Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
BookingXConfirm-11401.xlsb
|
Microsoft Excel 2007+
|
initial sample
|
 |
|
|
C:\ProgramData\BnnsIhc.rtf
|
HTML document, ASCII text, with very long lines, with CRLF line terminators
|
dropped
|
|
|
|
C:\Users\user\Desktop\~$BookingXConfirm-11401.xlsb
|
data
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3B01B891.png
|
PNG image data, 292 x 49, 8-bit/color RGB, non-interlaced
|
dropped
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B4C9255E.png
|
PNG image data, 237 x 336, 8-bit/color RGBA, non-interlaced
|
dropped
|
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
|
|
|
|
C:\Windows\System32\wbem\WMIC.exe
|
wmic.exe process call create 'mshta C:\\ProgramData\BnnsIhc.rtf'
|
|
|
|
C:\Windows\System32\mshta.exe
|
mshta C:\\ProgramData\BnnsIhc.rtf
|
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://103.117.180.99:8080/PJ3ZQWVJPYCYDCA9A6Q2Y6YA
|
103.117.180.99
|
|
|
|
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
|
unknown
|
|
|
|
http://www.windows.com/pctv.
|
unknown
|
|
|
|
http://investor.msn.com
|
unknown
|
|
|
|
http://www.msnbc.com/news/ticker.txt
|
unknown
|
|
|
|
http://www.%s.comPA
|
unknown
|
|
|
|
http://www.icra.org/vocabulary/.
|
unknown
|
|
|
|
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
|
unknown
|
|
|
|
http://windowsmedia.com/redir/services.asp?WMPFriendly=true
|
unknown
|
|
|
|
http://www.hotmail.com/oe
|
unknown
|
|
|
|
http://servername/isapibackend.dll
|
unknown
|
|
|
|
http://investor.msn.com/
|
unknown
|
|
There are 2 hidden URLs, click here to show them.
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
103.117.180.99
|
unknown
|
India
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
? .
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
|
MTTT
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
ReviewToken
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2D22D
|
2D22D
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
VBAFiles
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
;g.
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
ProductNonBootFilesIntl_1033
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
|
LastPurgeTime
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
EXCELFiles
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
ProductNonBootFilesIntl_1033
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
|
SavedLegacySettings
|
|
There are 4 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
524A000
|
unkown
|
page read and write
|
|
|
|
25C4000
|
unkown
|
page read and write
|
|
|
|
2EB000
|
unkown
|
page read and write
|
|
|
|
31A000
|
unkown
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
2905000
|
heap private
|
page read and write
|
|
|
|
2A97000
|
unkown
|
page read and write
|
|
|
|
25D0000
|
unkown
|
page read and write
|
|
|
|
104000
|
heap private
|
page read and write
|
|
|
|
4E30000
|
unkown
|
page read and write
|
|
|
|
F90000
|
unkown image
|
page readonly
|
|
|
|
53FB000
|
heap private
|
page read and write
|
|
|
|
2ED000
|
unkown
|
page read and write
|
|
|
|
31F000
|
unkown
|
page read and write
|
|
|
|
1DD000
|
heap default
|
page read and write
|
|
|
|
2E8000
|
unkown
|
page read and write
|
|
|
|
2638000
|
unkown
|
page read and write
|
|
|
|
25F9000
|
unkown
|
page read and write
|
|
|
|
344000
|
unkown
|
page read and write
|
|
|
|
2DB000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
25A8000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
