Malware Analysis Report

2025-06-16 05:12

Sample ID 230125-mkjypafg32
Target Doc_230125.xlsx
SHA256 8d9987b12667c1d3cfd71161c7d18fe4b152557157bed38264120baa49b184be
Tags
formbook xloader poub loader persistence rat spyware stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file Doc_230125.xlsx was found to be: Known bad.

Malicious Activity Summary

Formbook

Xloader

Xloader payload

Executes dropped EXE

Adds policy Run key to start application

Downloads MZ/PE file

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Launches Equation Editor

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-25 10:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-25 10:31

Reported

2023-01-25 10:33

Platform

win7-20220812-en

Max time kernel

148s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Xloader

loader xloader

Xloader payload

rat

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YHLXCRW8HH = "C:\\Program Files (x86)\\Aer4pdx_h\\mfcjrsd1nep.exe" C:\Windows\SysWOW64\raserver.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\raserver.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\name.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Public\name.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 748 set thread context of 1656 N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1656 set thread context of 1224 N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe C:\Windows\Explorer.EXE
PID 920 set thread context of 1224 N/A C:\Windows\SysWOW64\raserver.exe C:\Windows\Explorer.EXE

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Aer4pdx_h\mfcjrsd1nep.exe C:\Windows\SysWOW64\raserver.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\raserver.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\raserver.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1536 wrote to memory of 368 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 368 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 368 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 368 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\cmd.exe
PID 368 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\name.exe
PID 368 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\name.exe
PID 368 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\name.exe
PID 368 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\name.exe
PID 1168 wrote to memory of 748 N/A C:\Users\Public\name.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1168 wrote to memory of 748 N/A C:\Users\Public\name.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1168 wrote to memory of 748 N/A C:\Users\Public\name.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1168 wrote to memory of 748 N/A C:\Users\Public\name.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 748 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 748 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 748 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 748 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 748 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1224 wrote to memory of 920 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\raserver.exe
PID 1224 wrote to memory of 920 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\raserver.exe
PID 1224 wrote to memory of 920 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\raserver.exe
PID 1224 wrote to memory of 920 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\raserver.exe
PID 920 wrote to memory of 1336 N/A C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 1336 N/A C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 1336 N/A C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 1336 N/A C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 780 N/A C:\Windows\SysWOW64\raserver.exe C:\Program Files\Mozilla Firefox\Firefox.exe
PID 920 wrote to memory of 780 N/A C:\Windows\SysWOW64\raserver.exe C:\Program Files\Mozilla Firefox\Firefox.exe
PID 920 wrote to memory of 780 N/A C:\Windows\SysWOW64\raserver.exe C:\Program Files\Mozilla Firefox\Firefox.exe
PID 920 wrote to memory of 780 N/A C:\Windows\SysWOW64\raserver.exe C:\Program Files\Mozilla Firefox\Firefox.exe
PID 920 wrote to memory of 780 N/A C:\Windows\SysWOW64\raserver.exe C:\Program Files\Mozilla Firefox\Firefox.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Doc_230125.xlsx

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe

C:\Users\Public\name.exe

C:\Users\Public\name.exe

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe

"C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe" C:\Users\Admin\AppData\Local\Temp\ucpha.v

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe

"C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe"

C:\Windows\SysWOW64\raserver.exe

"C:\Windows\SysWOW64\raserver.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe"

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

Network

Files

\Users\Public\name.exe

C:\Users\Public\name.exe

\Users\Admin\AppData\Local\Temp\xnozsgld.exe

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe

C:\Users\Admin\AppData\Local\Temp\ucpha.v

MD5 d934356067b6133646fad1aa12371a1e
SHA1 23fe2ea62be0949a32ea6609345a8b8d27ce3757
SHA256 81f2eb3bd3c2135b0d6abdcc4f2e6427a76dac558928d4c8beb648a045010ae5
SHA512 26b50a5599353328bfc4609754ead9efd9e4084e4fdb6a9479ad56ea79aed81648de897e66c3dd1c9de1cdb6eba04855e4498f0d8d09f7804224ba27ceab91d8

C:\Users\Admin\AppData\Local\Temp\hcmpu.cqa

MD5 28eed71dacb4522dbf2c1aeca39e2c5d
SHA1 b5633dcf66f1657552ba992c55e7124250c23a35
SHA256 22bfb554d299b3fc4686643b0522384db2c92ebf64bd80475439b8dd9bbe7bc5
SHA512 7f08bc8237868fb6509baafd3c4a01663b0577ebec86aef9cb185bec13acb8c5787604329a85c74a2ebbc3f39933929a2f36ea21513330124bd2d66363e54cae

