Files
File Path
|
Type
|
Category
|
Malicious
|
|
---|---|---|---|---|
_FM_BUSAN_HOCHIMINH_.xlsx
|
CDFV2 Encrypted
|
initial sample
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.win32[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
downloaded
|
||
C:\Users\user\Desktop\~$_FM_BUSAN_HOCHIMINH_.xlsx
|
data
|
dropped
|
||
C:\Users\Public\vbc.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\364E3B76.png
|
PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\53C8C381.png
|
PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\56B0538E.png
|
PNG image data, 139 x 180, 8-bit colormap, non-interlaced
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5FD2FA65.png
|
PNG image data, 139 x 180, 8-bit colormap, non-interlaced
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6157F522.jpeg
|
JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames
3
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6EA96328.jpeg
|
JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames
3
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\87C9FA8A.emf
|
Windows Enhanced Metafile (EMF) image data version 0x10000
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8CB27180.png
|
PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\92ED0EF4.png
|
PNG image data, 139 x 180, 8-bit colormap, non-interlaced
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BC3008FF.png
|
PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CB03F909.png
|
PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D68EB503.png
|
PNG image data, 139 x 180, 8-bit colormap, non-interlaced
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ED74FEBB.png
|
PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
C:\Users\user\AppData\Local\Temp\~DF0E35C54C087F7535.TMP
|
CDFV2 Encrypted
|
dropped
|
||
C:\Users\user\AppData\Local\Temp\~DF2D24CE383036F6FE.TMP
|
data
|
dropped
|
||
C:\Users\user\AppData\Local\Temp\~DF6D2E29A086E66B49.TMP
|
data
|
dropped
|
||
C:\Users\user\AppData\Local\Temp\~DFE7F835AEEEC2A8C9.TMP
|
data
|
dropped
|
There are 11 hidden files, click here to show them.
Processes
Path
|
Cmdline
|
Malicious
|
|
---|---|---|---|
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
|
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
|
||
C:\Users\Public\vbc.exe
|
"C:\Users\Public\vbc.exe"
|
||
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
|
URLs
Name
|
IP
|
Malicious
|
|
---|---|---|---|
http://198.46.132.195/ProgramFile/.win32.exe
|
198.46.132.195
|
||
http://crl.thawte.com/ThawteTimestampingCA.crl0
|
unknown
|
||
https://www.chiark.greenend.org.uk/~sgtatham/putty/
|
unknown
|
||
https://www.chiark.greenend.org.uk/~sgtatham/putty/0
|
unknown
|
||
http://ocsp.thawte.com0
|
unknown
|
IPs
IP
|
Domain
|
Country
|
Malicious
|
|
---|---|---|---|---|
198.46.132.195
|
unknown
|
United States
|
Registry
Path
|
Value
|
Malicious
|
|
---|---|---|---|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
un,
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
|
MTTT
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
ReviewToken
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2FF36
|
2FF36
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
VBAFiles
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
yw,
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\34A78
|
34A78
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\35E94
|
35E94
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
|
Max Display
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
|
Item 1
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Max Display
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 1
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 2
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 3
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 4
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 5
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 6
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 7
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 8
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 9
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 10
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 11
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 12
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 13
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 14
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 15
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 16
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 17
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 18
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 19
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 20
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 21
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
|
LastPurgeTime
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
EXCELFiles
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\34A78
|
34A78
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
EquationEditorFilesIntl_1033
|
||
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
|
SavedLegacySettings
|
There are 30 hidden registries, click here to show them.
Memdumps
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
---|---|---|---|---|
8DB000
|
heap
|
page read and write
|
||
2F0000
|
heap
|
page read and write
|
||
8D4000
|
heap
|
page read and write
|
||
F4000
|
heap
|
page read and write
|
||
1391000
|
unkown
|
page execute read
|
||
320000
|
heap
|
page read and write
|
||
882000
|
heap
|
page read and write
|
||
1499000
|
unkown
|
page readonly
|
||
1499000
|
unkown
|
page readonly
|
||
141F000
|
unkown
|
page readonly
|
||
8D8000
|
heap
|
page read and write
|
||
2E6000
|
heap
|
page read and write
|
||
9D0000
|
heap
|
page read and write
|
||
4C0000
|
heap
|
page read and write
|
||
1390000
|
unkown
|
page readonly
|
||
344000
|
heap
|
page read and write
|
||
420000
|
trusted library allocation
|
page read and write
|
||
1446000
|
unkown
|
page write copy
|
||
327000
|
heap
|
page read and write
|
||
144C000
|
unkown
|
page readonly
|
||
230000
|
heap
|
page read and write
|
||
144C000
|
unkown
|
page readonly
|
||
B8F000
|
stack
|
page read and write
|
||
56F000
|
stack
|
page read and write
|
||
7EFE0000
|
unkown
|
page readonly
|
||
1B7000
|
heap
|
page read and write
|
||
1446000
|
unkown
|
page read and write
|
||
F0000
|
heap
|
page read and write
|
||
1F6000
|
heap
|
page read and write
|
||
1449000
|
unkown
|
page read and write
|
||
8D0000
|
heap
|
page read and write
|
||
1ED000
|
heap
|
page read and write
|
||
1390000
|
unkown
|
page readonly
|
||
10000
|
heap
|
page read and write
|
||
10000
|
heap
|
page read and write
|
||
1B0000
|
heap
|
page read and write
|
||
89000
|
stack
|
page read and write
|
||
860000
|
heap
|
page read and write
|
||
864000
|
heap
|
page read and write
|
||
1F8000
|
heap
|
page read and write
|
||
1391000
|
unkown
|
page execute read
|
||
141F000
|
unkown
|
page readonly
|
||
18C000
|
stack
|
page read and write
|
||
2B0000
|
heap
|
page read and write
|
||
18D000
|
stack
|
page read and write
|
||
5FF000
|
stack
|
page read and write
|
There are 36 hidden memdumps, click here to show them.