Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
ScannedXfileX2.xlam.xlsx
|
Microsoft Excel 2007+
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Temp\~$imgs.xlsx
|
data
|
dropped
|
||
|
C:\Users\user\Desktop\~$ScannedXfileX2.xlam.xls
|
data
|
dropped
|
||
|
C:\Users\user\Desktop\~$ScannedXfileX2.xlam.xlsx
|
data
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
|
|
|
|
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
|
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
|
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://speedy34.myvnc.com/WZM.exe
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
speedy34.myvnc.com
|
31.214.157.14
|
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
31.214.157.14
|
speedy34.myvnc.com
|
Germany
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
$*'
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Excel
|
Enabled
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
|
MTTT
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
ReviewToken
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
7/'
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
|
LastPurgeTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
EXCELFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
VBAFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
EquationEditorFilesIntl_1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
EquationEditorFilesIntl_1033
|
There are 3 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
663000
|
heap
|
page read and write
|
||
|
5A0000
|
heap
|
page read and write
|
||
|
65C000
|
heap
|
page read and write
|
||
|
6F30000
|
heap
|
page read and write
|
||
|
260000
|
remote allocation
|
page read and write
|
||
|
89000
|
stack
|
page read and write
|
||
|
5F7000
|
heap
|
page read and write
|
||
|
689000
|
heap
|
page read and write
|
||
|
5F0000
|
heap
|
page read and write
|
||
|
260000
|
remote allocation
|
page read and write
|
||
|
689000
|
heap
|
page read and write
|
||
|
657000
|
heap
|
page read and write
|
||
|
5A7000
|
heap
|
page read and write
|
||
|
289F000
|
stack
|
page read and write
|
||
|
61F000
|
heap
|
page read and write
|
||
|
2FD000
|
stack
|
page read and write
|
||
|
72B1000
|
heap
|
page read and write
|
||
|
7320000
|
heap
|
page read and write
|
||
|
320000
|
heap
|
page read and write
|
||
|
66F000
|
heap
|
page read and write
|
||
|
1F0F000
|
stack
|
page read and write
|
||
|
24B2000
|
heap
|
page read and write
|
||
|
660000
|
heap
|
page read and write
|
||
|
2490000
|
heap
|
page read and write
|
||
|
671000
|
heap
|
page read and write
|
||
|
2494000
|
heap
|
page read and write
|
||
|
2B24000
|
heap
|
page read and write
|
||
|
66A000
|
heap
|
page read and write
|
||
|
246E000
|
stack
|
page read and write
|
||
|
5EE000
|
stack
|
page read and write
|
||
|
1F20000
|
heap
|
page read and write
|
||
|
2B2B000
|
heap
|
page read and write
|
||
|
72A0000
|
heap
|
page read and write
|
||
|
689000
|
heap
|
page read and write
|
||
|
2B20000
|
heap
|
page read and write
|
||
|
35A1000
|
heap
|
page read and write
|
||
|
2BF000
|
stack
|
page read and write
|
||
|
614000
|
heap
|
page read and write
|
||
|
3DF000
|
stack
|
page read and write
|
||
|
7140000
|
heap
|
page read and write
|
||
|
2B28000
|
heap
|
page read and write
|
||
|
2B1C000
|
stack
|
page read and write
|
||
|
270000
|
heap
|
page read and write
|
||
|
3590000
|
heap
|
page read and write
|
||
|
299F000
|
stack
|
page read and write
|
||
|
70EE000
|
stack
|
page read and write
|
||
|
665000
|
heap
|
page read and write
|
||
|
7100000
|
heap
|
page read and write
|
||
|
66F000
|
heap
|
page read and write
|
||
|
18C000
|
stack
|
page read and write
|
||
|
6F2D000
|
stack
|
page read and write
|
||
|
1F30000
|
direct allocation
|
page read and write
|
||
|
242F000
|
stack
|
page read and write
|
||
|
70AF000
|
stack
|
page read and write
|
||
|
745F000
|
stack
|
page read and write
|
||
|
6FAE000
|
stack
|
page read and write
|
||
|
715D000
|
heap
|
page read and write
|
||
|
62E000
|
heap
|
page read and write
|
||
|
358F000
|
stack
|
page read and write
|
||
|
10000
|
heap
|
page read and write
|
There are 50 hidden memdumps, click here to show them.