Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
Netflix coupon-32822.xlsb
|
Microsoft Excel 2007+
|
initial sample
|
 |
|
|
C:\ProgramData\QiLuJMFtkBaWg.rtf
|
HTML document, ASCII text, with very long lines, with CRLF line terminators
|
dropped
|
|
|
|
C:\Users\user\Desktop\~$Netflix coupon-32822.xlsb
|
data
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\781FED27.png
|
PNG image data, 225 x 318, 8-bit/color RGBA, non-interlaced
|
dropped
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9F568E3E.png
|
PNG image data, 293 x 40, 8-bit/color RGB, non-interlaced
|
dropped
|
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
|
|
|
|
C:\Windows\System32\wbem\WMIC.exe
|
wmic process call create "mshta C:\ProgramData\QiLuJMFtkBaWg.rtf"
|
|
|
|
C:\Windows\System32\mshta.exe
|
mshta C:\ProgramData\QiLuJMFtkBaWg.rtf
|
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
|
unknown
|
|
|
|
http://www.windows.com/pctv.
|
unknown
|
|
|
|
http://investor.msn.com
|
unknown
|
|
|
|
http://www.msnbc.com/news/ticker.txt
|
unknown
|
|
|
|
http://www.%s.comPA
|
unknown
|
|
|
|
http://www.icra.org/vocabulary/.
|
unknown
|
|
|
|
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
|
unknown
|
|
|
|
http://windowsmedia.com/redir/services.asp?WMPFriendly=true
|
unknown
|
|
|
|
http://www.hotmail.com/oe
|
unknown
|
|
|
|
http://servername/isapibackend.dll
|
unknown
|
|
|
|
http://investor.msn.com/
|
unknown
|
|
There are 1 hidden URLs, click here to show them.
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
158.140.185.205
|
unknown
|
Indonesia
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
4r-
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
|
MTTT
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
ReviewToken
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2D114
|
2D114
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
VBAFiles
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
6y-
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
ProductNonBootFilesIntl_1033
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
|
LastPurgeTime
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
EXCELFiles
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
|
|
|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
|
SavedLegacySettings
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
ProductNonBootFilesIntl_1033
|
|
There are 4 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
302B000
|
unkown
|
page read and write
|
|
|
|
3027000
|
unkown
|
page read and write
|
|
|
|
219000
|
unkown
|
page read and write
|
|
|
|
1C6000
|
unkown
|
page read and write
|
|
|
|
3E8000
|
unkown
|
page read and write
|
|
|
|
1E0000
|
heap default
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
26CC000
|
unkown
|
page read and write
|
|
|
|
21C6000
|
heap private
|
page read and write
|
|
|
|
2608000
|
unkown
|
page read and write
|
|
|
|
3024000
|
unkown
|
page read and write
|
|
|
|
4B80000
|
unkown
|
page read and write
|
|
|
|
1BA0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
239000
|
unkown
|
page read and write
|
|
|
|
21D000
|
heap default
|
page read and write
|
|
|
|
3E60000
|
unkown image
|
page readonly
|
|
|
|
3D9000
|
unkown
|
page read and write
|
|
|
|
C9F000
|
stack
|
page read and write
|
|
|
|
20000
|
unkown image
|
page read and write
|
|
|
|
4BD0000
|
unkown
|
page read and write
|
|
|
|
226000
|
heap default
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
40A000
|
unkown
|
page read and write
|
|
|
|
18A000
|
unkown
|
page read and write
|
|
|
|
2640000
|
unkown
|
page read and write
|
|
|
|
240000
|
unkown
|
page read and write
|
|
|
|
3DB000
|
unkown
|
page read and write
|
|
|
|
36AF000
|
stack
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
2E0000
|
unkown
|
page read and write
|
|
|
|
3021000
|
unkown
|
page read and write
|
|
|
|
5F4000
|
heap private
|
page read and write
|
|
|
|
240000
|
unkown
|
page read and write
|
|
|
|
2634000
|
unkown
|
page read and write
|
|
|
|
4BA3000
|
unkown
|
page read and write
|
|
|
|
387000
|
heap default
|
page read and write
|
|
|
|
222000
|
unkown
|
page read and write
|
|
|
|
286F000
|
stack
|
page read and write
|
|
|
|
2610000
|
unkown
|
page read and write
|
|
|
|
10000
|
unkown image
|
page read and write
|
|
|
|
307000
|
heap default
|
page read and write
|
|
|
|
610000
|
unkown image
|
page readonly
|
|
|
|
7EFE0000
|
unkown image
|
page readonly
|
|
|
|
21EB000
|
heap private
|
page read and write
|
|
|
|
4BB9000
|
unkown
|
page read and write
|
|
|
|
2CE5000
|
heap private
|
page read and write
|
|
|
|
4BA5000
|
unkown
|
page read and write
|
|
|
|
272000
|
unkown
|
page read and write
|
|
|
|
2644000
|
unkown
|
page read and write
|
|
|
|
2640000
|
unkown
|
page read and write
|
|
|
|
30000
|
unkown image
|
page readonly
|
|
|
|
28A0000
|
unkown image
|
page readonly
|
|
|
|
3DA000
|
unkown
|
page read and write
|
|
|
|
40F000
|
unkown
|
page read and write
|
|
|
|
228000
|
heap default
|
page read and write
|
|
|
|
234000
|
unkown
|
page read and write
|
|
|
|
2185000
|
heap private
|
page read and write
|
|
|
|
1E7000
|
heap default
|
page read and write
|
|
|
|
258000
|
unkown
|
page read and write
|
|
|
|
22B000
|
unkown
|
page read and write
|
|
|
|
3D0000
|
unkown
|
page read and write
|
|
|
|
53D0000
|
heap private
|
page read and write
|
|
|
|
2FA0000
|
heap private
|
page read and write
|
|
|
|
32D0000
|
heap private
|
page read and write
|
|
|
|
23B000
|
unkown
|
page read and write
|
|
|
|
9DF000
|
stack
|
page read and write
|
|
|
|
2B50000
|
heap private
|
page read and write
|
|
|
|
2A2F000
|
stack
|
page read and write
|
|
|
|
2669000
|
unkown
|
page read and write
|
|
|
|
40D000
|
unkown
|
page read and write
|
|
|
|
26B4000
|
unkown
|
page read and write
|
|
|
|
27B0000
|
unkown image
|
page readonly
|
|
|
|
34A0000
|
heap private
|
page read and write
|
|
|
|
F0000
|
unkown
|
page read and write
|
|
|
|
350000
|
unkown
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
2900000
|
heap private
|
page read and write
|
|
|
|
3CB000
|
unkown
|
page read and write
|
|
|
|
BEF000
|
stack
|
page read and write
|
|
|
|
3026000
|
unkown
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
3025000
|
unkown
|
page read and write
|
|
|
|
42B000
|
unkown
|
page read and write
|
|
|
|
26C0000
|
unkown
|
page read and write
|
|
|
|
2659000
|
unkown
|
page read and write
|
|
|
|
E0000
|
unkown image
|
page read and write
|
|
|
|
370000
|
heap private
|
page read and write
|
|
|
|
302C000
|
unkown
|
page read and write
|
|
|
|
40A000
|
unkown
|
page read and write
|
|
|
|
25C0000
|
heap private
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
2734000
|
heap private
|
page read and write
|
|
|
|
432000
|
unkown
|
page read and write
|
|
|
|
26C8000
|
unkown
|
page read and write
|
|
|
|
3FF000
|
heap default
|
page read and write
|
|
|
|
3020000
|
unkown
|
page read and write
|
|
|
|
3E8000
|
unkown
|
page read and write
|
|
|
|
348F000
|
stack
|
page read and write
|
|
|
|
21E4000
|
heap private
|
page read and write
|
|
|
|
2E40000
|
unkown
|
page read and write
|
|
|
|
26A0000
|
unkown
|
page read and write
|
|
|
|
2654000
|
unkown
|
page read and write
|
|
|
|
272000
|
unkown
|
page read and write
|
|
|
|
26B0000
