Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA |
Jump to behavior |
Source: global traffic |
TCP traffic: 192.168.2.22:49167 -> 190.14.37.165:80 |
Source: global traffic |
TCP traffic: 192.168.2.22:49167 -> 190.14.37.165:80 |
Source: global traffic |
TCP traffic: 192.168.2.22:49169 -> 5.196.247.11:80 |
Source: global traffic |
TCP traffic: 192.168.2.22:49171 -> 188.119.113.3:80 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 190.14.37.165 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 190.14.37.165 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 190.14.37.165 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 190.14.37.165 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 190.14.37.165 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 190.14.37.165 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 5.196.247.11 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 5.196.247.11 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 5.196.247.11 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 5.196.247.11 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 5.196.247.11 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 5.196.247.11 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 188.119.113.3 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 188.119.113.3 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 188.119.113.3 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 188.119.113.3 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 188.119.113.3 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 188.119.113.3 |
Source: 1701667874-10042021.xls |
String found in binary or memory: http://188.119.113.3/ |
Source: 1701667874-10042021.xls |
String found in binary or memory: http://190.14.37.165/ |
Source: 1701667874-10042021.xls |
String found in binary or memory: http://5.196.247.11/ |
Source: regsvr32.exe, 00000005.00000002.679858071.0000000001D50000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.680607370.0000000001C80000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.681304870.0000000001CE0000.00000002.00020000.sdmp |
String found in binary or memory: http://servername/isapibackend.dll |
Source: Document image extraction number: 0 |
Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 PROTECTEDWARNING This file o |
Source: Document image extraction number: 0 |
Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document. |
Source: Document image extraction number: 0 |
Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us |
Source: Document image extraction number: 1 |
Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 pRoTEcTmwARNNG Thisfileorigi |
Source: Document image extraction number: 1 |
Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document. |
Source: Document image extraction number: 1 |
Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us |
Source: 1701667874-10042021.xls |
OLE, VBA macro line: Sub auto_close() |
|
Source: 1701667874-10042021.xls |
OLE, VBA macro line: Sub auto_open() |
|
Source: 1701667874-10042021.xls |
OLE, VBA macro line: Private Sub saWorkbook_Opensa() |
|
Source: 1701667874-10042021.xls |
OLE indicator, VBA macros: true |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Temp\CVRDAD3.tmp |
Jump to behavior |
Source: C:\Windows\System32\regsvr32.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: 1701667874-10042021.xls |
OLE indicator, Workbook stream: true |
Source: classification engine |
Classification label: mal68.expl.winXLS@7/2@0/3 |
Source: unknown |
Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac1 |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac2 |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac1 |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac2 |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File read: C:\Users\desktop.ini |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Window found: window name: SysTabControl32 |
Jump to behavior |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: Yara match |
File source: 1701667874-10042021.xls, type: SAMPLE |