Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
474556085436219490680.xlsb
|
Microsoft Excel 2007+
|
initial sample
|
 |
|
|
C:\ProgramData\UXcqTE.rtf
|
HTML document, ASCII text, with very long lines, with CRLF line terminators
|
dropped
|
|
|
|
C:\Users\user\Desktop\~$474556085436219490680.xlsb
|
data
|
dropped
|
|
|
|
C:\ProgramData\VNsYnsilCvEhxr.txt
|
ASCII text, with no line terminators
|
dropped
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG[1].txt
|
ASCII text, with no line terminators
|
downloaded
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5EBBEF1D.png
|
PNG image data, 238 x 337, 8-bit/color RGBA, non-interlaced
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8150A08C.png
|
PNG image data, 298 x 42, 8-bit/color RGB, non-interlaced
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Temp\2D67.tmp
|
Microsoft Excel 2007+
|
dropped
|
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
|
|
|
|
C:\Windows\System32\wbem\WMIC.exe
|
wmic process call create "mshta C:\ProgramData\UXcqTE.rtf"
|
|
|
|
C:\Windows\System32\mshta.exe
|
mshta C:\ProgramData\UXcqTE.rtf
|
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
|
unknown
|
|
|
|
http://www.windows.com/pctv.
|
unknown
|
|
|
|
http://investor.msn.com
|
unknown
|
|
|
|
http://www.msnbc.com/news/ticker.txt
|
unknown
|
|
|
|
http://www.%s.comPA
|
unknown
|
|
|
|
http://www.icra.org/vocabulary/.
|
unknown
|
|
|
|
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
|
unknown
|
|
|
|
http://132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
|
132.148.135.183
|
|
|
|
http://windowsmedia.com/redir/services.asp?WMPFriendly=true
|
unknown
|
|
|
|
http://www.hotmail.com/oe
|
unknown
|
|
|
|
http://servername/isapibackend.dll
|
unknown
|
|
|
|
http://investor.msn.com/
|
unknown
|
|
There are 2 hidden URLs, click here to show them.
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
132.148.135.183
|
unknown
|
United States
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
*o'
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
|
MTTT
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
ReviewToken
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2CDAB
|
2CDAB
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
VBAFiles
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
hv'
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
ProductNonBootFilesIntl_1033
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
OriginalAttachmentPath
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
TemporaryAttachmentName
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109A10090400100000000F01FEC\Usage
|
OutlookMAPI2Intl_1033
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
|
LastPurgeTime
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
EXCELFiles
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
|
SavedLegacySettings
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
ProductNonBootFilesIntl_1033
|
|
There are 7 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
B50000
|
unkown image
|
page readonly
|
|
|
|
60000
|
unkown image
|
page readonly
|
|
|
|
1F7F000
|
heap private
|
page read and write
|
|
|
|
5D0000
|
unkown image
|
page readonly
|
|
|
|
2030000
|
unkown
|
page read and write
|
|
|
|
2940000
|
unkown
|
page read and write
|
|
|
|
203C000
|
unkown
|
page read and write
|
|
|
|
2BF000
|
unkown
|
page read and write
|
|
|
|
4050000
|
heap private
|
page read and write
|
|
|
|
3E6000
|
unkown
|
page read and write
|
|
|
|
1F50000
|
unkown image
|
page readonly
|
|
|
|
2AE7000
|
unkown
|
page read and write
|
|
|
|
40000
|
unkown image
|
page readonly
|
|
|
|
344000
|
heap default
|
page read and write
|
|
|
|
30000
|
unkown image
|
page readonly
|
|
