Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
subscription-673890410.xlsb
|
Microsoft Excel 2007+
|
initial sample
|
 |
|
|
C:\ProgramData\xkNURUQaCiKQrGY.rtf
|
HTML document, ASCII text, with very long lines, with CRLF line terminators
|
dropped
|
|
|
|
C:\Users\user\Desktop\~$subscription-673890410.xlsb
|
data
|
dropped
|
|
|
|
C:\ProgramData\dDVVHyrpueA.txt
|
ASCII text, with no line terminators
|
dropped
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG[1].txt
|
ASCII text, with no line terminators
|
downloaded
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F135607.png
|
PNG image data, 295 x 52, 8-bit/color RGB, non-interlaced
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BEF1285C.png
|
PNG image data, 238 x 337, 8-bit/color RGBA, non-interlaced
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Temp\5042.tmp
|
Microsoft Excel 2007+
|
dropped
|
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
|
|
|
|
C:\Windows\System32\wbem\WMIC.exe
|
wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf"
|
|
|
|
C:\Windows\System32\mshta.exe
|
mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf
|
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
|
unknown
|
|
|
|
http://www.windows.com/pctv.
|
unknown
|
|
|
|
http://investor.msn.com
|
unknown
|
|
|
|
http://www.msnbc.com/news/ticker.txt
|
unknown
|
|
|
|
http://www.%s.comPA
|
unknown
|
|
|
|
http://www.icra.org/vocabulary/.
|
unknown
|
|
|
|
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
|
unknown
|
|
|
|
http://132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
|
132.148.135.183
|
|
|
|
http://windowsmedia.com/redir/services.asp?WMPFriendly=true
|
unknown
|
|
|
|
http://www.hotmail.com/oe
|
unknown
|
|
|
|
http://servername/isapibackend.dll
|
unknown
|
|
|
|
http://investor.msn.com/
|
unknown
|
|
There are 2 hidden URLs, click here to show them.
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
132.148.135.183
|
unknown
|
United States
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
?c$
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
|
MTTT
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
ReviewToken
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2EB0A
|
2EB0A
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
VBAFiles
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
%l$
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
ProductNonBootFilesIntl_1033
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
OriginalAttachmentPath
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
TemporaryAttachmentName
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109A10090400100000000F01FEC\Usage
|
OutlookMAPI2Intl_1033
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
|
LastPurgeTime
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
EXCELFiles
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
|
SavedLegacySettings
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
ProductNonBootFilesIntl_1033
|
|
There are 7 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
278000
|
unkown
|
page read and write
|
|
|
|
5C8000
|
heap default
|
page read and write
|
|
|
|
175000
|
unkown
|
page read and write
|
|
|
|
595000
|
heap default
|
page read and write
|
|
|
|
10000
|
unkown image
|
page read and write
|
|
|
|
2730000
|
heap private
|
page read and write
|
|
|
|
29D000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
22E5000
|
heap private
|
page read and write
|
|
|
|
AD000
|
unkown
|
page read and write
|
|
|
|
19D000
|
heap default
|
page read and write
|
|
|
|
2DD5000
|
unkown
|
page read and write
|
|
|
|
39EF000
|
stack
|
page read and write
|
|
|
|
20000
|
unkown image
|
page read and write
|
|
|
|
18D000
|
unkown
|
page read and write
|
|
|
|
2BE0000
|
heap private