|
unkown
|
page read and write
|
|
|
|
269C000
|
unkown
|
page read and write
|
|
|
|
277000
|
unkown
|
page read and write
|
|
|
|
2670000
|
unkown
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
4BB7000
|
unkown
|
page read and write
|
|
|
|
24D0000
|
unkown image
|
page readonly
|
|
|
|
30000
|
unkown image
|
page readonly
|
|
|
|
267C000
|
unkown
|
page read and write
|
|
|
|
25C000
|
unkown
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
268C000
|
unkown
|
page read and write
|
|
|
|
3022000
|
unkown
|
page read and write
|
|
|
|
2618000
|
unkown
|
page read and write
|
|
|
|
28B0000
|
unkown image
|
page readonly
|
|
|
|
5230000
|
heap private
|
page read and write
|
|
|
|
32D5000
|
heap private
|
page read and write
|
|
|
|
32D9000
|
heap private
|
page read and write
|
|
|
|
2688000
|
unkown
|
page read and write
|
|
|
|
53AF000
|
stack
|
page read and write
|
|
|
|
4B94000
|
unkown
|
page read and write
|
|
|
|
5F0000
|
heap private
|
page read and write
|
|
|
|
2624000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
25C000
|
unkown
|
page read and write
|
|
|
|
2628000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
4CE0000
|
heap private
|
page read and write
|
|
|
|
4BA1000
|
unkown
|
page read and write
|
|
|
|
302A000
|
unkown
|
page read and write
|
|
|
|
2740000
|
heap private
|
page read and write
|
|
|
|
2CE0000
|
heap private
|
page read and write
|
|
|
|
423000
|
unkown
|
page read and write
|
|
|
|
3BE000
|
heap default
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
4B9E000
|
unkown
|
page read and write
|
|
|
|
40F000
|
unkown
|
page read and write
|
|
|
|
2630000
|
unkown
|
page read and write
|
|
|
|
21CF000
|
heap private
|
page read and write
|
|
|
|
40000
|
unkown image
|
page readonly
|
|
|
|
35C0000
|
heap private
|
page read and write
|
|
|
|
4BB1000
|
unkown
|
page read and write
|
|
|
|
316000
|
unkown
|
page read and write
|
|
|
|
33E000
|
heap default
|
page read and write
|
|
|
|
5450000
|
unkown
|
page read and write
|
|
|
|
22E000
|
unkown
|
page read and write
|
|
|
|
264C000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
260C000
|
unkown
|
page read and write
|
|
|
|
E70000
|
unkown image
|
page readonly
|
|
|
|
2650000
|
unkown
|
page read and write
|
|
|
|
4B8F000
|
unkown
|
page read and write
|
|
|
|
4B97000
|
unkown
|
page read and write
|
|
|
|
2C0000
|
heap private
|
page read and write
|
|
|
|
D0000
|
unkown image
|
page readonly
|
|
|
|
40D000
|
unkown
|
page read and write
|
|
|
|
3A80000
|
unkown image
|
page readonly
|
|
|
|
2680000
|
unkown
|
page read and write
|
|
|
|
4BBE000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
28E0000
|
unkown
|
page read and write
|
|
|
|
2638000
|
unkown
|
page read and write
|
|
|
|
50A0000
|
heap private
|
page read and write
|
|
|
|
1D0000
|
unkown
|
page read and write
|
|
|
|
30000
|
unkown image
|
page readonly
|
|
|
|
2E3F000
|
stack
|
page read and write
|
|
|
|
40F000
|
unkown
|
page read and write
|
|
|
|
300000
|
heap default
|
page read and write
|
|
|
|
26A8000
|
unkown
|
page read and write
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
4BAA000
|
unkown
|
page read and write
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
1FCE000
|
stack
|
page read and write
|
|
|
|
422000
|
unkown
|
page read and write
|
|
|
|
21BB000
|
heap private
|
page read and write
|
|
|
|
2D0F000
|
stack
|
page read and write
|
|
|
|
2678000
|
unkown
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
1F3F000
|
stack
|
page read and write
|
|
|
|
40000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
380000
|
heap default
|
