Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
7165.xlsb
|
Microsoft Excel 2007+
|
initial sample
|
 |
|
|
C:\ProgramData\HIXhaYv.rtf
|
HTML document, ASCII text, with very long lines, with CRLF line terminators
|
dropped
|
|
|
|
C:\Users\user\Desktop\~$7165.xlsb
|
data
|
dropped
|
|
|
|
C:\ProgramData\uLbchwVzJ.txt
|
ASCII text, with no line terminators
|
dropped
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG[1].txt
|
ASCII text, with no line terminators
|
downloaded
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B1075D7F.png
|
PNG image data, 256 x 51, 8-bit/color RGB, non-interlaced
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E075974.png
|
PNG image data, 237 x 336, 8-bit/color RGBA, non-interlaced
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Temp\33DC.tmp
|
Microsoft Excel 2007+
|
dropped
|
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
|
|
|
|
C:\Windows\System32\wbem\WMIC.exe
|
wmic process call create "mshta C:\ProgramData\HIXhaYv.rtf"
|
|
|
|
C:\Windows\System32\mshta.exe
|
mshta C:\ProgramData\HIXhaYv.rtf
|
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
|
unknown
|
|
|
|
http://www.windows.com/pctv.
|
unknown
|
|
|
|
http://investor.msn.com
|
unknown
|
|
|
|
http://www.msnbc.com/news/ticker.txt
|
unknown
|
|
|
|
http://www.%s.comPA
|
unknown
|
|
|
|
http://www.icra.org/vocabulary/.
|
unknown
|
|
|
|
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
|
unknown
|
|
|
|
http://windowsmedia.com/redir/services.asp?WMPFriendly=true
|
unknown
|
|
|
|
http://www.hotmail.com/oe
|
unknown
|
|
|
|
http://servername/isapibackend.dll
|
unknown
|
|
|
|
http://investor.msn.com/
|
unknown
|
|
|
|
http://157.245.108.215:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
|
157.245.108.215
|
|
There are 2 hidden URLs, click here to show them.
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
157.245.108.215
|
unknown
|
United States
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
$i*
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
|
MTTT
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
ReviewToken
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2D384
|
2D384
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
VBAFiles
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
wo*
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
ProductNonBootFilesIntl_1033
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
OriginalAttachmentPath
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
TemporaryAttachmentName
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109A10090400100000000F01FEC\Usage
|
OutlookMAPI2Intl_1033
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
|
LastPurgeTime
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
EXCELFiles
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
|
SavedLegacySettings
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
ProductNonBootFilesIntl_1033
|
|
There are 7 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
264000
|
heap private
|
page read and write
|
|
|
|
408000
|
unkown
|
page read and write
|
|
|
|
179000
|
unkown
|
page read and write
|
|
|
|
1DA000
|
heap private
|
page read and write
|
|
|
|
30EE000
|
stack
|
page read and write
|
|
|
|
442000
|
unkown
|
page read and write
|
|
|
|
3F37000
|
unkown
|
page read and write
|
|
|
|
7EFE0000
|
unkown image
|
page readonly
|
|
|
|
25D0000
|
heap private
|
page read and write
|
|
|
|
3E60000
|
heap private
|
page read and write
|
|
|
|
2370000
|
unkown
|
page read and write
|
|
|
|
22E0000
|
unkown
|
page read and write
|
|
|
|
1F0000
|
unkown
|
page read and write
|
|
|
|
2E73000
|
unkown
|
page read and write
|
|
|
|
420000
|
heap default