|
page read and write
|
|
|
|
2B00000
|
unkown
|
page read and write
|
|
|
|
57F000
|
stack
|
page read and write
|
|
|
|
4F7F000
|
unkown
|
page read and write
|
|
|
|
2CC5000
|
heap private
|
page read and write
|
|
|
|
14A000
|
unkown
|
page read and write
|
|
|
|
29F000
|
unkown
|
page read and write
|
|
|
|
193000
|
unkown
|
page read and write
|
|
|
|
54D0000
|
heap private
|
page read and write
|
|
|
|
3180000
|
heap private
|
page read and write
|
|
|
|
4F6F000
|
unkown
|
page read and write
|
|
|
|
2B2C000
|
unkown
|
page read and write
|
|
|
|
2B30000
|
unkown
|
page read and write
|
|
|
|
346000
|
unkown
|
page read and write
|
|
|
|
2CC0000
|
heap private
|
page read and write
|
|
|
|
3F4000
|
heap private
|
page read and write
|
|
|
|
4F56000
|
unkown
|
page read and write
|
|
|
|
120000
|
unkown
|
page read and write
|
|
|
|
26A000
|
unkown
|
page read and write
|
|
|
|
2630000
|
unkown image
|
page readonly
|
|
|
|
29D000
|
unkown
|
page read and write
|
|
|
|
29F000
|
unkown
|
page read and write
|
|
|
|
2B14000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
170000
|
unkown
|
page read and write
|
|
|
|
4F4000
|
heap private
|
page read and write
|
|
|
|
2B10000
|
unkown
|
page read and write
|
|
|
|
26B000
|
unkown
|
page read and write
|
|
|
|
29F000
|
unkown
|
page read and write
|
|
|
|
2D70000
|
heap private
|
page read and write
|
|
|
|
3580000
|
heap private
|
page read and write
|
|
|
|
2326000
|
heap private
|
page read and write
|
|
|
|
1D0000
|
unkown image
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
2B18000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
2B7C000
|
unkown
|
page read and write
|
|
|
|
2B39000
|
unkown
|
page read and write
|
|
|
|
29A000
|
unkown
|
page read and write
|
|
|
|
3110000
|
unkown
|
page read and write
|
|
|
|
2D50000
|
heap private
|
page read and write
|
|
|
|
7EFE0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
25B000
|
unkown
|
page read and write
|
|
|
|
1670000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
2B60000
|
unkown
|
page read and write
|
|
|
|
160000
|
unkown image
|
page read and write
|
|
|
|
1C20000
|
unkown image
|
page readonly
|
|
|
|
7EFE0000
|
unkown image
|
page readonly
|
|
|
|
2BE4000
|
heap private
|
page read and write
|
|
|
|
1B2000
|
unkown
|
page read and write
|
|
|
|
2B24000
|
unkown
|
page read and write
|
|
|
|
500000
|
unkown image
|
page readonly
|
|
|
|
40000
|
unkown image
|
page readonly
|
|
|
|
2B08000
|
unkown
|
page read and write
|
|
|
|
54F000
|
heap default
|
page read and write
|
|
|
|
2AE8000
|
unkown
|
page read and write
|
|
|
|
2B88000
|
unkown
|
page read and write
|
|
|
|
690000
|
unkown image
|
page readonly
|
|
|
|
2DD1000
|
unkown
|
page read and write
|
|
|
|
1C9000
|
unkown
|
page read and write
|
|
|
|
345E000
|
stack
|
page read and write
|
|
|
|
2BA0000
|
unkown
|
page read and write
|
|
|
|
378D000
|
stack
|
page read and write
|
|
|
|
5FF000
|
stack
|
page read and write
|
|
|
|
2B28000
|
unkown
|
page read and write
|
|
|
|
4F7000
|
heap default
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
182000
|
unkown
|
page read and write
|
|
|
|
543E000
|
stack
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
50C0000
|
heap private
|
page read and write
|
|
|
|
4F54000
|
unkown
|
page read and write
|
|
|
|
160000
|
heap default
|
page read and write
|
|
|
|
2DD8000
|
unkown
|
page read and write
|
|
|
|
1F40000
|
heap private
|
page read and write
|
|
|
|
56B000
|
heap default
|
page read and write
|
|
|
|
2CFB000
|
heap private
|
page read and write
|
|
|
|
219F000
|
stack
|
page read and write
|
|
|
|
52C0000
|
heap private
|
page read and write
|
|
|
|
22E0000
|
heap private
|
page read and write
|
|
|
|
4F58000
|
unkown
|
page read and write
|
|
|
|
29A000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
4F4E000
|
unkown
|
page read and write
|
|
|
|
4F60000
|
unkown
|
page read and write
|
|
|
|
2DD4000
|
unkown
|
page read and write
|
|
|
|
2A70000
|
unkown image
|
page readonly
|
|
|
|
172000
|
unkown
|
page read and write
|
|
|
|
1FC0000
|
heap private
|
page read and write
|
|
|
|
278000
|
unkown
|
page read and write
|
|
|
|
450000
|
heap private
|
page read and write
|
|
|
|
4F96000
|
unkown
|
page read and write
|
|
|
|
1C9000
|
unkown
|
page read and write
|
|
|
|
2DDB000
|
unkown
|
page read and write
|
|
|
|
4F49000
|
unkown
|
page read and write
|
|
|
|
17D000
|
unkown
|
page read and write
|
|
|
|
2B4000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
1AE000
|
unkown
|
page read and write
|
|
|
|
217000
|
heap default
|
page read and write
|
|
|
|
586000
|
heap default
|
page read and write
|
|
|
|
296000
|
unkown
|
page read and write
|
|
|
|
200000
|
heap private
|
page read and write
|
|
|
|
2DD9000
|
unkown
|
page read and write
|
|
|
|
2AFC000
|
unkown
|
page read and write
|
|
|
|
2B20000
|
unkown
|
page read and write
|
|
|
|
278000
|
unkown
|
page read and write
|
|
|
|
2DD2000
|
unkown
|
page read and write
|
|
|
|
2DD0000
|
unkown
|
page read and write
|
|
|
|
2DDA000
|
unkown
|
page read and write
|
|
|
|
2A80000
|
unkown image
|
page read and write
|
|
|
|
1350000
|
unkown image
|
page readonly
|
|
|
|
2C7000
|
unkown
|
page read and write
|
|
|
|
355F000
|
stack
|
page read and write
|
|
|
|
2C70000
|
unkown image
|
page readonly
|
|
|
|
1AC000
|
unkown
|
page read and write
|
|
|
|
232F000
|
heap private
|
page read and write
|
|
|
|
1C9000
|
unkown
|
page read and write
|
|
|
|
4F66000
|
unkown
|
page read and write
|
|
|
|
169000
|
unkown
|
page read and write
|
|
|
|
2050000
|
heap private
|
page read and write
|
|
|
|
2B94000
|
unkown
|
page read and write
|
|
|
|
6B72000
|
unkown image
|
page read and write
|
|
|
|
2950000
|
heap private
|
page read and write
|
|
|
|
2B80000
|
unkown
|
page read and write
|
|
|
|
C0000
|
unkown image
|
page readonly
|
|
|
|
1AB000
|
heap default
|
page read and write
|
|
|
|
3F0000
|
heap private
|
page read and write
|
|
|
|
2DDC000
|
unkown
|
page read and write
|
|
|
|
4F40000
|
unkown
|
page read and write
|
|
|
|
260000
|
unkown
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
5750000
|
unkown
|
page read and write
|
|
|
|
186000
|
unkown
|
page read and write
|
|
|
|
268000
|
unkown
|
page read and write
|
|
|
|
2B68000
|
unkown
|
page read and write
|
|
|
|
4F68000
|
unkown
|
page read and write
|
|
|
|
4EC0000
|
heap private
|
page read and write
|
|
|
|
4F6B000
|
unkown
|
page read and write
|
|
|
|
2B6C000
|
unkown
|
page read and write
|
|
|
|
2A7E000
|
stack
|
page read and write
|
|
|
|
2AA0000
|
unkown
|
page read and write
|
|
|
|
3EE7000
|
unkown image
|
page readonly
|
|
|
|
3CFF000
|
stack
|
page read and write
|
|
|
|
316000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
3300000
|
unkown
|
page read and write
|
|
|
|
205000
|
heap private
|
page read and write
|
|
|
|
1C9000
|
unkown
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
2DAB000
|
heap private
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
269000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
2C2E000
|
stack
|
page read and write
|
|
|
|
40000
|
unkown image
|
page readonly
|
|
|
|
2AF8000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
2DD3000
|
unkown
|
page read and write
|
|
|
|
4F0000
|
heap private
|
page read and write
|
|
|
|
10000
|
unkown image
|
page read and write
|
|
|
|
5B7000
|
heap default
|
page read and write
|
|
|
|
30E0000
|
unkown image
|
page readonly
|
|
|
|
1AE000
|
unkown
|
page read and write
|
|
|
|
56D0000
|
heap private
|
page read and write
