Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: wmic process call create "mshta C:\ProgramData\SKZbt.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\SKZbt.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1612, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\SKZbt.rtf", ProcessId: 2728 |
Source: Process started | Author: Michael Haag, Florian Roth, juju4, oscd.community: Data: Command: wmic process call create "mshta C:\ProgramData\SKZbt.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\SKZbt.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1612, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\SKZbt.rtf", ProcessId: 2728 |
Source: unknown | TCP traffic detected without corresponding DNS query: 157.230.250.107 |
Source: EXCEL.EXE, 00000000.00000002.671221919.0000000004F00000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.669811445.0000000003320000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail) |
Source: mshta.exe, 00000006.00000002.669184783.00000000003AE000.00000004.00000020.sdmp | String found in binary or memory: http://157.230.250.107: |
Source: mshta.exe, 00000006.00000002.669270394.000000000045A000.00000004.00000020.sdmp | String found in binary or memory: http://157.230.250.107:808 |
Source: mshta.exe, 00000006.00000002.669270394.000000000045A000.00000004.00000020.sdmp | String found in binary or memory: http://157.230.250.107:8080 |
Source: mshta.exe, 00000006.00000002.669184783.00000000003AE000.00000004.00000020.sdmp | String found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhore |
Source: mshta.exe, 00000006.00000002.669184783.00000000003AE000.00000004.00000020.sdmp | String found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhoreh |
Source: mshta.exe, 00000006.00000002.669184783.00000000003AE000.00000004.00000020.sdmp | String found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9 |
Source: mshta.exe, 00000006.00000002.670704206.0000000003F35000.00000004.00000040.sdmp, mshta.exe, 00000006.00000002.669184783.00000000003AE000.00000004.00000020.sdmp, mshta.exe, 00000006.00000002.669246044.0000000000413000.00000004.00000020.sdmp | String found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e |
Source: mshta.exe, 00000006.00000002.670704206.0000000003F35000.00000004.00000040.sdmp | String found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9enM |
Source: mshta.exe, 00000006.00000002.669184783.00000000003AE000.00000004.00000020.sdmp | String found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9ez:vy |
Source: mshta.exe, 00000006.00000002.669270394.000000000045A000.00000004.00000020.sdmp | String found in binary or memory: http://157.230.250.107:8t |
Source: mshta.exe, 00000006.00000002.669184783.00000000003AE000.00000004.00000020.sdmp | String found in binary or memory: http://157.230.250.107t.rtf |
Source: mshta.exe, 00000006.00000002.669184783.00000000003AE000.00000004.00000020.sdmp | String found in binary or memory: http://157.230.250P.6. |
Source: mshta.exe, 00000006.00000002.669184783.00000000003AE000.00000004.00000020.sdmp | String found in binary or memory: http://157.230.HTTP.6.0 |
Source: EXCEL.EXE, 00000000.00000002.671221919.0000000004F00000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.669811445.0000000003320000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com |
Source: EXCEL.EXE, 00000000.00000002.671221919.0000000004F00000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.669811445.0000000003320000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/ |
Source: EXCEL.EXE, 00000000.00000002.671756590.00000000050E7000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.670016804.0000000003507000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp |
Source: EXCEL.EXE, 00000000.00000002.671756590.00000000050E7000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.670016804.0000000003507000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp |
Source: EXCEL.EXE, 00000000.00000002.673679216.00000000059FE000.00000004.00000001.sdmp | String found in binary or memory: http://purl.or |
Source: EXCEL.EXE, 00000000.00000002.675045303.00000000078C6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.675067278.0000000007936000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.675084344.0000000007996000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.675020293.0000000007890000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.open |
Source: EXCEL.EXE, 00000000.00000002.675020293.0000000007890000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.openformatrg/package/2006/content-t |
Source: EXCEL.EXE, 00000000.00000002.675045303.00000000078C6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.675067278.0000000007936000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.675084344.0000000007996000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.openformatrg/package/2006/r |
Source: mshta.exe, 00000006.00000002.670256240.0000000003800000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
Source: WMIC.exe, 00000002.00000002.539805239.0000000001B20000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll |
Source: EXCEL.EXE, 00000000.00000002.671756590.00000000050E7000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.670016804.0000000003507000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check |
Source: EXCEL.EXE, 00000000.00000002.671756590.00000000050E7000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.670016804.0000000003507000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true |
Source: mshta.exe, 00000006.00000002.670256240.0000000003800000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA |
Source: EXCEL.EXE, 00000000.00000002.671221919.0000000004F00000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.669811445.0000000003320000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe |
Source: EXCEL.EXE, 00000000.00000002.671756590.00000000050E7000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.670016804.0000000003507000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/. |
Source: EXCEL.EXE, 00000000.00000002.671221919.0000000004F00000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.669811445.0000000003320000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt |
Source: mshta.exe, 00000006.00000002.669811445.0000000003320000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv. |
Source: EXCEL.EXE, 00000000.00000002.673725130.0000000005A4E000.00000004.00000001.sdmp | Binary or memory string: C:\Windows\System32\Wbem\wmic.exewmic process call create "mshta C:\ProgramData\SKZbt.rtf"C:\Windows\System32\Wbem\wmic.exeWinSta0\Defaultty=C:=C:\Users\user\DocumentsALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeFP_NO_HOST_CHECK=NOHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=4OS=Windows_NTPath=C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=GIGIYTFUSERNAME=userUSERPROFILE=C:\Users\userWecVersionForRosebud.64C=4windir=C:\Windowswindows_tracing_flags=3windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.logicti1 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_02E966E8 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_02E966F3 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_02E9E9F1 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_02E96340 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_02E96743 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_02E96753 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_02E9CF01 |
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\SKZbt.rtf" |
Source: unknown | Process created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\SKZbt.rtf |
Source: EXCEL.EXE, 00000000.00000002.671221919.0000000004F00000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.669811445.0000000003320000.00000002.00020000.sdmp | Binary or memory string: .VBPud<_ |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wbem\WMIC.exe TID: 152 | Thread sleep time: -180000s >= -30000s |
Source: C:\Windows\System32\mshta.exe TID: 508 | Thread sleep time: -60000s >= -30000s |
Source: EXCEL.EXE, 00000000.00000002.669497726.00000000007E0000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.669413061.0000000000F50000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: EXCEL.EXE, 00000000.00000002.669497726.00000000007E0000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.669413061.0000000000F50000.00000002.00020000.sdmp | Binary or memory string: !Progman |
Source: EXCEL.EXE, 00000000.00000002.669497726.00000000007E0000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.669413061.0000000000F50000.00000002.00020000.sdmp | Binary or memory string: Program Manager< |
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation |