Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
03332955311591163552.xlsb
|
Microsoft Excel 2007+
|
initial sample
|
 |
|
|
C:\ProgramData\EcsbNSOxkInoaK.rtf
|
HTML document, ASCII text, with very long lines, with CRLF line terminators
|
dropped
|
|
|
|
C:\Users\user\Desktop\~$03332955311591163552.xlsb
|
data
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7204226A.png
|
PNG image data, 224 x 317, 8-bit/color RGBA, non-interlaced
|
dropped
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\72E292CD.png
|
PNG image data, 256 x 42, 8-bit/color RGB, non-interlaced
|
dropped
|
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
|
|
|
|
C:\Windows\System32\wbem\WMIC.exe
|
wmic process call create "mshta C:\ProgramData\EcsbNSOxkInoaK.rtf"
|
|
|
|
C:\Windows\System32\mshta.exe
|
mshta C:\ProgramData\EcsbNSOxkInoaK.rtf
|
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
|
unknown
|
|
|
|
http://www.windows.com/pctv.
|
unknown
|
|
|
|
http://investor.msn.com
|
unknown
|
|
|
|
http://www.msnbc.com/news/ticker.txt
|
unknown
|
|
|
|
http://www.%s.comPA
|
unknown
|
|
|
|
http://www.icra.org/vocabulary/.
|
unknown
|
|
|
|
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
|
unknown
|
|
|
|
http://windowsmedia.com/redir/services.asp?WMPFriendly=true
|
unknown
|
|
|
|
http://www.hotmail.com/oe
|
unknown
|
|
|
|
http://servername/isapibackend.dll
|
unknown
|
|
|
|
http://investor.msn.com/
|
unknown
|
|
There are 1 hidden URLs, click here to show them.
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
136.144.181.174
|
unknown
|
Netherlands
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
}|*
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
|
MTTT
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
ReviewToken
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2D73C
|
2D73C
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
VBAFiles
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
;$*
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
ProductNonBootFilesIntl_1033
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
|
LastPurgeTime
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
EXCELFiles
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
|
SavedLegacySettings
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
ProductNonBootFilesIntl_1033
|
|
There are 4 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
3D4000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
3BA000
|
unkown
|
page read and write
|
|
|
|
2770000
|
unkown
|
page read and write
|
|
|
|
2EF3000
|
unkown
|
page read and write
|
|
|
|
27CC000
|
unkown
|
page read and write
|
|
|
|
30000
|
unkown image
|
page readonly
|
|
|
|
35F0000
|
heap private
|
page read and write
|
|
|
|
F0000
|
unkown
|
page read and write
|
|
|
|
27C8000
|
unkown
|
page read and write
|
|
|
|
216000
|
heap default
|
page read and write
|
|
|
|
3890000
|
unkown image
|
page readonly
|
|
|
|
250000
|
heap private
|
page read and write
|
|
|
|
212F000
|
stack
|
page read and write
|
|
|
|
5488000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
3B9000
|
unkown
|
page read and write
|
|
|
|
27E8000
|
unkown
|
page read and write
|
|
|
|
24A000
|
unkown
|
page read and write
|
|
|
|
307E000
|
stack
|
page read and write
|
|
|
|
1340000
|
unkown image
|
page readonly
|
|
|
|
10000
|
unkown image
|
page read and write
|
|
|
|
3E7000
|
unkown
|
page read and write
|
|
|
|
20000
|
unkown image
|
page read and write
|
|
|
|
B1E000
|
stack
|
page read and write
|
|
|
|
398000
|
unkown
|
page read and write
|
|
|