|
|
|
|
4EC5000
|
heap private
|
page read and write
|
|
|
|
4F86000
|
unkown
|
page read and write
|
|
|
|
3300000
|
unkown
|
page read and write
|
|
|
|
32FF000
|
stack
|
page read and write
|
|
|
|
7EFE0000
|
unkown image
|
page readonly
|
|
|
|
B0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
114000
|
heap private
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
52E000
|
heap default
|
page read and write
|
|
|
|
2DD7000
|
unkown
|
page read and write
|
|
|
|
29A000
|
unkown
|
page read and write
|
|
|
|
30000
|
unkown image
|
page readonly
|
|
|
|
285E000
|
stack
|
page read and write
|
|
|
|
3185000
|
heap private
|
page read and write
|
|
|
|
2B3000
|
unkown
|
page read and write
|
|
|
|
2C4000
|
unkown
|
page read and write
|
|
|
|
234B000
|
heap private
|
page read and write
|
|
|
|
2B0C000
|
unkown
|
page read and write
|
|
|
|
2B50000
|
unkown
|
page read and write
|
|
|
|
2B58000
|
unkown
|
page read and write
|
|
|
|
278000
|
unkown
|
page read and write
|
|
|
|
2BA4000
|
unkown
|
page read and write
|
|
|
|
2DD6000
|
unkown
|
page read and write
|
|
|
|
2340000
|
heap private
|
page read and write
|
|
|
|
4F79000
|
unkown
|
page read and write
|
|
|
|
6F62000
|
unkown image
|
page readonly
|
|
|
|
3B3F000
|
stack
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
3D00000
|
unkown image
|
page readonly
|
|
|
|
2B34000
|
unkown
|
page read and write
|
|
|
|
40E0000
|
unkown image
|
page readonly
|
|
|
|
1A6000
|
heap default
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
110000
|
heap private
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
1AE000
|
unkown
|
page read and write
|
|
|
|
2D75000
|
heap private
|
page read and write
|
|
|
|
11A000
|
heap private
|
page read and write
|
|
|
|
B5F000
|
stack
|
page read and write
|
|
|
|
3336000
|
unkown
|
page read and write
|
|
|
|
310000
|
unkown
|
page read and write
|
|
|
|
14D0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
1C6000
|
unkown
|
page read and write
|
|
|
|
2AEC000
|
unkown
|
page read and write
|
|
|
|
2B49000
|
unkown
|
page read and write
|
|
|
|
4F72000
|
unkown
|
page read and write
|
|
|
|
30D0000
|
unkown image
|
page readonly
|
|
|
|
30000
|
unkown image
|
page readonly
|
|
|
|
1D0000
|
unkown
|
page read and write
|
|
|
|
150000
|
unkown image
|
page readonly
|
|
|
|
5040000
|
heap private
|
page read and write
|
|
|
|
4F52000
|
unkown
|
page read and write
|
|
|
|
231B000
|
heap private
|
page read and write
|
|
|
|
14E0000
|
unkown image
|
page readonly
|
|
|
|
156000
|
unkown
|
page read and write
|
|
|
|
680000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
1B0000
|
unkown
|
page read and write
|
|
|
|
260000
|
unkown
|
page read and write
|
|
|
|
2B10000
|
heap private
|
page read and write
|
|
|
|
5DD000
|
heap default
|
page read and write
|
|
|
|
2B90000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
210000
|
heap default
|
page read and write
|
|
|
|
3189000
|
heap private
|
page read and write
|
|
|
|
24E000
|
heap default
|
page read and write
|
|
|
|
167000
|
heap default
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
10000
|
unkown image
|
page read and write
|
|
|
|
18F000
|
unkown
|
page read and write
|
|
|
|
29D000
|
unkown
|
page read and write
|
|
|
|
2AF0000
|
unkown
|
page read and write
|
|
|
|
2B5C000
|
unkown
|
page read and write
|
|
|
|
56AF000
|
stack
|
page read and write
|
|
|
|
2B84000
|
unkown
|
page read and write
|
|
|
|
11D000
|
heap private
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
2B04000
|
unkown
|
page read and write
|
|
|
|
4F0000
|
heap default
|
page read and write
|
|
|
|
4F6D000
|
unkown
|
page read and write
|
|
|
|
2344000
|
heap private
|
page read and write
|
|
There are 259 hidden memdumps, click here to show them.