File name: | documento1_653.xls |
Full analysis: | https://app.any.run/tasks/c3958e76-647b-475d-83e2-2b6781935904 |
Verdict: | Malicious activity |
Analysis date: | October 20, 2020, 12:01:53 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: LCsGRzym, Last Saved By: administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Oct 20 05:51:55 2020, Last Saved Time/Date: Tue Oct 20 06:24:11 2020, Security: 1 |
MD5: | A3AEDEC7404DE298C5712A7E43F4F5E7 |
SHA1: | E8D8A38D9FFE9FFF4B69378D753D73A49D6CECE4 |
SHA256: | C3082633DFDFD21BF76F895E16AE0B7F024D4525F06E8A515B9341763E8D97BA |
SSDEEP: | 3072:83Dsg/3P3i0gkAKSew3Xe7m8YNKtIxv98oizHX/KpRp/n8nVQTF1DhGhv:83Qu3v9onESKtI/8/HypRpBp1yv |
.xls | | | Microsoft Excel sheet (78.9) |
---|
Author: | LCsGRzym |
---|---|
LastModifiedBy: | administrator |
Software: | Microsoft Excel |
CreateDate: | 2020:10:20 04:51:55 |
ModifyDate: | 2020:10:20 05:24:11 |
Security: | Password protected |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: |
|
HeadingPairs: |
|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3068 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
2864 | "C:\Windows\System32\rundll32.exe" qOJmoVb.dll,DllRegisterServer | C:\Windows\System32\rundll32.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3068 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR5028.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3068 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\documento1_653.xls.LNK | lnk | |
MD5:08221B24B1AEA216816381A12818794E | SHA256:2F7846E858F44DDBA03CE2F1DE0A0343551FD57C624EE35BBEF732E4FB484795 | |||
3068 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:758CA97567DBB0AF9920EAEC4DDAAC30 | SHA256:ACD61882BFD5A3B2110234533AB8FC10F6A915C8F1D6905C40077546392AE2BE |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3068 | EXCEL.EXE | 176.32.32.16:80 | linksystems.bar | LLC Baxet | RU | suspicious |
Domain | IP | Reputation |
---|---|---|
linksystems.bar |
| suspicious |
dns.msftncsi.com |
| shared |