Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
Sale-8799306.xlsb
|
Microsoft Excel 2007+
|
initial sample
|
 |
|
|
C:\ProgramData\CjBEfxIRZH.rtf
|
HTML document, ASCII text, with very long lines, with CRLF line terminators
|
dropped
|
|
|
|
C:\Users\user\Desktop\~$Sale-8799306.xlsb
|
data
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\55A75020.png
|
PNG image data, 275 x 49, 8-bit/color RGB, non-interlaced
|
dropped
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D68BD1A1.png
|
PNG image data, 225 x 317, 8-bit/color RGBA, non-interlaced
|
dropped
|
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
|
|
|
|
C:\Windows\System32\wbem\WMIC.exe
|
wmic process call create "mshta C:\ProgramData\CjBEfxIRZH.rtf"
|
|
|
|
C:\Windows\System32\mshta.exe
|
mshta C:\ProgramData\CjBEfxIRZH.rtf
|
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
|
unknown
|
|
|
|
http://www.windows.com/pctv.
|
unknown
|
|
|
|
http://investor.msn.com
|
unknown
|
|
|
|
http://www.msnbc.com/news/ticker.txt
|
unknown
|
|
|
|
http://www.%s.comPA
|
unknown
|
|
|
|
http://www.icra.org/vocabulary/.
|
unknown
|
|
|
|
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
|
unknown
|
|
|
|
http://windowsmedia.com/redir/services.asp?WMPFriendly=true
|
unknown
|
|
|
|
http://www.hotmail.com/oe
|
unknown
|
|
|
|
http://servername/isapibackend.dll
|
unknown
|
|
|
|
http://investor.msn.com/
|
unknown
|
|
There are 1 hidden URLs, click here to show them.
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
136.144.181.174
|
unknown
|
Netherlands
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
.a,
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
|
MTTT
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
ReviewToken
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2CFCD
|
2CFCD
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
VBAFiles
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
mh,
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
ProductNonBootFilesIntl_1033
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
|
LastPurgeTime
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
EXCELFiles
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
|
SavedLegacySettings
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
ProductNonBootFilesIntl_1033
|
|
There are 4 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
106000
|
unkown
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
3E2000
|
unkown
|
page read and write
|
|
|
|
380000
|
unkown image
|
page readonly
|
|
|
|
2CA4000
|
unkown
|
page read and write
|
|
|
|
2CA0000
|
unkown
|
page read and write
|
|
|
|
2B04000
|
heap private
|
page read and write
|
|
|
|
2CA5000
|
unkown
|
page read and write
|
|
|
|
4FBE000
|
unkown
|
page read and write
|
|
|
|
233F000
|
heap private
|
page read and write
|
|
|
|
2BC4000
|
unkown
|
page read and write
|
|
|
|
2D90000
|
heap private
|
page read and write
|
|
|
|
4F84000
|
unkown
|
page read and write
|
|
|
|
2CA9000
|
unkown
|
page read and write
|
|
|
|
27F0000
|
heap private
|
page read and write
|
|
|
|
12F0000
|
unkown image
|
page readonly
|
|
|
|
2BD4000
|
unkown
|
page read and write
|
|
|
|
50A000
|
heap private
|
page read and write
|
|
|
|
52B0000
|
heap private
|
page read and write
|
|
|
|
7EFE0000
|
unkown image
|
page readonly
|
|
|
|
3CD000
|
heap default
|
page read and write
|
|
|
|
296000
|
unkown
|
page read and write
|
|
|
|
2BB0000
|
unkown
|
page read and write
|
|
|
|
7EFE0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
2BD9000
|
unkown
|