|
|
2084000
|
unkown
|
page read and write
|
|
|
|
30FF000
|
stack
|
page read and write
|
|
|
|
64EF000
|
stack
|
page read and write
|
|
|
|
74E000
|
stack
|
page read and write
|
|
|
|
3DA0000
|
unkown
|
page read and write
|
|
|
|
2BBF000
|
stack
|
page read and write
|
|
|
|
3210000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
51A000
|
heap private
|
page read and write
|
|
|
|
830000
|
unkown image
|
page readonly
|
|
|
|
2800000
|
heap private
|
page read and write
|
|
|
|
2AE1000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
1B70000
|
unkown image
|
page readonly
|
|
|
|
288F000
|
stack
|
page read and write
|
|
|
|
2BF000
|
unkown
|
page read and write
|
|
|
|
28B000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
2AE5000
|
unkown
|
page read and write
|
|
|
|
2BF000
|
unkown
|
page read and write
|
|
|
|
9B0000
|
unkown image
|
page readonly
|
|
|
|
2BF000
|
unkown
|
page read and write
|
|
|
|
1FD0000
|
unkown
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
3D7B000
|
unkown
|
page read and write
|
|
|
|
2976000
|
unkown
|
page read and write
|
|
|
|
2FC5000
|
heap private
|
page read and write
|
|
|
|
366000
|
unkown
|
page read and write
|
|
|
|
39A000
|
heap default
|
page read and write
|
|
|
|
3D72000
|
unkown
|
page read and write
|
|
|
|
459000
|
unkown
|
page read and write
|
|
|
|
2068000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
3D70000
|
unkown
|
page read and write
|
|
|
|
2AE0000
|
unkown
|
page read and write
|
|
|
|
1F35000
|
heap private
|
page read and write
|
|
|
|
2150000
|
unkown image
|
page readonly
|
|
|
|
366000
|
unkown
|
page read and write
|
|
|
|
7EFE0000
|
unkown image
|
page readonly
|
|
|
|
3D5F000
|
unkown
|
page read and write
|
|
|
|
3C10000
|
heap private
|
page read and write
|
|
|
|
205C000
|
unkown
|
page read and write
|
|
|
|
2AE3000
|
unkown
|
page read and write
|
|
|
|
50F000
|
stack
|
page read and write
|
|
|
|
1FC8000
|
unkown
|
page read and write
|
|
|
|
3D90000
|
unkown
|
page read and write
|
|
|
|
2AE9000
|
unkown
|
page read and write
|
|
|
|
200C000
|
unkown
|
page read and write
|
|
|
|
2000000
|
unkown
|
page read and write
|
|
|
|
2E2000
|
unkown
|
page read and write
|
|
|
|
3D54000
|
unkown
|
page read and write
|
|
|
|
5B32000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
2230000
|
heap private
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
5E0000
|
unkown image
|
page readonly
|
|
|
|
3E90000
|
heap private
|
page read and write
|
|
|
|
298000
|
unkown
|
page read and write
|
|
|
|
10000
|
unkown image
|
page read and write
|
|
|
|
1FF8000
|
unkown
|
page read and write
|
|
|
|
2EE000
|
heap default
|
page read and write
|
|
|
|
2AEC000
|
unkown
|
page read and write
|
|
|
|
16D000
|
unkown
|
page read and write
|
|
|
|
403F000
|
stack
|
page read and write
|
|
|
|
7EFE0000
|
unkown image
|
page readonly
|
|
|
|
289000
|
unkown
|
page read and write
|
|
|
|
2710000
|
heap private
|
page read and write
|
|
|
|
41F000
|
unkown
|
page read and write
|
|
|
|
1EA0000
|
heap private
|
page read and write
|
|
|
|
2235000
|
heap private
|
page read and write
|
|
|
|
459000
|
unkown
|
page read and write
|
|
|
|
402000
|
unkown
|
page read and write
|
|
|
|
237000
|
heap default
|
page read and write
|
|
|
|
5742000
|
unkown image
|
page read and write
|
|
|
|
218F000
|
stack
|
page read and write
|
|
|
|
280000
|
unkown
|
page read and write
|
|
|
|
1FE8000
|
unkown
|
page read and write
|
|
|
|
298000
|
unkown
|
page read and write
|
|
|
|
30FF000
|
stack
|
page read and write
|
|
|
|
26D000
|
heap default
|
page read and write
|
|
|
|
2D4000
|
unkown
|
page read and write
|
|
|
|
459000
|
unkown
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
2E4000