2A9A000
|
unkown
|
page read and write
|
|
|
|
390000
|
unkown
|
page read and write
|
|
|
|
2610000
|
unkown
|
page read and write
|
|
|
|
2A93000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
457000
|
heap default
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
7EFE0000
|
unkown image
|
page readonly
|
|
|
|
216000
|
heap private
|
page read and write
|
|
|
|
31D5000
|
heap private
|
page read and write
|
|
|
|
2630000
|
unkown
|
page read and write
|
|
|
|
290000
|
heap default
|
page read and write
|
|
|
|
24D0000
|
heap private
|
page read and write
|
|
|
|
C0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
280000
|
unkown
|
page read and write
|
|
|
|
5243000
|
unkown
|
page read and write
|
|
|
|
25D4000
|
unkown
|
page read and write
|
|
|
|
2F9000
|
unkown
|
page read and write
|
|
|
|
10A000
|
heap private
|
page read and write
|
|
|
|
30F6000
|
unkown
|
page read and write
|
|
|
|
1C80000
|
unkown image
|
page readonly
|
|
|
|
234000
|
heap private
|
page read and write
|
|
|
|
2A10000
|
heap private
|
page read and write
|
|
|
|
2D2000
|
unkown
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
40000
|
unkown image
|
page readonly
|
|
|
|
A3F000
|
stack
|
page read and write
|
|
|
|
2640000
|
unkown
|
page read and write
|
|
|
|
3B4000
|
heap private
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
524C000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
1A7000
|
heap default
|
page read and write
|
|
|
|
2E4F000
|
stack
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
2635000
|
heap private
|
page read and write
|
|
|
|
2930000
|
heap private
|
page read and write
|
|
|
|
31D0000
|
heap private
|
page read and write
|
|
|
|
2520000
|
unkown image
|
page readonly
|
|
|
|
51F000
|
stack
|
page read and write
|
|
|
|
20C0000
|
heap private
|
page read and write
|
|
|
|
2A90000
|
unkown
|
page read and write
|
|
|
|
31F000
|
unkown
|
page read and write
|
|
|
|
10D000
|
heap private
|
page read and write
|
|
|
|
4AB0000
|
heap private
|
page read and write
|
|
|
|
2F4000
|
unkown
|
page read and write
|
|
|
|
2900000
|
heap private
|
page read and write
|
|
|
|
334000
|
unkown
|
page read and write
|
|
|
|
5262000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
1120000
|
unkown image
|
page readonly
|
|
|
|
318F000
|
stack
|
page read and write
|
|
|
|
25E0000
|
unkown
|
page read and write
|
|
|
|
7EFE0000
|
unkown image
|
page readonly
|
|
|
|
5254000
|
unkown
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
260C000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
2530000
|
unkown image
|
page read and write
|
|
|
|
30C000
|
unkown
|
page read and write
|
|
|
|
26B0000
|
unkown image
|
page readonly
|
|
|
|
308F000
|
stack
|
page read and write
|
|
|
|
B0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
35D0000
|
heap private
|
page read and write
|
|
|
|
3C6000
|
unkown
|
page read and write
|
|
|
|
2550000
|
unkown
|
page read and write
|
|
|
|
30000
|
unkown image
|
page readonly
|
|
|
|
2E2000
|
unkown
|
page read and write
|
|
|
|
5230000
|
unkown
|
page read and write
|
|
|
|
4F3000
|
heap default
|
page read and write
|
|
|
|
2D5000
|
unkown
|
page read and write
|
|
|
|
2694000
|
heap private
|
page read and write
|
|
|
|
25BC000
|
unkown
|
page read and write
|
|
|
|
2F8000
|
unkown
|
page read and write
|
|
|
|
3B0000
|
heap private
|
page read and write
|
|
|
|
10000
|
unkown image
|
page read and write
|
|
|
|
2658000
|
unkown
|
page read and write
|
|
|
|