|
2755000
|
heap private
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
2860000
|
unkown
|
page read and write
|
|
|
|
3FD000
|
unkown
|
page read and write
|
|
|
|
1A0000
|
heap private
|
page read and write
|
|
|
|
401000
|
unkown
|
page read and write
|
|
|
|
2A50000
|
heap private
|
page read and write
|
|
|
|
D0000
|
unkown image
|
page readonly
|
|
|
|
2819000
|
unkown
|
page read and write
|
|
|
|
2850000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
2F69000
|
heap private
|
page read and write
|
|
|
|
2E0F000
|
stack
|
page read and write
|
|
|
|
27F8000
|
unkown
|
page read and write
|
|
|
|
416000
|
unkown
|
page read and write
|
|
|
|
419000
|
unkown
|
page read and write
|
|
|
|
27D0000
|
unkown
|
page read and write
|
|
|
|
27BC000
|
unkown
|
page read and write
|
|
|
|
330000
|
heap default
|
page read and write
|
|
|
|
2F65000
|
heap private
|
page read and write
|
|
|
|
4C20000
|
heap private
|
page read and write
|
|
|
|
3BA000
|
unkown
|
page read and write
|
|
|
|
1C50000
|
unkown image
|
page readonly
|
|
|
|
2F60000
|
heap private
|
page read and write
|
|
|
|
54B1000
|
unkown
|
page read and write
|
|
|
|
466000
|
unkown
|
page read and write
|
|
|
|
30000
|
unkown image
|
page readonly
|
|
|
|
399000
|
unkown
|
page read and write
|
|
|
|
1FE0000
|
heap private
|
page read and write
|
|
|
|
3C70000
|
unkown
|
page read and write
|
|
|
|
2740000
|
unkown image
|
page readonly
|
|
|
|
400000
|
unkown
|
page read and write
|
|
|
|
2E70000
|
heap private
|
page read and write
|
|
|
|
398000
|
unkown
|
page read and write
|
|
|
|
3D6000
|
unkown
|
page read and write
|
|
|
|
27E4000
|
unkown
|
page read and write
|
|
|
|
80000
|
heap private
|
page read and write
|
|
|
|
548D000
|
unkown
|
page read and write
|
|
|
|
2F00000
|
unkown
|
page read and write
|
|
|
|
22E5000
|
heap private
|
page read and write
|
|
|
|
292000
|
heap default
|
page read and write
|
|
|
|
2960000
|
unkown image
|
page readonly
|
|
|
|
36E000
|
heap default
|
page read and write
|
|
|
|
3CD000
|
unkown
|
page read and write
|
|
|
|
400000
|
unkown
|
page read and write
|
|
|
|
5491000
|
unkown
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
54CE000
|
unkown
|
page read and write
|
|
|
|
200000
|
heap default
|
page read and write
|
|
|
|
3BA000
|
unkown
|
page read and write
|
|
|
|
27DC000
|
unkown
|
page read and write
|
|
|
|
1A6000
|
unkown
|
page read and write
|
|
|
|
2D0000
|
unkown
|
page read and write
|
|
|
|
54BE000
|
unkown
|
page read and write
|
|
|
|
56FF000
|
stack
|
page read and write
|
|
|
|
370000
|
unkown
|
page read and write
|
|
|
|
2810000
|
heap private
|
page read and write
|
|
|
|
A5F000
|
stack
|
page read and write
|
|
|
|
34C5000
|
heap private
|
page read and write
|
|
|
|
2344000
|
heap private
|
page read and write
|
|
|
|
2A60000
|
unkown image
|
page readonly
|
|
|
|
2EF9000
|
unkown
|
page read and write
|
|
|
|
3A77000
|
unkown image
|
page readonly
|
|
|
|
2C4000
|
heap default
|
page read and write
|
|
|
|
3E4000
|
unkown
|
page read and write
|
|
|
|
2864000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
282C000
|
unkown
|
page read and write
|
|
|
|
530000
|
unkown image
|
page readonly
|
|
|
|
27FC000
|
unkown
|
page read and write
|
|
|
|
3D2000
|
unkown
|
page read and write
|
|
|
|
98F000
|
stack
|
page read and write
|
|
|
|
2EF0000
|
unkown
|
page read and write
|
|
|
|
3A6000
|
unkown
|
page read and write
|
|
|
|
2326000
|
heap private
|
page read and write
|
|
|
|
3D2000
|
unkown
|
page read and write
|
|
|
|
5000000
|