page read and write
|
|
|
|
1EC0000
|
heap private
|
page read and write
|
|
|
|
2CA6000
|
unkown
|
page read and write
|
|
|
|
1C8000
|
unkown
|
page read and write
|
|
|
|
4F8E000
|
unkown
|
page read and write
|
|
|
|
2C00000
|
unkown
|
page read and write
|
|
|
|
4F93000
|
unkown
|
page read and write
|
|
|
|
5330000
|
heap private
|
page read and write
|
|
|
|
204000
|
unkown
|
page read and write
|
|
|
|
6F72000
|
unkown image
|
page readonly
|
|
|
|
2BF0000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
3DD0000
|
unkown
|
page read and write
|
|
|
|
2C28000
|
unkown
|
page read and write
|
|
|
|
3250000
|
heap private
|
page read and write
|
|
|
|
1C8000
|
unkown
|
page read and write
|
|
|
|
340F000
|
stack
|
page read and write
|
|
|
|
630000
|
heap private
|
page read and write
|
|
|
|
500000
|
unkown image
|
page readonly
|
|
|
|
2BC8000
|
unkown
|
page read and write
|
|
|
|
2BA4000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
429000
|
unkown
|
page read and write
|
|
|
|
3255000
|
heap private
|
page read and write
|
|
|
|
2354000
|
heap private
|
page read and write
|
|
|
|
160000
|
heap default
|
page read and write
|
|
|
|
2BF8000
|
unkown
|
page read and write
|
|
|
|
2AC0000
|
unkown image
|
page readonly
|
|
|
|
2CAB000
|
unkown
|
page read and write
|
|
|
|
22F5000
|
heap private
|
page read and write
|
|
|
|
20B000
|
unkown
|
page read and write
|
|
|
|
2C44000
|
unkown
|
page read and write
|
|
|
|
369000
|
heap default
|
page read and write
|
|
|
|
4EF5000
|
heap private
|
page read and write
|
|
|
|
2C34000
|
unkown
|
page read and write
|
|
|
|
30000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
40000
|
unkown image
|
page readonly
|
|
|
|
1ED000
|
unkown
|
page read and write
|
|
|
|
1EF000
|
unkown
|
page read and write
|
|
|
|
4FA7000
|
unkown
|
page read and write
|
|
|
|
360000
|
unkown image
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
2C20000
|
heap private
|
page read and write
|
|
|
|
4F87000
|
unkown
|
page read and write
|
|
|
|
2CA3000
|
unkown
|
page read and write
|
|
|
|
3DB000
|
heap default
|
page read and write
|
|
|
|
5530000
|
heap private
|
page read and write
|
|
|
|
30000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
79F000
|
stack
|
page read and write
|
|
|
|
2C24000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
2A40000
|
heap private
|
page read and write
|
|
|
|
1EF000
|
unkown
|
page read and write
|
|
|
|
3ED000
|
unkown
|
page read and write
|
|
|
|
3B6000
|
unkown
|
page read and write
|
|
|
|
2CA2000
|
unkown
|
page read and write
|
|
|
|
71F000
|
stack
|
page read and write
|
|
|
|
3C9000
|
unkown
|
page read and write
|
|
|
|
4F9A000
|
unkown
|
page read and write
|
|
|
|
140000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
2B90000
|
unkown
|
page read and write
|
|
|
|
2C08000
|
unkown
|
page read and write
|
|
|
|
136000
|
unkown
|
page read and write
|
|
|
|
2640000
|
unkown image
|
page readonly
|
|
|
|
10000
|
unkown image
|
page read and write
|
|
|
|
3275000
|
heap private
|
page read and write
|
|
|
|
429000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
397000
|
heap default
|
page read and write
|
|
|
|
223E000
|
stack
|
page read and write
|
|
|
|
1B0000
|
unkown
|
page read and write
|
|
|
|
2B9C000
|
unkown
|
page read and write
|
|
|
|
1EF000
|
unkown
|
page read and write
|
|
|
|
40E000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
4F97000
|
unkown
|
page read and write
|
|
|
|
50D000
|
heap private
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