|
unkown
|
page read and write
|
|
|
|
1FDC000
|
unkown
|
page read and write
|
|
|
|
26E000
|
heap default
|
page read and write
|
|
|
|
510000
|
heap private
|
page read and write
|
|
|
|
412000
|
unkown
|
page read and write
|
|
|
|
444000
|
heap private
|
page read and write
|
|
|
|
43E000
|
unkown
|
page read and write
|
|
|
|
2A60000
|
heap private
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
1A6000
|
unkown
|
page read and write
|
|
|
|
404000
|
unkown
|
page read and write
|
|
|
|
200000
|
unkown image
|
page read and write
|
|
|
|
2060000
|
heap private
|
page read and write
|
|
|
|
2BA000
|
unkown
|
page read and write
|
|
|
|
2048000
|
unkown
|
page read and write
|
|
|
|
450000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
3B0000
|
unkown
|
page read and write
|
|
|
|
1F76000
|
heap private
|
page read and write
|
|
|
|
204C000
|
unkown
|
page read and write
|
|
|
|
1E0000
|
heap private
|
page read and write
|
|
|
|
25A0000
|
heap private
|
page read and write
|
|
|
|
440000
|
heap private
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
3F9000
|
unkown
|
page read and write
|
|
|
|
2038000
|
unkown
|
page read and write
|
|
|
|
276000
|
heap default
|
page read and write
|
|
|
|
3D58000
|
unkown
|
page read and write
|
|
|
|
2B7000
|
heap default
|
page read and write
|
|
|
|
43E000
|
unkown
|
page read and write
|
|
|
|
3D74000
|
unkown
|
page read and write
|
|
|
|
40000
|
unkown image
|
page readonly
|
|
|
|
230000
|
heap default
|
page read and write
|
|
|
|
3D50000
|
unkown
|
page read and write
|
|
|
|
1FE4000
|
unkown
|
page read and write
|
|
|
|
2080000
|
unkown
|
page read and write
|
|
|
|
1FF0000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
226B000
|
heap private
|
page read and write
|
|
|
|
2CF0000
|
unkown
|
page read and write
|
|
|
|
3D63000
|
unkown
|
page read and write
|
|
|
|
1F80000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
4320000
|
unkown
|
page read and write
|
|
|
|
40D000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
2805000
|
heap private
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
20D0000
|
heap private
|
page read and write
|
|
|
|
416000
|
unkown
|
page read and write
|
|
|
|
2FAE000
|
stack
|
page read and write
|
|
|
|
2D2000
|
unkown
|
page read and write
|
|
|
|
1FEC000
|
unkown
|
page read and write
|
|
|
|
1D0000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
1E4000
|
heap private
|
page read and write
|
|
|
|
2BA000
|
unkown
|
page read and write
|
|
|
|
459000
|
unkown
|
page read and write
|
|
|
|
41A0000
|
heap private
|
page read and write
|
|
|
|
2FFB000
|
heap private
|
page read and write
|
|
|
|
40000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
2060000
|
unkown
|
page read and write
|
|
|
|
30000
|
unkown image
|
page readonly
|
|
|
|
1FE0000
|
unkown
|
page read and write
|
|
|
|
2BA000
|
unkown
|
page read and write
|
|
|
|
3D88000
|
unkown
|
page read and write
|
|
|
|
2AE4000
|
unkown
|
page read and write
|
|
|
|
3CD0000
|
heap private
|
page read and write
|
|
|
|
70000
|
unkown image
|
page read and write
|
|
|
|
397000
|
heap default
|
page read and write
|
|
|
|
2008000
|
unkown
|
page read and write
|
|
|
|
41D000
|
unkown
|
page read and write
|
|
|
|
330000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
2AE2000
|
unkown
|
page read and write
|
|
|
|
51D000
|
heap private
|
page read and write
|
|
|
|
2640000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
230000
|
heap default
|
page read and write
|
|
|
|
BDF000
|
stack
|
page read and write
|
|
|
|
25C0000
|
unkown image
|
page readonly
|
|
|
|
440000
|
unkown
|
page read and write
|
|
|
|
261E000
|
stack
|
page read and write
|
|
|
|
