IOCReport


Files

File Path | Type | Category | Malicious
plan-1053707320.xlsb | Microsoft Excel 2007+ | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ka[1].htm | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | downloaded | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\ka[1].htm | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | downloaded | malicious
C:\Users\user\Desktop\~$plan-1053707320.xlsb | data | dropped | malicious
C:\Users\user\gihi1.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious
C:\Users\user\gihi2.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_d6c4e44bbad4515086a963364165f93d4a33398_7a325c51_04e1cb83\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_d6c4e44bbad4515086a963364165f93d4a33398_7a325c51_101b5502\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WER510A.tmp.dmp | Mini DuMP crash report, 14 streams, Fri Jun 25 03:45:03 2021, 0x1205a4 type | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WER53CA.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WER54C5.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC79B.tmp.dmp | Mini DuMP crash report, 14 streams, Fri Jun 25 03:43:22 2021, 0x1205a4 type | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9CF.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA8B.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\83AEEBD5-3CD1-4EBB-B8A2-37AF63012E6F | XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\9A86AAF3.png | PNG image data, 1133 x 589, 8-bit/color RGB, non-interlaced | dropped | clean
C:\Users\user\AppData\Local\Temp\8A810000 | data | dropped | clean
(7 further files are not included in this export.)
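The two ka[1].htm entries above are PE32 DLLs sitting in the IE cache under an .htm name, which is the easiest indicator in this table to automate. The following is an added example, not part of the sandbox report: a small content sniffer covering the formats that appear in the Files table (PE, PNG, OOXML/XLSB zip, UTF-16 or ASCII text) that flags files whose sniffed type is not what their extension promises. The EXPECTED policy and the sample bytes are constructed for the example; the MZ/PE stub stands in for the cached DLL and is not the real file.

```python
"""Flag cached or dropped files whose content does not match their extension.

Added example for this report, not sandbox code. The sniffer mirrors the
coarse types libmagic reported in the Files table; the EXPECTED policy and
the sample inputs below are constructed assumptions.
"""
import struct
from pathlib import PureWindowsPath

# Sniffed kinds that are acceptable for a given extension (assumption:
# a minimal policy; extend it for your own environment).
EXPECTED = {
    ".htm": {"text"}, ".html": {"text"}, ".xml": {"text"}, ".wer": {"text"},
    ".png": {"png"}, ".xlsb": {"zip"}, ".xlsx": {"zip"},
    ".dll": {"pe"}, ".exe": {"pe"},
}

def sniff(data: bytes) -> str:
    """Return a coarse type name for the leading bytes of a file."""
    if data[:4] == b"\x89PNG":
        return "png"
    if data[:2] == b"PK":                       # OOXML (.xlsb/.xlsx) is a zip
        return "zip"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
        return "mz"                             # DOS stub without a PE header
    if data[:2] in (b"\xff\xfe", b"\xfe\xff") or data[:3] == b"\xef\xbb\xbf":
        return "text"                           # UTF-16 / UTF-8 BOM
    head = data[:512]
    if head and all(b in b"\r\n\t" or 0x20 <= b < 0x7F for b in head):
        return "text"                           # printable ASCII
    return "data"

def is_masquerade(path: str, data: bytes) -> bool:
    """True when the extension has a policy and the content violates it."""
    allowed = EXPECTED.get(PureWindowsPath(path).suffix.lower())
    return allowed is not None and sniff(data) not in allowed

def fake_pe(size: int = 0x200) -> bytes:
    """Minimal MZ+PE stub (constructed; stands in for the cached DLL)."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)     # e_lfanew -> PE header
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x84, 0x014C)   # IMAGE_FILE_MACHINE_I386
    return bytes(buf)

def triage(entries):
    """entries: iterable of (path, leading_bytes); returns masquerading paths."""
    return [path for path, data in entries if is_masquerade(path, data)]

if __name__ == "__main__":
    samples = [  # paths from the Files table, bytes constructed for the example
        (r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ka[1].htm", fake_pe()),
        (r"C:\Users\user\gihi1.dll", fake_pe()),
        (r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\9A86AAF3.png",
         b"\x89PNG\r\n\x1a\n" + b"\0" * 64),
        (r"C:\ProgramData\Microsoft\Windows\WER\Temp\WER54C5.tmp.xml",
         b'<?xml version="1.0"?>\r\n<report/>\r\n'),
    ]
    for hit in triage(samples):
        print("content/extension mismatch:", hit)
```

Only the .htm entry fires: gihi1.dll is a PE under a .dll name, the PNG and the XML match their extensions, and a file with no extension (such as Temp\8A810000) gets no opinion rather than a false positive.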

Processes

Path | Cmdline | Malicious
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding | malicious
C:\Windows\SysWOW64\regsvr32.exe | regsvr32 ..\gihi1.dll | malicious
C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe | malicious
C:\Windows\SysWOW64\regsvr32.exe | regsvr32 ..\gihi2.dll | malicious
C:\Windows\SysWOW64\schtasks.exe | 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn nowkkbo /tr 'regsvr32.exe -s \'C:\Users\user\gihi1.dll\'' /SC ONCE /Z /ST 20:45 /ET 20:57 | malicious
C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe | malicious
C:\Windows\System32\regsvr32.exe | regsvr32.exe -s 'C:\Users\user\gihi1.dll' | malicious
C:\Windows\SysWOW64\regsvr32.exe | -s 'C:\Users\user\gihi1.dll' | malicious
C:\Windows\System32\regsvr32.exe | regsvr32.exe -s 'C:\Users\user\gihi1.dll' | malicious
C:\Windows\SysWOW64\regsvr32.exe | -s 'C:\Users\user\gihi1.dll' | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5312 -s 652 | clean
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 652 | clean
(3 further processes are not included in this export.)
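The process table shows the whole chain in a handful of command lines: regsvr32 registering a DLL from a relative path, a 32-bit explorer.exe started from SysWOW64, and a one-shot scheduled task running as SYSTEM whose action is again regsvr32 -s on the same DLL. The following is an added example, not part of the sandbox report: per-command-line triage rules run over the records copied from the table. The report gives no parent/child links, so every rule looks at one (image path, command line) pair only; rule names, the LOLBin list and the path heuristics are the author's assumptions.

```python
"""Per-command-line triage for the regsvr32 / schtasks pattern in the
Processes table.

Added example for this report, not sandbox code. RECORDS are copied from
the table; there is no process tree in the export, so each rule judges a
single (image path, command line) pair. Rule names, LOLBINS and USER_PATH
are the author's assumptions.
"""
import re

RECORDS = [
    (r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     r"'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding"),
    (r"C:\Windows\SysWOW64\regsvr32.exe", r"regsvr32 ..\gihi1.dll"),
    (r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    (r"C:\Windows\SysWOW64\regsvr32.exe", r"regsvr32 ..\gihi2.dll"),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r"'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn nowkkbo "
     r"/tr 'regsvr32.exe -s \'C:\Users\user\gihi1.dll\'' /SC ONCE /Z /ST 20:45 /ET 20:57"),
    (r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe -s 'C:\Users\user\gihi1.dll'"),
    (r"C:\Windows\SysWOW64\regsvr32.exe", r"-s 'C:\Users\user\gihi1.dll'"),
    (r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 5312 -s 652"),
]

# Relative paths and user-writable locations a registered DLL should not live in.
USER_PATH = re.compile(r"(?i)\.\.\\|\\Users\\|\\ProgramData\\|\\Temp\\|%(temp|appdata|public)%")
LOLBINS = ("regsvr32", "rundll32", "mshta", "powershell", "wscript", "cscript", "certutil")

def findings(path: str, cmdline: str) -> list:
    """Return the list of rule names the record trips (empty when clean)."""
    exe = path.rsplit("\\", 1)[-1].lower()
    hits = []
    if exe == "regsvr32.exe":
        if USER_PATH.search(cmdline):
            hits.append("regsvr32 registering a DLL from a relative or user-writable path")
        if re.search(r"(?i)(^|\s)[-/]s(\s|$)", cmdline):
            hits.append("regsvr32 run silently (-s)")
    elif exe == "schtasks.exe" and re.search(r"(?i)/create\b", cmdline):
        if re.search(r"(?i)/ru\s+'?(NT AUTHORITY\\)?SYSTEM\b", cmdline):
            hits.append("scheduled task created to run as SYSTEM")
        # /tr value runs up to the next /switch; fall back to the whole line
        m = re.search(r"(?i)/tr\s+(.+?)(?=\s+/[a-z]+\b|$)", cmdline)
        action = m.group(1) if m else cmdline
        if any(b in action.lower() for b in LOLBINS):
            hits.append("task action invokes a LOLBin")
        if USER_PATH.search(action):
            hits.append("task action references a user-writable path")
    elif exe == "explorer.exe" and "\\syswow64\\" in path.lower():
        hits.append("32-bit explorer.exe started from SysWOW64 (common injection target)")
    return hits

def triage(records):
    """Records with at least one finding, as (path, cmdline, findings)."""
    out = []
    for path, cmdline in records:
        hits = findings(path, cmdline)
        if hits:
            out.append((path, cmdline, hits))
    return out

if __name__ == "__main__":
    for path, cmdline, hits in triage(RECORDS):
        print(f"{path}\n  {cmdline}\n  -> {'; '.join(hits)}")
```

The schtasks line trips three rules at once (SYSTEM principal, LOLBin action, user-profile DLL), which is the record to alert on; the Excel, conhost and WerFault lines produce nothing, matching the report's own clean verdicts on the latter two.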

URLs

Name | IP | Malicious
https://api.diagnosticssdf.office.com | unknown | clean
https://login.microsoftonline.com/ | unknown | clean
https://shell.suite.office.com:1443 | unknown | clean
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | unknown | clean
https://autodiscover-s.outlook.com/ | unknown | clean
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | unknown | clean
https://cdn.entity. | unknown | clean
https://api.addins.omex.office.net/appinfo/query | unknown | clean
https://clients.config.office.net/user/v1.0/tenantassociationkey | unknown | clean
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | unknown | clean
https://powerlift.acompli.net | unknown | clean
https://rpsticket.partnerservices.getmicrosoftkey.com | unknown | clean
https://lookup.onenote.com/lookup/geolocation/v1 | unknown | clean
https://cortana.ai | unknown | clean
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | unknown | clean
https://cloudfiles.onenote.com/upload.aspx | unknown | clean
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | unknown | clean
https://entitlement.diagnosticssdf.office.com | unknown | clean
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | unknown | clean
https://api.aadrm.com/ | unknown | clean
https://ofcrecsvcapi-int.azurewebsites.net/ | unknown | clean
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | unknown | clean
https://api.microsoftstream.com/api/ | unknown | clean
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | unknown | clean
https://cr.office.com | unknown | clean
https://gruasphenbogota.com/C74hwGGxi/ka.html | unknown | clean
https://portal.office.com/account/?ref=ClientMeControl | unknown | clean
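Almost every URL in this table is ordinary Office client traffic, so the practical step is to strip that baseline and look at what is left. The following is an added example, not part of the sandbox report: the URL column copied from the table, reduced to hosts outside a small registered-domain allowlist. EXPECTED_SUFFIXES is the author's assumption about this host's baseline, not a vendor-published list; azurewebsites.net is left out deliberately because it is shared hosting, so a suffix match would say nothing about who runs the site. Note also that the report marks every URL here clean, including the one that is surfaced; the filter only decides what deserves a human look.

```python
"""Reduce the URL table to hosts that are not expected Office/M365 traffic.

Added example for this report, not sandbox code. URLS are copied from the
table; EXPECTED_SUFFIXES is a small allowlist and an assumption about the
baseline of this host, not a published list.
"""
from urllib.parse import urlsplit

URLS = [
    "https://api.diagnosticssdf.office.com",
    "https://login.microsoftonline.com/",
    "https://shell.suite.office.com:1443",
    "https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize",
    "https://autodiscover-s.outlook.com/",
    "https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr",
    "https://cdn.entity.",
    "https://api.addins.omex.office.net/appinfo/query",
    "https://clients.config.office.net/user/v1.0/tenantassociationkey",
    "https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/",
    "https://powerlift.acompli.net",
    "https://rpsticket.partnerservices.getmicrosoftkey.com",
    "https://lookup.onenote.com/lookup/geolocation/v1",
    "https://cortana.ai",
    "https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech",
    "https://cloudfiles.onenote.com/upload.aspx",
    "https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile",
    "https://entitlement.diagnosticssdf.office.com",
    "https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy",
    "https://api.aadrm.com/",
    "https://ofcrecsvcapi-int.azurewebsites.net/",
    "https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies",
    "https://api.microsoftstream.com/api/",
    "https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive",
    "https://cr.office.com",
    "https://gruasphenbogota.com/C74hwGGxi/ka.html",
    "https://portal.office.com/account/?ref=ClientMeControl",
]

# Registered-domain suffixes treated as expected Office client traffic
# (assumption). azurewebsites.net is omitted on purpose: anyone can host there.
EXPECTED_SUFFIXES = (
    "office.com", "office.net", "microsoftonline.com", "windows.net",
    "outlook.com", "onenote.com", "aadrm.com", "microsoftstream.com",
    "virtualearth.net", "acompli.net", "getmicrosoftkey.com", "cortana.ai",
)

def host_of(url: str) -> str:
    """Hostname only: drops scheme, port (shell.suite.office.com:1443), path,
    and a trailing dot such as the truncated 'https://cdn.entity.' entry."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def is_expected(host: str) -> bool:
    """Exact match or subdomain of an allowlisted suffix; never a substring."""
    return any(host == s or host.endswith("." + s) for s in EXPECTED_SUFFIXES)

def unexpected(urls):
    """URLs whose host is empty, truncated or outside the allowlist, in table order."""
    return [u for u in urls if not is_expected(host_of(u))]

if __name__ == "__main__":
    for u in unexpected(URLS):
        print("review:", u)
```

Matching on the registered domain with a leading dot (and not on a bare substring) is what keeps a host such as office.com.example.invalid from slipping through; the trade-off is that broad suffixes such as windows.net also cover customer-controlled Azure names, so the list should be as narrow as the environment allows.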