\Users\Admin\AppData\Local\Temp\xnozsgld.exe

MD5 d8394c44bc790e1bdab00823f689c1bd
SHA1 735d8986424e2ab3440f49a7a720ecaad43d491d
SHA256 234d80febbdd23b49a2ff5db4e51aa33e82cd77ff082ac6e8f32078cdd701007
SHA512 c6dd135932d86f6a7ae2b82045e024fddad3ce7286672c134e8314d2a7a003d237b4b62141b67c7947e6ca1fffa78047e015c5e714cfb56739ef152485cd559e

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe

MD5 d8394c44bc790e1bdab00823f689c1bd
SHA1 735d8986424e2ab3440f49a7a720ecaad43d491d
SHA256 234d80febbdd23b49a2ff5db4e51aa33e82cd77ff082ac6e8f32078cdd701007
SHA512 c6dd135932d86f6a7ae2b82045e024fddad3ce7286672c134e8314d2a7a003d237b4b62141b67c7947e6ca1fffa78047e015c5e714cfb56739ef152485cd559e

memory/1656-74-0x000000000041FF10-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe

MD5 d8394c44bc790e1bdab00823f689c1bd
SHA1 735d8986424e2ab3440f49a7a720ecaad43d491d
SHA256 234d80febbdd23b49a2ff5db4e51aa33e82cd77ff082ac6e8f32078cdd701007
SHA512 c6dd135932d86f6a7ae2b82045e024fddad3ce7286672c134e8314d2a7a003d237b4b62141b67c7947e6ca1fffa78047e015c5e714cfb56739ef152485cd559e

memory/1656-76-0x0000000000400000-0x000000000042C000-memory.dmp

memory/968-77-0x000000006CB11000-0x000000006CB13000-memory.dmp

memory/1656-78-0x0000000000830000-0x0000000000B33000-memory.dmp

memory/1656-79-0x00000000002C0000-0x00000000002D1000-memory.dmp

memory/1224-80-0x0000000006B70000-0x0000000006CCD000-memory.dmp

memory/968-81-0x000000007235D000-0x0000000072368000-memory.dmp

memory/1656-83-0x0000000000400000-0x000000000042C000-memory.dmp

memory/920-82-0x0000000000000000-mapping.dmp

memory/1336-85-0x0000000000000000-mapping.dmp

memory/920-86-0x00000000000F0000-0x000000000010C000-memory.dmp

memory/920-87-0x0000000000080000-0x00000000000AC000-memory.dmp

memory/920-88-0x0000000001F90000-0x0000000002293000-memory.dmp

memory/920-89-0x0000000001D50000-0x0000000001DE0000-memory.dmp

memory/920-90-0x0000000000080000-0x00000000000AC000-memory.dmp

memory/1224-91-0x0000000006CD0000-0x0000000006E18000-memory.dmp

memory/1224-92-0x0000000006CD0000-0x0000000006E18000-memory.dmp

memory/968-93-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/968-94-0x000000007235D000-0x0000000072368000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-25 10:31

Reported

2023-01-25 10:33

Platform

win10v2004-20221111-en

Max time kernel

104s

Max time network

139s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Doc_230125.xlsx"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Doc_230125.xlsx"

Network

Country Destination Domain Proto
N/A 93.184.220.29:80 tcp
N/A 104.80.225.205:443 tcp

Files

memory/2876-132-0x00007FF82E9F0000-0x00007FF82EA00000-memory.dmp

memory/2876-133-0x00007FF82E9F0000-0x00007FF82EA00000-memory.dmp

memory/2876-134-0x00007FF82E9F0000-0x00007FF82EA00000-memory.dmp

memory/2876-135-0x00007FF82E9F0000-0x00007FF82EA00000-memory.dmp

memory/2876-136-0x00007FF82E9F0000-0x00007FF82EA00000-memory.dmp

memory/2876-137-0x00007FF82C530000-0x00007FF82C540000-memory.dmp

memory/2876-138-0x00007FF82C530000-0x00007FF82C540000-memory.dmp

memory/2876-140-0x00007FF82E9F0000-0x00007FF82EA00000-memory.dmp

memory/2876-141-0x00007FF82E9F0000-0x00007FF82EA00000-memory.dmp

memory/2876-142-0x00007FF82E9F0000-0x00007FF82EA00000-memory.dmp

memory/2876-143-0x00007FF82E9F0000-0x00007FF82EA00000-memory.dmp