heap private
|
page read and write
|
|
|
|
27F0000
|
unkown
|
page read and write
|
|
|
|
27B8000
|
unkown
|
page read and write
|
|
|
|
419000
|
unkown
|
page read and write
|
|
|
|
337E000
|
stack
|
page read and write
|
|
|
|
38B000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
27F4000
|
unkown
|
page read and write
|
|
|
|
20D000
|
heap default
|
page read and write
|
|
|
|
3BA000
|
unkown
|
page read and write
|
|
|
|
2ABB000
|
heap private
|
page read and write
|
|
|
|
6B12000
|
unkown image
|
page readonly
|
|
|
|
11B0000
|
unkown image
|
page readonly
|
|
|
|
54A7000
|
unkown
|
page read and write
|
|
|
|
33B6000
|
unkown
|
page read and write
|
|
|
|
4F0000
|
heap private
|
page read and write
|
|
|
|
3E3000
|
unkown
|
page read and write
|
|
|
|
549E000
|
unkown
|
page read and write
|
|
|
|
4E10000
|
heap private
|
page read and write
|
|
|
|
2EFA000
|
unkown
|
page read and write
|
|
|
|
6C0000
|
unkown image
|
page readonly
|
|
|
|
27D4000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
2EF1000
|
unkown
|
page read and write
|
|
|
|
2C50000
|
heap private
|
page read and write
|
|
|
|
2EF5000
|
unkown
|
page read and write
|
|
|
|
3BA000
|
unkown
|
page read and write
|
|
|
|
2874000
|
unkown
|
page read and write
|
|
|
|
400000
|
unkown
|
page read and write
|
|
|
|
3FC000
|
unkown
|
page read and write
|
|
|
|
3BA000
|
unkown
|
page read and write
|
|
|
|
207000
|
heap default
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
54AA000
|
unkown
|
page read and write
|
|
|
|
E0000
|
unkown image
|
page read and write
|
|
|
|
2750000
|
unkown image
|
page read and write
|
|
|
|
3325000
|
heap private
|
page read and write
|
|
|
|
37B000
|
unkown
|
page read and write
|
|
|
|
400000
|
unkown
|
page read and write
|
|
|
|
2EF6000
|
unkown
|
page read and write
|
|
|
|
2800000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
40000
|
unkown image
|
page readonly
|
|
|
|
4BE000
|
stack
|
page read and write
|
|
|
|
2809000
|
unkown
|
page read and write
|
|
|
|
3FD000
|
unkown
|
page read and write
|
|
|
|
3BF000
|
unkown
|
page read and write
|
|
|
|
2EFC000
|
unkown
|
page read and write
|
|
|
|
11A0000
|
unkown image
|
page readonly
|
|
|
|
218000
|
heap default
|
page read and write
|
|
|
|
54B7000
|
unkown
|
page read and write
|
|
|
|
10000
|
unkown image
|
page read and write
|
|
|
|
1D7000
|
heap default
|
page read and write
|
|
|
|
30000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
388000
|
unkown
|
page read and write
|
|
|
|
54A5000
|
unkown
|
page read and write
|
|
|
|
180000
|
unkown image
|
page read and write
|
|
|
|
2EF8000
|
unkown
|
page read and write
|
|
|
|
27C0000
|
unkown
|
page read and write
|
|
|
|
7EFE0000
|
unkown image
|
page readonly
|
|
|
|
2EF7000
|
unkown
|
page read and write
|
|
|
|
150000
|
unkown
|
page read and write
|
|
|
|
28E0000
|
heap private
|
page read and write
|
|
|
|
2E9000
|
heap default
|
page read and write
|
|
|
|
2A85000
|
heap private
|
page read and write
|
|
|
|
2804000
|
unkown
|
page read and write
|
|
|
|
2858000
|
unkown
|
page read and write
|
|
|
|
398000
|
unkown
|
page read and write
|
|
|
|
549A000
|
unkown
|
page read and write
|
|
|
|
1A4000
|
heap private
|
page read and write
|
|
|
|
2870000
|
unkown
|
page read and write
|
|
|
|
3FD000
|
unkown
|
page read and write
|
|
|
|
7EFE0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
231B000
|
heap private
|
page read and write
|
|
|
|
22E0000
|
heap private
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
4CF0000
|
heap private
