Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
listing new.xlsx
|
CDFV2 Encrypted
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\raki[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
|
downloaded
|
|
|
|
C:\Users\user\Desktop\~$listing new.xlsx
|
data
|
dropped
|
|
|
|
C:\Users\Public\vbc.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\19980AFC.png
|
PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5319FF63.png
|
PNG image data, 139 x 180, 8-bit colormap, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5BA3143E.png
|
PNG image data, 139 x 180, 8-bit colormap, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7E91C95F.png
|
PNG image data, 139 x 180, 8-bit colormap, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\84BE6A08.png
|
PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\948B366A.png
|
PNG image data, 139 x 180, 8-bit colormap, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9B66BB27.png
|
PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CED38AF1.emf
|
Windows Enhanced Metafile (EMF) image data version 0x10000
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F3B4F6CD.png
|
PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F6B29269.png
|
PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F9A84556.png
|
PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\forbrugersamfundet.dat
|
DOS executable (COM)
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\gamer.txt
|
ASCII text, with very long lines, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\nsj734E.tmp\System.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DF4BE3E1CBE08654A7.TMP
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DFBA4CF9152A1E9E13.TMP
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DFD3BE83FE1AD51971.TMP
|
CDFV2 Encrypted
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DFEB9B29E3F948747D.TMP
|
data
|
dropped
|
There are 12 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
|
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
|
|
|
|
C:\Users\Public\vbc.exe
|
"C:\Users\Public\vbc.exe"
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://50.16.4.125/E/raki.exe
|
50.16.4.125
|
|
|
|
https://dariamob.ro/wed/eee_XScUCMEVL
|
|
||
|
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
|
unknown
|
||
|
http://www.windows.com/pctv.
|
unknown
|
||
|
http://investor.msn.com
|
unknown
|
||
|
http://www.msnbc.com/news/ticker.txt
|
unknown
|
||
|
http://www.icra.org/vocabulary/.
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
|
unknown
|
||
|
http://investor.msn.com/
|
unknown
|
||
|
http://www.%s.comPA
|
unknown
|
||
|
http://nsis.sf.net/NSIS_ErrorError
|
unknown
|
||
|
http://windowsmedia.com/redir/services.asp?WMPFriendly=true
|
unknown
|
||
|
http://www.hotmail.com/oe
|
unknown
|
There are 3 hidden URLs, click here to show them.
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
50.16.4.125
|
unknown
|
United States
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
&%-
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
|
MTTT
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
ReviewToken
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2ED6B
|
2ED6B
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
VBAFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
v,-
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\33801
|
33801
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\34B91
|
34B91
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
|
Max Display
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
|
Item 1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Max Display
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 2
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 3
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 4
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 5
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 6
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 7
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 8
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 9
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 10
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 11
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 12
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 13
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 14
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 15
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 16
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 17
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 18
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 19
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 20
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 21
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
|
LastPurgeTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
EXCELFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\33801
|
33801
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
