Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
yeni teklif talebi.xlsx
|
CDFV2 Encrypted
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Komiten6[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
|
downloaded
|
|
|
|
C:\Users\user\Desktop\~$yeni teklif talebi.xlsx
|
data
|
dropped
|
|
|
|
C:\Users\Public\vbc.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\189C2737.wmf
|
ms-windows metafont .wmf
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3E1683BB.emf
|
Windows Enhanced Metafile (EMF) image data version 0x10000
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\80E4BC8E.wmf
|
ms-windows metafont .wmf
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B2359081.wmf
|
ms-windows metafont .wmf
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FCE43280.wmf
|
ms-windows metafont .wmf
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\KONDEMNATIONERS.Heg
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\Overliggedagene225.ini
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\nshD0AF.tmp\System.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
modified
|
||
|
C:\Users\user\AppData\Local\Temp\~DF3EBA8DC817904F49.TMP
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DF8EEDDA710CFA1BC5.TMP
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DFD156472CF2DDFD4C.TMP
|
CDFV2 Encrypted
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DFFFED7F195E4B8B5F.TMP
|
data
|
dropped
|
There are 6 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
|
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
|
|
|
|
C:\Users\Public\vbc.exe
|
"C:\Users\Public\vbc.exe"
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://23.95.34.9/zaki/Komiten6.exe
|
23.95.34.9
|
|
|
|
http://23.95.34.9/zaki/Komiten6.exej
|
unknown
|
||
|
http://nsis.sf.net/NSIS_ErrorError
|
unknown
|
||
|
http://23.95.34.9/zaki/Komiten6.exemmC:
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
23.95.34.9
|
unknown
|
United States
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
#))
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
|
MTTT
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
ReviewToken
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\65EB3
|
65EB3
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus
|
FontCachePath
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
VBAFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
(:)
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\6B329
|
6B329
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\6CF41
|
6CF41
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
|
Max Display
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
|
Item 1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Max Display
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 2
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 3
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 4
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 5
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 6
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 7
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 8
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 9
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 10
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 11
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 12
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 13
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 14
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 15
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 16
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 17
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 18
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 19
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 20
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 21
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
|
LastPurgeTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
EXCELFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\6B329
|
6B329
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
EquationEditorFilesIntl_1033
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
|
SavedLegacySettings
|
||
|
HKEY_CURRENT_USER\Software\stemningsfulderes\DISINTENSIFY
|
Expand String Value
|
There are 32 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
3FB0000
|
direct allocation
|
page execute and read and write
|
|
|
|
64CF000
|
stack
|
page read and write
|
||
|
320000
|
heap
|
page read and write
|
||
|
1E00000
|
trusted library allocation
|
page read and write
|
||
|
73BF1000
|
unkown
|
page execute read
|
||
|
627E000
|
stack
|
page read and write
|
||
|
6F6000
|
heap
|
page read and write
|
||
|
3070000
|
trusted library section
|
page read and write
|
||
|
2C38000
|
heap
|
page read and write
|
||
|
5E4000
|
heap
|
page read and write
|
||
|
2C34000
|
heap
|
page read and write
|
||
|
5C0000
|
heap
|
page read and write
|
||
|
262000
|
heap
|
page read and write
|
||
|
650C000
|
stack
|
page read and write
|
||
|
10000
|
heap
|
page read and write
|
||
|
2680000
|
trusted library allocation
|
page read and write
|
||
|
40A000
|
unkown
|
page read and write
|
||
|
660000
|
heap
|
page read and write
|
||
|
664000
|
heap
|
page read and write
|
||
|
703000
|
heap
|
page read and write
|
||
|
408000
|
unkown
|
page readonly
|
||
|
1DFE000
|
stack
|
page read and write
|
||
|
2FD0000
|
trusted library allocation
|
page read and write
|
||
|
6520000
|
heap
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
327000
|
heap
|
page read and write
|
||
|
36D000
|
stack
|
page read and write
|
||
|
69FE000
|
stack
|
page read and write
|
||
|
27C0000
|
trusted library allocation
|
page read and write
|
||
|
67F000
|
heap
|
page read and write
|
||
|
3060000
|
trusted library section
|
page read and write
|
||
|
40A000
|
unkown
|
page write copy
|
||
|
2C3B000
|
heap
|
page read and write
|
||
|
73BF4000
|
unkown
|
page readonly
|
||
|
6B1F000
|
stack
|
page read and write
|
||
|
295F000
|
stack
|
page read and write
|
||
|
47D000
|
unkown
|
page readonly
|
||
|
30E000
|
stack
|
page read and write
|
||
|
369F000
|
stack
|
page read and write
|
||
|
30BD000
|
stack
|
page read and write
|
||
|
701000
|
heap
|
page read and write
|
||
|
660000
|
heap
|
page read and write
|
||
|
262000
|
heap
|
page read and write
|
||
|
2074000
|
trusted library section
|
page readonly
|
||
|
590000
|
heap
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
36A0000
|
trusted library allocation
|
page read and write
|
||
|
657000
|
heap
|
page read and write
|
||
|
1E90000
|
heap
|
page read and write
|
||
|
739000
|
heap
|
page read and write
|
||
|
300000
|
heap
|
page read and write
|
||
|
207F000
|
trusted library section
|
page readonly
|
||
|
408000
|
unkown
|
page readonly
|
||
|
2C30000
|
heap
|
page read and write
|
||
|
664000
|
heap
|
page read and write
|
||
|
2F0000
|
heap
|
page read and write
|
||
|
18C000
|
stack
|
page read and write
|
||
|
89000
|
stack
|
page read and write
|
||
|
2080000
|
heap
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
73BF6000
|
unkown
|
page readonly
|
||
|
3260000
|
heap
|
page read and write
|
||
|
6EC000
|
heap
|
page read and write
|
||
|
73BF0000
|
unkown
|
page readonly
|
||
|
401000
|
unkown
|
page execute read
|
||
|
89000
|
stack
|
page read and write
|
||
|
596000
|
heap
|
page read and write
|
||
|
437000
|
unkown
|
page read and write
|
||
|
623D000
|
stack
|
page read and write
|
||
|
66BD000
|
stack
|
page read and write
|
||
|
40A000
|
unkown
|
page write copy
|
||
|
2A9C000
|
stack
|
page read and write
|
||
|
722000
|
heap
|
page read and write
|
||
|
60D000
|
heap
|
page read and write
|
||
|
2070000
|
trusted library section
|
page readonly
|
||
|
400000
|
unkown
|
page readonly
|
||
|
408000
|
unkown
|
page readonly
|
||
|
6580000
|
heap
|
page read and write
|
||
|
624000
|
heap
|
page read and write
|
||
|
3050000
|
trusted library section
|
page read and write
|
||
|
6DD000
|
heap
|
page read and write
|
||
|
40A000
|
unkown
|
page write copy
|
||
|
408000
|
unkown
|
page readonly
|
||
|
400000
|
unkown
|
page readonly
|
||
|
2BF000
|
stack
|
page read and write
|
||
|
674000
|
heap
|
page read and write
|
||
|
2A5F000
|
stack
|
page read and write
|
||
|
6C50000
|
heap
|
page read and write
|
||
|
7080000
|
trusted library allocation
|
page read and write
|
||
|
380000
|
heap
|
page read and write
|
||
|
47D000
|
unkown
|
page readonly
|
||
|
240000
|
heap
|
page read and write
|
||
|
68BE000
|
stack
|
page read and write
|
||
|
3268000
|
heap
|
page read and write
|
||
|
630F000
|
trusted library allocation
|
page read and write
|
||
|
40A000
|
unkown
|
page write copy
|
||
|
61F000
|
heap
|
page read and write
|
||
|
244000
|
heap
|
page read and write
|
||
|
49D000
|
trusted library allocation
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
401000
|
unkown
|
page execute read
|
||
|
480000
|
trusted library allocation
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
6A10000
|
heap
|
page read and write
|
||
|
40A000
|
unkown
|
page write copy
|
||
|
5C7000
|
heap
|
page read and write
|
||
|
1F9F000
|
stack
|
page read and write
|
||
|
623000
|
heap
|
page read and write
|
||
|
61FE000
|
stack
|
page read and write
|
||
|
72C000
|
heap
|
page read and write
|
||
|
2B9D000
|
stack
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
2680000
|
trusted library allocation
|
page read and write
|
||
|
47D000
|
unkown
|
page readonly
|
||
|
67BE000
|
stack
|
page read and write
|
||
|
724000
|
heap
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
2C1E000
|
stack
|
page read and write
|
||
|
62C000
|
heap
|
page read and write
|
||
|
31BE000
|
stack
|
page read and write
|
||
|
3264000
|
heap
|
page read and write
|
||
|
47D000
|
unkown
|
page readonly
|
||
|
47D000
|
unkown
|
page readonly
|
||
|
2090000
|
direct allocation
|
page read and write
|
||
|
427000
|
unkown
|
page read and write
|
||
|
18A000
|
stack
|
page read and write
|
||
|
62ED000
|
trusted library allocation
|
page read and write
|
||
|
10000
|
heap
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
6314000
|
trusted library allocation
|
page read and write
|
||
|
62D0000
|
trusted library allocation
|
page read and write
|
||
|
240000
|
heap
|
page read and write
|
||
|
258F000
|
stack
|
page read and write
|
||
|
408000
|
unkown
|
page readonly
|
||
|
6290000
|
heap
|
page read and write
|
||
|
2BDE000
|
stack
|
page read and write
|
||
|
650000
|
heap
|
page read and write
|
||
|
408000
|
unkown
|
page readonly
|
||
|
326B000
|
heap
|
page read and write
|
||
|
7080000
|
trusted library allocation
|
page read and write
|
||
|
7080000
|
trusted library allocation
|
page read and write
|
||
|
6F1000
|
heap
|
page read and write
|
||
|
244000
|
heap
|
page read and write
|
||
|
69BD000
|
stack
|
page read and write
|
||
|
62FF000
|
trusted library allocation
|
page read and write
|
||
|
47D000
|
unkown
|
page readonly
|
||
|
2680000
|
trusted library allocation
|
page read and write
|
There are 137 hidden memdumps, click here to show them.