Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: wmic process call create "mshta C:\ProgramData\tCeltZ.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\tCeltZ.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 800, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\tCeltZ.rtf", ProcessId: 2012
Source: Process started | Author: Michael Haag, Florian Roth, juju4, oscd.community | Data: Command: wmic process call create "mshta C:\ProgramData\tCeltZ.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\tCeltZ.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 800, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\tCeltZ.rtf", ProcessId: 2012
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: EXCEL.EXE, 00000000.00000002.688649967.00000000007E0000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.688551943.00000000012E0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: EXCEL.EXE, 00000000.00000002.688649967.00000000007E0000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.688551943.00000000012E0000.00000002.00020000.sdmp | Binary or memory string: !Progman |
Source: EXCEL.EXE, 00000000.00000002.688649967.00000000007E0000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.688551943.00000000012E0000.00000002.00020000.sdmp | Binary or memory string: Program Manager< |