2830000
|
unkown image
|
page readonly
|
|
|
|
2840000
|
unkown image
|
page readonly
|
|
|
|
2A92000
|
unkown
|
page read and write
|
|
|
|
10000
|
unkown image
|
page read and write
|
|
|
|
2A98000
|
unkown
|
page read and write
|
|
|
|
1E6000
|
heap default
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
2720000
|
unkown image
|
page readonly
|
|
|
|
5260000
|
unkown
|
page read and write
|
|
|
|
4CF0000
|
heap private
|
page read and write
|
|
|
|
2A95000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
4A0000
|
heap private
|
page read and write
|
|
|
|
5257000
|
unkown
|
page read and write
|
|
|
|
554000
|
heap private
|
page read and write
|
|
|
|
5269000
|
unkown
|
page read and write
|
|
|
|
334D000
|
stack
|
page read and write
|
|
|
|
2DD000
|
unkown
|
page read and write
|
|
|
|
30C0000
|
unkown
|
page read and write
|
|
|
|
301F000
|
stack
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
31A000
|
unkown
|
page read and write
|
|
|
|
3230000
|
heap private
|
page read and write
|
|
|
|
1D5000
|
heap private
|
page read and write
|
|
|
|
5277000
|
unkown
|
page read and write
|
|
|
|
31D9000
|
heap private
|
page read and write
|
|
|
|
2690000
|
heap private
|
page read and write
|
|
|
|
5248000
|
unkown
|
page read and write
|
|
|
|
2598000
|
unkown
|
page read and write
|
|
|
|
250000
|
unkown image
|
page read and write
|
|
|
|
1BA000
|
unkown
|
page read and write
|
|
|
|
2F8000
|
unkown
|
page read and write
|
|
|
|
1ED000
|
heap default
|
page read and write
|
|
|
|
25AC000
|
unkown
|
page read and write
|
|
|
|
30BE000
|
stack
|
page read and write
|
|
|
|
21F000
|
heap private
|
page read and write
|
|
|
|
2E3000
|
unkown
|
page read and write
|
|
|
|
31A000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
20B000
|
heap private
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
2A99000
|
unkown
|
page read and write
|
|
|
|
4C10000
|
heap private
|
page read and write
|
|
|
|
10000
|
unkown image
|
page read and write
|
|
|
|
31A000
|
unkown
|
page read and write
|
|
|
|
6F0000
|
unkown image
|
page readonly
|
|
|
|
48F0000
|
heap private
|
page read and write
|
|
|
|
3235000
|
heap private
|
page read and write
|
|
|
|
100000
|
heap private
|
page read and write
|
|
|
|
525D000
|
unkown
|
page read and write
|
|
|
|
3B40000
|
unkown image
|
page readonly
|
|
|
|
F80000
|
unkown image
|
page readonly
|
|
|
|
2630000
|
heap private
|
page read and write
|
|
|
|
1D0000
|
heap private
|
page read and write
|
|
|
|
31F000
|
unkown
|
page read and write
|
|
|
|
2A94000
|
unkown
|
page read and write
|
|
|
|
202F000
|
stack
|
page read and write
|
|
|
|
2B6000
|
unkown
|
page read and write
|
|
|
|
2D0F000
|
stack
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
2F0000
|
unkown
|
page read and write
|
|
|
|
7EFE0000
|
unkown image
|
page readonly
|
|
|
|
25B0000
|
unkown
|
page read and write
|
|
|
|
550000
|
heap private
|
page read and write
|
|
|
|
55EF000
|
stack
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
2E6000
|
unkown
|
page read and write
|
|
|
|
25E9000
|
unkown
|
page read and write
|
|
|
|
347000
|
unkown
|
page read and write
|
|
|
|
25D8000
|
unkown
|
page read and write
|
|
|
|
519000
|
heap default
|
page read and write
|
|
|
|
2D6000
|
unkown
|
page read and write
|
|
|
|
332000
|
unkown
|
page read and write
|
|
|
|
259C000
|
unkown
|
page read and write
|
|
|
|
31A000
|
unkown
|
page read and write
|
|
|
|
2EA000
|
unkown
|
page read and write
|
|
|
|
2A96000
|
unkown
|
