RTF drops file to XLSTART | Grouped Behavior
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Trojan, Spyware

83b0d7926fb2c5bc0708d9201043107e8709d77f2cd2fb5cb7693b2d930378d2 (SHA256)

Invitation CBS 2018 .doc.rtf

RTF Document

Created at 2018-08-05 19:04:00

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0xcdc Analysis Target Medium winword.exe "C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" /n -
#2 0xd4c RPC Server Medium eqnedt32.exe "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding #1

Behavior Information - Grouped by Category

Process #1: winword.exe
Information Value
ID #1
File Name c:\program files\microsoft office\office16\winword.exe
Command Line "C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" /n
Initial Working Directory C:\Users\Nd9E1FYi\Desktop\
Monitor Start Time: 00:00:16, Reason: Analysis Target
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:01:42
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcdc
Parent PID 0x770 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username X2VS1CUM\Nd9E1FYi
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9D8, 0x878, 0xAD8, 0xA84, 0x788, 0x2CC, 0x310, 0x558, 0xEA0, 0xC2C, 0xC28, 0xC30, 0xC38, 0xC74, 0xCE8, 0xD9C, 0xE38, 0xAAC
Region
For performance reasons, the remaining 201 entries are omitted.
The remaining entries can be found in flog.txt.
Process #2: eqnedt32.exe
Information Value
ID #2
File Name c:\program files\common files\microsoft shared\equation\eqnedt32.exe
Command Line "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:27, Reason: RPC Server
Unmonitor End Time: 00:00:32, Reason: Self Terminated
Monitor Duration 00:00:05
OS Process Information
Information Value
PID 0xd4c
Parent PID 0x248 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username X2VS1CUM\Nd9E1FYi
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD68, 0xD0C, 0xD44, 0xD40, 0xD28, 0xD38
Region
Created Files
Filename: C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Excel\XLSTART\AddIn.XLAM
File Size: 306.89 KB
MD5: ec9f3c5bf085338ca182dac6a4e6aaab
SHA1: f5d638ed93d06834af8bc7df7d2737ab645b7fd7
SHA256: ea4a4162cd6ffad02d142c48067c1239253f688b8f163fd2887229d8a3240253
SSDeep: 6144:WeXipcxLylQa5fVkfxLo5rmf4cpNQsgw2a/2Bi8GKjnloh4ios:WeXiUOFfy1+rmAMNKwTeY8GQloh4ios
YARA Match: True
Host Behavior
File (3)
Operation Filename Additional Information Success Count
Create Directory C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Excel - False 1
Create Directory C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Excel\XLSTART - False 1
Move C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Excel\XLSTART\AddIn.XLAM source_filename = C:\Users\Nd9E1FYi\AppData\Local\Temp\~ZqSpEj.tmp True 1
Module (5)
Operation Module Additional Information Success Count
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathA, address_out = 0x74d36b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x74d2a8a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x74d36850 True 1
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileA, address_out = 0x74d33c90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x74d37b30 True 1
Environment (1)
Operation Additional Information Success Count
Get Environment String name = APPDATA, result_out = C:\Users\Nd9E1FYi\AppData\Roaming True 1