2A20000
|
unkown image
|
page read and write
|
|
|
|
2BAC000
|
unkown
|
page read and write
|
|
|
|
D0F000
|
stack
|
page read and write
|
|
|
|
500000
|
heap private
|
page read and write
|
|
|
|
287000
|
heap default
|
page read and write
|
|
|
|
2BA8000
|
unkown
|
page read and write
|
|
|
|
56E0000
|
heap private
|
page read and write
|
|
|
|
40E000
|
unkown
|
page read and write
|
|
|
|
20B000
|
unkown
|
page read and write
|
|
|
|
510000
|
unkown image
|
page readonly
|
|
|
|
2BB8000
|
unkown
|
page read and write
|
|
|
|
4F7F000
|
unkown
|
page read and write
|
|
|
|
504000
|
heap private
|
page read and write
|
|
|
|
3220000
|
heap private
|
page read and write
|
|
|
|
232B000
|
heap private
|
page read and write
|
|
|
|
2B8C000
|
unkown
|
page read and write
|
|
|
|
4F91000
|
unkown
|
page read and write
|
|
|
|
3279000
|
heap private
|
page read and write
|
|
|
|
1470000
|
unkown image
|
page readonly
|
|
|
|
2336000
|
heap private
|
page read and write
|
|
|
|
634000
|
heap private
|
page read and write
|
|
|
|
38EF000
|
stack
|
page read and write
|
|
|
|
4FA1000
|
unkown
|
page read and write
|
|
|
|
3EF000
|
unkown
|
page read and write
|
|
|
|
2C30000
|
unkown
|
page read and write
|
|
|
|
3DD000
|
unkown
|
page read and write
|
|
|
|
2C0C000
|
unkown
|
page read and write
|
|
|
|
29D000
|
unkown
|
page read and write
|
|
|
|
1EA000
|
unkown
|
page read and write
|
|
|
|
2CA8000
|
unkown
|
page read and write
|
|
|
|
EA000
|
unkown
|
page read and write
|
|
|
|
40000
|
unkown image
|
page readonly
|
|
|
|
1EB0000
|
unkown image
|
page read and write
|
|
|
|
2350000
|
heap private
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
1C8000
|
unkown
|
page read and write
|
|
|
|
2B88000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
2BA0000
|
unkown
|
page read and write
|
|
|
|
1ED000
|
unkown
|
page read and write
|
|
|
|
3D5000
|
unkown
|
page read and write
|
|
|
|
344000
|
heap default
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
20B000
|
unkown
|
page read and write
|
|
|
|
2BB4000
|
unkown
|
page read and write
|
|
|
|
5760000
|
unkown
|
page read and write
|
|
|
|
429000
|
unkown
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
4EF0000
|
heap private
|
page read and write
|
|
|
|
390000
|
heap default
|
page read and write
|
|
|
|
20000
|
unkown image
|
page read and write
|
|
|
|
2240000
|
heap private
|
page read and write
|
|
|
|
3E6000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
2C40000
|
unkown
|
page read and write
|
|
|
|
280000
|
heap default
|
page read and write
|
|
|
|
1BB000
|
unkown
|
page read and write
|
|
|
|
20FF000
|
stack
|
page read and write
|
|
|
|
40E000
|
unkown
|
page read and write
|
|
|
|
2DCB000
|
heap private
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
3D6000
|
heap default
|
page read and write
|
|
|
|
30000
|
unkown image
|
page readonly
|
|
|
|
202000
|
unkown
|
page read and write
|
|
|
|
3BD7000
|
unkown image
|
page readonly
|
|
|
|
2A40000
|
unkown
|
page read and write
|
|
|
|
7EFE0000
|
unkown image
|
page readonly
|
|
|
|
2BE9000
|
unkown
|
page read and write
|
|
|
|
1AA0000
|
unkown image
|
page readonly
|
|
|
|
2CAC000
|
unkown
|
page read and write
|
|
|
|
2BE000
|
heap default
|
page read and write
|
|
|
|
374000
|
heap private
|
page read and write
|
|
|
|
2A10000
|
unkown image
|
page readonly
|
|
|
|
1EA000
|
unkown
|
page read and write
|
|
|
|
10000
|
unkown image
|
page read and write
|
|
|
|
2CA7000
|
unkown
|
page read and write
|
|
|
|
1C8000
|
unkown
|
page read and write