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
23E5000
|
heap private
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
3F4F000
|
unkown
|
page read and write
|
|
|
|
3700000
|
unkown image
|
page readonly
|
|
|
|
1E0000
|
unkown image
|
page read and write
|
|
|
|
5E4000
|
heap private
|
page read and write
|
|
|
|
18D000
|
unkown
|
page read and write
|
|
|
|
3FF0000
|
heap private
|
page read and write
|
|
|
|
2DB0000
|
heap private
|
page read and write
|
|
|
|
3F9000
|
unkown
|
page read and write
|
|
|
|
20000
|
unkown image
|
page read and write
|
|
|
|
2860000
|
unkown
|
page read and write
|
|
|
|
4E6000
|
heap default
|
page read and write
|
|
|
|
2328000
|
unkown
|
page read and write
|
|
|
|
427000
|
heap default
|
page read and write
|
|
|
|
3F14000
|
unkown
|
page read and write
|
|
|
|
22DC000
|
unkown
|
page read and write
|
|
|
|
160000
|
unkown
|
page read and write
|
|
|
|
22FC000
|
unkown
|
page read and write
|
|
|
|
409000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
3C50000
|
heap private
|
page read and write
|
|
|
|
BF0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
408000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
5DA2000
|
unkown image
|
page readonly
|
|
|
|
2E72000
|
unkown
|
page read and write
|
|
|
|
42A000
|
unkown
|
page read and write
|
|
|
|
30000
|
unkown image
|
page readonly
|
|
|
|
3FA000
|
unkown
|
page read and write
|
|
|
|
452000
|
unkown
|
page read and write
|
|
|
|
2DAB000
|
heap private
|
page read and write
|
|
|
|
23E0000
|
heap private
|
page read and write
|
|
|
|
BE0000
|
unkown image
|
page readonly
|
|
|
|
132000
|
unkown
|
page read and write
|
|
|
|
162000
|
unkown
|
page read and write
|
|
|
|
3320000
|
unkown image
|
page readonly
|
|
|
|
15E000
|
unkown
|
page read and write
|
|
|
|
42A000
|
unkown
|
page read and write
|
|
|
|
2095000
|
heap private
|
page read and write
|
|
|
|
2C50000
|
unkown
|
page read and write
|
|
|
|
2D70000
|
heap private
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
2309000
|
unkown
|
page read and write
|
|
|
|
53F000
|
stack
|
page read and write
|
|
|
|
3F00000
|
unkown
|
page read and write
|
|
|
|
1D0000
|
heap private
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
2C7F000
|
stack
|
page read and write
|
|
|
|
2F6000
|
unkown
|
page read and write
|
|
|
|
2E75000
|
unkown
|
page read and write
|
|
|
|
2304000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
42A000
|
unkown
|
page read and write
|
|
|
|
3F21000
|
unkown
|
page read and write
|
|
|
|
3F0000
|
unkown
|
page read and write
|
|
|
|
2460000
|
unkown image
|
page readonly
|
|
|
|
45E000
|
heap default
|
page read and write
|
|
|
|
2320000
|
unkown
|
page read and write
|
|
|
|
2DB5000
|
heap private
|
page read and write
|
|
|
|
20F4000
|
heap private
|
page read and write
|
|
|
|
A60000
|
unkown image
|
page readonly
|
|
|
|
1D4000
|
heap private
|
page read and write
|
|
|
|
22E4000
|
unkown
|
page read and write
|
|
|
|
22D4000
|
unkown
|
page read and write
|
|
|
|
20CB000
|
heap private
|
page read and write
|
|
|
|
3507000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
2E7C000
|
unkown
|
page read and write
|
|
|
|
2CD000
|
heap default
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
2AAF000
|
stack
|
page read and write
|
|
|
|
3F25000
|
unkown
|
page read and write
|
|
|
|
1DD000
|
heap private
|
page read and write
|
|
|
|
4C9000
|
heap default
|
page read and write
|
|
|
|
3FB000
|
unkown
|
page read and write
|
|
|
|
4C3000
|
heap default
|
page read and write
|
|
|
|
2DB000
|
heap default
|
page read and write
|
|
|
|
2180000
|
unkown image
|
page readonly
|
|
|
|
22D8000
|
unkown
|
page read and write
|
|
|
|
B6F000
|
stack
