Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
ACP-2210825ORDER.xls
|
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application:
Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Nov 29 05:27:07 2022, Security: 1
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\VBC[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Temp\~DF688530565CAD41F4.TMP
|
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application:
Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Nov 29 05:27:07 2022, Security: 1
|
dropped
|
|
|
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac\libgiognutls.dll
|
PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
|
dropped
|
|
|
|
C:\Users\Public\vbc.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1F090A1F.emf
|
Windows Enhanced Metafile (EMF) image data version 0x10000
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2A84DD94.emf
|
Windows Enhanced Metafile (EMF) image data version 0x10000
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2C485423.emf
|
Windows Enhanced Metafile (EMF) image data version 0x10000
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\489D37C8.emf
|
Windows Enhanced Metafile (EMF) image data version 0x10000
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A546E2A.emf
|
Windows Enhanced Metafile (EMF) image data version 0x10000
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\628281DB.emf
|
Windows Enhanced Metafile (EMF) image data version 0x10000
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\95D0DCC2.emf
|
Windows Enhanced Metafile (EMF) image data version 0x10000
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9BAF1916.emf
|
Windows Enhanced Metafile (EMF) image data version 0x10000
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BC7C3885.emf
|
Windows Enhanced Metafile (EMF) image data version 0x10000
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C6BD8529.emf
|
Windows Enhanced Metafile (EMF) image data version 0x10000
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\nsp5B93.tmp\System.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
modified
|
||
|
C:\Users\user\AppData\Local\Temp\~DF15E3E53C3844A1B8.TMP
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DF357B58C09F937A89.TMP
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DFEB3257B002629434.TMP
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Obeyeo.Bib
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac\Urokkeligheden.Ord114
|
data
|
dropped
|
There are 11 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
|
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
|
|
|
|
C:\Users\Public\vbc.exe
|
"C:\Users\Public\vbc.exe"
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://172.245.34.91/5643/VBC.exe
|
172.245.34.91
|
|
|
|
http://172.245.34.91/5643/VBC.exej
|
unknown
|
||
|
http://172.245.34.91/5643/VBC.exel
|
unknown
|
||
|
http://nsis.sf.net/NSIS_ErrorError
|
unknown
|
||
|
http://172.245.34.91/5643/VBC.exehhC:
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
172.245.34.91
|
unknown
|
United States
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
qs+
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
|
MTTT
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
ReviewToken
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\688B0
|
688B0
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
VBAFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
f|+
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\6D3C3
|
6D3C3
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\6EDE7
|
6EDE7
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
|
Max Display
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
|
Item 1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Max Display
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 2
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 3
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 4
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 5
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 6
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 7
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 8
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 9
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 10
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 11
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 12
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 13
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 14
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 15
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 16
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 17
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 18
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 19
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 20
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 21
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
|
LastPurgeTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
EXCELFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\6D3C3
|
6D3C3
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
EquationEditorFilesIntl_1033
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
|
SavedLegacySettings
|
||
|
HKEY_CURRENT_USER\Software\Spaan\Pushfully
|
Trials101
|
There are 31 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
30C0000
|
direct allocation
|
page execute and read and write
|
|
|
|
400000
|
unkown
|
page readonly
|
||
|
6DF000
|
heap
|
page read and write
|
||
|
65F000
|
heap
|
page read and write
|
||
|
408000
|
unkown
|
page readonly
|
||
|
5540000
|
trusted library allocation
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
1F50000
|
trusted library allocation
|
page read and write
|
||
|
544000
|
heap
|
page read and write
|
||
|
46E000
|
unkown
|
page readonly
|
||
|
47EF000
|
trusted library allocation
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
10000000
|
unkown
|
page readonly
|
||
|
200E000
|
stack
|
page read and write
|
||
|
10003000
|
unkown
|
page readonly
|
||
|
637000
|
heap
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
5540000
|
trusted library allocation
|
page read and write
|
||
|
46E000
|
unkown
|
page readonly
|
||
|
408000
|
unkown
|
page readonly
|
||
|
35A000
|
heap
|
page read and write
|
||
|
3040000
|
trusted library allocation
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
2040000
|
direct allocation
|
page read and write
|
||
|
2865000
|
trusted library allocation
|
page read and write
|
||
|
2E4000
|
heap
|
page read and write
|
||
|
46E000
|
unkown
|
page readonly
|
||
|
31F4000
|
heap
|
page read and write
|
||
|
5C4000
|
trusted library section
|
page readonly
|
||
|
87000
|
stack
|
page read and write
|
||
|
408000
|
unkown
|
page readonly
|
||
|
42B000
|
unkown
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
2830000
|
trusted library allocation
|
page read and write
|
||
|
324000
|
heap
|
page read and write
|
||
|
5C0000
|
trusted library section
|
page readonly
|
||
|
5D7000
|
heap
|
page read and write
|
||
|
42D000
|
unkown
|
page read and write
|
||
|
32F000
|
heap
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
2A2000
|
heap
|
page read and write
|
||
|
18B000
|
stack
|
page read and write
|
||
|
7EFE0000
|
unkown
|
page readonly
|
||
|
5E6000
|
heap
|
page read and write
|
||
|
6FE000
|
stack
|
page read and write
|
||
|
6B9000
|
heap
|
page read and write
|
||
|
40A000
|
unkown
|
page write copy
|
||
|
4A2C000
|
stack
|
page read and write
|
||
|
61E000
|
stack
|
page read and write
|
||
|
2C7000
|
heap
|
page read and write
|
||
|
10000
|
heap
|
page read and write
|
||
|
49EF000
|
stack
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
400000
|
unkown
|
page readonly
|
||
|
335000
|
heap
|
page read and write
|
||
|
6A5000
|
heap
|
page read and write
|
||
|
46E000
|
unkown
|
page readonly
|
||
|
699000
|
heap
|
page read and write
|
||
|
4BDD000
|
stack
|
page read and write
|
||
|
40A000
|
unkown
|
page write copy
|
||
|
427000
|
unkown
|
page read and write
|
||
|
562000
|
heap
|
page read and write
|
||
|
10000
|
heap
|
page read and write
|
||
|
2A0F000
|
stack
|
page read and write
|
||
|
2830000
|
trusted library allocation
|
page read and write
|
||
|
344000
|
heap
|
page read and write
|
||
|
3540000
|
trusted library allocation
|
page read and write
|
||
|
284000
|
heap
|
page read and write
|
||
|
4A6C000
|
stack
|
page read and write
|
||
|
1F4F000
|
stack
|
page read and write
|
||
|
46E000
|
unkown
|
page readonly
|
||
|
61F000
|
stack
|
page read and write
|
||
|
360000
|
heap
|
page read and write
|
||
|
6F2000
|
heap
|
page read and write
|
||
|
4E5F000
|
stack
|
page read and write
|
||
|
1D10000
|
trusted library allocation
|
page read and write
|
||
|
18A000
|
stack
|
page read and write
|
||
|
10001000
|
unkown
|
page execute read
|
||
|
2830000
|
trusted library allocation
|
page read and write
|
||
|
2BD0000
|
heap
|
page read and write
|
||
|
6D9000
|
heap
|
page read and write
|
||
|
540000
|
heap
|
page read and write
|
||
|
6EC000
|
heap
|
page read and write
|
||
|
BDE000
|
stack
|
page read and write
|
||
|
4AA0000
|
heap
|
page read and write
|
||
|
31FB000
|
heap
|
page read and write
|
||
|
4CDD000
|
stack
|
page read and write
|
||
|
630000
|
heap
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
2BDB000
|
heap
|
page read and write
|
||
|
435000
|
unkown
|
page read and write
|
||
|
47B0000
|
trusted library allocation
|
page read and write
|
||
|
2830000
|
trusted library allocation
|
page read and write
|
||
|
3C0000
|
heap
|
page read and write
|
||
|
40A000
|
unkown
|
page write copy
|
||
|
40A000
|
unkown
|
page read and write
|
||
|
2BD4000
|
heap
|
page read and write
|
||
|
4F30000
|
heap
|
page read and write
|
||
|
27F000
|
stack
|
page read and write
|
||
|
69E000
|
heap
|
page read and write
|
||
|
4770000
|
heap
|
page read and write
|
||
|
89000
|
stack
|
page read and write
|
||
|
691000
|
heap
|
page read and write
|
||
|
253F000
|
stack
|
page read and write
|
||
|
2C6000
|
heap
|
page read and write
|
||
|
6F2000
|
heap
|
page read and write
|
||
|
503F000
|
stack
|
page read and write
|
||
|
30D000
|
stack
|
page read and write
|
||
|
290000
|
heap
|
page read and write
|
||
|
40A000
|
unkown
|
page write copy
|
||
|
5D0000
|
heap
|
page read and write
|
||
|
4710000
|
heap
|
page read and write
|
||
|
2030000
|
heap
|
page read and write
|
||
|
46C000
|
unkown
|
page read and write
|
||
|
4D1F000
|
stack
|
page read and write
|
||
|
47CD000
|
trusted library allocation
|
page read and write
|
||
|
280000
|
heap
|
page read and write
|
||
|
654000
|
heap
|
page read and write
|
||
|
10000
|
heap
|
page read and write
|
||
|
280000
|
heap
|
page read and write
|
||
|
6F9000
|
heap
|
page read and write
|
||
|
320000
|
heap
|
page read and write
|
||
|
356000
|
heap
|
page read and write
|
||
|
46E000
|
unkown
|
page readonly
|
||
|
3FD000
|
heap
|
page read and write
|
||
|
40A000
|
unkown
|
page write copy
|
||
|
48EE000
|
stack
|
page read and write
|
||
|
406000
|
heap
|
page read and write
|
||
|
2BCD000
|
stack
|
page read and write
|
||
|
47F4000
|
trusted library allocation
|
page read and write
|
||
|
408000
|
unkown
|
page readonly
|
||
|
408000
|
unkown
|
page readonly
|
||
|
10005000
|
unkown
|
page readonly
|
||
|
5E0000
|
heap
|
page read and write
|
||
|
408000
|
unkown
|
page readonly
|
||
|
284000
|
heap
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
31F0000
|
heap
|
page read and write
|
||
|
38B000
|
heap
|
page read and write
|
||
|
1E80000
|
heap
|
page read and write
|
||
|
3C7000
|
heap
|
page read and write
|
||
|
1DD000
|
stack
|
page read and write
|
||
|
310000
|
heap
|
page read and write
|
||
|
5540000
|
trusted library allocation
|
page read and write
|
||
|
408000
|
heap
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
4E1F000
|
stack
|
page read and write
|
||
|
5CF000
|
trusted library section
|
page readonly
|
||
|
31F8000
|
heap
|
page read and write
|
||
|
290F000
|
stack
|
page read and write
|
||
|
2C0000
|
heap
|
page read and write
|
||
|
5110000
|
heap
|
page read and write
|
||
|
2BD8000
|
heap
|
page read and write
|
||
|
5AE000
|
stack
|
page read and write
|
||
|
200000
|
heap
|
page read and write
|
||
|
47DF000
|
trusted library allocation
|
page read and write
|
There are 146 hidden memdumps, click here to show them.