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
35EE000
|
stack
|
page read and write
|
|
|
|
2A50000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
278B000
|
heap private
|
page read and write
|
|
|
|
32FF000
|
stack
|
page read and write
|
|
|
|
10000
|
unkown image
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
380000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
2830000
|
unkown
|
page read and write
|
|
|
|
23E000
|
heap default
|
page read and write
|
|
|
|
1020000
|
unkown image
|
page readonly
|
|
|
|
2A80000
|
heap private
|
page read and write
|
|
|
|
3D70000
|
unkown image
|
page readonly
|
|
|
|
2750000
|
heap private
|
page read and write
|
|
|
|
4F4000
|
heap private
|
page read and write
|
|
|
|
28E4000
|
heap private
|
page read and write
|
|
|
|
430000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
2838000
|
unkown
|
page read and write
|
|
|
|
1D0000
|
heap default
|
page read and write
|
|
|
|
6722000
|
unkown image
|
page read and write
|
|
|
|
306000
|
unkown
|
page read and write
|
|
|
|
6B0000
|
unkown image
|
page readonly
|
|
|
|
284C000
|
unkown
|
page read and write
|
|
|
|
4B40000
|
heap private
|
page read and write
|
|
|
|
2854000
|
unkown
|
page read and write
|
|
|
|
232F000
|
heap private
|
page read and write
|
|
|
|
234B000
|
heap private
|
page read and write
|
|
|
|
3BF000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
2820000
|
unkown
|
page read and write
|
|
|
|
2240000
|
heap private
|
page read and write
|
|
|
|
5480000
|
unkown
|
page read and write
|
|
|
|
5080000
|
unkown
|
page read and write
|
|
|
|
419000
|
unkown
|
page read and write
|
|
|
|
38A000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
2828000
|
unkown
|
page read and write
|
|
|
|
337000
|
heap default
|
page read and write
|
|
|
|
283C000
|
unkown
|
page read and write
|
|
|
|
40000
|
unkown image
|
page readonly
|
|
|
|
2340000
|
heap private
|
page read and write
|
|
|
|
2EF4000
|
unkown
|
page read and write
|
|
|
|
2BFE000
|
stack
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
3C5000
|
unkown
|
page read and write
|
|
|
|
4FA000
|
heap private
|
page read and write
|
|
|
|
54A3000
|
unkown
|
page read and write
|
|
|
|
84000
|
heap private
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
388E000
|
stack
|
page read and write
|
|
|
|
389000
|
unkown
|
page read and write
|
|
|
|
12D000
|
unkown
|
page read and write
|
|
|
|
3C2000
|
unkown
|
page read and write
|
|
|
|
75FF000
|
stack
|
page read and write
|
|
|
|
34CD000
|
stack
|
page read and write
|
|
|
|
7EFE0000
|
unkown image
|
page readonly
|
|
|
|
40000
|
unkown image
|
page readonly
|
|
|
|
54A0000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
2EFB000
|
unkown
|
page read and write
|
|
|
|
3380000
|
unkown
|
page read and write
|
|
|
|
27E0000
|
unkown
|
page read and write
|
|
|
|
2130000
|
heap private
|
page read and write
|
|
|
|
398000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
4FD000
|
heap private
|
page read and write
|
|
|
|
2890000
|
unkown image
|
page readonly
|
|
|
|
419000
|
unkown
|
page read and write
|
|
|
|
2EF2000
|
unkown
|
page read and write
|
|
|
|
3320000
|
heap private
|
page read and write
|
|
|
|
3BF000
|
unkown
|
page read and write
|
|
|
|
34C0000
|
heap private
|
page read and write
|
|
|
|
27D8000
|
unkown
|
page read and write
|
|
|
|
3DC000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
2EFE000
|
stack
|
page read and write
|
|
|
|
3DF000
|
unkown
|
page read and write
|
|
There are 256 hidden memdumps, click here to show them.