|
page read and write
|
|
|
|
2E77000
|
unkown
|
page read and write
|
|
|
|
3F12000
|
unkown
|
page read and write
|
|
|
|
2D60000
|
heap private
|
page read and write
|
|
|
|
10000
|
unkown image
|
page read and write
|
|
|
|
20FB000
|
heap private
|
page read and write
|
|
|
|
2364000
|
unkown
|
page read and write
|
|
|
|
22E8000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
23B0000
|
unkown image
|
page readonly
|
|
|
|
4400000
|
unkown
|
page read and write
|
|
|
|
42A000
|
unkown
|
page read and write
|
|
|
|
260000
|
heap private
|
page read and write
|
|
|
|
50B000
|
heap default
|
page read and write
|
|
|
|
3F08000
|
unkown
|
page read and write
|
|
|
|
23C0000
|
unkown image
|
page readonly
|
|
|
|
5BF000
|
stack
|
page read and write
|
|
|
|
444000
|
unkown
|
page read and write
|
|
|
|
179000
|
unkown
|
page read and write
|
|
|
|
15E000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
27A000
|
unkown
|
page read and write
|
|
|
|
297000
|
heap default
|
page read and write
|
|
|
|
22F8000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
2358000
|
unkown
|
page read and write
|
|
|
|
30000
|
unkown image
|
page readonly
|
|
|
|
20D6000
|
heap private
|
page read and write
|
|
|
|
2B6F000
|
stack
|
page read and write
|
|
|
|
234C000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
2300000
|
unkown
|
page read and write
|
|
|
|
42F000
|
unkown
|
page read and write
|
|
|
|
2DF0000
|
heap private
|
page read and write
|
|
|
|
3A0000
|
heap default
|
page read and write
|
|
|
|
10000
|
unkown image
|
page read and write
|
|
|
|
179000
|
unkown
|
page read and write
|
|
|
|
22BC000
|
unkown
|
page read and write
|
|
|
|
77F000
|
stack
|
page read and write
|
|
|
|
2360000
|
unkown
|
page read and write
|
|
|
|
454000
|
unkown
|
page read and write
|
|
|
|
436F000
|
stack
|
page read and write
|
|
|
|
2354000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
2E7B000
|
unkown
|
page read and write
|
|
|
|
2190000
|
unkown image
|
page read and write
|
|
|
|
2319000
|
unkown
|
page read and write
|
|
|
|
30000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
3F2A000
|
unkown
|
page read and write
|
|
|
|
408000
|
unkown
|
page read and write
|
|
|
|
136000
|
unkown
|
page read and write
|
|
|
|
3F23000
|
unkown
|
page read and write
|
|
|
|
12D000
|
unkown
|
page read and write
|
|
|
|
232C000
|
unkown
|
page read and write
|
|
|
|
42A000
|
unkown
|
page read and write
|
|
|
|
498F000
|
stack
|
page read and write
|
|
|
|
5F0000
|
unkown image
|
page readonly
|
|
|
|
2234000
|
heap private
|
page read and write
|
|
|
|
2350000
|
unkown
|
page read and write
|
|
|
|
176000
|
unkown
|
page read and write
|
|
|
|
3EE0000
|
unkown
|
page read and write
|
|
|
|
21B0000
|
unkown
|
page read and write
|
|
|
|
3D10000
|
heap private
|
page read and write
|
|
|
|
390000
|
unkown
|
page read and write
|
|
|
|
22F4000
|
unkown
|
page read and write
|
|
|
|
13F000
|
unkown
|
page read and write
|
|
|
|
3F8000
|
unkown
|
page read and write
|
|
|
|
179000
|
unkown
|
page read and write
|
|
|
|
D0000
|
unkown
|
page read and write
|
|
|
|
42F000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
7EFE0000
|
unkown image
|
page readonly
|
|
|
|
1D10000
|
unkown image
|
page readonly
|
|
|
|
3F27000
|
unkown
|
page read and write
|
|
|
|
D0000
|
unkown
|
page read and write
|
|
|
|
770000
|
unkown image
|
page readonly
|
|
|
|
22C0000
|
unkown
|
page read and write
|
|
|
|
4180000
|
heap private
|
page read and write
|
|
|
|
122000
|
unkown
|
page read and write
|
|
|
|
3F1F000
|
unkown
|
page read and write
|
|
|
|
2C86000
|
unkown
|
page read and write
|
|
|
|
28C0000
|
unkown image
|
page readonly
|
|
|
|
143000
|
unkown
|