|
|
|
|
1B9000
|
unkown
|
page read and write
|
|
|
|
39F0000
|
unkown image
|
page readonly
|
|
|
|
1B8000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
19E000
|
heap default
|
page read and write
|
|
|
|
4F76000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
1BA000
|
unkown
|
page read and write
|
|
|
|
380000
|
unkown
|
page read and write
|
|
|
|
429000
|
unkown
|
page read and write
|
|
|
|
1480000
|
unkown image
|
page readonly
|
|
|
|
1EA000
|
unkown
|
page read and write
|
|
|
|
60000
|
unkown image
|
page readonly
|
|
|
|
527E000
|
stack
|
page read and write
|
|
|
|
214000
|
unkown
|
page read and write
|
|
|
|
3270000
|
heap private
|
page read and write
|
|
|
|
2BD0000
|
unkown
|
page read and write
|
|
|
|
4020000
|
unkown image
|
page readonly
|
|
|
|
412000
|
unkown
|
page read and write
|
|
|
|
30E0000
|
unkown
|
page read and write
|
|
|
|
2CA1000
|
unkown
|
page read and write
|
|
|
|
426000
|
unkown
|
page read and write
|
|
|
|
2B98000
|
unkown
|
page read and write
|
|
|
|
2BC0000
|
unkown
|
page read and write
|
|
|
|
2C1E000
|
stack
|
page read and write
|
|
|
|
2C20000
|
unkown
|
page read and write
|
|
|
|
2BCC000
|
unkown
|
page read and write
|
|
|
|
260000
|
unkown
|
page read and write
|
|
|
|
328B000
|
heap private
|
page read and write
|
|
|
|
1F50000
|
heap private
|
page read and write
|
|
|
|
D0000
|
unkown
|
page read and write
|
|
|
|
1FD0000
|
heap private
|
page read and write
|
|
|
|
30D6000
|
unkown
|
page read and write
|
|
|
|
4F70000
|
unkown
|
page read and write
|
|
|
|
321F000
|
stack
|
page read and write
|
|
|
|
3225000
|
heap private
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
10000
|
unkown image
|
page read and write
|
|
|
|
321000
|
heap default
|
page read and write
|
|
|
|
1AB000
|
unkown
|
page read and write
|
|
|
|
6B82000
|
unkown image
|
page read and write
|
|
|
|
167000
|
heap default
|
page read and write
|
|
|
|
4FAE000
|
unkown
|
page read and write
|
|
|
|
4F95000
|
unkown
|
page read and write
|
|
|
|
1E20000
|
heap private
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
1ED000
|
unkown
|
page read and write
|
|
|
|
370000
|
heap private
|
page read and write
|
|
|
|
376D000
|
stack
|
page read and write
|
|
|
|
2AD0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
358F000
|
stack
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
1DA0000
|
unkown
|
page read and write
|
|
|
|
2C1C000
|
unkown
|
page read and write
|
|
|
|
30A0000
|
unkown
|
page read and write
|
|
|
|
50E0000
|
heap private
|
page read and write
|
|
|
|
79AF000
|
stack
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
345F000
|
stack
|
page read and write
|
|
|
|
29AE000
|
stack
|
page read and write
|
|
|
|
3F3000
|
unkown
|
page read and write
|
|
|
|
2C80000
|
unkown image
|
page readonly
|
|
|
|
3D2000
|
unkown
|
page read and write
|
|
|
|
40C000
|
unkown
|
page read and write
|
|
|
|
2B00000
|
heap private
|
page read and write
|
|
|
|
22F0000
|
heap private
|
page read and write
|
|
|
|
4DF0000
|
heap private
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
1610000
|
unkown image
|
page readonly
|
|
|
|
212000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
2CAA000
|
unkown
|
page read and write
|
|
|
|
410000
|
unkown
|
page read and write
|
|
|
|
1E00000
|
unkown
|
page read and write
|
|
|
|
235B000
|
heap private
|
page read and write
|
|
|
|
2BFC000
|
unkown
|
page read and write
|
|
|
|
2D95000
|
heap private
|
page read and write
|
|
There are 254 hidden memdumps, click here to show them.