EquationEditorFilesIntl_1033
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
|
SavedLegacySettings
|
There are 30 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
3750000
|
unkown
|
page execute and read and write
|
|
|
|
3E6000
|
heap default
|
page read and write
|
||
|
3D0000
|
unkown image
|
page readonly
|
||
|
7EFE0000
|
unkown image
|
page readonly
|
||
|
680000
|
heap private
|
page read and write
|
||
|
7FFFFFC2000
|
unkown image
|
page readonly
|
||
|
40A000
|
unkown image
|
page read and write
|
||
|
8B7000
|
heap default
|
page read and write
|
||
|
7EFC2000
|
unkown image
|
page readonly
|
||
|
7FFFFFB0000
|
unkown image
|
page readonly
|
||
|
3B0000
|
unkown image
|
page readonly
|
||
|
729A0000
|
unkown image
|
page readonly
|
||
|
2790000
|
unkown
|
page read and write
|
||
|
450000
|
unkown image
|
page readonly
|
||
|
400000
|
unkown image
|
page readonly
|
||
|
910000
|
heap default
|
page read and write
|
||
|
374E000
|
stack
|
page read and write
|
||
|
2904000
|
heap private
|
page read and write
|
||
|
8D4000
|
heap default
|
page read and write
|
||
|
3A7000
|
heap default
|
page read and write
|
||
|
400000
|
unkown image
|
page readonly
|
||
|
230000
|
unkown image
|
page readonly
|
||
|
401000
|
unkown image
|
page execute read
|
||
|
3E0000
|
unkown image
|
page read and write
|
||
|
810000
|
heap private
|
page read and write
|
||
|
1A0000
|
unkown image
|
page readonly
|
||
|
C1E000
|
stack
|
page read and write
|
||
|
408000
|
unkown image
|
page readonly
|
||
|
3DD000
|
heap default
|
page read and write
|
||
|
40A000
|
unkown image
|
page write copy
|
||
|
7EFC2000
|
unkown image
|
page readonly
|
||
|
3270000
|
unkown image
|
page readonly
|
||
|
7FFFFFB0000
|
unkown image
|
page readonly
|
||
|
3A0000
|
heap default
|
page read and write
|
||
|
7EFD0000
|
unkown image
|
page readonly
|
||
|
870000
|
heap private
|
page read and write
|
||
|
20000
|
unkown
|
page read and write
|
||
|
7FFFFFB2000
|
unkown image
|
page readonly
|
||
|
30000
|
unkown image
|
page readonly
|
||
|
5F0000
|
unkown image
|
page readonly
|
||
|
284D000
|
stack
|
page read and write
|
||
|
1C0000
|
unkown
|
page read and write
|
||
|
44C000
|
unkown image
|
page readonly
|
||
|
442000
|
unkown image
|
page read and write
|
||
|
401000
|
unkown image
|
page execute read
|
||
|
2790000
|
unkown
|
page read and write
|
||
|
640000
|
heap default
|
page read and write
|
||
|
408000
|
unkown image
|
page readonly
|
||
|
7FFFFFC2000
|
unkown image
|
page readonly
|
||
|
A6F000
|
stack
|
page read and write
|
||
|
610000
|
unkown image
|
page readonly
|
||
|
832000
|
heap private
|
page read and write
|
||
|
6C0000
|
unkown
|
page read and write
|
||
|
7EFB0000
|
unkown image
|
page readonly
|
||
|
1BD000
|
unkown
|
page read and write
|
||
|
729A6000
|
unkown image
|
page readonly
|
||
|
431000
|
unkown image
|
page read and write
|
||
|
3EB000
|
heap default
|
page read and write
|
||
|
2900000
|
heap private
|
page read and write
|
||
|
9B0000
|
unkown image
|
page readonly
|
||
|
290B000
|
heap private
|
page read and write
|
||
|
7FFFFFC0000
|
unkown image
|
page readonly
|
||
|
10000
|
unkown image
|
page read and write
|
||
|
34F000
|
stack
|
page read and write
|
||
|
1DB0000
|
unkown image
|
page readonly
|
||
|
7EFB2000
|
unkown image
|
page readonly
|
||
|
7EFC0000
|
unkown image
|
page readonly
|
||
|
7EFE0000
|
unkown image
|
page readonly
|
||
|
3C6000
|
heap private
|
page read and write
|
||
|
10000
|
unkown image
|
page read and write
|
||
|
7EFDF000
|
unkown
|
page read and write
|
||
|
2790000
|
unkown
|
page read and write
|
||
|
2908000
|
heap private
|
page read and write
|
||
|
1F6000
|
unkown
|
page read and write
|
||
|
7FFFFFD0000
|
unkown image
|
page readonly
|
||
|
7EFD0000
|
unkown image
|
page readonly
|
||
|
7FFFFFD0000
|
unkown image
|
page readonly
|
||
|
8B0000
|
heap default
|
page read and write
|
||
|
900000
|
heap default
|
page read and write
|
||
|
729A4000
|
unkown image
|
page readonly
|
||
|
729A1000
|
unkown image
|
page execute read
|
||
|
729A0000
|
unkown image
|
page readonly
|
||
|
7FFFFFC0000
|
unkown image
|
page readonly
|
||
|
190000
|
unkown image
|
page readonly
|
||
|
814000
|
heap private
|
page read and write
|
||
|
42C000
|
unkown image
|
page read and write
|
||
|
44C000
|
unkown image
|
page readonly
|
||
|
18C000
|
unkown
|
page read and write
|
||
|
7EFB2000
|
unkown image
|
page readonly
|
||
|
7FFFFFB2000
|
unkown image
|
page readonly
|
||
|
7EFB0000
|
unkown image
|
page readonly
|
||
|
2790000
|
unkown
|
page read and write
|
||
|
21A0000
|
unkown image
|
page readonly
|
||
|
7EFC0000
|
unkown image
|
page readonly
|
||
|
684000
|
heap private
|
page read and write
|
||
|
400000
|
unkown image
|
page readonly
|
||
|
3457000
|
unkown image
|
page readonly
|
||
|
40000
|
unkown image
|
page readonly
|
||
|
3C0000
|
heap private
|
page read and write
|
||
|
89000
|
unkown
|
page read and write
|
There are 90 hidden memdumps, click here to show them.