page read and write
|
|
|
|
3E8000
|
unkown
|
page read and write
|
|
|
|
4B86000
|
unkown
|
page read and write
|
|
|
|
2730000
|
heap private
|
page read and write
|
|
|
|
6C62000
|
unkown image
|
page readonly
|
|
|
|
2950000
|
heap private
|
page read and write
|
|
|
|
3D8000
|
unkown
|
page read and write
|
|
|
|
2590000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFC0000
|
unkown image
|
page readonly
|
|
|
|
2648000
|
unkown
|
page read and write
|
|
|
|
275000
|
unkown
|
page read and write
|
|
|
|
3023000
|
unkown
|
page read and write
|
|
|
|
17D000
|
unkown
|
page read and write
|
|
|
|
262C000
|
unkown
|
page read and write
|
|
|
|
298B000
|
heap private
|
page read and write
|
|
|
|
30B5000
|
heap private
|
page read and write
|
|
|
|
10000
|
unkown image
|
page read and write
|
|
|
|
3A1000
|
heap default
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
42B000
|
unkown
|
page read and write
|
|
|
|
261C000
|
unkown
|
page read and write
|
|
|
|
206000
|
unkown
|
page read and write
|
|
|
|
42B000
|
unkown
|
page read and write
|
|
|
|
6872000
|
unkown image
|
page read and write
|
|
|
|
30AF000
|
stack
|
page read and write
|
|
|
|
4EB0000
|
heap private
|
page read and write
|
|
|
|
4B0000
|
heap private
|
page read and write
|
|
|
|
26A4000
|
unkown
|
page read and write
|
|
|
|
21E0000
|
heap private
|
page read and write
|
|
|
|
326D000
|
stack
|
page read and write
|
|
|
|
434000
|
unkown
|
page read and write
|
|
|
|
3C67000
|
unkown image
|
page readonly
|
|
|
|
1FE0000
|
heap private
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
FF0000
|
unkown image
|
page readonly
|
|
|
|
3C2000
|
heap default
|
page read and write
|
|
|
|
35C5000
|
heap private
|
page read and write
|
|
|
|
7FFFFFC2000
|
unkown image
|
page readonly
|
|
|
|
3E7000
|
heap default
|
page read and write
|
|
|
|
1190000
|
unkown image
|
page readonly
|
|
|
|
5FA000
|
heap private
|
page read and write
|
|
|
|
1C6000
|
unkown
|
page read and write
|
|
|
|
40000
|
unkown image
|
page readonly
|
|
|
|
30B0000
|
heap private
|
page read and write
|
|
|
|
3029000
|
unkown
|
page read and write
|
|
|
|
1EB0000
|
unkown image
|
page read and write
|
|
|
|
2676000
|
unkown
|
page read and write
|
|
|
|
1000000
|
unkown image
|
page readonly
|
|
|
|
4BA7000
|
unkown
|
page read and write
|
|
|
|
480000
|
unkown image
|
page readonly
|
|
|
|
40D000
|
unkown
|
page read and write
|
|
|
|
5FD000
|
heap private
|
page read and write
|
|
|
|
7FFFFFB0000
|
unkown image
|
page readonly
|
|
|
|
2620000
|
unkown
|
page read and write
|
|
|
|
25C0000
|
unkown
|
page read and write
|
|
|
|
35FB000
|
heap private
|
page read and write
|
|
|
|
4B4000
|
heap private
|
page read and write
|
|
|
|
7EFE0000
|
unkown image
|
page readonly
|
|
|
|
3028000
|
unkown
|
page read and write
|
|
|
|
232000
|
unkown
|
page read and write
|
|
|
|
2180000
|
heap private
|
page read and write
|
|
|
|
190000
|
unkown
|
page read and write
|
|
|
|
25A0000
|
unkown image
|
page read and write
|
|
|
|
600000
|
unkown image
|
page readonly
|
|
|
|
10000
|
unkown image
|
page read and write
|
|
|
|
3E8000
|
unkown
|
page read and write
|
|
|
|
2D90000
|
heap private
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
|
|
7FFFFFD0000
|
unkown image
|
page readonly
|
|
|
|
2955000
|
heap private
|
page read and write
|
|
|
|
7EFE0000
|
unkown image
|
page readonly
|
|
|
|
40A000
|
unkown
|
page read and write
|
|
|
|
38BE000
|
stack
|
page read and write
|
|
|
|
374000
|
heap private
|
page read and write
|
|
|
|
7FFFFFB2000
|
unkown image
|
page readonly
|
|
There are 254 hidden memdumps, click here to show them.