page read and write
|
|
|
|
523D000
|
unkown
|
page read and write
|
|
|
|
2600000
|
unkown
|
page read and write
|
|
|
|
20000
|
unkown image
|
page read and write
|
|
|
|
D0000
|
unkown image
|
page readonly
|
|
|
|
2F4000
|
unkown
|
page read and write
|
|
|
|
2A0000
|
unkown
|
page read and write
|
|
|
|
3947000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
2A9C000
|
unkown
|
page read and write
|
|
|
|
2CE000
|
heap default
|
page read and write
|
|
|
|
23B000
|
heap private
|
page read and write
|
|
|
|
5270000
|
unkown
|
page read and write
|
|
|
|
450000
|
heap default
|
page read and write
|
|
|
|
25DC000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
E00000
|
unkown image
|
page readonly
|
|
|
|
230000
|
heap private
|
page read and write
|
|
|
|
3480000
|
unkown
|
page read and write
|
|
|
|
2E0000
|
unkown
|
page read and write
|
|
|
|
3760000
|
unkown image
|
page readonly
|
|
|
|
E0000
|
unkown image
|
page read and write
|
|
|
|
5246000
|
unkown
|
page read and write
|
|
|
|
250000
|
unkown
|
page read and write
|
|
|
|
B0E000
|
stack
|
page read and write
|
|
|
|
2C9000
|
unkown
|
page read and write
|
|
|
|
297000
|
heap default
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
25B8000
|
unkown
|
page read and write
|
|
|
|
AD000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
5259000
|
unkown
|
page read and write
|
|
|
|
2608000
|
unkown
|
page read and write
|
|
|
|
560000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
6E0000
|
unkown image
|
page readonly
|
|
|
|
2644000
|
unkown
|
page read and write
|
|
|
|
25B0000
|
heap private
|
page read and write
|
|
|
|
31A000
|
unkown
|
page read and write
|
|
|
|
F0000
|
unkown
|
page read and write
|
|
|
|
277000
|
unkown
|
page read and write
|
|
|
|
1A0000
|
heap default
|
page read and write
|
|
|
|
2870000
|
unkown
|
page read and write
|
|
|
|
266B000
|
heap private
|
page read and write
|
|
|
|
27A0000
|
heap private
|
page read and write
|
|
|
|
525B000
|
unkown
|
page read and write
|
|
|
|
25B4000
|
unkown
|
page read and write
|
|
|
|
25A0000
|
unkown
|
page read and write
|
|
|
|
2618000
|
unkown
|
page read and write
|
|
|
|
261C000
|
unkown
|
page read and write
|
|
|
|
48E000
|
heap default
|
page read and write
|
|
|
|
49F000
|
stack
|
page read and write
|
|
|
|
293B000
|
heap private
|
page read and write
|
|
|
|
2A91000
|
unkown
|
page read and write
|
|
|
|
2040000
|
heap private
|
page read and write
|
|
|
|
2F8000
|
unkown
|
page read and write
|
|
|
|
2A9B000
|
unkown
|
page read and write
|
|
|
|
2F8000
|
unkown
|
page read and write
|
|
|
|
53C0000
|
heap private
|
page read and write
|
|
|
|
588F000
|
stack
|
page read and write
|
|
|
|
25C8000
|
unkown
|
page read and write
|
|
|
|
53C4000
|
heap private
|
page read and write
|
|
|
|
2660000
|
unkown
|
page read and write
|
|
|
|
2634000
|
unkown
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
2F7E000
|
stack
|
page read and write
|
|
|
|
2E9000
|
unkown
|
page read and write
|
|
|
|
48F5000
|
heap private
|
page read and write
|
|
|
|
4B30000
|
heap private
|
page read and write
|
|
|
|
2F7F000
|
stack
|
page read and write
|
|
|
|
53E000
|
heap default
|
page read and write
|
|
|
|
25C0000
|
unkown
|
page read and write
|
|
|
|
4A10000
|
heap private
|
page read and write
|
|
|
|
30000
|
unkown image
|
page readonly
|
|
|
|
25E4000
|
unkown
|
page read and write
|
|
|
|
40000
|
unkown image
|
page readonly
|
|
There are 247 hidden memdumps, click here to show them.