000
|
unkown
|
page readonly
|
|
There are 82 hidden memdumps, click here to show them.