Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
OR17233976_00019489_20170619154218.xlsx
|
CDFV2 Encrypted
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
|
downloaded
|
|
|
|
C:\Users\user\Desktop\~$OR17233976_00019489_20170619154218.xlsx
|
data
|
dropped
|
|
|
|
C:\Users\Public\vbc.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3288E575.png
|
PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\53BF4B19.wmf
|
ms-windows metafont .wmf
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\76413093.png
|
PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\90EF2157.emf
|
Windows Enhanced Metafile (EMF) image data version 0x10000
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B4D6F58F.jpeg
|
JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 150x150, frames
3
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9050978.png
|
PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9F9AC7D.wmf
|
ms-windows metafont .wmf
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C49C905A.jpeg
|
JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 150x150, frames
3
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CE13C646.wmf
|
ms-windows metafont .wmf
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CFB87244.png
|
PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4EC5B6C.wmf
|
ms-windows metafont .wmf
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\AEGISIIINVHelper.dll
|
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll
|
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\CoverDes.exe.manifest
|
XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\Uforholdsvises7.wad
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\emblem-default-symbolic.symbolic.png
|
PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\face-crying.png
|
PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\nszEA61.tmp\System.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\wxbase30u_xml_gcc_custom.dll
|
PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DF356FB6003FFB313F.TMP
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DF6D478D5B0CAAFC00.TMP
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DFE089B71C9CC2CAF5.TMP
|
CDFV2 Encrypted
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DFEBF9B8A93FED7DB2.TMP
|
data
|
dropped
|
There are 17 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
|
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
|
|
|
|
C:\Users\Public\vbc.exe
|
"C:\Users\Public\vbc.exe"
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://103.149.13.182/365space/.svchost.exej
|
unknown
|
|
|
|
http://103.149.13.182/365space/.svchost.exe
|
103.149.13.182
|
|
|
|
http://103.149.13.182/365space/.svchost.exemmC:
|
unknown
|
|
|
|
http://ocsp2.globals)
|
unknown
|
||
|
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
|
unknown
|
||
|
http://nsis.sf.net/NSIS_ErrorError
|
unknown
|
||
|
http://ocsp.sectigo.com0
|
unknown
|
||
|
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
|
unknown
|
||
|
http://crl.globalsig
|
unknown
|
||
|
https://www.globalsign.9
|
unknown
|
||
|
https://sectigo.com/CPS0C
|
unknown
|
There are 1 hidden URLs, click here to show them.
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
103.149.13.182
|
unknown
|
unknown
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
?<0
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
|
MTTT
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
ReviewToken
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\675BC
|
675BC
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus
|
FontCachePath
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
VBAFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
3/0
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\6CB3B
|
6CB3B
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\6F122
|
6F122
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
|
Max Display
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
|
Item 1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Max Display
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 2
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 3
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 4
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 5
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 6
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 7
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 8
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 9
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 10
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 11
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 12
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 13
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 14
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 15
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 16
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 17
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 18
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 19
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 20
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 21
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
|
LastPurgeTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
EXCELFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\6CB3B
|
6CB3B
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
EquationEditorFilesIntl_1033
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
|
SavedLegacySettings
|
||
|
HKEY_CURRENT_USER\Software\Tilmaalingen\UMBILECTOMY
|
NATURLOVEN
|
There are 32 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
3A60000
|
direct allocation
|
page execute and read and write
|
|
|
|
2BDB000
|
heap
|
page read and write
|
||
|
2B0000
|
heap
|
page read and write
