Files
File Path
|
Type
|
Category
|
Malicious
|
|
---|---|---|---|---|
7027521.xlsx
|
CDFV2 Encrypted
|
initial sample
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\raki[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
|
downloaded
|
||
C:\Users\user\Desktop\~$7027521.xlsx
|
data
|
dropped
|
||
C:\Users\Public\vbc.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2864187B.emf
|
Windows Enhanced Metafile (EMF) image data version 0x10000
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\38B5F198.png
|
PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3A630C1D.png
|
PNG image data, 139 x 180, 8-bit colormap, non-interlaced
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\52D94040.png
|
PNG image data, 139 x 180, 8-bit colormap, non-interlaced
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\54488366.png
|
PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5AE1F18C.png
|
PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\652ED133.jpeg
|
JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames
3
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\929BD04E.png
|
PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9CB02B7A.png
|
PNG image data, 139 x 180, 8-bit colormap, non-interlaced
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AE1C341.jpeg
|
JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames
3
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DE86A7F7.png
|
PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F757D4B9.png
|
PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FF502F.png
|
PNG image data, 139 x 180, 8-bit colormap, non-interlaced
|
dropped
|
||
C:\Users\user\AppData\Local\Temp\Pyknisk.dat
|
data
|
dropped
|
||
C:\Users\user\AppData\Local\Temp\nsb1814.tmp\System.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
C:\Users\user\AppData\Local\Temp\secur32.dll
|
PE32 executable (DLL) (console) Intel 80386, for MS Windows
|
dropped
|
||
C:\Users\user\AppData\Local\Temp\sxsstore.dll
|
PE32 executable (DLL) (console) Intel 80386, for MS Windows
|
dropped
|
||
C:\Users\user\AppData\Local\Temp\~DF12666A7CD415755E.TMP
|
data
|
dropped
|
||
C:\Users\user\AppData\Local\Temp\~DF505DD9AFA69CB501.TMP
|
data
|
dropped
|
||
C:\Users\user\AppData\Local\Temp\~DF5384EF3ECDAC44CB.TMP
|
CDFV2 Encrypted
|
dropped
|
||
C:\Users\user\AppData\Local\Temp\~DF928E213DED05A15C.TMP
|
data
|
dropped
|
There are 15 hidden files, click here to show them.
Processes
Path
|
Cmdline
|
Malicious
|
|
---|---|---|---|
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
|
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
|
||
C:\Users\Public\vbc.exe
|
"C:\Users\Public\vbc.exe"
|
||
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
|
URLs
Name
|
IP
|
Malicious
|
|
---|---|---|---|
http://50.16.4.125/E/raki.exe
|
50.16.4.125
|
||
https://dariamob.ro/wed/eee_XScUCMEVL47.
|
|||
http://nsis.sf.net/NSIS_ErrorError
|
unknown
|
IPs
IP
|
Domain
|
Country
|
Malicious
|
|
---|---|---|---|---|
50.16.4.125
|
unknown
|
United States
|
Registry
Path
|
Value
|
Malicious
|
|
---|---|---|---|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
) +
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
|
MTTT
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
ReviewToken
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2ED8A
|
2ED8A
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
VBAFiles
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
o)+
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\33A13
|
33A13
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\34CA9
|
34CA9
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
|
Max Display
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
|
Item 1
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Max Display
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 1
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 2
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 3
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 4
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 5
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 6
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 7
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 8
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 9
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 10
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 11
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 12
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 13
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 14
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 15
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 16
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 17
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 18
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 19
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 20
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 21
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
|
LastPurgeTime
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
EXCELFiles
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\33A13
|
33A13
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
EquationEditorFilesIntl_1033
|
||
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
|
SavedLegacySettings
|
There are 30 hidden registries, click here to show them.
Memdumps
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
---|---|---|---|---|
3790000
|
trusted library allocation
|
page execute and read and write
|
||
460000
|
trusted library allocation
|
page read and write
|
||
408000
|
unkown
|
page readonly
|
||
2E0000
|
heap
|
page read and write
|
||
73196000
|
unkown
|
page readonly
|
||
2948000
|
heap
|
page read and write
|
||
71F000
|
stack
|
page read and write
|
||
22D000
|
heap
|
page read and write
|
||
42C000
|
unkown
|
page read and write
|
||
2790000
|
trusted library allocation
|
page read and write
|
||
400000
|
unkown
|
page readonly
|
||
89000
|
stack
|
page read and write
|
||
1F20000
|
trusted library allocation
|
page read and write
|
||
10000
|
heap
|
page read and write
|
||
1EE0000
|
heap
|
page read and write
|
||
5DF000
|
stack
|
page read and write
|
||
2790000
|
trusted library allocation
|
page read and write
|
||
40A000
|
unkown
|
page write copy
|
||
7EFE0000
|
unkown
|
page readonly
|
||
431000
|
unkown
|
page read and write
|
||
1EE4000
|
heap
|
page read and write
|
||
442000
|
unkown
|
page read and write
|
||
5A4000
|
heap
|
page read and write
|
||
587000
|
heap
|
page read and write
|
||
400000
|
unkown
|
page readonly
|
||
5CF000
|
heap
|
page read and write
|
||
2F0000
|
heap
|
page read and write
|
||
73191000
|
unkown
|
page execute read
|
||
73194000
|
unkown
|
page readonly
|
||
1F7000
|
heap
|
page read and write
|
||
326000
|
heap
|
page read and write
|
||
401000
|
unkown
|
page execute read
|
||
1D0000
|
heap
|
page read and write
|
||
40A000
|
unkown
|
page read and write
|
||
401000
|
unkown
|
page execute read
|
||
2944000
|
heap
|
page read and write
|
||
BBE000
|
stack
|
page read and write
|
||
1F0000
|
heap
|
page read and write
|
||
73190000
|
unkown
|
page readonly
|
||
1D4000
|
heap
|
page read and write
|
||
16D000
|
stack
|
page read and write
|
||
408000
|
unkown
|
page readonly
|
||
2790000
|
trusted library allocation
|
page read and write
|
||
2940000
|
heap
|
page read and write
|
||
236000
|
heap
|
page read and write
|
||
10000
|
heap
|
page read and write
|
||
580000
|
heap
|
page read and write
|
||
856000
|
heap
|
page read and write
|
||
1F02000
|
heap
|
page read and write
|
||
18C000
|
stack
|
page read and write
|
||
52F000
|
stack
|
page read and write
|
||
44C000
|
unkown
|
page readonly
|
||
378E000
|
stack
|
page read and write
|
||
5D4000
|
heap
|
page read and write
|
||
44C000
|
unkown
|
page readonly
|
||
84D000
|
stack
|
page read and write
|
||
5E3000
|
heap
|
page read and write
|
||
294B000
|
heap
|
page read and write
|
||
23B000
|
heap
|
page read and write
|
||
1FC0000
|
heap
|
page read and write
|
||
850000
|
heap
|
page read and write
|
There are 51 hidden memdumps, click here to show them.