page read and write
|
|
|
|
20F0000
|
heap private
|
page read and write
|
|
|
|
2E70000
|
unkown
|
page read and write
|
|
|
|
5E0000
|
heap private
|
page read and write
|
|
|
|
290000
|
heap default
|
page read and write
|
|
|
|
3F3F000
|
unkown
|
page read and write
|
|
|
|
241B000
|
heap private
|
page read and write
|
|
|
|
3EB000
|
unkown
|
page read and write
|
|
|
|
2BD0000
|
heap private
|
page read and write
|
|
|
|
22D0000
|
unkown
|
page read and write
|
|
|
|
22B8000
|
unkown
|
page read and write
|
|
|
|
15E000
|
unkown
|
page read and write
|
|
|
|
5C0000
|
unkown image
|
page read and write
|
|
|
|
2E78000
|
unkown
|
page read and write
|
|
|
|
2090000
|
heap private
|
page read and write
|
|
|
|
2330000
|
unkown
|
page read and write
|
|
|
|
2BAF000
|
stack
|
page read and write
|
|
|
|
408000
|
unkown
|
page read and write
|
|
|
|
22CC000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
2D8D000
|
stack
|
page read and write
|
|
|
|
233C000
|
unkown
|
page read and write
|
|
|
|
C5E000
|
stack
|
page read and write
|
|
|
|
2E79000
|
unkown
|
page read and write
|
|
|
|
119000
|
unkown
|
page read and write
|
|
|
|
10000
|
unkown image
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
3F18000
|
unkown
|
page read and write
|
|
|
|
2820000
|
unkown
|
page read and write
|
|
|
|
106000
|
unkown
|
page read and write
|
|
|
|
2E71000
|
unkown
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
21C0000
|
heap private
|
page read and write
|
|
|
|
2D6000
|
heap default
|
page read and write
|
|
|
|
125000
|
unkown
|
page read and write
|
|
|
|
2D75000
|
heap private
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
2840000
|
heap private
|
page read and write
|
|
|
|
3F31000
|
unkown
|
page read and write
|
|
|
|
20DF000
|
heap private
|
page read and write
|
|
|
|
40000
|
unkown image
|
page readonly
|
|
|
|
2E7A000
|
unkown
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
1D0000
|
unkown image
|
page readonly
|
|
|
|
D80000
|
unkown image
|
page readonly
|
|
|
|
42F000
|
unkown
|
page read and write
|
|
|
|
2230000
|
heap private
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
780000
|
unkown image
|
page readonly
|
|
|
|
106000
|
unkown
|
page read and write
|
|
|
|
59B2000
|
unkown image
|
page read and write
|
|
|
|
53F000
|
stack
|
page read and write
|
|
|
|
219E000
|
stack
|
page read and write
|
|
|
|
2F3F000
|
stack
|
page read and write
|
|
|
|
2D65000
|
heap private
|
page read and write
|
|
|
|
2338000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
3C6000
|
unkown
|
page read and write
|
|
|
|
42A000
|
unkown
|
page read and write
|
|
|
|
2740000
|
heap private
|
page read and write
|
|
|
|
40000
|
unkown image
|
page readonly
|
|
|
|
4A0000
|
unkown
|
page read and write
|
|
|
|
22F0000
|
unkown
|
page read and write
|
|
|
|
3DE000
|
heap default
|
page read and write
|
|
|
|
7EFE0000
|
unkown image
|
page readonly
|
|
|
|
3B80000
|
heap private
|
page read and write
|
|
|
|
3A7000
|
heap default
|
page read and write
|
|
|
|
4380000
|
heap private
|
page read and write
|
|
|
|
26C0000
|
heap private
|
page read and write
|
|
|
|
3F3A000
|
unkown
|
page read and write
|
|
|
|
3F0F000
|
unkown
|
page read and write
|
|
|
|
2E76000
|
unkown
|
page read and write
|
|
|
|
2374000
|
unkown
|
page read and write
|
|
|
|
2A40000
|
heap private
|
page read and write
|
|
|
|
3F16000
|
unkown
|
page read and write
|
|
|
|
15C000
|
unkown
|
page read and write
|
|
|
|
13D000
|
unkown
|
page read and write
|
|
|
|
22C8000
|
unkown
|
page read and write
|
|
|
|
40000
|
unkown image
|
page readonly
|
|
|
|
2E74000
|
unkown
|
page read and write
|
|
There are 256 hidden memdumps, click here to show them.