| Source | Finding |
| --- | --- |
| DWWIN.EXE, 00000005.00000002.2237945619.0000000003230000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail) |
| DWWIN.EXE, 00000005.00000002.2238579507.0000000003661000.00000004.00000001.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo) |
| 3C428B1A3E5F57D887EC4B864FAC5DCC.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt |
| DWWIN.EXE, 00000005.00000003.2231318358.0000000000204000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0 |
| DWWIN.EXE, 00000005.00000003.2231343971.0000000000213000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06 |
| DWWIN.EXE, 00000005.00000002.2238579507.0000000003661000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0 |
| DWWIN.EXE, 00000005.00000003.2231408116.0000000003621000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0 |
| DWWIN.EXE, 00000005.00000002.2238579507.0000000003661000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
| DWWIN.EXE, 00000005.00000003.2231404153.0000000003618000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 |
| DWWIN.EXE, 00000005.00000003.2231343971.0000000000213000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 |
| DWWIN.EXE, 00000005.00000003.2231318358.0000000000204000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07 |
| DWWIN.EXE, 00000005.00000003.2231318358.0000000000204000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0 |
| DWWIN.EXE, 00000005.00000003.2231318358.0000000000204000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.5.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
| DWWIN.EXE, 00000005.00000002.2231667864.00000000001ED000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enG |
| DWWIN.EXE, 00000005.00000002.2237945619.0000000003230000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com |
| DWWIN.EXE, 00000005.00000002.2237945619.0000000003230000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/ |
| DWWIN.EXE, 00000005.00000002.2238158063.0000000003417000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp |
| DWWIN.EXE, 00000005.00000002.2238158063.0000000003417000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp |
| DWWIN.EXE, 00000005.00000002.2238579507.0000000003661000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0 |
| DWWIN.EXE, 00000005.00000002.2238579507.0000000003661000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0% |
| DWWIN.EXE, 00000005.00000002.2238579507.0000000003661000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0- |
| DWWIN.EXE, 00000005.00000003.2231343971.0000000000213000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/ |
| DWWIN.EXE, 00000005.00000003.2231393880.0000000000258000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com05 |
| DWWIN.EXE, 00000005.00000003.2231318358.0000000000204000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0 |
| DWWIN.EXE, 00000005.00000003.2231408116.0000000003621000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net03 |
| DWWIN.EXE, 00000005.00000002.2238579507.0000000003661000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net0D |
| DWWIN.EXE, 00000005.00000002.2239715014.0000000003E10000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
| regsvr32.exe, 00000003.00000002.2103191822.0000000001D10000.00000002.00000001.sdmp, DWWIN.EXE, 00000005.00000002.2236119170.0000000002340000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll |
| DWWIN.EXE, 00000005.00000002.2238158063.0000000003417000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check |
| DWWIN.EXE, 00000005.00000002.2238158063.0000000003417000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true |
| DWWIN.EXE, 00000005.00000002.2239715014.0000000003E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA |
| DWWIN.EXE, 00000005.00000002.2238579507.0000000003661000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02 |
| DWWIN.EXE, 00000005.00000003.2231343971.0000000000213000.00000004.00000001.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0 |
| DWWIN.EXE, 00000005.00000002.2237945619.0000000003230000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe |
| DWWIN.EXE, 00000005.00000002.2238158063.0000000003417000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/. |
| DWWIN.EXE, 00000005.00000002.2237945619.0000000003230000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt |
| DWWIN.EXE, 00000005.00000002.2237945619.0000000003230000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv. |
| DWWIN.EXE, 00000005.00000003.2231343971.0000000000213000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0 |
| Source | Finding |
| --- | --- |
| unknown | Network traffic detected: HTTP traffic on port 443 -> 49169 |
| unknown | Network traffic detected: HTTP traffic on port 443 -> 49168 |
| unknown | Network traffic detected: HTTP traffic on port 443 -> 49167 |
| unknown | Network traffic detected: HTTP traffic on port 49168 -> 443 |
| unknown | Network traffic detected: HTTP traffic on port 49169 -> 443 |
| unknown | Network traffic detected: HTTP traffic on port 49167 -> 443 |
| sample20210111-01.xlsm | Initial sample: CALL |
| sample20210111-01.xlsm | Virustotal: Detection: 26% |
| sample20210111-01.xlsm | ReversingLabs: Detection: 21% |
| Source | Finding |
| --- | --- |
| unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding |
| unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\fhmhkjo.dll. |
| unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1948 |
| unknown | Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1948 |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\fhmhkjo.dll. |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1948 |
| C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE | Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1948 |
| Source | Finding |
| --- | --- |
| sample20210111-01.xlsm | Initial sample: OLE zip file path = xl/media/image2.png |
| sample20210111-01.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
| C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE | Process information set: NOOPENFILEERRORBOX |
| C:\Windows\System32\DWWIN.EXE | Process information set: NOOPENFILEERRORBOX |