|
||
|
18A000
|
stack
|
page read and write
|
||
|
9A7000
|
heap
|
page read and write
|
||
|
22A0000
|
heap
|
page read and write
|
||
|
786000
|
unkown
|
page read and write
|
||
|
71A000
|
heap
|
page read and write
|
||
|
395D000
|
stack
|
page read and write
|
||
|
6C50000
|
trusted library allocation
|
page read and write
|
||
|
7A9000
|
unkown
|
page read and write
|
||
|
292F000
|
stack
|
page read and write
|
||
|
408000
|
unkown
|
page readonly
|
||
|
7330000
|
trusted library allocation
|
page read and write
|
||
|
231C000
|
stack
|
page read and write
|
||
|
693D000
|
stack
|
page read and write
|
||
|
732C000
|
stack
|
page read and write
|
||
|
6240000
|
trusted library allocation
|
page read and write
|
||
|
6C0F000
|
stack
|
page read and write
|
||
|
2B4000
|
heap
|
page read and write
|
||
|
2BF000
|
stack
|
page read and write
|
||
|
788000
|
unkown
|
page read and write
|
||
|
673D000
|
stack
|
page read and write
|
||
|
614F000
|
stack
|
page read and write
|
||
|
2B40000
|
trusted library allocation
|
page read and write
|
||
|
1DA0000
|
heap
|
page read and write
|
||
|
683D000
|
stack
|
page read and write
|
||
|
2320000
|
heap
|
page read and write
|
||
|
711000
|
heap
|
page read and write
|
||
|
7D6000
|
unkown
|
page readonly
|
||
|
350000
|
heap
|
page read and write
|
||
|
255F000
|
stack
|
page read and write
|
||
|
A0D000
|
heap
|
page read and write
|
||
|
77C000
|
unkown
|
page read and write
|
||
|
310000
|
heap
|
page read and write
|
||
|
C96000
|
heap
|
page read and write
|
||
|
10000
|
heap
|
page read and write
|
||
|
625D000
|
trusted library allocation
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
64FC000
|
stack
|
page read and write
|
||
|
6B00000
|
heap
|
page read and write
|
||
|
89000
|
stack
|
page read and write
|
||
|
6D4C000
|
stack
|
page read and write
|
||
|
1DB0000
|
direct allocation
|
page read and write
|
||
|
627F000
|
trusted library allocation
|
page read and write
|
||
|
7D6000
|
unkown
|
page readonly
|
||
|
647000
|
heap
|
page read and write
|
||
|
647E000
|
stack
|
page read and write
|
||
|
1D99000
|
trusted library section
|
page readonly
|
||
|
2BD0000
|
heap
|
page read and write
|
||
|
708A4000
|
unkown
|
page readonly
|
||
|
6D2000
|
heap
|
page read and write
|
||
|
9C4000
|
heap
|
page read and write
|
||
|
22A8000
|
heap
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
69D000
|
heap
|
page read and write
|
||
|
708A0000
|
unkown
|
page readonly
|
||
|
3A5E000
|
stack
|
page read and write
|
||
|
6200000
|
heap
|
page read and write
|
||
|
664000
|
heap
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
61C0000
|
heap
|
page read and write
|
||
|
2342000
|
heap
|
page read and write
|
||
|
270000
|
heap
|
page read and write
|
||
|
708A6000
|
unkown
|
page readonly
|
||
|
3420000
|
trusted library allocation
|
page read and write
|
||
|
6ABF000
|
stack
|
page read and write
|
||
|
663F000
|
stack
|
page read and write
|
||
|
1D0E000
|
stack
|
page read and write
|
||
|
2490000
|
trusted library allocation
|
page read and write
|
||
|
2B40000
|
trusted library allocation
|
page read and write
|
||
|
408000
|
unkown
|
page readonly
|
||
|
2A2F000
|
stack
|
page read and write
|
||
|
2FE000
|
stack
|
page read and write
|
||
|
2BD4000
|
heap
|
page read and write
|
||
|
40A000
|
unkown
|
page write copy
|
||
|
6A7E000
|
stack
|
page read and write
|
||
|
89000
|
stack
|
page read and write
|
||
|
70D000
|
heap
|
page read and write
|
||
|
1D94000
|
trusted library section
|
page readonly
|
||
|
C90000
|
heap
|
page read and write
|
||
|
35D000
|
stack
|
page read and write
|
||
|
722000
|
heap
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
370000
|
heap
|
page read and write
|
||
|
6C10000
|
trusted library allocation
|
page read and write
|
||
|
2D2000
|
heap
|
page read and write
|
||
|
22A4000
|
heap
|
page read and write
|
||
|
277000
|
heap
|
page read and write
|
||
|
697E000
|
stack
|
page read and write
|
||
|
6500000
|
heap
|
page read and write
|
||
|
6B1000
|
heap
|
page read and write
|
||
|
782000
|
unkown
|
page read and write
|
||
|
A0A000
|
heap
|
page read and write
|
||
|
370000
|
heap
|
page read and write
|
||
|
626F000
|
trusted library allocation
|
page read and write
|
||
|
7B5000
|
unkown
|
page read and write
|
||
|
7A4000
|
unkown
|
page read and write
|
||
|
2324000
|
heap
|
page read and write
|
||
|
9FB000
|
heap
|
page read and write
|
||
|
1D10000
|
trusted library allocation
|
page read and write
|
||
|
7330000
|
trusted library allocation
|
page read and write
|
||
|
2BD8000
|
heap
|
page read and write
|
||
|
708A1000
|
unkown
|
page execute read
|
||
|
22AB000
|
heap
|
page read and write
|
||
|
640000
|
heap
|
page read and write
|
||
|
2A40000
|
trusted library allocation
|
page read and write
|
||
|
643F000
|
stack
|
page read and write
|
||
|
6503000
|
heap
|
page read and write
|
||
|
6E00000
|
heap
|
page read and write
|
||
|
618E000
|
stack
|
page read and write
|
||
|
10000
|
heap
|
page read and write
|
||
|
18C000
|
stack
|
page read and write
|
||
|
9EF000
|
heap
|
page read and write
|
||
|
7AD000
|
unkown
|
page read and write
|
||
|
1D90000
|
trusted library section
|
page readonly
|
||
|
245F000
|
stack
|
page read and write
|
||
|
7330000
|
trusted library allocation
|
page read and write
|
||
|
64BD000
|
stack
|
page read and write
|
||
|
7A6000
|
unkown
|
page read and write
|
||
|
1D9F000
|
trusted library section
|
page readonly
|
||
|
2A40000
|
trusted library allocation
|
page read and write
|
||
|
610D000
|
stack
|
page read and write
|
||
|
9A0000
|
heap
|
page read and write
|
||
|
40A000
|
unkown
|
page read and write
|
||
|
6284000
|
trusted library allocation
|
page read and write
|
There are 116 hidden memdumps, click here to show them.