3D76000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
1F30000
|
heap private
|
page read and write
|
|
|
|
298000
|
unkown
|
page read and write
|
|
|
|
20D4000
|
heap private
|
page read and write
|
|
|
|
3D6B000
|
unkown
|
page read and write
|
|
|
|
43E000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
2AE8000
|
unkown
|
page read and write
|
|
|
|
42A0000
|
heap private
|
page read and write
|
|
|
|
2F7F000
|
stack
|
page read and write
|
|
|
|
10000
|
unkown image
|
page read and write
|
|
|
|
6BF000
|
stack
|
page read and write
|
|
|
|
1F94000
|
heap private
|
page read and write
|
|
|
|
330000
|
unkown
|
page read and write
|
|
|
|
2014000
|
unkown
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
27B000
|
heap default
|
page read and write
|
|
|
|
2CED000
|
stack
|
page read and write
|
|
|
|
3D5C000
|
unkown
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
423000
|
unkown
|
page read and write
|
|
|
|
2AE6000
|
unkown
|
page read and write
|
|
|
|
1FF4000
|
unkown
|
page read and write
|
|
|
|
2520000
|
heap private
|
page read and write
|
|
|
|
1FCC000
|
unkown
|
page read and write
|
|
|
|
359000
|
heap default
|
page read and write
|
|
|
|
2004000
|
unkown
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
27B000
|
unkown
|
page read and write
|
|
|
|
7EFE0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
2019000
|
unkown
|
page read and write
|
|
|
|
3D82000
|
unkown
|
page read and write
|
|
|
|
2040000
|
unkown
|
page read and write
|
|
|
|
2029000
|
unkown
|
page read and write
|
|
|
|
2AEA000
|
unkown
|
page read and write
|
|
|
|
298000
|
unkown
|
page read and write
|
|
|
|
2620000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
456000
|
unkown
|
page read and write
|
|
|
|
1F60000
|
unkown image
|
page read and write
|
|
|
|
10000
|
unkown image
|
page read and write
|
|
|
|
3AA0000
|
heap private
|
page read and write
|
|
|
|
442000
|
unkown
|
page read and write
|
|
|
|
1FD0000
|
heap private
|
page read and write
|
|
|
|
20000
|
unkown image
|
page read and write
|
|
|
|
237000
|
heap default
|
page read and write
|
|
|
|
2B0000
|
heap default
|
page read and write
|
|
|
|
3CD5000
|
heap private
|
page read and write
|
|
|
|
2FC0000
|
heap private
|
page read and write
|
|
|
|
58F000
|
stack
|
page read and write
|
|
|
|
1FD8000
|
unkown
|
page read and write
|
|
|
|
288000
|
unkown
|
page read and write
|
|
|
|
3D79000
|
unkown
|
page read and write
|
|
|
|
2AEB000
|
unkown
|
page read and write
|
|
|
|
35F0000
|
unkown image
|
page readonly
|
|
|
|
1F6B000
|
heap private
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
374000
|
heap default
|
page read and write
|
|
|
|
2074000
|
unkown
|
page read and write
|
|
|
|
1F90000
|
heap private
|
page read and write
|
|
|
|
28A000
|
unkown
|
page read and write
|
|
|
|
30000
|
unkown image
|
page readonly
|
|
|
|
25B0000
|
unkown image
|
page readonly
|
|
|
|
33F7000
|
unkown image
|
page readonly
|
|
|
|
43C000
|
unkown
|
page read and write
|
|
|
|
2070000
|
unkown
|
page read and write
|
|
|
|
2BF000
|
unkown
|
page read and write
|
|
|
|
28C0000
|
heap private
|
page read and write
|
|
|
|
1F9B000
|
heap private
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
12A000
|
unkown
|
page read and write
|
|
|
|
29DF000
|
stack
|
page read and write
|
|
|
|
80000
|
unkown
|
page read and write
|
|
|
|
2850000
|
heap private
|
page read and write
|
|
|
|
514000
|
heap private
|
page read and write
|
|
|
|
2010000
|
unkown
|
page read and write
|
|
|
|
9C0000
|
unkown image
|
page readonly
|
|
|
|
2064000
|
unkown
|
page read and write
|
|
|
|
281F000
|
stack
|
page read and write
|
|
|
|
2BF000
|
unkown
|
page read and write
|
|
There are 256 hidden memdumps, click here to show them.